[packages/kernel/LINUX_4_1] - rel 2; tons of apparmor and misc (CVE mainly) fixes from OpenSUSE

arekm arekm at pld-linux.org
Fri Apr 14 09:21:25 CEST 2017


commit f2ed6f667ed0c8935eab85d22159e669464522be
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Fri Apr 14 09:20:52 2017 +0200

    - rel 2; tons of apparmor and misc (CVE mainly) fixes from OpenSUSE

 kernel-apparmor.patch    | 1134 ++++++++++++
 kernel-small_fixes.patch | 4300 +++++++++++++++++++++++++++++++++++++++++++++-
 kernel.spec              |    5 +-
 3 files changed, 5435 insertions(+), 4 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index eba55bb..877b4a3 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -5,6 +5,9 @@
 # PENDING STABLE PATCHES:
 # https://git.kernel.org/cgit/linux/kernel/git/sashal/linux-stable.git/log/?h=linux-4.1.y-queue
 #
+# OTHER PATCHES:
+# http://kernel.opensuse.org/cgit/kernel/log/?h=openSUSE-42.1 ; see series.conf
+#
 # TODO:
 # - benchmark NO_HZ & HZ=1000 vs HZ=300 on i686
 # - IPv4 source address selection for multihomed vservers is completely broken
@@ -71,7 +74,7 @@
 %define		have_pcmcia	0
 %endif
 
-%define		rel		1
+%define		rel		2
 %define		basever		4.1
 %define		postver		.39
 
diff --git a/kernel-apparmor.patch b/kernel-apparmor.patch
index cdbdc0a..a475c85 100644
--- a/kernel-apparmor.patch
+++ b/kernel-apparmor.patch
@@ -1608,3 +1608,1137 @@ index 0000000..478aa4d
 -- 
 1.8.3.2
 
+patches.apparmor/apparmor-temporary-work-around-for-bug-while-unloadi
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 1 Oct 2015 11:57:52 -0700
+Subject: [PATCH] apparmor: temporary work around for bug while unloading policy
+Patch-mainline: TBD
+References: boo#941867
+
+Buglink: https://bugzilla.opensuse.org/show_bug.cgi?id=941867
+
+This patch will stop the bug() call from triggering while unloading/
+replacing policy. It does not address the root cause of the issue
+but will only cause some memory leakage of the sub policies that
+should have been freed before the current profile being destroyed.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -157,12 +157,10 @@ static void policy_destroy(struct aa_pol
+ 		AA_ERROR("%s: internal error, "
+ 			 "policy '%s' still contains profiles\n",
+ 			 __func__, policy->name);
+-		BUG();
+ 	}
+ 	if (on_list_rcu(&policy->list)) {
+ 		AA_ERROR("%s: internal error, policy '%s' still on list\n",
+ 			 __func__, policy->name);
+-		BUG();
+ 	}
+ 
+ 	/* don't free name as its a subset of hname */
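Review bot: Removing both BUG() calls lets policy_destroy() carry on into its free path (outside this hunk) while the two preceding checks have just established that the policy still holds child profiles or is still linked from a list; for the on_list_rcu() case that trades an oops for a policy that is freed while still reachable through the list, which may be a use-after-free rather than only the leak the description admits to. The root-cause fix this workaround stands in for (ec34fa24, "fix replacement bug that adds new child to old parent") is carried later in this same patch file, so either drop the workaround now that the cause is fixed, or keep the condition visible with a stack trace by replacing each removed `BUG();` with `WARN_ON_ONCE(1);` so a regression is noticed instead of silently freed. Patch-mainline is TBD, which also marks this as something to re-evaluate on the next rebase.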
+patches.apparmor/apparmor-fix-refcount-bug-in-profile-replacement
+From dcda617a0c5160c73e0aa02813c871339ea08004 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Mon, 11 Apr 2016 16:55:10 -0700
+Subject: [PATCH] apparmor: fix refcount bug in profile replacement
+Git-commit: dcda617a0c5160c73e0aa02813c871339ea08004
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1188,12 +1188,12 @@ ssize_t aa_replace_profiles(void *udata,
+ 				aa_get_profile(newest);
+ 				aa_put_profile(parent);
+ 				rcu_assign_pointer(ent->new->parent, newest);
+-			} else
+-				aa_put_profile(newest);
++			}
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+ 					   aa_get_profile(ent->new));
+ 			__list_add_profile(&parent->base.profiles, ent->new);
++			aa_put_profile(newest);
+ 		} else {
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+patches.apparmor/apparmor-fix-replacement-bug-that-adds-new-child-to-
+From ec34fa24a934f4c8fd68f39b84abf34c42e5b06a Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Mon, 11 Apr 2016 16:57:19 -0700
+Subject: [PATCH] apparmor: fix replacement bug that adds new child to old parent
+Git-commit: ec34fa24a934f4c8fd68f39b84abf34c42e5b06a
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+When set atomic replacement is used and the parent is updated before the
+child, and the child did not exist in the old parent so there is no
+direct replacement then the new child is incorrectly added to the old
+parent. This results in the new parent not having the child(ren) that
+it should and the old parent when being destroyed asserting the
+following error.
+
+Apparmor: policy_destroy: internal error, policy '<profile/name>' still
+contains profiles
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1192,7 +1192,7 @@ ssize_t aa_replace_profiles(void *udata,
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+ 					   aa_get_profile(ent->new));
+-			__list_add_profile(&parent->base.profiles, ent->new);
++			__list_add_profile(&newest->base.profiles, ent->new);
+ 			aa_put_profile(newest);
+ 		} else {
+ 			/* aafs interface uses replacedby */
+patches.apparmor/apparmor-fix-uninitialized-lsm_audit-member
+From b6b1b81b3afba922505b57f4c812bba022f7c4a9 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Sun, 8 Jun 2014 11:20:54 -0700
+Subject: [PATCH] apparmor: fix uninitialized lsm_audit member
+Git-commit: b6b1b81b3afba922505b57f4c812bba022f7c4a9
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Buglink: http://bugs.launchpad.net/bugs/1268727
+
+The task field in the lsm_audit struct needs to be initialized if
+a change_hat fails, otherwise the following oops will occur
+
+Bug: unable to handle kernel paging request at 0000002fbead7d08
+Ip: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
+PGD 1e3f35067 PUD 0
+Oops: 0002 [#1] SMP
+Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc]
+Cpu: 2 PID: 699 Comm: changehat_twice Tainted: GF          O 3.13.0-7-generic #25-Ubuntu
+Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011
+Task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000
+Rip: 0010:[<ffffffff8171153e>]  [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50
+Rsp: 0018:ffff880212987b68  EFLAGS: 00010006
+Rax: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000
+Rdx: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08
+Rbp: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0
+R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f
+R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830
+Fs: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700
+Cs: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Cr2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0
+Stack: ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026
+Call Trace:
+ [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80
+ [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
+ [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80
+ [<ffffffff81075fee>] send_sig_info+0x1e/0x30
+ [<ffffffff8130242d>] aa_audit+0x13d/0x190
+ [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130
+ [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50
+ [<ffffffff81304cc2>] aa_change_hat+0x202/0x530
+ [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0
+ [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300
+ [<ffffffff812cee56>] security_setprocattr+0x16/0x20
+ [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130
+ [<ffffffff811b7604>] vfs_write+0xb4/0x1f0
+ [<ffffffff811b8039>] SyS_write+0x49/0xa0
+ [<ffffffff8171a1bf>] tracesys+0xe1/0xe6
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/audit.c |    3 ++-
+ security/apparmor/file.c  |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -200,7 +200,8 @@ int aa_audit(int type, struct aa_profile
+ 
+ 	if (sa->aad->type == AUDIT_APPARMOR_KILL)
+ 		(void)send_sig_info(SIGKILL, NULL,
+-				    sa->u.tsk ?  sa->u.tsk : current);
++			sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
++				    sa->u.tsk : current);
+ 
+ 	if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
+ 		return complain_error(sa->aad->error);
+--- a/security/apparmor/file.c
++++ b/security/apparmor/file.c
+@@ -110,7 +110,8 @@ int aa_audit_file(struct aa_profile *pro
+ 	int type = AUDIT_APPARMOR_AUTO;
+ 	struct common_audit_data sa;
+ 	struct apparmor_audit_data aad = {0,};
+-	sa.type = LSM_AUDIT_DATA_NONE;
++	sa.type = LSM_AUDIT_DATA_TASK;
++	sa.u.tsk = NULL;
+ 	sa.aad = &aad;
+ 	aad.op = op,
+ 	aad.fs.request = request;
+patches.apparmor/apparmor-exec-should-not-be-returning-ENOENT-when-it
+From 9049a7922124d843a2cd26a02b1d00a17596ec0c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Fri, 25 Jul 2014 04:02:03 -0700
+Subject: [PATCH] apparmor: exec should not be returning ENOENT when it denies
+Git-commit: 9049a7922124d843a2cd26a02b1d00a17596ec0c
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+The current behavior is confusing as it causes exec failures to report
+the executable is missing instead of identifying that apparmor
+caused the failure.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/domain.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -433,7 +433,7 @@ int apparmor_bprm_set_creds(struct linux
+ 				new_profile = aa_get_newest_profile(ns->unconfined);
+ 				info = "ux fallback";
+ 			} else {
+-				error = -ENOENT;
++				error = -EACCES;
+ 				info = "profile not found";
+ 				/* remove MAY_EXEC to audit as failure */
+ 				perms.allow &= ~MAY_EXEC;
+patches.apparmor/apparmor-fix-update-the-mtime-of-the-profile-file-on
+From d671e890205a663429da74e1972e652bea4d73ab Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Fri, 25 Jul 2014 04:01:56 -0700
+Subject: [PATCH] apparmor: fix update the mtime of the profile file on replacement
+Git-commit: d671e890205a663429da74e1972e652bea4d73ab
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/apparmorfs.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -380,6 +380,8 @@ void __aa_fs_profile_migrate_dents(struc
+ 
+ 	for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
+ 		new->dents[i] = old->dents[i];
++		if (new->dents[i])
++			new->dents[i]->d_inode->i_mtime = CURRENT_TIME;
+ 		old->dents[i] = NULL;
+ 	}
+ }
+patches.apparmor/apparmor-fix-disconnected-bind-mnts-reconnection
+From f2e561d190da7ff5ee265fa460e2d7f753dddfda Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Fri, 25 Jul 2014 04:02:08 -0700
+Subject: [PATCH] apparmor: fix disconnected bind mnts reconnection
+Git-commit: f2e561d190da7ff5ee265fa460e2d7f753dddfda
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Bind mounts can fail to be properly reconnected when PATH_CONNECT is
+specified. Ensure that when PATH_CONNECT is specified the path has
+a root.
+
+Buglink: http://bugs.launchpad.net/bugs/1319984
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/path.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/path.c
++++ b/security/apparmor/path.c
+@@ -141,7 +141,10 @@ static int d_namespace_path(struct path
+ 			error = -EACCES;
+ 			if (*res == '/')
+ 				*name = res + 1;
+-		}
++		} else if (*res != '/')
++			/* CONNECT_PATH with missing root */
++			error = prepend(name, *name - buf, "/", 1);
++
+ 	}
+ 
+ out:
+patches.apparmor/apparmor-internal-paths-should-be-treated-as-disconn
+From bd35db8b8ca6e27fc17a9057ef78e1ddfc0de351 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Fri, 25 Jul 2014 04:02:10 -0700
+Subject: [PATCH] apparmor: internal paths should be treated as disconnected
+Git-commit: bd35db8b8ca6e27fc17a9057ef78e1ddfc0de351
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Internal mounts are not mounted anywhere and as such should be treated
+as disconnected paths.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/path.c |   64 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 36 insertions(+), 28 deletions(-)
+
+--- a/security/apparmor/path.c
++++ b/security/apparmor/path.c
+@@ -25,7 +25,6 @@
+ #include "include/path.h"
+ #include "include/policy.h"
+ 
+-
+ /* modified from dcache.c */
+ static int prepend(char **buffer, int buflen, const char *str, int namelen)
+ {
+@@ -39,6 +38,38 @@ static int prepend(char **buffer, int bu
+ 
+ #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
+ 
++/* If the path is not connected to the expected root,
++ * check if it is a sysctl and handle specially else remove any
++ * leading / that __d_path may have returned.
++ * Unless
++ *     specifically directed to connect the path,
++ * OR
++ *     if in a chroot and doing chroot relative paths and the path
++ *     resolves to the namespace root (would be connected outside
++ *     of chroot) and specifically directed to connect paths to
++ *     namespace root.
++ */
++static int disconnect(const struct path *path, char *buf, char **name,
++		      int flags)
++{
++	int error = 0;
++
++	if (!(flags & PATH_CONNECT_PATH) &&
++	    !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
++	      our_mnt(path->mnt))) {
++		/* disconnected path, don't return pathname starting
++		 * with '/'
++		 */
++		error = -EACCES;
++		if (**name == '/')
++			*name = *name + 1;
++	} else if (**name != '/')
++		/* CONNECT_PATH with missing root */
++		error = prepend(name, *name - buf, "/", 1);
++
++	return error;
++}
++
+ /**
+  * d_namespace_path - lookup a name associated with a given path
+  * @path: path to lookup  (NOT NULL)
+@@ -74,7 +105,8 @@ static int d_namespace_path(struct path
+ 			 * control instead of hard coded /proc
+ 			 */
+ 			return prepend(name, *name - buf, "/proc", 5);
+-		}
++		} else
++			return disconnect(path, buf, name, flags);
+ 		return 0;
+ 	}
+ 
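Review bot: The `return 0;` that follows the new `else return disconnect(path, buf, name, flags);` is now unreachable, since both arms of the if/else return; drop it, or write the two arms as one statement, `return is_sysctl ? prepend(name, *name - buf, "/proc", 5) : disconnect(path, buf, name, flags);` (with whatever the real condition is), so a dead line cannot linger under the sysctl comment. d_namespace_path() starts and ends outside this hunk.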
+@@ -120,32 +152,8 @@ static int d_namespace_path(struct path
+ 			goto out;
+ 	}
+ 
+-	/* If the path is not connected to the expected root,
+-	 * check if it is a sysctl and handle specially else remove any
+-	 * leading / that __d_path may have returned.
+-	 * Unless
+-	 *     specifically directed to connect the path,
+-	 * OR
+-	 *     if in a chroot and doing chroot relative paths and the path
+-	 *     resolves to the namespace root (would be connected outside
+-	 *     of chroot) and specifically directed to connect paths to
+-	 *     namespace root.
+-	 */
+-	if (!connected) {
+-		if (!(flags & PATH_CONNECT_PATH) &&
+-			   !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
+-			     our_mnt(path->mnt))) {
+-			/* disconnected path, don't return pathname starting
+-			 * with '/'
+-			 */
+-			error = -EACCES;
+-			if (*res == '/')
+-				*name = res + 1;
+-		} else if (*res != '/')
+-			/* CONNECT_PATH with missing root */
+-			error = prepend(name, *name - buf, "/", 1);
+-
+-	}
++	if (!connected)
++		error = disconnect(path, buf, name, flags);
+ 
+ out:
+ 	return error;
+patches.apparmor/apparmor-fix-put-parent-ref-after-updating-the-activ
+From f351841f8d41072e741e45299070d421a5833a4a Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Sat, 16 Apr 2016 13:59:02 -0700
+Subject: [PATCH] apparmor: fix put() parent ref after updating the active ref
+Git-commit: f351841f8d41072e741e45299070d421a5833a4a
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1186,8 +1186,8 @@ ssize_t aa_replace_profiles(void *udata,
+ 			/* parent replaced in this atomic set? */
+ 			if (newest != parent) {
+ 				aa_get_profile(newest);
+-				aa_put_profile(parent);
+ 				rcu_assign_pointer(ent->new->parent, newest);
++				aa_put_profile(parent);
+ 			}
+ 			/* aafs interface uses replacedby */
+ 			rcu_assign_pointer(ent->new->replacedby->profile,
+patches.apparmor/apparmor-fix-log-failures-for-all-profiles-in-a-set
+From bf15cf0c641be8e57d45f110a9d91464f5bb461a Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Sat, 16 Apr 2016 14:16:50 -0700
+Subject: [PATCH] apparmor: fix log failures for all profiles in a set
+Git-commit: bf15cf0c641be8e57d45f110a9d91464f5bb461a
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+currently only the profile that is causing the failure is logged. This
+makes it more confusing than necessary about which profiles loaded
+and which didn't. So make sure to log success and failure messages for
+all profiles in the set being loaded.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy.c |   29 +++++++++++++++++++----------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1066,7 +1066,7 @@ static int __lookup_replace(struct aa_na
+  */
+ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
+ {
+-	const char *ns_name, *name = NULL, *info = NULL;
++	const char *ns_name, *info = NULL;
+ 	struct aa_namespace *ns = NULL;
+ 	struct aa_load_ent *ent, *tmp;
+ 	int op = OP_PROF_REPL;
+@@ -1081,18 +1081,15 @@ ssize_t aa_replace_profiles(void *udata,
+ 	/* released below */
+ 	ns = aa_prepare_namespace(ns_name);
+ 	if (!ns) {
+-		info = "failed to prepare namespace";
+-		error = -ENOMEM;
+-		name = ns_name;
+-		goto fail;
++		error = audit_policy(op, GFP_KERNEL, ns_name,
++				     "failed to prepare namespace", -ENOMEM);
++		goto free;
+ 	}
+ 
+ 	mutex_lock(&ns->lock);
+ 	/* setup parent and ns info */
+ 	list_for_each_entry(ent, &lh, list) {
+ 		struct aa_policy *policy;
+-
+-		name = ent->new->base.hname;
+ 		error = __lookup_replace(ns, ent->new->base.hname, noreplace,
+ 					 &ent->old, &info);
+ 		if (error)
+@@ -1120,7 +1117,6 @@ ssize_t aa_replace_profiles(void *udata,
+ 			if (!p) {
+ 				error = -ENOENT;
+ 				info = "parent does not exist";
+-				name = ent->new->base.hname;
+ 				goto fail_lock;
+ 			}
+ 			rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
+@@ -1213,9 +1209,22 @@ out:
+ 
+ fail_lock:
+ 	mutex_unlock(&ns->lock);
+-fail:
+-	error = audit_policy(op, GFP_KERNEL, name, info, error);
+ 
++	/* audit cause of failure */
++	op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
++	audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
++	/* audit status that rest of profiles in the atomic set failed too */
++	info = "valid profile in failed atomic policy load";
++	list_for_each_entry(tmp, &lh, list) {
++		if (tmp == ent) {
++			info = "unchecked profile in failed atomic policy load";
++			/* skip entry that caused failure */
++			continue;
++		}
++		op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
++		audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
++	}
++free:
+ 	list_for_each_entry_safe(ent, tmp, &lh, list) {
+ 		list_del_init(&ent->list);
+ 		aa_load_ent_free(ent);
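Review bot: In the new loop that audits the remaining profiles of a failed atomic set, `op` is computed from `ent->old` (the entry that caused the failure) instead of from the entry being logged, so every other profile is reported with the failing entry's load/replace op; it should read `op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;`. The success path earlier in this function also folds `ent->rename` into the same decision (`!ent->old && !ent->rename`), which neither failure audit here does, so either align them or say why renames do not matter on the failure path. aa_replace_profiles() starts outside this hunk; the `fail_lock` code relies on `ent` still pointing at the failing entry because the list_for_each_entry loops above leave it so, which deserves a one-line comment at the label.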
+patches.apparmor/apparmor-fix-audit-full-profile-hname-on-successful-
+From 7ee6da25dcce27b6023a8673fdf8be98dcf7cacf Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Sat, 16 Apr 2016 14:19:38 -0700
+Subject: [PATCH] apparmor: fix audit full profile hname on successful load
+Git-commit: 7ee6da25dcce27b6023a8673fdf8be98dcf7cacf
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Currently logging of a successful profile load only logs the basename
+of the profile. This can result in confusion when a child profile has
+the same name as the another profile in the set. Logging the hname
+will ensure there is no confusion.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -1158,7 +1158,7 @@ ssize_t aa_replace_profiles(void *udata,
+ 		list_del_init(&ent->list);
+ 		op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
+ 
+-		audit_policy(op, GFP_ATOMIC, ent->new->base.name, NULL, error);
++		audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error);
+ 
+ 		if (ent->old) {
+ 			__replace_profile(ent->old, ent->new, 1);
+patches.apparmor/apparmor-ensure-the-target-profile-name-is-always-au
+From f7da2de01127b58d93cebeab165136d0998e7b1a Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Wed, 20 Apr 2016 14:18:18 -0700
+Subject: [PATCH] apparmor: ensure the target profile name is always audited
+Git-commit: f7da2de01127b58d93cebeab165136d0998e7b1a
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+The target profile name was not being correctly audited in a few
+cases because the target variable was not being set and gotos
+passed the code to set it at apply:
+
+Since it is always based on new_profile just drop the target var
+and conditionally report based on new_profile.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/domain.c |   20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -346,7 +346,7 @@ int apparmor_bprm_set_creds(struct linux
+ 		file_inode(bprm->file)->i_uid,
+ 		file_inode(bprm->file)->i_mode
+ 	};
+-	const char *name = NULL, *target = NULL, *info = NULL;
++	const char *name = NULL, *info = NULL;
+ 	int error = cap_bprm_set_creds(bprm);
+ 	if (error)
+ 		return error;
+@@ -401,6 +401,7 @@ int apparmor_bprm_set_creds(struct linux
+ 	if (cxt->onexec) {
+ 		struct file_perms cp;
+ 		info = "change_profile onexec";
++		new_profile = aa_get_newest_profile(cxt->onexec);
+ 		if (!(perms.allow & AA_MAY_ONEXEC))
+ 			goto audit;
+ 
+@@ -415,7 +416,6 @@ int apparmor_bprm_set_creds(struct linux
+ 
+ 		if (!(cp.allow & AA_MAY_ONEXEC))
+ 			goto audit;
+-		new_profile = aa_get_newest_profile(cxt->onexec);
+ 		goto apply;
+ 	}
+ 
+@@ -447,10 +447,8 @@ int apparmor_bprm_set_creds(struct linux
+ 		if (!new_profile) {
+ 			error = -ENOMEM;
+ 			info = "could not create null profile";
+-		} else {
++		} else
+ 			error = -EACCES;
+-			target = new_profile->base.hname;
+-		}
+ 		perms.xindex |= AA_X_UNSAFE;
+ 	} else
+ 		/* fail exec */
+@@ -461,7 +459,6 @@ int apparmor_bprm_set_creds(struct linux
+ 	 * fail the exec.
+ 	 */
+ 	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
+-		aa_put_profile(new_profile);
+ 		error = -EPERM;
+ 		goto cleanup;
+ 	}
+@@ -476,10 +473,8 @@ int apparmor_bprm_set_creds(struct linux
+ 
+ 	if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
+ 		error = may_change_ptraced_domain(new_profile);
+-		if (error) {
+-			aa_put_profile(new_profile);
++		if (error)
+ 			goto audit;
+-		}
+ 	}
+ 
+ 	/* Determine if secure exec is needed.
+@@ -500,7 +495,6 @@ int apparmor_bprm_set_creds(struct linux
+ 		bprm->unsafe |= AA_SECURE_X_NEEDED;
+ 	}
+ apply:
+-	target = new_profile->base.hname;
+ 	/* when transitioning profiles clear unsafe personality bits */
+ 	bprm->per_clear |= PER_CLEAR_ON_SETID;
+ 
+@@ -508,15 +502,19 @@ x_clear:
+ 	aa_put_profile(cxt->profile);
+ 	/* transfer new profile reference will be released when cxt is freed */
+ 	cxt->profile = new_profile;
++	new_profile = NULL;
+ 
+ 	/* clear out all temporary/transitional state from the context */
+ 	aa_clear_task_cxt_trans(cxt);
+ 
+ audit:
+ 	error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
+-			      name, target, cond.uid, info, error);
++			      name,
++			      new_profile ? new_profile->base.hname : NULL,
++			      cond.uid, info, error);
+ 
+ cleanup:
++	aa_put_profile(new_profile);
+ 	aa_put_profile(profile);
+ 	kfree(buffer);
+ 
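Review bot: The new unconditional `aa_put_profile(new_profile);` at cleanup depends on aa_put_profile() tolerating NULL, because new_profile is NULL both on the early error paths that never assign it and after `new_profile = NULL;` hands the reference to cxt->profile; that helper is not visible here, and the tolerance is presumably present, but a comment at the transfer point would make the ownership handoff explicit: `/* reference now owned by cxt; NULL so cleanup's put is a no-op */`. Note also that the LSM_UNSAFE_NO_NEW_PRIVS branch still jumps straight to cleanup and so bypasses aa_audit_file(), meaning that denial is never audited; that is pre-existing, but easier to fix now that cleanup and audit share the reference handling. apparmor_bprm_set_creds() starts outside this hunk.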
+patches.apparmor/apparmor-check-that-xindex-is-in-trans_table-bounds
+From 23ca7b640b4a55f8747301b6bd984dd05545f6a7 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 17 Mar 2016 12:02:54 -0700
+Subject: [PATCH] apparmor: check that xindex is in trans_table bounds
+Git-commit: 23ca7b640b4a55f8747301b6bd984dd05545f6a7
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy_unpack.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -722,7 +722,7 @@ static bool verify_xindex(int xindex, in
+ 	int index, xtype;
+ 	xtype = xindex & AA_X_TYPE_MASK;
+ 	index = xindex & AA_X_INDEX_MASK;
+-	if (xtype == AA_X_TABLE && index > table_size)
++	if (xtype == AA_X_TABLE && index >= table_size)
+ 		return 0;
+ 	return 1;
+ }
+patches.apparmor/apparmor-fix-refcount-race-when-finding-a-child-prof
+From de7c4cc947f9f56f61520ee7edaf380434a98c8d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Wed, 16 Dec 2015 18:09:10 -0800
+Subject: [PATCH] apparmor: fix refcount race when finding a child profile
+Git-commit: de7c4cc947f9f56f61520ee7edaf380434a98c8d
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+When finding a child profile via an rcu critical section, the profile
+may be put and scheduled for deletion after the child is found but
+before its refcount is incremented.
+
+Protect against this by repeating the lookup if the profiles refcount
+is 0 and is one its way to deletion.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Seth Arnold <seth.arnold at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -765,7 +765,9 @@ struct aa_profile *aa_find_child(struct
+ 	struct aa_profile *profile;
+ 
+ 	rcu_read_lock();
+-	profile = aa_get_profile(__find_child(&parent->base.profiles, name));
++	do {
++		profile = __find_child(&parent->base.profiles, name);
++	} while (profile && !aa_get_profile_not0(profile));
+ 	rcu_read_unlock();
+ 
+ 	/* refcount released by caller */
+patches.apparmor/apparmor-use-list_next_entry-instead-of-list_entry_n
+From 38dbd7d8be36b5e68c96a24b406f3653180c1c03 Mon Sep 17 00:00:00 2001
+From: Geliang Tang <geliangtang at 163.com>
+Date: Mon, 16 Nov 2015 21:46:33 +0800
+Subject: [PATCH] apparmor: use list_next_entry instead of list_entry_next
+Git-commit: 38dbd7d8be36b5e68c96a24b406f3653180c1c03
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+list_next_entry has been defined in list.h, so I replace list_entry_next
+with it.
+
+Signed-off-by: Geliang Tang <geliangtang at 163.com>
+Acked-by: Serge Hallyn <serge.hallyn at canonical.com>
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/apparmorfs.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -552,8 +552,6 @@ fail2:
+ }
+ 
+ 
+-#define list_entry_next(pos, member) \
+-	list_entry(pos->member.next, typeof(*pos), member)
+ #define list_entry_is_head(pos, head, member) (&pos->member == (head))
+ 
+ /**
+@@ -584,7 +582,7 @@ static struct aa_namespace *__next_names
+ 	parent = ns->parent;
+ 	while (ns != root) {
+ 		mutex_unlock(&ns->lock);
+-		next = list_entry_next(ns, base.list);
++		next = list_next_entry(ns, base.list);
+ 		if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
+ 			mutex_lock(&next->lock);
+ 			return next;
+@@ -638,7 +636,7 @@ static struct aa_profile *__next_profile
+ 	parent = rcu_dereference_protected(p->parent,
+ 					   mutex_is_locked(&p->ns->lock));
+ 	while (parent) {
+-		p = list_entry_next(p, base.list);
++		p = list_next_entry(p, base.list);
+ 		if (!list_entry_is_head(p, &parent->base.profiles, base.list))
+ 			return p;
+ 		p = parent;
+@@ -647,7 +645,7 @@ static struct aa_profile *__next_profile
+ 	}
+ 
+ 	/* is next another profile in the namespace */
+-	p = list_entry_next(p, base.list);
++	p = list_next_entry(p, base.list);
+ 	if (!list_entry_is_head(p, &ns->base.profiles, base.list))
+ 		return p;
+ 
+patches.apparmor/apparmor-add-missing-id-bounds-check-on-dfa-verifica
+From 15756178c6a65b261a080e21af4766f59cafc112 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 2 Jun 2016 02:37:02 -0700
+Subject: [PATCH] apparmor: add missing id bounds check on dfa verification
+Git-commit: 15756178c6a65b261a080e21af4766f59cafc112
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/include/match.h |    1 +
+ security/apparmor/match.c         |    2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/security/apparmor/include/match.h
++++ b/security/apparmor/include/match.h
+@@ -62,6 +62,7 @@ struct table_set_header {
+ #define YYTD_ID_ACCEPT2 6
+ #define YYTD_ID_NXT	7
+ #define YYTD_ID_TSIZE	8
++#define YYTD_ID_MAX	8
+ 
+ #define YYTD_DATA8	1
+ #define YYTD_DATA16	2
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -47,6 +47,8 @@ static struct table_header *unpack_table
+ 	 * it every time we use td_id as an index
+ 	 */
+ 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
++	if (th.td_id > YYTD_ID_MAX)
++		goto out;
+ 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
+ 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
+ 	blob += sizeof(struct table_header);
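Review bot: The new bounds check bails out with `goto out`, which returns `table` rather than taking the `fail:` path; that only reports a failure if `table` is still NULL at this point (it is allocated later in this function in the trees I know, but the allocation is outside the hunk), so a comment would help: `/* table not yet allocated: NULL return reports the bad id */`. The same comparison also covers a wire value of 0, which the preceding `- 1` wraps to 0xFFFF if td_id is the u16 declared in match.h; a second comment line noting that would spare the next reader the same check. unpack_table() starts and ends outside this hunk.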
+patches.apparmor/apparmor-don-t-check-for-vmalloc_addr-if-kvzalloc-fa
+From 3197f5adf539a3ee6331f433a51483f8c842f890 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Wed, 15 Jun 2016 09:57:55 +0300
+Subject: [PATCH] apparmor: don't check for vmalloc_addr if kvzalloc() failed
+Git-commit: 3197f5adf539a3ee6331f433a51483f8c842f890
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/match.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -75,14 +75,14 @@ static struct table_header *unpack_table
+ 				     u32, be32_to_cpu);
+ 		else
+ 			goto fail;
++		/* if table was vmalloced make sure the page tables are synced
++		 * before it is used, as it goes live to all cpus.
++		 */
++		if (is_vmalloc_addr(table))
++			vm_unmap_aliases();
+ 	}
+ 
+ out:
+-	/* if table was vmalloced make sure the page tables are synced
+-	 * before it is used, as it goes live to all cpus.
+-	 */
+-	if (is_vmalloc_addr(table))
+-		vm_unmap_aliases();
+ 	return table;
+ fail:
+ 	kvfree(table);
+patches.apparmor/apparmor-fix-oops-in-profile_unpack-when-policy_db-i
+From 5f20fdfed16bc599a325a145bf0123a8e1c9beea Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Wed, 15 Jun 2016 10:00:55 +0300
+Subject: [PATCH] apparmor: fix oops in profile_unpack() when policy_db is not present
+Git-commit: 5f20fdfed16bc599a325a145bf0123a8e1c9beea
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Buglink: http://bugs.launchpad.net/bugs/1592547
+
+If unpack_dfa() returns NULL due to the dfa not being present,
+profile_unpack() is not checking if the dfa is not present (NULL).
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/policy_unpack.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -629,6 +629,9 @@ static struct aa_profile *unpack_profile
+ 			error = PTR_ERR(profile->policy.dfa);
+ 			profile->policy.dfa = NULL;
+ 			goto fail;
++		} else if (!profile->policy.dfa) {
++			error = -EPROTO;
++			goto fail;
+ 		}
+ 		if (!unpack_u32(e, &profile->policy.start[0], "start"))
+ 			/* default start state */
+patches.apparmor/apparmor-fix-module-parameters-can-be-changed-after-
+From 58acf9d911c8831156634a44d0b022d683e1e50c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Wed, 22 Jun 2016 18:01:08 -0700
+Subject: [PATCH] apparmor: fix module parameters can be changed after policy is locked
+Git-commit: 58acf9d911c8831156634a44d0b022d683e1e50c
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+the policy_lock parameter is a one way switch that prevents policy
+from being further modified. Unfortunately some of the module parameters
+can effectively modify policy by turning off enforcement.
+
+split policy_admin_capable into a view check and a full admin check,
+and update the admin check to test the policy_lock parameter.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/include/policy.h |    2 ++
+ security/apparmor/lsm.c            |   22 ++++++++++------------
+ security/apparmor/policy.c         |   18 +++++++++++++++++-
+ 3 files changed, 29 insertions(+), 13 deletions(-)
+
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -406,6 +406,8 @@ static inline int AUDIT_MODE(struct aa_p
+ 	return profile->audit;
+ }
+ 
++bool policy_view_capable(void);
++bool policy_admin_capable(void);
+ bool aa_may_manage_policy(int op);
+ 
+ #endif /* __AA_POLICY_H */
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -874,51 +874,49 @@ __setup("apparmor=", apparmor_enabled_se
+ /* set global flag turning off the ability to load policy */
+ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+-	if (aa_g_lock_policy)
+-		return -EACCES;
+ 	return param_set_bool(val, kp);
+ }
+ 
+ static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 	return param_get_bool(buffer, kp);
+ }
+ 
+ static int param_set_aabool(const char *val, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 	return param_set_bool(val, kp);
+ }
+ 
+ static int param_get_aabool(char *buffer, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 	return param_get_bool(buffer, kp);
+ }
+ 
+ static int param_set_aauint(const char *val, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 	return param_set_uint(val, kp);
+ }
+ 
+ static int param_get_aauint(char *buffer, const struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 	return param_get_uint(buffer, kp);
+ }
+ 
+ static int param_get_audit(char *buffer, struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_view_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
+@@ -930,7 +928,7 @@ static int param_get_audit(char *buffer,
+ static int param_set_audit(const char *val, struct kernel_param *kp)
+ {
+ 	int i;
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
+@@ -951,7 +949,7 @@ static int param_set_audit(const char *v
+ 
+ static int param_get_mode(char *buffer, struct kernel_param *kp)
+ {
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
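Review bot: param_get_mode is a read-only getter but is switched to `policy_admin_capable()`, while every other getter touched by this patch (param_get_aalockpolicy, param_get_aabool, param_get_aauint, param_get_audit) is switched to `policy_view_capable()`; once aa_g_lock_policy is set, reading the `mode` parameter fails with -EPERM even though it modifies nothing. The check should be `if (!policy_view_capable())` to match the other getters and the view/admin split the commit message describes. The remainder of param_get_mode lies outside the hunk.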
+@@ -963,7 +961,7 @@ static int param_get_mode(char *buffer,
+ static int param_set_mode(const char *val, struct kernel_param *kp)
+ {
+ 	int i;
+-	if (!capable(CAP_MAC_ADMIN))
++	if (!policy_admin_capable())
+ 		return -EPERM;
+ 
+ 	if (!apparmor_enabled)
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -917,6 +917,22 @@ static int audit_policy(int op, gfp_t gf
+ 			&sa, NULL);
+ }
+ 
++bool policy_view_capable(void)
++{
++	struct user_namespace *user_ns = current_user_ns();
++	bool response = false;
++
++	if (ns_capable(user_ns, CAP_MAC_ADMIN))
++		response = true;
++
++	return response;
++}
++
++bool policy_admin_capable(void)
++{
++	return policy_view_capable() && !aa_g_lock_policy;
++}
++
+ /**
+  * aa_may_manage_policy - can the current task manage policy
+  * @op: the policy manipulation operation being done
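Review bot: `policy_view_capable()` replaces the removed `capable(CAP_MAC_ADMIN)` with `ns_capable(current_user_ns(), CAP_MAC_ADMIN)`, a widening the commit message does not mention: a task that holds CAP_MAC_ADMIN only in a child user namespace (which an unprivileged user can create) now passes the view check, and the admin check too while aa_g_lock_policy is clear. Whether that is reachable in practice depends on the DAC permissions of the module-parameter and securityfs nodes that call into these helpers, which is not visible here. If the old semantics are intended, `capable(CAP_MAC_ADMIN)` (init_user_ns) should be used instead; if the relaxation is deliberate it deserves a comment such as `/* NOTE: checked against the caller's user namespace, not init_user_ns */` and a sentence in the changelog.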
+@@ -931,7 +947,7 @@ bool aa_may_manage_policy(int op)
+ 		return 0;
+ 	}
+ 
+-	if (!capable(CAP_MAC_ADMIN)) {
++	if (!policy_admin_capable()) {
+ 		audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
+ 		return 0;
+ 	}
+patches.apparmor/apparmor-do-not-expose-kernel-stack
+From f4ee2def2d70692ccff0d55353df4ee594fd0017 Mon Sep 17 00:00:00 2001
+From: Heinrich Schuchardt <xypron.glpk at gmx.de>
+Date: Fri, 10 Jun 2016 23:34:26 +0200
+Subject: [PATCH] apparmor: do not expose kernel stack
+Git-commit: f4ee2def2d70692ccff0d55353df4ee594fd0017
+Patch-mainline: 4.8-rc1
+References: bsc#1000304
+
+Do not copy uninitalized fields th.td_hilen, th.td_data.
+
+Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ security/apparmor/match.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/match.c
++++ b/security/apparmor/match.c
+@@ -63,7 +63,9 @@ static struct table_header *unpack_table
+ 
+ 	table = kvzalloc(tsize);
+ 	if (table) {
+-		*table = th;
++		table->td_id = th.td_id;
++		table->td_flags = th.td_flags;
++		table->td_lolen = th.td_lolen;
+ 		if (th.td_flags == YYTD_DATA8)
+ 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
+ 				     u8, byte_to_byte);
+patches.apparmor/apparmor-fix-change_hat-not-finding-hat-after-policy-replacement.patch
+From: John Johansen <john.johansen at canonical.com>
+Date: Wed, 31 Aug 2016 21:10:06 -0700
+Subject: apparmor: fix change_hat not finding hat after policy replacement
+Git-commit: 3d40658c977769ce2138f286cf131537bf68bdfe
+Patch-mainline: 4.9-rc7
+References: bsc#1000287
+
+After a policy replacement, the task cred may be out of date and need
+to be updated. However change_hat is using the stale profiles from
+the out of date cred resulting in either: a stale profile being applied
+or, incorrect failure when searching for a hat profile as it has been
+migrated to the new parent profile.
+
+Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
+Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+Acked-by: Jeff Mahoney <jeffm at suse.com>
+---
+ security/apparmor/domain.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
+index f2a83b4..dbd68f2 100644
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -621,8 +621,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
+ 	/* released below */
+ 	cred = get_current_cred();
+ 	cxt = cred_cxt(cred);
+-	profile = aa_cred_profile(cred);
+-	previous_profile = cxt->previous;
++	profile = aa_get_newest_profile(aa_cred_profile(cred));
++	previous_profile = aa_get_newest_profile(cxt->previous);
+ 
+ 	if (unconfined(profile)) {
+ 		info = "unconfined";
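Review bot: `cxt->previous` is presumably NULL when no hat is active (the original code copied it straight into previous_profile), so the new `aa_get_newest_profile(cxt->previous)` and the matching `aa_put_profile(previous_profile)` at `out:` both need to tolerate a NULL argument; neither helper is visible here, so that is worth confirming and recording with `/* previous may be NULL; aa_get_newest_profile()/aa_put_profile() must accept NULL */`. The two references taken here are only dropped at the `out:` label, so any path that leaves aa_change_hat without reaching it would now leak them; the body between the two hunks is outside this view. aa_change_hat starts and ends outside the hunk.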
+@@ -718,6 +718,8 @@ audit:
+ out:
+ 	aa_put_profile(hat);
+ 	kfree(name);
++	aa_put_profile(profile);
++	aa_put_profile(previous_profile);
+ 	put_cred(cred);
+ 
+ 	return error;
+
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index cd518b2..a2fa50e 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -125,10 +125,1138 @@ index 29531ec..65fbfb7 100644
  	if (!mp->m_eofblocks_workqueue)
  		goto out_destroy_log;
 
-From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
+patches.fixes/x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch
+From 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi at upv.es>
+Date: Thu, 10 Mar 2016 20:51:00 +0100
+Subject: [PATCH] x86/mm/32: Enable full randomization on i386 and X86_32
+Git-commit: 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb
+Patch-mainline: 4.6-rc1
+References: bnc#974308, CVE-2016-3672
+
+Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only
+the stack and the executable are randomized but not other mmapped files
+(libraries, vDSO, etc.). This patch enables randomization for the
+libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode.
+
+By default on i386 there are 8 bits for the randomization of the libraries,
+vDSO and mmaps which only uses 1MB of VA.
+
+This patch preserves the original randomness, using 1MB of VA out of 3GB or
+4GB. We think that 1MB out of 3GB is not a big cost for having the ASLR.
+
+The first obvious security benefit is that all objects are randomized (not
+only the stack and the executable) in legacy mode which highly increases
+the ASLR effectiveness, otherwise the attackers may use these
+non-randomized areas. But also sensitive setuid/setgid applications are
+more secure because currently, attackers can disable the randomization of
+these applications by setting the ulimit stack to "unlimited". This is a
+very old and widely known trick to disable the ASLR in i386 which has been
+allowed for too long.
+
+Another trick used to disable the ASLR was to set the ADDR_NO_RANDOMIZE
+personality flag, but fortunately this doesn't work on setuid/setgid
+applications because there is security checks which clear Security-relevant
+flags.
+
+This patch always randomizes the mmap_legacy_base address, removing the
+possibility to disable the ASLR by setting the stack to "unlimited".
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi at upv.es>
+Acked-by: Ismael Ripoll Ripoll <iripoll at upv.es>
+Acked-by: Kees Cook <keescook at chromium.org>
+Acked-by: Arjan van de Ven <arjan at linux.intel.com>
+Cc: Linus Torvalds <torvalds at linux-foundation.org>
+Cc: Peter Zijlstra <peterz at infradead.org>
+Cc: Thomas Gleixner <tglx at linutronix.de>
+Cc: akpm at linux-foundation.org
+Cc: kees Cook <keescook at chromium.org>
+Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Reviewed-by: Michal Hocko <mhocko at suse.cz>
+
+---
+ arch/x86/mm/mmap.c | 14 +-------------
+ 1 file changed, 1 insertion(+), 13 deletions(-)
+
+diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
+index 96bd1e2bffaf..389939f74dd5 100644
+--- a/arch/x86/mm/mmap.c
++++ b/arch/x86/mm/mmap.c
+@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
+ }
+ 
+ /*
+- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
+- * does, but not when emulating X86_32
+- */
+-static unsigned long mmap_legacy_base(unsigned long rnd)
+-{
+-	if (mmap_is_ia32())
+-		return TASK_UNMAPPED_BASE;
+-	else
+-		return TASK_UNMAPPED_BASE + rnd;
+-}
+-
+-/*
+  * This function, called very early during the creation of a new
+  * process VM image, sets up which VM layout function to use:
+  */
+@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
+ 	if (current->flags & PF_RANDOMIZE)
+ 		random_factor = arch_mmap_rnd();
+ 
+-	mm->mmap_legacy_base = mmap_legacy_base(random_factor);
++	mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
+ 
+ 	if (mmap_is_legacy()) {
+ 		mm->mmap_base = mm->mmap_legacy_base;
+-- 
+1.8.5.6
+
+patches.fixes/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
+From cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 Mon Sep 17 00:00:00 2001
+From: Chris Salls <salls at cs.ucsb.edu>
+Date: Fri, 7 Apr 2017 23:48:11 -0700
+Subject: [PATCH] mm/mempolicy.c: fix error handling in set_mempolicy and
+ mbind.
+Git-commit: cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
+Patch-mainline: 4.11-rc5
+References: bnc#1033336, CVE-2017-7616
+
+In the case that compat_get_bitmap fails we do not want to copy the
+bitmap to the user as it will contain uninitialized stack data and leak
+sensitive data.
+
+Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: Michal Hocko <mhocko at suse.cz>
+
+---
+ mm/mempolicy.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 75b2745bac41..37d0b334bfe9 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -1529,7 +1529,6 @@ static int copy_nodes_to_user(unsigned long __user *mask, unsigned long maxnode,
+ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
+ 		       compat_ulong_t, maxnode)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	DECLARE_BITMAP(bm, MAX_NUMNODES);
+@@ -1538,14 +1537,13 @@ static int copy_nodes_to_user(unsigned long __user *mask, unsigned long maxnode,
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(bm, nmask, nr_bits);
++		if (compat_get_bitmap(bm, nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, bm, alloc_size);
++		if (copy_to_user(nm, bm, alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_set_mempolicy(mode, nm, nr_bits+1);
+ }
+ 
+@@ -1553,7 +1551,6 @@ static int copy_nodes_to_user(unsigned long __user *mask, unsigned long maxnode,
+ 		       compat_ulong_t, mode, compat_ulong_t __user *, nmask,
+ 		       compat_ulong_t, maxnode, compat_ulong_t, flags)
+ {
+-	long err = 0;
+ 	unsigned long __user *nm = NULL;
+ 	unsigned long nr_bits, alloc_size;
+ 	nodemask_t bm;
+@@ -1562,14 +1559,13 @@ static int copy_nodes_to_user(unsigned long __user *mask, unsigned long maxnode,
+ 	alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
+ 
+ 	if (nmask) {
+-		err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
++		if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
++			return -EFAULT;
+ 		nm = compat_alloc_user_space(alloc_size);
+-		err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
++		if (copy_to_user(nm, nodes_addr(bm), alloc_size))
++			return -EFAULT;
+ 	}
+ 
+-	if (err)
+-		return -EFAULT;
+-
+ 	return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
+ }
+ 
+-- 
+1.8.5.6
+
+patches.fixes/0001-ipc-shm-Fix-shmat-mmap-nil-page-protection.patch
+From 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave at stgolabs.net>
+Date: Mon, 27 Feb 2017 14:28:24 -0800
+Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection
+Git-commit: 95e91b831f87ac8e1f8ed50c14d709089b4e01b8
+Patch-mainline: v4.11-rc1
+References: CVE-2017-5669 bsc#1026914
+
+The issue is described here, with a nice testcase:
+
+    https://bugzilla.kernel.org/show_bug.cgi?id=192931
+
+The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
+the address rounded down to 0.  For the regular mmap case, the
+protection mentioned above is that the kernel gets to generate the
+address -- arch_get_unmapped_area() will always check for MAP_FIXED and
+return that address.  So by the time we do security_mmap_addr(0) things
+get funky for shmat().
+
+The testcase itself shows that while a regular user crashes, root will
+not have a problem attaching a nil-page.  There are two possible fixes
+to this.  The first, and which this patch does, is to simply allow root
+to crash as well -- this is also regular mmap behavior, ie when hacking
+up the testcase and adding mmap(...  |MAP_FIXED).  While this approach
+is the safer option, the second alternative is to ignore SHM_RND if the
+rounded address is 0, thus only having MAP_SHARED flags.  This makes the
+behavior of shmat() identical to the mmap() case.  The downside of this
+is obviously user visible, but does make sense in that it maintains
+semantics after the round-down wrt 0 address and mmap.
+
+Passes shm related ltp tests.
+
+Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
+Signed-off-by: Davidlohr Bueso <dbueso at suse.de>
+Reported-by: Gareth Evans <gareth.evans at contextis.co.uk>
+Cc: Manfred Spraul <manfred at colorfullife.com>
+Cc: Michael Kerrisk <mtk.manpages at googlemail.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+---
+ ipc/shm.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ipc/shm.c b/ipc/shm.c
+index d7805acb44fd..06ea9ef7f54a 100644
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -1091,8 +1091,8 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
+  * "raddr" thing points to kernel space, and there has to be a wrapper around
+  * this.
+  */
+-long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+-	      unsigned long shmlba)
++long do_shmat(int shmid, char __user *shmaddr, int shmflg,
++	      ulong *raddr, unsigned long shmlba)
+ {
+ 	struct shmid_kernel *shp;
+ 	unsigned long addr;
+@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
+ 		goto out;
+ 	else if ((addr = (ulong)shmaddr)) {
+ 		if (addr & (shmlba - 1)) {
+-			if (shmflg & SHM_RND)
+-				addr &= ~(shmlba - 1);	   /* round down */
++			/*
++			 * Round down to the nearest multiple of shmlba.
++			 * For sane do_mmap_pgoff() parameters, avoid
++			 * round downs that trigger nil-page and MAP_FIXED.
++			 */
++			if ((shmflg & SHM_RND) && addr >= shmlba)
++				addr &= ~(shmlba - 1);
+ 			else
+ #ifndef __ARCH_FORCE_SHMLBA
+ 				if (addr & ~PAGE_MASK)
+-- 
+2.6.6
+
+patches.fixes/rds-fix-an-infoleak-in-rds_inc_info_copy.patch
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Thu, 2 Jun 2016 04:11:20 -0400
+Subject: rds: fix an infoleak in rds_inc_info_copy
+Patch-mainline: v4.7-rc3
+Git-commit: 4116def2337991b39919f3b448326e21c40e0dbb
+References: bsc#983213 CVE-2016-5244 
+
+The last field "flags" of object "minfo" is not initialized.
+Copying this object out may leak kernel stack data.
+Assign 0 to it to avoid leak.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Acked-by: Santosh Shilimkar <santosh.shilimkar at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Borislav Petkov <bp at suse.de>
+---
+ net/rds/recv.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -545,5 +545,7 @@ void rds_inc_info_copy(struct rds_incomi
+ 		minfo.fport = inc->i_hdr.h_dport;
+ 	}
+ 
++	minfo.flags = 0;
++
+ 	rds_info_copy(iter, &minfo, sizeof(minfo));
+ }
+patches.fixes/gro-Defer-clearing-of-flush-bit-in-tunnel-paths.patch
+From: Alexander Duyck <aduyck at mirantis.com>
+Date: Wed, 9 Mar 2016 09:24:23 -0800
+Subject: gro: Defer clearing of flush bit in tunnel paths
+Patch-mainline: v4.6-rc1
+Git-commit: c194cf93c164ed1c71142485ee0f70f9f2d1fe35
+References: CVE-2016-7039 bsc#1001486
+
+This patch updates the GRO handlers for GRE, VXLAN, GENEVE, and FOU so that
+we do not clear the flush bit until after we have called the next level GRO
+handler.  Previously this was being cleared before parsing through the list
+of frames, however this resulted in several paths where either the bit
+needed to be reset but wasn't as in the case of FOU, or cases where it was
+being set as in GENEVE.  By just deferring the clearing of the bit until
+after the next level protocol has been parsed we can avoid any unnecessary
+bit twiddling and avoid bugs.
+
+Signed-off-by: Alexander Duyck <aduyck at mirantis.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+openSUSE-42.1: omit geneve part (geneve driver was added in v4.2-rc1)
+
+---
+ drivers/net/vxlan.c    |    2 +-
+ net/ipv4/fou.c         |    3 +--
+ net/ipv4/gre_offload.c |    3 +--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -621,7 +621,6 @@ static struct sk_buff **vxlan_gro_receiv
+ 			goto out;
+ 	}
+ 
+-	flush = 0;
+ 
+ 	for (p = *head; p; p = p->next) {
+ 		if (!NAPI_GRO_CB(p)->same_flow)
+@@ -636,6 +635,7 @@ static struct sk_buff **vxlan_gro_receiv
+ 	}
+ 
+ 	pp = call_gro_receive(eth_gro_receive, head, skb);
++	flush = 0;
+ 
+ out:
+ 	skb_gro_remcsum_cleanup(skb, &grc);
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -323,8 +323,6 @@ static struct sk_buff **gue_gro_receive(
+ 
+ 	skb_gro_pull(skb, hdrlen);
+ 
+-	flush = 0;
+-
+ 	for (p = *head; p; p = p->next) {
+ 		const struct guehdr *guehdr2;
+ 
+@@ -356,6 +354,7 @@ static struct sk_buff **gue_gro_receive(
+ 		goto out_unlock;
+ 
+ 	pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
++	flush = 0;
+ 
+ out_unlock:
+ 	rcu_read_unlock();
+--- a/net/ipv4/gre_offload.c
++++ b/net/ipv4/gre_offload.c
+@@ -182,8 +182,6 @@ static struct sk_buff **gre_gro_receive(
+ 					     null_compute_pseudo);
+ 	}
+ 
+-	flush = 0;
+-
+ 	for (p = *head; p; p = p->next) {
+ 		const struct gre_base_hdr *greh2;
+ 
+@@ -220,6 +218,7 @@ static struct sk_buff **gre_gro_receive(
+ 	skb_gro_postpull_rcsum(skb, greh, grehlen);
+ 
+ 	pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
++	flush = 0;
+ 
+ out_unlock:
+ 	rcu_read_unlock();
+patches.fixes/sctp-validate-chunk-len-before-actually-using-it.patch
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Tue, 25 Oct 2016 14:27:39 -0200
+Subject: sctp: validate chunk len before actually using it
+Patch-mainline: v4.9-rc4
+Git-commit: bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
+References: CVE-2016-9555 bsc#1011685
+
+Andrey Konovalov reported that KASAN detected that SCTP was using a slab
+beyond the boundaries. It was caused because when handling out of the
+blue packets in function sctp_sf_ootb() it was checking the chunk len
+only after already processing the first chunk, validating only for the
+2nd and subsequent ones.
+
+The fix is to just move the check upwards so it's also validated for the
+1st chunk.
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/sctp/sm_statefuns.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index e6bb98e583fb..690a973b72b5 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3426,6 +3426,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net,
+ 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+ 						  commands);
+ 
++		/* Report violation if chunk len overflows */
++		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
++		if (ch_end > skb_tail_pointer(skb))
++			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
++						  commands);
++
+ 		/* Now that we know we at least have a chunk header,
+ 		 * do things that are type appropriate.
+ 		 */
+@@ -3457,12 +3463,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net,
+ 			}
+ 		}
+ 
+-		/* Report violation if chunk len overflows */
+-		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+-		if (ch_end > skb_tail_pointer(skb))
+-			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+-						  commands);
+-
+ 		ch = (sctp_chunkhdr_t *) ch_end;
+ 	} while (ch_end < skb_tail_pointer(skb));
+ 
+-- 
+2.10.2
+
+patches.fixes/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 2 Dec 2016 09:44:53 -0800
+Subject: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
+Patch-mainline: v4.9-rc8
+Git-commit: b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
+References: CVE-2016-9793 bsc#1013531
+
+CAP_NET_ADMIN users should not be allowed to set negative
+sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
+corruptions, crashes, OOM...
+
+Note that before commit 82981930125a ("net: cleanups in
+sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
+and SO_RCVBUF were vulnerable.
+
+This needs to be backported to all known linux kernels.
+
+Again, many thanks to syzkaller team for discovering this gem.
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/core/sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 47fc8bb3b946..510003ac0567 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -732,7 +732,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ 		val = min_t(u32, val, sysctl_wmem_max);
+ set_sndbuf:
+ 		sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+-		sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
++		sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
+ 		/* Wake up sending tasks if we upped the value. */
+ 		sk->sk_write_space(sk);
+ 		break;
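Review bot: With the comparison now signed a negative `val` collapses to SOCK_MIN_SNDBUF, but `val * 2` is still a signed multiply: on the SO_SNDBUFFORCE path, which reaches `set_sndbuf` without the `min_t(u32, val, sysctl_wmem_max)` clamp shown above for SO_SNDBUF, any val above INT_MAX/2 overflows, and it only ends up as SOCK_MIN_SNDBUF because the kernel is built with -fno-strict-overflow and the product wraps negative. Clamping before the multiply removes the dependence on that build flag: `val = min_t(int, val, INT_MAX / 2);` right after the `set_sndbuf:` label, and the same for the rcvbuf hunk below. Whether the FORCE case already clamps before its goto is not visible in this hunk.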
+@@ -768,7 +768,7 @@ set_rcvbuf:
+ 		 * returning the value we actually used in getsockopt
+ 		 * is the most desirable behavior.
+ 		 */
+-		sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
++		sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
+ 		break;
+ 
+ 	case SO_RCVBUFFORCE:
+-- 
+2.11.0
+
+patches.fixes/tcp-take-care-of-truncations-done-by-sk_filter.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Thu, 10 Nov 2016 13:12:35 -0800
+Subject: tcp: take care of truncations done by sk_filter()
+Patch-mainline: v4.9-rc6
+Git-commit: ac6e780070e30e4c35bd395acfe9191e6268bdd3
+References: CVE-2016-8645 bsc#1009969
+
+With syzkaller help, Marco Grassi found a bug in TCP stack,
+crashing in tcp_collapse()
+
+Root cause is that sk_filter() can truncate the incoming skb,
+but TCP stack was not really expecting this to happen.
+It probably was expecting a simple DROP or ACCEPT behavior.
+
+We first need to make sure no part of TCP header could be removed.
+Then we need to adjust TCP_SKB_CB(skb)->end_seq
+
+Many thanks to syzkaller team and Marco for giving us a reproducer.
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Marco Grassi <marco.gra at gmail.com>
+Reported-by: Vladis Dronov <vdronov at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ include/net/tcp.h   |  1 +
+ net/ipv4/tcp_ipv4.c | 19 ++++++++++++++++++-
+ net/ipv6/tcp_ipv6.c |  6 ++++--
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 3d3a365233f0..22c9eb3eea84 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1094,6 +1094,7 @@ static inline void tcp_prequeue_init(struct tcp_sock *tp)
+ }
+ 
+ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb);
++int tcp_filter(struct sock *sk, struct sk_buff *skb);
+ 
+ #undef STATE_TRACE
+ 
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 13b92d595138..bbaaf7c62645 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1540,6 +1540,21 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(tcp_prequeue);
+ 
++int tcp_filter(struct sock *sk, struct sk_buff *skb)
++{
++	struct tcphdr *th = (struct tcphdr *)skb->data;
++	unsigned int eaten = skb->len;
++	int err;
++
++	err = sk_filter_trim_cap(sk, skb, th->doff * 4);
++	if (!err) {
++		eaten -= skb->len;
++		TCP_SKB_CB(skb)->end_seq -= eaten;
++	}
++	return err;
++}
++EXPORT_SYMBOL(tcp_filter);
++
+ /*
+  *	From tcp_input.c
+  */
+@@ -1623,8 +1638,10 @@ process:
+ 
+ 	nf_reset(skb);
+ 
+-	if (sk_filter(sk, skb))
++	if (tcp_filter(sk, skb))
+ 		goto discard_and_relse;
++	th = (const struct tcphdr *)skb->data;
++	iph = ip_hdr(skb);
+ 
+ 	sk_incoming_cpu_update(sk);
+ 	skb->dev = NULL;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index ac6c40d08ac5..3c552910831a 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1215,7 +1215,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ 	if (skb->protocol == htons(ETH_P_IP))
+ 		return tcp_v4_do_rcv(sk, skb);
+ 
+-	if (sk_filter(sk, skb))
++	if (tcp_filter(sk, skb))
+ 		goto discard;
+ 
+ 	/*
+@@ -1421,8 +1421,10 @@ process:
+ 		goto discard_and_relse;
+ #endif
+ 
+-	if (sk_filter(sk, skb))
++	if (tcp_filter(sk, skb))
+ 		goto discard_and_relse;
++	th = (const struct tcphdr *)skb->data;
++	hdr = ipv6_hdr(skb);
+ 
+ 	sk_incoming_cpu_update(sk);
+ 	skb->dev = NULL;
+-- 
+2.11.0
+patches.fixes/net-introduce-__sock_queue_rcv_skb-function.patch
+
+
+From: samanthakumar <samanthakumar at google.com>
+Date: Tue, 5 Apr 2016 12:41:15 -0400
+Subject: net: introduce __sock_queue_rcv_skb() function
+Patch-mainline: v4.7-rc1
+Git-commit: e6afc8ace6dd5cef5e812f26c72579da8806f5ac (partial)
+References: bsc#1009969
+No-fix: 30c7be26fd3587abcb69587f781098e3ca2d565b
+No-fix: 10df8e6152c6c400a563a673e9956320bfce1871
+No-fix: e83c6744e81abc93a20d0eb3b7f504a176a6126a
+No-fix: a612769774a30e4fc143c4cb6395c12573415660
+No-fix: ce25d66ad5f8d921bac5fe2d32d62fa30c0f9a70
+No-fix: 595d0b29463343c3be995d3948930b8231e5b8cd
+No-fix: 31c2e4926fe912f88388bcaa8450fcaa8f2ece47
+No-fix: 9f9a45beaa96188085d52d273c2ecb052c7d8d27
+No-fix: 4d0fc73ebe94ac984a187f21fbf4f3a1ac846f5a
+No-fix: 1da8c681d5c122afe9fbadc02e92a0f9e3f7af44
+No-fix: 39b2dd765e0711e1efd1d1df089473a8dd93ad48
+
+This allows to separate the call to sk_filter() out of
+sock_queue_rcv_skb() function. In mainline, this is a part of larger
+commit which does something else and has an impressive list of "Fixes:"
+follow-ups, pick only the part we need.
+
+Signed-off-by: Sam Kumar <samanthakumar at google.com>
+Signed-off-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ include/net/sock.h |  1 +
+ net/core/sock.c    | 19 +++++++++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index e19fecd9d63e..3f5cdfecfa6c 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1981,6 +1981,7 @@ void sk_reset_timer(struct sock *sk, struct timer_list *timer,
+ 
+ void sk_stop_timer(struct sock *sk, struct timer_list *timer);
+ 
++int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
+ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
+ 
+ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb);
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 47fc8bb3b946..9a022b944784 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -431,9 +431,8 @@ static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
+ }
+ 
+ 
+-int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
++int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+ {
+-	int err;
+ 	unsigned long flags;
+ 	struct sk_buff_head *list = &sk->sk_receive_queue;
+ 
+@@ -443,10 +442,6 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+ 		return -ENOMEM;
+ 	}
+ 
+-	err = sk_filter(sk, skb);
+-	if (err)
+-		return err;
+-
+ 	if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
+ 		atomic_inc(&sk->sk_drops);
+ 		return -ENOBUFS;
+@@ -469,6 +464,18 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+ 		sk->sk_data_ready(sk);
+ 	return 0;
+ }
++EXPORT_SYMBOL(__sock_queue_rcv_skb);
++
++int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
++{
++	int err;
++
++	err = sk_filter(sk, skb);
++	if (err)
++		return err;
++
++	return __sock_queue_rcv_skb(sk, skb);
++}
+ EXPORT_SYMBOL(sock_queue_rcv_skb);
+ 
+ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
+-- 
+2.11.0
+
+patches.fixes/rose-limit-sk_filter-trim-to-payload.patch
+
+From: Willem de Bruijn <willemb at google.com>
+Date: Tue, 12 Jul 2016 18:18:56 -0400
+Subject: rose: limit sk_filter trim to payload
+Patch-mainline: v4.7
+Git-commit: f4979fcea7fd36d8e2f556abef86f80e0d5af1ba
+References: bsc#1009969
+
+Sockets can have a filter program attached that drops or trims
+incoming packets based on the filter program return value.
+
+Rose requires data packets to have at least ROSE_MIN_LEN bytes. It
+verifies this on arrival in rose_route_frame and unconditionally pulls
+the bytes in rose_recvmsg. The filter can trim packets to below this
+value in-between, causing pull to fail, leaving the partial header at
+the time of skb_copy_datagram_msg.
+
+Place a lower bound on the size to which sk_filter may trim packets
+by introducing sk_filter_trim_cap and call this for rose packets.
+
+Signed-off-by: Willem de Bruijn <willemb at google.com>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+openSUSE-13.2: we only need sk_filter_trim_cap() function but the change
+in rose driver make good sense so let's take the whole patch.
+
+---
+ include/linux/filter.h | 6 +++++-
+ net/core/filter.c      | 9 +++++----
+ net/rose/rose_in.c     | 3 ++-
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 1ce6e1049a3b..ad808ab81ffa 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -358,7 +358,11 @@ static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
+ }
+ #endif /* CONFIG_DEBUG_SET_MODULE_RONX */
+ 
+-int sk_filter(struct sock *sk, struct sk_buff *skb);
++int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap);
++static inline int sk_filter(struct sock *sk, struct sk_buff *skb)
++{
++	return sk_filter_trim_cap(sk, skb, 1);
++}
+ 
+ void bpf_prog_select_runtime(struct bpf_prog *fp);
+ void bpf_prog_free(struct bpf_prog *fp);
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 238bb3f9c51d..b3888d0fef82 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -47,9 +47,10 @@
+ #include <linux/bpf.h>
+ 
+ /**
+- *	sk_filter - run a packet through a socket filter
++ *	sk_filter_trim_cap - run a packet through a socket filter
+  *	@sk: sock associated with &sk_buff
+  *	@skb: buffer to filter
++ *	@cap: limit on how short the eBPF program may trim the packet
+  *
+  * Run the filter code and then cut skb->data to correct size returned by
+  * SK_RUN_FILTER. If pkt_len is 0 we toss packet. If skb->len is smaller
+@@ -58,7 +59,7 @@
+  * be accepted or -EPERM if the packet should be tossed.
+  *
+  */
+-int sk_filter(struct sock *sk, struct sk_buff *skb)
++int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap)
+ {
+ 	int err;
+ 	struct sk_filter *filter;
+@@ -80,13 +81,13 @@ int sk_filter(struct sock *sk, struct sk_buff *skb)
+ 	if (filter) {
+ 		unsigned int pkt_len = SK_RUN_FILTER(filter, skb);
+ 
+-		err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
++		err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM;
+ 	}
+ 	rcu_read_unlock();
+ 
+ 	return err;
+ }
+-EXPORT_SYMBOL(sk_filter);
++EXPORT_SYMBOL(sk_filter_trim_cap);
+ 
+ static u64 __skb_get_pay_offset(u64 ctx, u64 a, u64 x, u64 r4, u64 r5)
+ {
+diff --git a/net/rose/rose_in.c b/net/rose/rose_in.c
+index 79c4abcfa6b4..0a6394754e81 100644
+--- a/net/rose/rose_in.c
++++ b/net/rose/rose_in.c
+@@ -164,7 +164,8 @@ static int rose_state3_machine(struct sock *sk, struct sk_buff *skb, int framety
+ 		rose_frames_acked(sk, nr);
+ 		if (ns == rose->vr) {
+ 			rose_start_idletimer(sk);
+-			if (sock_queue_rcv_skb(sk, skb) == 0) {
++			if (sk_filter_trim_cap(sk, skb, ROSE_MIN_LEN) == 0 &&
++			    __sock_queue_rcv_skb(sk, skb) == 0) {
+ 				rose->vr = (rose->vr + 1) % ROSE_MODULUS;
+ 				queued = 1;
+ 			} else {
+-- 
+2.11.0
+
+patches.kabi/kABI-reintroduce-sk_filter.patch
+
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Wed, 14 Dec 2016 09:09:18 +0100
+Subject: kABI: reintroduce sk_filter
+Patch-mainline: Never, kabi workaround
+References: bsc#1009969
+
+Backport of mainline commit ac6e780070e3 ("tcp: take care of truncations
+done by sk_filter()") makde sk_filter() an inline wrapper.
+
+Restore the old function, because it is a part of kABI. The function
+is now only a wrapper to sk_filter_trim_cap.
+
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Michal Kubecek <mkubecek at suse.cz>
+---
+ include/linux/filter.h | 5 +----
+ net/core/filter.c      | 6 ++++++
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index ad808ab81ffa..2799f6e90b90 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -359,10 +359,7 @@ static inline void bpf_prog_unlock_ro(struct bpf_prog *fp)
+ #endif /* CONFIG_DEBUG_SET_MODULE_RONX */
+ 
+ int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap);
+-static inline int sk_filter(struct sock *sk, struct sk_buff *skb)
+-{
+-	return sk_filter_trim_cap(sk, skb, 1);
+-}
++int sk_filter(struct sock *sk, struct sk_buff *skb);
+ 
+ void bpf_prog_select_runtime(struct bpf_prog *fp);
+ void bpf_prog_free(struct bpf_prog *fp);
+diff --git a/net/core/filter.c b/net/core/filter.c
+index b3888d0fef82..1e5c0c3d900e 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -46,6 +46,12 @@
+ #include <linux/if_vlan.h>
+ #include <linux/bpf.h>
+ 
++int sk_filter(struct sock *sk, struct sk_buff *skb)
++{
++	return sk_filter_trim_cap(sk, skb, 1);
++}
++EXPORT_SYMBOL(sk_filter);
++
+ /**
+  *	sk_filter_trim_cap - run a packet through a socket filter
+  *	@sk: sock associated with &sk_buff
+-- 
+2.11.0
+
+patches.fixes/ip6_gre-fix-ip6gre_err-invalid-reads.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Sat, 4 Feb 2017 23:18:55 -0800
+Subject: ip6_gre: fix ip6gre_err() invalid reads
+Patch-mainline: v4.10
+Git-commit: 7892032cfe67f4bde6fc2ee967e45a8fbaf33756
+References: CVE-2017-5897 bsc#1023762
+
+Andrey Konovalov reported out of bound accesses in ip6gre_err()
+
+If GRE flags contains GRE_KEY, the following expression
+*(((__be32 *)p) + (grehlen / 4) - 1)
+
+accesses data ~40 bytes after the expected point, since
+grehlen includes the size of IPv6 headers.
+
+Let's use a "struct gre_base_hdr *greh" pointer to make this
+code more readable.
+
+p[1] becomes greh->protocol.
+grhlen is the GRE header length.
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/ipv6/ip6_gre.c | 41 ++++++++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index b1311da5d7b8..9e2cdeebf30d 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -55,6 +55,7 @@
+ #include <net/ip6_fib.h>
+ #include <net/ip6_route.h>
+ #include <net/ip6_tunnel.h>
++#include <net/gre.h>
+ 
+ 
+ static bool log_ecn_error = true;
+@@ -367,35 +368,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
+ 
+ 
+ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+-		u8 type, u8 code, int offset, __be32 info)
++		       u8 type, u8 code, int offset, __be32 info)
+ {
+-	const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
+-	__be16 *p = (__be16 *)(skb->data + offset);
+-	int grehlen = offset + 4;
++	const struct gre_base_hdr *greh;
++	const struct ipv6hdr *ipv6h;
++	int grehlen = sizeof(*greh);
+ 	struct ip6_tnl *t;
++	int key_off = 0;
+ 	__be16 flags;
++	__be32 key;
+ 
+-	flags = p[0];
+-	if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
+-		if (flags&(GRE_VERSION|GRE_ROUTING))
+-			return;
+-		if (flags&GRE_KEY) {
+-			grehlen += 4;
+-			if (flags&GRE_CSUM)
+-				grehlen += 4;
+-		}
++	if (!pskb_may_pull(skb, offset + grehlen))
++		return;
++	greh = (const struct gre_base_hdr *)(skb->data + offset);
++	flags = greh->flags;
++	if (flags & (GRE_VERSION | GRE_ROUTING))
++		return;
++	if (flags & GRE_CSUM)
++		grehlen += 4;
++	if (flags & GRE_KEY) {
++		key_off = grehlen + offset;
++		grehlen += 4;
+ 	}
+ 
+-	/* If only 8 bytes returned, keyed message will be dropped here */
+-	if (!pskb_may_pull(skb, grehlen))
++	if (!pskb_may_pull(skb, offset + grehlen))
+ 		return;
+ 	ipv6h = (const struct ipv6hdr *)skb->data;
+-	p = (__be16 *)(skb->data + offset);
++	greh = (const struct gre_base_hdr *)(skb->data + offset);
++	key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
+ 
+ 	t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
+-				flags & GRE_KEY ?
+-				*(((__be32 *)p) + (grehlen / 4) - 1) : 0,
+-				p[1]);
++				 key, greh->protocol);
+ 	if (!t)
+ 		return;
+ 
+-- 
+2.11.1
+
+patches.fixes/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Sat, 4 Feb 2017 11:16:52 -0800
+Subject: ipv4: keep skb->dst around in presence of IP options
+Patch-mainline: v4.10-rc8
+Git-commit: 34b2cef20f19c87999fff3da4071e66937db9644
+References: CVE-2017-5970 bsc#1024938
+
+Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
+is accessed.
+
+ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
+are present.
+
+We could refine the test to the presence of ts_needtime or srr,
+but IP options are not often used, so let's be conservative.
+
+Thanks to syzkaller team for finding this bug.
+
+Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/ipv4/ip_sockglue.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index b6c7bdea4853..6a06a3d0f28c 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -1186,7 +1186,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
+ 		pktinfo->ipi_ifindex = 0;
+ 		pktinfo->ipi_spec_dst.s_addr = 0;
+ 	}
+-	skb_dst_drop(skb);
++	/* We need to keep the dst for __ip_options_echo()
++	 * We could restrict the test to opt.ts_needtime || opt.srr,
++	 * but the following is good enough as IP options are not often used.
++	 */
++	if (unlikely(IPCB(skb)->opt.optlen))
++		skb_dst_force(skb);
++	else
++		skb_dst_drop(skb);
+ }
+ 
+ int ip_setsockopt(struct sock *sk, int level,
+-- 
+2.11.1
+
+patches.fixes/sctp-avoid-BUG_ON-on-sctp_wait_for_sndbuf.patch
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Mon, 6 Feb 2017 18:10:31 -0200
+Subject: sctp: avoid BUG_ON on sctp_wait_for_sndbuf
+Patch-mainline: v4.10-rc8
+Git-commit: 2dcab598484185dea7ec22219c76dcdd59e3cb90
+References: CVE-2017-5986 bsc#1025235
+
+Alexander Popov reported that an application may trigger a BUG_ON in
+sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
+waiting on it to queue more data and meanwhile another thread peels off
+the association being used by the first thread.
+
+This patch replaces the BUG_ON call with a proper error handling. It
+will return -EPIPE to the original sendmsg call, similarly to what would
+have been done if the association wasn't found in the first place.
+
+Acked-by: Alexander Popov <alex.popov at linux.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/sctp/socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 3c5833058b03..b4b2bb4eccf8 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -6963,7 +6963,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ 		 */
+ 		release_sock(sk);
+ 		current_timeo = schedule_timeout(current_timeo);
+-		BUG_ON(sk != asoc->base.sk);
++		if (sk != asoc->base.sk)
++			goto do_error;
+ 		lock_sock(sk);
+ 
+ 		*timeo_p = current_timeo;
+-- 
+2.11.1
+
+patches.fixes/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Thu, 23 Feb 2017 09:31:18 -0300
+Subject: sctp: deny peeloff operation on asocs with threads sleeping on it
+Patch-mainline: v4.11-rc1
+Git-commit: dfcb9f4f99f1e9a49e43398a7bfbf56927544af1
+References: CVE-2017-6353 bsc#1027066
+
+commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+attempted to avoid a BUG_ON call when the association being used for a
+sendmsg() is blocked waiting for more sndbuf and another thread did a
+peeloff operation on such asoc, moving it to another socket.
+
+As Ben Hutchings noticed, then in such case it would return without
+locking back the socket and would cause two unlocks in a row.
+
+Further analysis also revealed that it could allow a double free if the
+application managed to peeloff the asoc that is created during the
+sendmsg call, because then sctp_sendmsg() would try to free the asoc
+that was created only for that call.
+
+This patch takes another approach. It will deny the peeloff operation
+if there is a thread sleeping on the asoc, so this situation doesn't
+exist anymore. This avoids the issues described above and also honors
+the syscalls that are already being handled (it can be multiple sendmsg
+calls).
+
+Joint work with Xin Long.
+
+Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+Cc: Alexander Popov <alex.popov at linux.com>
+Cc: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Signed-off-by: Xin Long <lucien.xin at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/sctp/socket.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index b4b2bb4eccf8..fcf10252017e 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4432,6 +4432,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ 	if (!asoc)
+ 		return -EINVAL;
+ 
++	/* If there is a thread waiting on more sndbuf space for
++	 * sending on this asoc, it cannot be peeled.
++	 */
++	if (waitqueue_active(&asoc->wait))
++		return -EBUSY;
++
+ 	/* An association cannot be branched off from an already peeled-off
+ 	 * socket, nor is this supported for tcp style sockets.
+ 	 */
+@@ -6963,8 +6969,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ 		 */
+ 		release_sock(sk);
+ 		current_timeo = schedule_timeout(current_timeo);
+-		if (sk != asoc->base.sk)
+-			goto do_error;
+ 		lock_sock(sk);
+ 
+ 		*timeo_p = current_timeo;
+-- 
+2.11.1
+
+patches.fixes/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
 From: Andrey Konovalov <andreyknvl at google.com>
 Date: Thu, 16 Feb 2017 17:22:46 +0100
 Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
+Patch-mainline: v4.10
+Git-commit: 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
+References: CVE-2017-6074 bsc#1026024
 
 In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
 is forcibly freed via __kfree_skb in dccp_rcv_state_process if
@@ -151,12 +1279,14 @@ simply consumed
 Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
 Acked-by: Eric Dumazet <edumazet at google.com>
 Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
 ---
  net/dccp/input.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/net/dccp/input.c b/net/dccp/input.c
-index ba34718..8fedc2d 100644
+index 3bd14e885396..dbe2573f6ba1 100644
 --- a/net/dccp/input.c
 +++ b/net/dccp/input.c
 @@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
@@ -170,5 +1300,3169 @@ index ba34718..8fedc2d 100644
  		if (dh->dccph_type == DCCP_PKT_RESET)
  			goto discard;
 -- 
-cgit v0.12
+2.11.1
+
+patches.fixes/tcp-avoid-infinite-loop-in-tcp_splice_read.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 3 Feb 2017 14:59:38 -0800
+Subject: tcp: avoid infinite loop in tcp_splice_read()
+Patch-mainline: v4.10-rc8
+Git-commit: ccf7abb93af09ad0868ae9033d1ca8108bdaec82
+References: CVE-2017-6214 bsc#1026722
+
+Splicing from TCP socket is vulnerable when a packet with URG flag is
+received and stored into receive queue.
+
+__tcp_splice_read() returns 0, and sk_wait_data() immediately
+returns since there is the problematic skb in queue.
+
+This is a nice way to burn cpu (aka infinite loop) and trigger
+soft lockups.
+
+Again, this gem was found by syzkaller tool.
+
+Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Dmitry Vyukov  <dvyukov at google.com>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/ipv4/tcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 19d385a0f02d..cf6186f5a035 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -780,6 +780,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
+ 				ret = -EAGAIN;
+ 				break;
+ 			}
++			/* if __tcp_splice_read() got nothing while we have
++			 * an skb in receive queue, we do not want to loop.
++			 * This might happen with URG data.
++			 */
++			if (!skb_queue_empty(&sk->sk_receive_queue))
++				break;
+ 			sk_wait_data(sk, &timeo);
+ 			if (signal_pending(current)) {
+ 				ret = sock_intr_errno(timeo);
+-- 
+2.11.1
+
+patches.fixes/udp-fix-IP_CHECKSUM-handling.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Sun, 23 Oct 2016 18:03:06 -0700
+Subject: udp: fix IP_CHECKSUM handling
+Patch-mainline: v4.9-rc4
+Git-commit: 10df8e6152c6c400a563a673e9956320bfce1871
+References: CVE-2017-6347 bsc#1027179
+
+First bug was added in commit ad6f939ab193 ("ip: Add offset parameter to
+ip_cmsg_recv") : Tom missed that ipv4 udp messages could be received on
+AF_INET6 socket. ip_cmsg_recv(msg, skb) should have been replaced by
+ip_cmsg_recv_offset(msg, skb, sizeof(struct udphdr));
+
+Then commit e6afc8ace6dd ("udp: remove headers from UDP packets before
+queueing") forgot to adjust the offsets now UDP headers are pulled
+before skb are put in receive queue.
+
+Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
+Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Cc: Sam Kumar <samanthakumar at google.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Tested-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+openSUSE-42.1: pick only the part fixing the udpv6_recvmsg() issue,
+commit e6afc8ace6dd ("udp: remove headers from UDP packets before
+queueing") is not present.
+
+---
+ net/ipv6/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1173557ea551..49766bf20cd5 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -493,7 +493,7 @@ try_again:
+ 
+ 	if (is_udp4) {
+ 		if (inet->cmsg_flags)
+-			ip_cmsg_recv(msg, skb);
++			ip_cmsg_recv_offset(msg, skb, sizeof(struct udphdr));
+ 	} else {
+ 		if (np->rxopt.all)
+ 			ip6_datagram_recv_specific_ctl(sk, msg, skb);
+-- 
+2.12.0
+
+patches.fixes/ip-fix-IP_CHECKSUM-handling.patch
+From: Paolo Abeni <pabeni at redhat.com>
+Date: Tue, 21 Feb 2017 09:33:18 +0100
+Subject: ip: fix IP_CHECKSUM handling
+Patch-mainline: v4.11-rc1
+Git-commit: ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32
+References: CVE-2017-6347 bsc#1027179
+
+The skbs processed by ip_cmsg_recv() are not guaranteed to
+be linear e.g. when sending UDP packets over loopback with
+MSGMORE.
+Using csum_partial() on [potentially] the whole skb len
+is dangerous; instead be on the safe side and use skb_checksum().
+
+Thanks to syzkaller team to detect the issue and provide the
+reproducer.
+
+v1 -> v2:
+ - move the variable declaration in a tighter scope
+
+Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Paolo Abeni <pabeni at redhat.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/ipv4/ip_sockglue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index 6a06a3d0f28c..6b3d4eeda568 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -106,7 +106,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
+ 		return;
+ 
+ 	if (offset != 0)
+-		csum = csum_sub(csum, csum_partial(skb->data, offset, 0));
++		csum = csum_sub(csum, skb_checksum(skb, 0, offset, 0));
+ 
+ 	put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
+ }
+-- 
+2.12.0
+
+patches.fixes/packet-fix-races-in-fanout_add.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Tue, 14 Feb 2017 09:03:51 -0800
+Subject: packet: fix races in fanout_add()
+Patch-mainline: v4.10
+Git-commit: d199fab63c11998a602205f7ee7ff7c05c97164b
+References: CVE-2017-6346 bsc#1027189
+
+Multiple threads can call fanout_add() at the same time.
+
+We need to grab fanout_mutex earlier to avoid races that could
+lead to one thread freeing po->rollover that was set by another thread.
+
+Do the same in fanout_release(), for peace of mind, and to help us
+finding lockdep issues earlier.
+
+Fixes: dc99f600698d ("packet: Add fanout support.")
+Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Michal Kubecek <mkubecek at suse.cz>
+
+openSUSE-42.1: no rollover stuff from commit 0648ab70afe6 ("packet:
+rollover prepare: per-socket state"); only extend the area covered by
+fanout_mutex.
+
+---
+ net/packet/af_packet.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index b9d1baaa8bdc..3d6b2e111a55 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1447,13 +1447,16 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
+ 		return -EINVAL;
+ 	}
+ 
++	mutex_lock(&fanout_mutex);
++
++	err = -EINVAL;
+ 	if (!po->running)
+-		return -EINVAL;
++		goto out;
+ 
++	err = -EALREADY;
+ 	if (po->fanout)
+-		return -EALREADY;
++		goto out;
+ 
+-	mutex_lock(&fanout_mutex);
+ 	match = NULL;
+ 	list_for_each_entry(f, &fanout_list, list) {
+ 		if (f->id == id &&
+@@ -1509,18 +1512,18 @@ static void fanout_release(struct sock *sk)
+ 	struct packet_sock *po = pkt_sk(sk);
+ 	struct packet_fanout *f;
+ 
+-	f = po->fanout;
+-	if (!f)
+-		return;
+-
+ 	mutex_lock(&fanout_mutex);
+-	po->fanout = NULL;
++	f = po->fanout;
++	if (f) {
++		po->fanout = NULL;
+ 
+-	if (atomic_dec_and_test(&f->sk_ref)) {
+-		list_del(&f->list);
+-		dev_remove_pack(&f->prot_hook);
+-		kfree(f);
++		if (atomic_dec_and_test(&f->sk_ref)) {
++			list_del(&f->list);
++			dev_remove_pack(&f->prot_hook);
++			kfree(f);
++		}
+ 	}
++
+ 	mutex_unlock(&fanout_mutex);
+ }
+ 
+-- 
+2.12.0
+
+patches.fixes/net-llc-avoid-BUG_ON-in-skb_orphan.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Sun, 12 Feb 2017 14:03:52 -0800
+Subject: net/llc: avoid BUG_ON() in skb_orphan()
+Patch-mainline: v4.10
+Git-commit: 8b74d439e1697110c5e5c600643e823eb1dd0762
+References: CVE-2017-6345 bsc#1027190
+
+It seems nobody used LLC since linux-3.12.
+
+Fortunately fuzzers like syzkaller still know how to run this code,
+otherwise it would be no fun.
+
+Setting skb->sk without skb->destructor leads to all kinds of
+bugs, we now prefer to be very strict about it.
+
+Ideally here we would use skb_set_owner() but this helper does not exist yet,
+only CAN seems to have a private helper for that.
+
+Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/llc/llc_conn.c | 3 +++
+ net/llc/llc_sap.c  | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
+index 81a61fce3afb..841026e02ce8 100644
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
+ 		 * another trick required to cope with how the PROCOM state
+ 		 * machine works. -acme
+ 		 */
++		skb_orphan(skb);
++		sock_hold(sk);
+ 		skb->sk = sk;
++		skb->destructor = sock_efree;
+ 	}
+ 	if (!sock_owned_by_user(sk))
+ 		llc_conn_rcv(sk, skb);
+diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
+index d0e1e804ebd7..5404d0d195cc 100644
+--- a/net/llc/llc_sap.c
++++ b/net/llc/llc_sap.c
+@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
+ 
+ 	ev->type   = LLC_SAP_EV_TYPE_PDU;
+ 	ev->reason = 0;
++	skb_orphan(skb);
++	sock_hold(sk);
+ 	skb->sk = sk;
++	skb->destructor = sock_efree;
+ 	llc_sap_state_process(sap, skb);
+ }
+ 
+-- 
+2.12.0
+
+patches.fixes/l2tp-fix-racy-SOCK_ZAPPED-flag-check-in-l2tp_ip-6-_b.patch
+From: Guillaume Nault <g.nault at alphalink.fr>
+Date: Fri, 18 Nov 2016 22:13:00 +0100
+Subject: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
+Patch-mainline: v4.9-rc7
+Git-commit: 32c231164b762dddefa13af5a0101032c70b50ef
+References: CVE-2016-10200 bsc#1028415
+
+Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
+Without lock, a concurrent call could modify the socket flags between
+the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
+a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
+would then leave a stale pointer there, generating use-after-free
+errors when walking through the list or modifying adjacent entries.
+
+BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
+Write of size 8 by task syz-executor/10987
+CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+ ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
+ ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
+ ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
+Call Trace:
+ [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
+ [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
+ [<     inline     >] print_address_description mm/kasan/report.c:194
+ [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
+ [<     inline     >] kasan_report mm/kasan/report.c:303
+ [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
+ [<     inline     >] __write_once_size ./include/linux/compiler.h:249
+ [<     inline     >] __hlist_del ./include/linux/list.h:622
+ [<     inline     >] hlist_del_init ./include/linux/list.h:637
+ [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
+ [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
+ [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
+ [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
+ [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
+ [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
+ [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
+ [<ffffffff813774f9>] task_work_run+0xf9/0x170
+ [<ffffffff81324aae>] do_exit+0x85e/0x2a00
+ [<ffffffff81326dc8>] do_group_exit+0x108/0x330
+ [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
+ [<ffffffff811b49af>] do_signal+0x7f/0x18f0
+ [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
+ [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
+ [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
+ [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
+Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
+Allocated:
+PID = 10987
+ [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
+ [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
+ [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
+ [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
+ [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
+ [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708
+ [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716
+ [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
+ [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
+ [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
+ [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
+ [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
+ [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193
+ [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223
+ [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
+ [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
+Freed:
+PID = 10987
+ [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
+ [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
+ [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
+ [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352
+ [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
+ [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951
+ [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
+ [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369
+ [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
+ [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
+ [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
+ [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
+ [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
+ [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
+ [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
+ [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
+ [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
+ [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
+ [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
+ [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
+ [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
+ [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
+ [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
+ [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
+ [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
+ [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
+ [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
+ [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
+ [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
+Memory state around the buggy address:
+ ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+                                                    ^
+ ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+==================================================================
+
+The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.
+
+Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
+Reported-by: Baozeng Ding <sploving1 at gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Baozeng Ding <sploving1 at gmail.com>
+Signed-off-by: Guillaume Nault <g.nault at alphalink.fr>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/l2tp/l2tp_ip.c  | 5 +++--
+ net/l2tp/l2tp_ip6.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 44ee0683b14b..1a8281de81d5 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -251,8 +251,6 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ 	int ret;
+ 	int chk_addr_ret;
+ 
+-	if (!sock_flag(sk, SOCK_ZAPPED))
+-		return -EINVAL;
+ 	if (addr_len < sizeof(struct sockaddr_l2tpip))
+ 		return -EINVAL;
+ 	if (addr->l2tp_family != AF_INET)
+@@ -267,6 +265,9 @@ static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ 	read_unlock_bh(&l2tp_ip_lock);
+ 
+ 	lock_sock(sk);
++	if (!sock_flag(sk, SOCK_ZAPPED))
++		goto out;
++
+ 	if (sk->sk_state != TCP_CLOSE || addr_len < sizeof(struct sockaddr_l2tpip))
+ 		goto out;
+ 
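Review bot: The relocated SOCK_ZAPPED check at the new `goto out` under lock_sock() returns whatever `ret` holds at that point, whereas the removed check at the top of l2tp_ip_bind() returned -EINVAL explicitly. The assignment of `ret` on this path is outside the hunk, so it is worth confirming it is -EINVAL there; the IPv6 counterpart in this series sets `err = -EINVAL;` immediately before its equivalent check, and the IPv4 side has no such visible assignment. If `ret` is still 0 or a stale value at that point, bind() on an already-bound socket would report success. l2tp_ip_bind() starts and ends outside the hunk.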
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index 36f8fa223a78..d3c9eb8241b1 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -266,8 +266,6 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ 	int addr_type;
+ 	int err;
+ 
+-	if (!sock_flag(sk, SOCK_ZAPPED))
+-		return -EINVAL;
+ 	if (addr->l2tp_family != AF_INET6)
+ 		return -EINVAL;
+ 	if (addr_len < sizeof(*addr))
+@@ -293,6 +291,9 @@ static int l2tp_ip6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ 	lock_sock(sk);
+ 
+ 	err = -EINVAL;
++	if (!sock_flag(sk, SOCK_ZAPPED))
++		goto out_unlock;
++
+ 	if (sk->sk_state != TCP_CLOSE)
+ 		goto out_unlock;
+ 
+-- 
+2.12.0
+
+patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch
+From: Andy Whitcroft <apw at canonical.com>
+Date: Wed, 22 Mar 2017 07:29:31 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
+Patch-mainline: v4.11-rc5
+Git-commit: 677e806da4d916052585301785d847c3b3e6186a
+References: CVE-2017-7184 bsc#1030573
+
+When a new xfrm state is created during an XFRM_MSG_NEWSA call we
+validate the user supplied replay_esn to ensure that the size is valid
+and to ensure that the replay_window size is within the allocated
+buffer.  However later it is possible to update this replay_esn via a
+XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
+buffer matches the existing state and if so inject the contents.  We do
+not at this point check that the replay_window is within the allocated
+memory.  This leads to out-of-bounds reads and writes triggered by
+netlink packets.  This leads to memory corruption and the potential for
+priviledge escalation.
+
+We already attempt to validate the incoming replay information in
+xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
+is not trying to change the size of the replay state buffer which
+includes the replay_esn.  It however does not check the replay_window
+remains within that buffer.  Add validation of the contained
+replay_window.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw at canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 2091664295ba..1c1b9ed94719 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -389,6 +389,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ 	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ 		return -EINVAL;
+ 
++	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
++		return -EINVAL;
++
+ 	return 0;
+ }
+ 
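Review bot: The new bound `up->replay_window > up->bmp_len * sizeof(__u32) * 8` is computed from the user-supplied bmp_len alone; the product is evaluated in size_t, so on 32-bit builds a large bmp_len can wrap and leave replay_window effectively unchecked. In this series the following patch to the same function adds `replay_esn->bmp_len != up->bmp_len`, tying bmp_len to the existing state (which is presumably validated when the state is created), so the two patches should not be separated when cherry-picking. xfrm_replay_verify_len() starts outside the hunk.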
+-- 
+2.12.2
+
+patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
+From: Andy Whitcroft <apw at canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
+Patch-mainline: v4.11-rc5
+Git-commit: f843ee6dd019bcece3e74e76ad9df0155655d0df
+References: CVE-2017-7184 bsc#1030573
+
+Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
+wrapping issues.  To ensure we are correctly ensuring that the two ESN
+structures are the same size compare both the overall size as reported
+by xfrm_replay_state_esn_len() and the internal length are the same.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw at canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/xfrm/xfrm_user.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 1c1b9ed94719..2dc882637cdf 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -386,7 +386,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ 	up = nla_data(rp);
+ 	ulen = xfrm_replay_state_esn_len(up);
+ 
+-	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
++	/* Check the overall length and the internal bitmap length to avoid
++	 * potential overflow. */
++	if (nla_len(rp) < ulen ||
++	    xfrm_replay_state_esn_len(replay_esn) != ulen ||
++	    replay_esn->bmp_len != up->bmp_len)
+ 		return -EINVAL;
+ 
+ 	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+-- 
+2.12.2
+
+patches.fixes/ping-implement-proper-locking.patch
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 24 Mar 2017 19:36:13 -0700
+Subject: ping: implement proper locking
+Patch-mainline: v4.11-rc6
+Git-commit: 43a6684519ab0a6c52024b5e25322476cabad893
+References: CVE-2017-2671 bsc#1031003
+
+We got a report of yet another bug in ping
+
+http://www.openwall.com/lists/oss-security/2017/03/24/6
+
+->disconnect() is not called with socket lock held.
+
+Fix this by acquiring ping rwlock earlier.
+
+Thanks to Daniel, Alexander and Andrey for letting us know this problem.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Daniel Jiang <danieljiang0415 at gmail.com>
+Reported-by: Solar Designer <solar at openwall.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/ipv4/ping.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 3dac3d4aa26f..b670627106ef 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -154,17 +154,18 @@ void ping_hash(struct sock *sk)
+ void ping_unhash(struct sock *sk)
+ {
+ 	struct inet_sock *isk = inet_sk(sk);
++
+ 	pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
++	write_lock_bh(&ping_table.lock);
+ 	if (sk_hashed(sk)) {
+-		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
+ 		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = 0;
+ 		isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+-		write_unlock_bh(&ping_table.lock);
+ 	}
++	write_unlock_bh(&ping_table.lock);
+ }
+ EXPORT_SYMBOL_GPL(ping_unhash);
+ 
+-- 
+2.12.2
+
+patches.fixes/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: net/packet: fix overflow in check for priv area size
+Patch-mainline: v4.11-rc6
+Git-commit: 2b6867c2ce76c596676bec7d2d525af525fdc6e2
+References: CVE-2017-7308 bsc#1031579
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 3d6b2e111a55..6dcbc1249836 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3870,8 +3870,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ 		if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
+ 			goto out;
+ 		if (po->tp_version >= TPACKET_V3 &&
+-		    (int)(req->tp_block_size -
+-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++		    req->tp_block_size <=
++			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ 			goto out;
+ 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ 					po->tp_reserve))
+-- 
+2.12.2
+
+patches.fixes/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: net/packet: fix overflow in check for tp_frame_nr
+Patch-mainline: v4.11-rc6
+Git-commit: 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
+References: CVE-2017-7308 bsc#1031579
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 6dcbc1249836..2bc45a85dd8c 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3882,6 +3882,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ 		rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
+ 		if (unlikely(rb->frames_per_block <= 0))
+ 			goto out;
++		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++			goto out;
+ 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ 					req->tp_frame_nr))
+ 			goto out;
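Review bot: The added guard `UINT_MAX / req->tp_block_nr` divides by a user-supplied value, so if tp_block_nr can be zero on this path the division faults in the kernel. To my knowledge this block sits inside an `if (req->tp_block_nr)` branch in mainline, which would make it safe, but that enclosing condition is outside the hunk and should be confirmed in the 4.1 tree before relying on it. packet_set_ring() starts and ends outside the hunk.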
+-- 
+2.12.2
+
+patches.fixes/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: net/packet: fix overflow in check for tp_reserve
+Patch-mainline: v4.11-rc6
+Git-commit: bcc5364bdcfe131e6379363f089e7b4108d35b70
+References: CVE-2017-7308 bsc#1031579
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2bc45a85dd8c..b07f96947aee 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3377,6 +3377,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ 			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
++		if (val > INT_MAX)
++			return -EINVAL;
+ 		po->tp_reserve = val;
+ 		return 0;
+ 	}
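Review bot: The bare `if (val > INT_MAX) return -EINVAL;` gives no hint why INT_MAX is the bound; the reason (keeping po->tp_hdrlen + po->tp_reserve from overflowing) lives only in the patch header, which is lost once the patch is applied. A one-line comment above the check would keep the rationale with the code: `/* tp_hdrlen + tp_reserve must not overflow (CVE-2017-7308) */`. packet_setsockopt() starts and ends outside the hunk.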
+-- 
+2.12.2
+
+patches.fixes/net-socket-fix-recvmmsg-not-returning-error-from-soc.patch
+From: Maxime Jayat <maxime.jayat at mobile-devices.fr>
+Date: Tue, 21 Feb 2017 18:35:51 +0100
+Subject: net: socket: fix recvmmsg not returning error from sock_error
+Patch-mainline: v4.11-rc1
+Git-commit: e623a9e9dec29ae811d11f83d0074ba254aba374
+References: CVE-2016-7117 bsc#1003077
+
+Commit 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path"),
+changed the exit path of recvmmsg to always return the datagrams
+variable and modified the error paths to set the variable to the error
+code returned by recvmsg if necessary.
+
+However in the case sock_error returned an error, the error code was
+then ignored, and recvmmsg returned 0.
+
+Change the error path of recvmmsg to correctly return the error code
+of sock_error.
+
+The bug was triggered by using recvmmsg on a CAN interface which was
+not up. Linux 4.6 and later return 0 in this case while earlier
+releases returned -ENETDOWN.
+
+Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
+Signed-off-by: Maxime Jayat <maxime.jayat at mobile-devices.fr>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/socket.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index e66e4f357506..8327df0448f4 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2192,8 +2192,10 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+ 		return err;
+ 
+ 	err = sock_error(sock->sk);
+-	if (err)
++	if (err) {
++		datagrams = err;
+ 		goto out_put;
++	}
+ 
+ 	entry = mmsg;
+ 	compat_entry = (struct compat_mmsghdr __user *)mmsg;
+-- 
+2.12.2
+
+patches.fixes/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
+From: Michal Kubecek <mkubecek at suse.cz>
+Date: Tue, 3 Jan 2017 11:25:59 +0100
+Subject: netfilter: nfnetlink: correctly validate length of batch messages
+Patch-mainline: v4.5-rc6
+Git-commit: c58d6c93680f28ac58984af61d0a7ebf4319c241
+References: CVE-2016-7917 bsc#1010444
+
+If nlh->nlmsg_len is zero then an infinite loop is triggered because
+'skb_pull(skb, msglen);' pulls zero bytes.
+
+The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
+NLMSG_HDRLEN' which bypasses the length validation and will later
+trigger an out-of-bound read.
+
+If the length validation does fail then the malformed batch message is
+copied back to userspace. However, we cannot do this because the
+nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
+netlink_ack:
+
+    [   41.455421] ==================================================================
+    [   41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
+    [   41.456431] Read of size 4294967280 by task a.out/987
+    [   41.456431] =============================================================================
+    [   41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
+    [   41.456431] -----------------------------------------------------------------------------
+    ...
+    [   41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00  ................
+    [   41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00   ...............
+    [   41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05  ....... at EV."3...
+    [   41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb  ................
+                                            ^^ start of batch nlmsg with
+                                               nlmsg_len=4294967280
+    ...
+    [   41.456431] Memory state around the buggy address:
+    [   41.456431]  ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    [   41.456431]  ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    [   41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+    [   41.456431]                                ^
+    [   41.456431]  ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+    [   41.456431]  ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
+    [   41.456431] ==================================================================
+
+Fix this with better validation of nlh->nlmsg_len and by setting
+NFNL_BATCH_FAILURE if any batch message fails length validation.
+
+CAP_NET_ADMIN is required to trigger the bugs.
+
+Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
+Signed-off-by: Phil Turnbull <phil.turnbull at oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+openSUSE-42.1: NFNL_BATCH_FAILURE hasn't been introduced yet so just
+set success to false which has the same effect (immediate bailout
+which is what we also do for other malformed messages).
+
+---
+ net/netfilter/nfnetlink.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
+index 69e3ceffa14d..d8276282bccb 100644
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -320,10 +320,12 @@ replay:
+ 		nlh = nlmsg_hdr(skb);
+ 		err = 0;
+ 
+-		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+-		    skb->len < nlh->nlmsg_len) {
+-			err = -EINVAL;
+-			goto ack;
++		if (nlh->nlmsg_len < NLMSG_HDRLEN ||
++		    skb->len < nlh->nlmsg_len ||
++		    nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {
++			nfnl_err_reset(&err_list);
++			success = false;
++			goto done;
+ 		}
+ 
+ 		/* Only requests are handled by the kernel */
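Review bot: The backport replaces upstream's NFNL_BATCH_FAILURE handling with `success = false; goto done;`, and the only explanation of that substitution is in the patch header, which disappears once the patch is applied. A comment at the new lines, e.g. `/* no NFNL_BATCH_FAILURE in this tree: abort the batch as for any malformed message */`, would stop a later reader from "fixing" it back to the old ack path. Note also that placing `nlh->nlmsg_len < NLMSG_HDRLEN` first is what makes the later nlmsg_len(nlh) call safe from the underflow described in the header, so that ordering should be preserved if the condition is ever reshuffled. The enclosing loop starts and ends outside the hunk.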
+-- 
+2.11.0
+
+patches.fixes/netfilter-arp_tables-fix-invoking-32bit-iptable-P-IN.patch
+From: Hongxu Jia <hongxu.jia at windriver.com>
+Date: Tue, 29 Nov 2016 21:56:26 -0500
+Subject: netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
+Patch-mainline: v4.9-rc8
+Git-commit: 17a49cd549d9dc8707dc9262210166455c612dde
+References: CVE-2016-4997 CVE-2016-4998 bsc#986362 bsc#986365
+
+Since 09d9686047db ("netfilter: x_tables: do compat validation via
+translate_table"), it used compatr structure to assign newinfo
+structure.  In translate_compat_table of ip_tables.c and ip6_tables.c,
+it used compatr->hook_entry to replace info->hook_entry and
+compatr->underflow to replace info->underflow, but not do the same
+replacement in arp_tables.c.
+
+It caused invoking 32-bit "arptbale -P INPUT ACCEPT" failed in 64bit
+kernel.
+--------------------------------------
+root at qemux86-64:~# arptables -P INPUT ACCEPT
+root at qemux86-64:~# arptables -P INPUT ACCEPT
+ERROR: Policy for `INPUT' offset 448 != underflow 0
+arptables: Incompatible with this kernel
+--------------------------------------
+
+Fixes: 09d9686047db ("netfilter: x_tables: do compat validation via translate_table")
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+Acked-by: Florian Westphal <fw at strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Acked-by: Michal Kubecek <mkubecek at suse.cz>
+
+---
+ net/ipv4/netfilter/arp_tables.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index ebf5821caefb..7510a851d316 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1330,8 +1330,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
+ 
+ 	newinfo->number = compatr->num_entries;
+ 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
+-		newinfo->hook_entry[i] = info->hook_entry[i];
+-		newinfo->underflow[i] = info->underflow[i];
++		newinfo->hook_entry[i] = compatr->hook_entry[i];
++		newinfo->underflow[i] = compatr->underflow[i];
+ 	}
+ 	entry1 = newinfo->entries[raw_smp_processor_id()];
+ 	pos = entry1;
+-- 
+2.12.2
+
+patches.fixes/ext4-validate-s_first_meta_bg-at-mount-time.patch
+From 3a4b77cd47bb837b8557595ec7425f281f2ca1fe Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu at gmail.com>
+Date: Thu, 1 Dec 2016 15:08:37 -0500
+Subject: [PATCH] ext4: validate s_first_meta_bg at mount time
+Git-commit: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe
+Patch-mainline: v4.10-rc1
+References: bsc#1023377 CVE-2016-10208
+
+Ralf Spenneberg reported that he hit a kernel crash when mounting a
+modified ext4 image. And it turns out that kernel crashed when
+calculating fs overhead (ext4_calculate_overhead()), this is because
+the image has very large s_first_meta_bg (debug code shows it's
+842150400), and ext4 overruns the memory in count_overhead() when
+setting bitmap buffer, which is PAGE_SIZE.
+
+Ext4_calculate_overhead(): buf = get_zeroed_page(GFP_NOFS);  <=== PAGE_SIZE buffer
+  blks = count_overhead(sb, i, buf);
+
+Count_overhead(): for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400
+          ext4_set_bit(EXT4_B2C(sbi, s++), buf);   <=== buffer overrun
+          count++;
+  }
+
+This can be reproduced easily for me by this script:
+
+  #!/bin/bash
+  rm -f fs.img
+  mkdir -p /mnt/ext4
+  fallocate -l 16M fs.img
+  mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img
+  debugfs -w -R "ssv first_meta_bg 842150400" fs.img
+  mount -o loop fs.img /mnt/ext4
+
+Fix it by validating s_first_meta_bg first at mount time, and
+refusing to mount if its value exceeds the largest possible meta_bg
+number.
+
+Reported-by: Ralf Spenneberg <ralf at os-t.de>
+Signed-off-by: Eryu Guan <guaneryu at gmail.com>
+Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+Reviewed-by: Andreas Dilger <adilger at dilger.ca>
+Signed-off-by: Jan Kara <jack at suse.cz>
+
+---
+ fs/ext4/super.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3997,6 +3997,15 @@ static int ext4_fill_super(struct super_
+ 			(EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb)));
+ 	db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) /
+ 		   EXT4_DESC_PER_BLOCK(sb);
++	if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_META_BG)) {
++		if (le32_to_cpu(es->s_first_meta_bg) >= db_count) {
++			ext4_msg(sb, KERN_WARNING,
++				 "first meta block group too large: %u "
++				 "(group descriptor block count %u)",
++				 le32_to_cpu(es->s_first_meta_bg), db_count);
++			goto failed_mount;
++		}
++	}
+ 	sbi->s_group_desc = ext4_kvmalloc(db_count *
+ 					  sizeof(struct buffer_head *),
+ 					  GFP_KERNEL);
+patches.fixes/cuse-fix-memory-leak.patch
+From: Miklos Szeredi <miklos at szeredi.hu>
+Date: Tue, 10 Nov 2015 10:32:36 +0100
+Subject: cuse: fix memory leak
+Git-commit: 2c5816b4beccc8ba709144539f6fdd764f8fa49c
+Patch-mainline: v4.4-rc5
+References: bsc#969356, CVE-2015-1339
+
+The problem is that fuse_dev_alloc() acquires an extra reference to cc.fc,
+and the original ref count is never dropped.
+
+Reported-by: Colin Ian King <colin.king at canonical.com>
+Signed-off-by: Miklos Szeredi <miklos at szeredi.hu>
+Fixes: cc080e9e9be1 ("fuse: introduce per-instance fuse_dev structure")
+Cc: <stable at vger.kernel.org> # v4.2+
+Acked-by: Borislav Petkov <bp at suse.de>
+---
+ fs/fuse/cuse.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/fuse/cuse.c
++++ b/fs/fuse/cuse.c
+@@ -542,6 +542,8 @@ static int cuse_channel_release(struct i
+ 		unregister_chrdev_region(cc->cdev->dev, 1);
+ 		cdev_del(cc->cdev);
+ 	}
++	/* Base reference is now owned by "fud" */
++	fuse_conn_put(&cc->fc);
+ 
+ 	rc = fuse_dev_release(inode, file);	/* puts the base reference */
+ 
+patches.fixes/tmpfs-clear-S_ISGID-when-setting-posix-ACLs.patch
+From 497de07d89c1410d76a15bec2bb41f24a2a89f31 Mon Sep 17 00:00:00 2001
+From: Gu Zheng <guzheng1 at huawei.com>
+Date: Mon, 9 Jan 2017 09:34:48 +0800
+Subject: [PATCH] tmpfs: clear S_ISGID when setting posix ACLs
+Git-commit: 497de07d89c1410d76a15bec2bb41f24a2a89f31
+Patch-mainline: v4.10-rc4
+References: bsc#1021258 CVE-2017-5551
+
+This change was missed the tmpfs modification in In CVE-2016-7097
+commit 073931017b49 ("posix_acl: Clear SGID bit when setting
+file permissions")
+It can test by xfstest generic/375, which failed to clear
+setgid bit in the following test case on tmpfs:
+
+  touch $testfile
+  chown 100:100 $testfile
+  chmod 2755 $testfile
+  _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
+
+Signed-off-by: Gu Zheng <guzheng1 at huawei.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Jan Kara <jack at suse.cz>
+
+---
+ fs/posix_acl.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -903,11 +903,10 @@ int simple_set_acl(struct inode *inode,
+ 	int error;
+ 
+ 	if (type == ACL_TYPE_ACCESS) {
+-		error = posix_acl_equiv_mode(acl, &inode->i_mode);
+-		if (error < 0)
+-			return 0;
+-		if (error == 0)
+-			acl = NULL;
++		error = posix_acl_update_mode(inode,
++				&inode->i_mode, &acl);
++		if (error)
++			return error;
+ 	}
+ 
+ 	inode->i_ctime = CURRENT_TIME;
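Review bot: The new call to posix_acl_update_mode() assumes that helper already exists in this 4.1 tree; the header points at the CVE-2016-7097 fix (commit 073931017b49) as the change this one was missed from, and that is presumably where the helper comes from, but it is not part of this hunk. If that earlier fix is not already in the series, fs/posix_acl.c will fail to build, so it is worth checking before the release. simple_set_acl() starts and ends outside the hunk.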
+patches.fixes/sg-fix-double-free-when-drives-detach-during-sg_io.patch
+From: Calvin Owens <calvinowens at fb.com>
+Date: Fri, 30 Oct 2015 16:57:00 -0700
+Subject: sg: Fix double-free when drives detach during SG_IO
+Git-commit: f3951a3709ff50990bf3e188c27d346792103432
+Patch-mainline: v4.4-rc1
+References: CVE-2015-8962 bsc#1010501
+
+In sg_common_write(), we free the block request and return -ENODEV if
+the device is detached in the middle of the SG_IO ioctl().
+
+Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
+end up freeing rq->cmd in the already free rq object, and then free
+the object itself out from under the current user.
+
+This ends up corrupting random memory via the list_head on the rq
+object. The most common crash trace I saw is this:
+
+  ------------[ cut here ]------------
+  kernel BUG at block/blk-core.c:1420!
+  Call Trace:
+  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
+  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
+  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
+  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
+  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
+  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
+  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
+  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
+  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
+  [<ffffffff81602afb>] tracesys+0xdd/0xe2
+    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
+
+The solution is straightforward: just set srp->rq to NULL in the
+failure branch so that sg_finish_rem_req() doesn't attempt to re-free
+it.
+
+Additionally, since sg_rq_end_io() will never be called on the object
+when this happens, we need to free memory backing ->cmd if it isn't
+embedded in the object itself.
+
+KASAN was extremely helpful in finding the root cause of this bug.
+
+Signed-off-by: Calvin Owens <calvinowens at fb.com>
+Acked-by: Douglas Gilbert <dgilbert at interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn at suse.de>
+---
+ drivers/scsi/sg.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index 9d7b7db..503ab8b 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -787,8 +787,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
+ 		return k;	/* probably out of space --> ENOMEM */
+ 	}
+ 	if (atomic_read(&sdp->detaching)) {
+-		if (srp->bio)
++		if (srp->bio) {
++			if (srp->rq->cmd != srp->rq->__cmd)
++				kfree(srp->rq->cmd);
++
+ 			blk_end_request_all(srp->rq, -EIO);
++			srp->rq = NULL;
++		}
++
+ 		sg_finish_rem_req(srp);
+ 		return -ENODEV;
+ 	}
+
+patches.fixes/don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Tue, 6 Dec 2016 16:18:14 -0800
+Subject: Don't feed anything but regular iovec's to blk_rq_map_user_iov
+Git-commit: a0ac402cfcdc904f9772e1762b3fda112dcc56a0
+Patch-mainline: v4.10 or v4.9-rc9 (next release)
+References: CVE-2016-9576 bsc#1013604
+
+In theory we could map other things, but there's a reason that function
+is called "user_iov".  Using anything else (like splice can do) just
+confuses it.
+
+Reported-and-tested-by: Johannes Thumshirn <jthumshirn at suse.de>
+Cc: Al Viro <viro at ZenIV.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: Johannes Thumshirn <jthumshirn at suse.de>
+---
+ block/blk-map.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -90,6 +90,9 @@ int blk_rq_map_user_iov(struct request_q
+ 	if (!iter || !iter->count)
+ 		return -EINVAL;
+ 
++	if (!iter_is_iovec((struct iov_iter *) iter))
++		return -EINVAL;
++
+ 	iov_for_each(iov, i, *iter) {
+ 		unsigned long uaddr = (unsigned long) iov.iov_base;
+ 
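Review bot: The `(struct iov_iter *)` cast strips the const qualifier from `iter` purely to satisfy the helper's prototype, which would hide a real const violation if iter_is_iovec() ever grew a write; if this tree's iter_is_iovec() only reads `i->type`, the cleaner backport is to give it a const parameter and drop the cast. Independently, it is worth confirming on 4.1 that the iterator types splice can hand to sg/bsg are ones this test rejects: the mainline report involved ITER_PIPE, which as far as I recall postdates this kernel, so here the check only turns away bvec/kvec callers. A one-line comment would help the next reader: `/* user iovecs only: any other iterator's iov_base would be treated as a user address below */`. blk_rq_map_user_iov() begins before this hunk.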
+patches.fixes/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
+From: peter chang <dpf at google.com>
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
+Git-commit: bf33f87dd04c371ea33feb821b60d63d754e3124
+Patch-mainline: v4.11-rc5
+References: bsc#1030213, CVE-2017-7187
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Peter Chang <dpf at google.com>
+Acked-by: Douglas Gilbert <dgilbert at interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+Acked-by: Johannes Thumshirn <jthumshirn at suse.de>
+---
+ drivers/scsi/sg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index e831e01..849ff81 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
+ 		result = get_user(val, ip);
+ 		if (result)
+ 			return result;
++		if (val > SG_MAX_CDB_SIZE)
++			return -ENOMEM;
+ 		sfp->next_cmd_len = (val > 0) ? val : 0;
+ 		return 0;
+ 	case SG_GET_VERSION_NUM:
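Review bot: `-ENOMEM` is a misleading errno for a user-supplied length that is merely out of range; `-EINVAL` is what a caller of SG_NEXT_CMD_LEN would expect, and mainline's choice looks incidental. Keeping the mainline code for parity with bf33f87dd04c is defensible, but then say so: `/* mainline returns -ENOMEM for an oversized CDB length; kept for parity, -EINVAL would be conventional */`. Note the check bounds only the upper end — negative values are still clamped to 0 on the next line, which preserves the old ABI. sg_ioctl() starts and ends outside this hunk.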
+
+patches.fixes/media-xc2028-avoid-use-after-free
+From 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+Date: Thu, 28 Jan 2016 09:22:44 -0200
+Subject: [PATCH] [media] xc2028: avoid use after free
+Git-commit: 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18
+Patch-mainline: 4.6-rc1
+References: CVE-2016-7913,bsc#1010478
+
+If struct xc2028_config is passed without a firmware name,
+the following trouble may happen:
+
+[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
+[11009.907491] ==================================================================
+[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
+[11009.907992] Read of size 1 by task modprobe/28992
+[11009.907994] =============================================================================
+[11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
+[11009.907999] -----------------------------------------------------------------------------
+
+[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
+[11009.908012] 	___slab_alloc+0x581/0x5b0
+[11009.908014] 	__slab_alloc+0x51/0x90
+[11009.908017] 	__kmalloc+0x27b/0x350
+[11009.908022] 	xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
+[11009.908026] 	usb_hcd_submit_urb+0x1e8/0x1c60
+[11009.908029] 	usb_submit_urb+0xb0e/0x1200
+[11009.908032] 	usb_serial_generic_write_start+0xb6/0x4c0
+[11009.908035] 	usb_serial_generic_write+0x92/0xc0
+[11009.908039] 	usb_console_write+0x38a/0x560
+[11009.908045] 	call_console_drivers.constprop.14+0x1ee/0x2c0
+[11009.908051] 	console_unlock+0x40d/0x900
+[11009.908056] 	vprintk_emit+0x4b4/0x830
+[11009.908061] 	vprintk_default+0x1f/0x30
+[11009.908064] 	printk+0x99/0xb5
+[11009.908067] 	kasan_report_error+0x10a/0x550
+[11009.908070] 	__asan_report_load1_noabort+0x43/0x50
+[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
+[11009.908077] 	__slab_free+0x2ec/0x460
+[11009.908080] 	kfree+0x266/0x280
+[11009.908083] 	xc2028_set_config+0x90/0x630 [tuner_xc2028]
+[11009.908086] 	xc2028_attach+0x310/0x8a0 [tuner_xc2028]
+[11009.908090] 	em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
+[11009.908094] 	em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
+[11009.908098] 	em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
+[11009.908101] 	em28xx_register_extension+0xd9/0x190 [em28xx]
+[11009.908105] 	em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
+[11009.908108] 	do_one_initcall+0x141/0x300
+[11009.908111] 	do_init_module+0x1d0/0x5ad
+[11009.908114] 	load_module+0x6666/0x9ba0
+[11009.908117] 	SyS_finit_module+0x108/0x130
+[11009.908120] 	entry_SYSCALL_64_fastpath+0x16/0x76
+[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
+[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
+
+[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
+[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
+[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
+[11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
+[11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
+[11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
+[11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
+[11009.908158] Call Trace:
+[11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
+[11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
+[11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
+[11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
+[11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
+[11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
+[11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
+[11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
+[11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
+[11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
+[11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
+[11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
+[11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
+[11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
+[11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
+[11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
+[11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
+[11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
+[11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
+[11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
+[11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
+[11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
+[11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
+[11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
+[11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
+[11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
+[11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
+[11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
+[11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
+[11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
+[11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
+[11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
+[11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
+[11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
+[11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
+[11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
+[11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
+[11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
+[11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
+[11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
+[11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
+[11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
+[11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
+[11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
+[11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
+[11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
+[11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
+[11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
+[11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
+[11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
+[11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
+[11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
+[11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
+[11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
+[11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
+[11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
+[11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
+[11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
+[11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
+[11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
+[11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
+[11009.908396] Memory state around the buggy address:
+[11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
+[11009.908405]                                            ^
+[11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[11009.908411] ==================================================================
+
+In order to avoid it, let's set the cached value of the firmware
+name to NULL after freeing it. While here, return an error if
+the memory allocation fails.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ drivers/media/tuners/tuner-xc2028.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/tuners/tuner-xc2028.c
++++ b/drivers/media/tuners/tuner-xc2028.c
+@@ -1403,11 +1403,12 @@ static int xc2028_set_config(struct dvb_
+ 	 * in order to avoid troubles during device release.
+ 	 */
+ 	kfree(priv->ctrl.fname);
++	priv->ctrl.fname = NULL;
+ 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
+ 	if (p->fname) {
+ 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
+ 		if (priv->ctrl.fname == NULL)
+-			rc = -ENOMEM;
++			return -ENOMEM;
+ 	}
+ 
+ 	/*
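Review bot: On its own this patch is unsafe in two ways that the next two patches in this series immediately repair: the new `return -ENOMEM` leaves `priv->lock` held, and the `priv->ctrl.fname = NULL` is overwritten by the `memcpy()` on the next line, so the use-after-free it targets remains. Carrying all three means a bisect landing between them hits a held mutex; if this patch stack is ever re-based, squashing the three xc2028 patches (or carrying only 22a1e7783e17 with its context adjusted) would avoid that. xc2028_set_config() starts and ends outside this hunk.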
+patches.fixes/media-xc2028-unlock-on-error-in-xc2028_set_config
+From 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Wed, 3 Feb 2016 13:34:00 -0200
+Subject: [PATCH] [media] xc2028: unlock on error in xc2028_set_config()
+Git-commit: 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d
+Patch-mainline: 4.6-rc1
+References: CVE-2016-7913 bsc#1010478
+
+We have to unlock before returning -ENOMEM.
+
+Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+Acked-by: Takashi Iwai <tiwai at suse.de>
+
+---
+ drivers/media/tuners/tuner-xc2028.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/tuners/tuner-xc2028.c
++++ b/drivers/media/tuners/tuner-xc2028.c
+@@ -1407,8 +1407,10 @@ static int xc2028_set_config(struct dvb_
+ 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
+ 	if (p->fname) {
+ 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
+-		if (priv->ctrl.fname == NULL)
+-			return -ENOMEM;
++		if (priv->ctrl.fname == NULL) {
++			rc = -ENOMEM;
++			goto unlock;
++		}
+ 	}
+ 
+ 	/*
+@@ -1440,6 +1442,7 @@ static int xc2028_set_config(struct dvb_
+ 		} else
+ 			priv->state = XC2028_WAITING_FIRMWARE;
+ 	}
++unlock:
+ 	mutex_unlock(&priv->lock);
+ 
+ 	return rc;
+patches.fixes/xc2028-Fix-use-after-free-bug-properly
+From 22a1e7783e173ab3d86018eb590107d68df46c11 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai at suse.de>
+Date: Thu, 17 Nov 2016 10:49:31 +0100
+Subject: [PATCH] xc2028: Fix use-after-free bug properly
+Git-commit: 22a1e7783e173ab3d86018eb590107d68df46c11
+References: CVE-2016-7913 bsc#1010478
+Patch-mainline: 4.9-rc7
+
+The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried
+to address the reported use-after-free by clearing the reference.
+
+However, it's clearing the wrong pointer; it sets NULL to
+priv->ctrl.fname, but it's anyway overwritten by the next line
+memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
+
+OTOH, the actual code accessing the freed string is the strcmp() call
+with priv->fname:
+	if (!firmware_name[0] && p->fname &&
+	    priv->fname && strcmp(p->fname, priv->fname))
+		free_firmware(priv);
+
+where priv->fname points to the previous file name, and this was
+already freed by kfree().
+
+For fixing the bug properly, this patch does the following:
+
+- Keep the copy of firmware file name in only priv->fname,
+  priv->ctrl.fname isn't changed;
+- The allocation is done only when the firmware gets loaded;
+- The kfree() is called in free_firmware() commonly
+
+Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+
+---
+ drivers/media/tuners/tuner-xc2028.c | 37 ++++++++++++++++---------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
+index 317ef63ee789..8d96a22647b3 100644
+--- a/drivers/media/tuners/tuner-xc2028.c
++++ b/drivers/media/tuners/tuner-xc2028.c
+@@ -281,6 +281,14 @@ static void free_firmware(struct xc2028_data *priv)
+ 	int i;
+ 	tuner_dbg("%s called\n", __func__);
+ 
++	/* free allocated f/w string */
++	if (priv->fname != firmware_name)
++		kfree(priv->fname);
++	priv->fname = NULL;
++
++	priv->state = XC2028_NO_FIRMWARE;
++	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
++
+ 	if (!priv->firm)
+ 		return;
+ 
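Review bot: `priv->fname != firmware_name` turns pointer identity into an ownership test, so every writer of `priv->fname` must store either the module-parameter array itself or a kstrdup() result; any other assignment (for example pointing it at `priv->ctrl.fname`, which is what the removed code in this same patch used to do) would now be kfree()'d. That invariant is not stated anywhere; a comment at the top of this block such as `/* priv->fname is either the firmware_name module parameter or a kstrdup()'d copy we own */` would protect it. Moving the state reset ahead of the `!priv->firm` early return looks correct. free_firmware() continues past this hunk.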
+@@ -291,9 +299,6 @@ static void free_firmware(struct xc2028_data *priv)
+ 
+ 	priv->firm = NULL;
+ 	priv->firm_size = 0;
+-	priv->state = XC2028_NO_FIRMWARE;
+-
+-	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
+ }
+ 
+ static int load_all_firmwares(struct dvb_frontend *fe,
+@@ -884,9 +889,8 @@ static int check_firmware(struct dvb_frontend *fe, unsigned int type,
+ 	return 0;
+ 
+ fail:
+-	priv->state = XC2028_NO_FIRMWARE;
++	free_firmware(priv);
+ 
+-	memset(&priv->cur_fw, 0, sizeof(priv->cur_fw));
+ 	if (retry_count < 8) {
+ 		msleep(50);
+ 		retry_count++;
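Review bot: Calling free_firmware() on the `fail:` path changes more than the name handling: judging by the free_firmware() body earlier in this patch it also releases `priv->firm` and zeroes `priv->firm_size`, whereas the removed lines only reset the state and `cur_fw`. The `goto retry` that follows (the `retry:` label and the rest of check_firmware() are outside this hunk) therefore re-runs with no firmware table unless that path re-requests it, which would turn the up-to-eight retries into a delay loop ending in failure. If the retry path does not reload, either keep the old two-line reset here and only clear the name, or leave the loop once the table is gone; worth checking against the full function before shipping.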
+@@ -1332,11 +1336,8 @@ static int xc2028_dvb_release(struct dvb_frontend *fe)
+ 	mutex_lock(&xc2028_list_mutex);
+ 
+ 	/* only perform final cleanup if this is the last instance */
+-	if (hybrid_tuner_report_instance_count(priv) == 1) {
++	if (hybrid_tuner_report_instance_count(priv) == 1)
+ 		free_firmware(priv);
+-		kfree(priv->ctrl.fname);
+-		priv->ctrl.fname = NULL;
+-	}
+ 
+ 	if (priv)
+ 		hybrid_tuner_release_state(priv);
+@@ -1399,19 +1400,8 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
+ 
+ 	/*
+ 	 * Copy the config data.
+-	 * For the firmware name, keep a local copy of the string,
+-	 * in order to avoid troubles during device release.
+ 	 */
+-	kfree(priv->ctrl.fname);
+-	priv->ctrl.fname = NULL;
+ 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
+-	if (p->fname) {
+-		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
+-		if (priv->ctrl.fname == NULL) {
+-			rc = -ENOMEM;
+-			goto unlock;
+-		}
+-	}
+ 
+ 	/*
+ 	 * If firmware name changed, frees firmware. As free_firmware will
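Review bot: After this change `memcpy(&priv->ctrl, p, ...)` copies the caller's `fname` pointer verbatim, so `priv->ctrl.fname` now aliases memory the driver does not own and that must stay valid for as long as the config is consulted; the surviving comment only says "Copy the config data." and no longer warns about that. Suggest: `/* Copy the config data. ctrl.fname keeps pointing at the caller's string; the driver's own copy lives in priv->fname. */`. xc2028_set_config() begins before this hunk.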
+@@ -1426,10 +1416,15 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
+ 
+ 	if (priv->state == XC2028_NO_FIRMWARE) {
+ 		if (!firmware_name[0])
+-			priv->fname = priv->ctrl.fname;
++			priv->fname = kstrdup(p->fname, GFP_KERNEL);
+ 		else
+ 			priv->fname = firmware_name;
+ 
++		if (!priv->fname) {
++			rc = -ENOMEM;
++			goto unlock;
++		}
++
+ 		rc = request_firmware_nowait(THIS_MODULE, 1,
+ 					     priv->fname,
+ 					     priv->i2c_props.adap->dev.parent,
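Review bot: `kstrdup(NULL, GFP_KERNEL)` returns NULL, so a config that carries no `fname` (the exact situation the original report describes) is now reported as `-ENOMEM`, conflating a caller error with memory pressure. Distinguish the two before duplicating, inside the `XC2028_NO_FIRMWARE` branch: `if (!firmware_name[0] && !p->fname) { rc = -EINVAL; goto unlock; }` ahead of the kstrdup, unless some caller relies on a default firmware name supplied elsewhere, which is not visible here. The `unlock:` label and the rest of xc2028_set_config() are outside this hunk.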
+-- 
+2.10.2
+
+patches.fixes/irda-fix-lockdep-annotations-in-hashbin_delete.patch
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 17 Feb 2017 16:19:39 -0500
+Subject: irda: Fix lockdep annotations in hashbin_delete().
+Git-commit: 4c03b862b12f980456f9de92db6d508a4999b788
+Patch-mainline: v4.10
+References: bsc#1027178, CVE-2017-6348
+
+A nested lock depth was added to the hasbin_delete() code but it
+doesn't actually work some well and results in tons of lockdep splats.
+
+Fix the code instead to properly drop the lock around the operation
+and just keep peeking the head of the hashbin queue.
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Tested-by: Dmitry Vyukov <dvyukov at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Acked-by: Borislav Petkov <bp at suse.de>
+---
+ net/irda/irqueue.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
+index acbe61c7e683..160dc89335e2 100644
+--- a/net/irda/irqueue.c
++++ b/net/irda/irqueue.c
+@@ -383,9 +383,6 @@ hashbin_t *hashbin_new(int type)
+  *    for deallocating this structure if it's complex. If not the user can
+  *    just supply kfree, which should take care of the job.
+  */
+-#ifdef CONFIG_LOCKDEP
+-static int hashbin_lock_depth = 0;
+-#endif
+ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ {
+ 	irda_queue_t* queue;
+@@ -396,22 +393,27 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ 	IRDA_ASSERT(hashbin->magic == HB_MAGIC, return -1;);
+ 
+ 	/* Synchronize */
+-	if ( hashbin->hb_type & HB_LOCK ) {
+-		spin_lock_irqsave_nested(&hashbin->hb_spinlock, flags,
+-					 hashbin_lock_depth++);
+-	}
++	if (hashbin->hb_type & HB_LOCK)
++		spin_lock_irqsave(&hashbin->hb_spinlock, flags);
+ 
+ 	/*
+ 	 *  Free the entries in the hashbin, TODO: use hashbin_clear when
+ 	 *  it has been shown to work
+ 	 */
+ 	for (i = 0; i < HASHBIN_SIZE; i ++ ) {
+-		queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
+-		while (queue ) {
+-			if (free_func)
+-				(*free_func)(queue);
+-			queue = dequeue_first(
+-				(irda_queue_t**) &hashbin->hb_queue[i]);
++		while (1) {
++			queue = dequeue_first((irda_queue_t**) &hashbin->hb_queue[i]);
++
++			if (!queue)
++				break;
++
++			if (free_func) {
++				if (hashbin->hb_type & HB_LOCK)
++					spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
++				free_func(queue);
++				if (hashbin->hb_type & HB_LOCK)
++					spin_lock_irqsave(&hashbin->hb_spinlock, flags);
++			}
+ 		}
+ 	}
+ 
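Review bot: Dropping `hb_spinlock` around `free_func(queue)` is the right cure if the callback can re-enter hashbin code and take the same lock (which is what the lockdep splats and the CVE reference suggest), but it also lets other CPUs observe the hashbin half-torn-down and even insert into it in the window; the function cannot check that, so the contract belongs in a comment above the loop: `/* Lock is dropped while free_func runs since it may re-acquire hb_spinlock; callers must guarantee no concurrent users of this hashbin. */`. The `hb_type & HB_LOCK` test is now evaluated three times per element; a single `bool locked = hashbin->hb_type & HB_LOCK;` read before the loop would make the unlock/lock pairing obvious. hashbin_delete() continues past this hunk.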
+@@ -420,12 +422,8 @@ int hashbin_delete( hashbin_t* hashbin, FREE_FUNC free_func)
+ 	hashbin->magic = ~HB_MAGIC;
+ 
+ 	/* Release lock */
+-	if ( hashbin->hb_type & HB_LOCK) {
++	if (hashbin->hb_type & HB_LOCK)
+ 		spin_unlock_irqrestore(&hashbin->hb_spinlock, flags);
+-#ifdef CONFIG_LOCKDEP
+-		hashbin_lock_depth--;
+-#endif
+-	}
+ 
<Skipped 1522 lines>

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/f2ed6f667ed0c8935eab85d22159e669464522be



