From 327c921aa72698030b650cc0995782f3e1a0b14c Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 23 May 2016 02:34:39 +0100 Subject: [PATCH] Update to 4.5.5 Drop changes that were applied upstream. Fix/ignore ABI changes. --- debian/changelog | 89 ++++++- debian/config/defines | 1 + ...unimplemented-scatter-gather-feature.patch | 37 --- ...x-check_map_func_compatibility-logic.patch | 94 ------- ...fdput-in-replace_map_fd_with_map_ptr.patch | 41 --- .../bugfix/all/bpf-fix-refcnt-overflow.patch | 147 ----------- ...ix-page-length-clamping-in-hash-walk.patch | 31 --- ...filename-handle-malformed-nm-entries.patch | 60 ----- .../bugfix/all/net-fix-infoleak-in-llc.patch | 29 --- .../all/net-fix-infoleak-in-rtnetlink.patch | 45 ---- ...id-kernel-pointer-value-leak-in-slab.patch | 45 ---- ...t-fix-compile-errors-when-glibc-net-.patch | 245 ------------------ .../net-sched-fix-abi-change-in-4.5.5.patch | 35 +++ debian/patches/series | 11 +- 14 files changed, 125 insertions(+), 785 deletions(-) delete mode 100644 debian/patches/bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch delete mode 100644 debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch delete mode 100644 debian/patches/bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch delete mode 100644 debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch delete mode 100644 debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch delete mode 100644 debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch delete mode 100644 debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch delete mode 100644 debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch delete mode 100644 debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch delete mode 100644 debian/patches/bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch create mode 100644 debian/patches/debian/net-sched-fix-abi-change-in-4.5.5.patch diff --git a/debian/changelog b/debian/changelog index 23e00f4dd..264417726 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,91 @@ -linux (4.5.4-2) UNRELEASED; urgency=medium +linux (4.5.5-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5 + - decnet: Do not build routes to devices without decnet private data. + - route: do not cache fib route info on local routes with oif + - packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface + - net: sched: do not requeue a NULL skb + - bpf/verifier: reject invalid LD_ABS | BPF_DW instruction + - cdc_mbim: apply "NDP to end" quirk to all Huawei devices + - soreuseport: fix ordering for mixed v4/v6 sockets + - net: use skb_postpush_rcsum instead of own implementations + - vlan: pull on __vlan_insert_tag error path and fix csum correction + - openvswitch: Orphan skbs before IPv6 defrag + - openvswitch: use flow protocol when recalculating ipv6 checksums + - net/mlx5_core: Fix soft lockup in steering error flow + - net/mlx5e: Device's mtu field is u16 and not int + - net/mlx5e: Fix minimum MTU + - net/mlx5e: Use vport MTU rather than physical port MTU + - ipv4/fib: don't warn when primary address is missing if in_dev is dead + - net/mlx4_en: fix spurious timestamping callbacks + - net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case + - gre: do not pull header in ICMP error processing + - net_sched: introduce qdisc_replace() helper + - net_sched: update hierarchical backlog too + - sch_htb: update backlog as well + - sch_dsmark: update backlog as well + - netem: Segment GSO packets on enqueue + - ipv6/ila: fix nlsize calculation for lwtunnel + - net/mlx4_en: Fix endianness bug in IPV6 csum calculation + - [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only + - net: bridge: fix old ioctl unlocked net device walk + - bridge: fix igmp / mld query parsing + - net: fix a kernel infoleak in x25 module + - net: thunderx: avoid exposing kernel stack + - tcp: refresh skb timestamp at retransmit time + - net/route: enforce hoplimit max value + - ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang + - ocfs2: fix posix_acl_create deadlock + - zsmalloc: fix zs_can_compact() integer overflow + - mm: thp: calculate the mapcount correctly for THP pages during WP faults + - [x86] crypto: qat - fix invalid pf2vf_resp_wq logic + - crypto: testmgr - Use kmalloc memory for RSA input + - ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2) + - ALSA: usb-audio: Yet another Phoneix Audio device quirk + - ALSA: hda - Fix subwoofer pin on ASUS N751 and N551 + - ALSA: hda - Fix white noise on Asus UX501VW headset + - ALSA: hda - Fix broken reconfig + - [armhf] spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is + overridden + - [armhf] spi: spi-ti-qspi: Handle truncated frames properly + - perf diff: Fix duplicated output column + - perf/core: Disable the event on a truncated AUX record + - vfs: rename: check backing inode being equal + - workqueue: fix rebind bound workers warning + - [armhf] regulator: s2mps11: Fix invalid selector mask and voltages + for buck9 + - [armhf] regulator: axp20x: Fix axp22x ldo_io voltage ranges + - atomic_open(): fix the handling of create_error + - qla1280: Don't allocate 512kb of host tags + - tools lib traceevent: Do not reassign parg after collapse_tree() + - Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing" + - [x86] drm/i915: Update CDCLK_FREQ register on BDW after changing cdclk + frequency + - drm/radeon: fix PLL sharing on DCE6.1 (v2) + - [x86] drm/i915: Bail out of pipe config compute loop on LPT + - [x86] Revert "drm/i915: start adding dp mst audio" + - [x86] drm/i915/bdw: Add missing delay during L3 SQC credit programming + - drm/radeon: fix DP link training issue with second 4K monitor + - drm/radeon: fix DP mode validation + - [x86] drm/amdgpu: fix DP mode validation + - btrfs: reada: Fix in-segment calculation for reada + - Btrfs: fix truncate_space_check + - btrfs: remove error message from search ioctl for nonexistent tree + - btrfs: change max_inline default to 2048 + - Btrfs: fix unreplayable log after snapshot delete + parent dir fsync + - Btrfs: fix file loss on log replay after renaming a file and fsync + - Btrfs: fix extent_same allowing destination offset beyond i_size + - Btrfs: fix deadlock between direct IO reads and buffered writes + - Btrfs: fix race when checking if we can skip fsync'ing an inode + - Btrfs: do not collect ordered extents when logging that inode exists + - btrfs: csum_tree_block: return proper errno value + - btrfs: do not write corrupted metadata blocks to disk + - Btrfs: fix invalid reference in replace_path + - btrfs: handle non-fatal errors in btrfs_qgroup_inherit() + - btrfs: fallback to vmalloc in btrfs_compare_tree + - Btrfs: don't use src fd for printk + - btrfs: Reset IO error counters before start of device replacing [ Salvatore Bonaccorso ] * tipc: check nl sock before parsing nested attributes (CVE-2016-4951) diff --git a/debian/config/defines b/debian/config/defines index 464e1dbd8..e0b1287a4 100644 --- a/debian/config/defines +++ b/debian/config/defines @@ -1,6 +1,7 @@ [abi] abiname: 2 ignore-changes: + module:drivers/net/ethernet/* module:sound/hda/* zpci_disable_device zpci_enable_device diff --git a/debian/patches/bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch b/debian/patches/bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch deleted file mode 100644 index df43429fb..000000000 --- a/debian/patches/bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Ben Hutchings -Date: Wed, 20 Apr 2016 23:23:08 +0100 -Subject: atl2: Disable unimplemented scatter/gather feature -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=f43bfaeddc79effbf3d0fcb53ca477cca66f3db8 - -atl2 includes NETIF_F_SG in hw_features even though it has no support -for non-linear skbs. This bug was originally harmless since the -driver does not claim to implement checksum offload and that used to -be a requirement for SG. - -Now that SG and checksum offload are independent features, if you -explicitly enable SG *and* use one of the rare protocols that can use -SG without checkusm offload, this potentially leaks sensitive -information (before you notice that it just isn't working). Therefore -this obscure bug has been designated CVE-2016-2117. - -Reported-by: Justin Yackoski -Signed-off-by: Ben Hutchings -Fixes: ec5f06156423 ("net: Kill link between CSUM and SG features.") -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/atheros/atlx/atl2.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c -index 8f76f4558a88..2ff465848b65 100644 ---- a/drivers/net/ethernet/atheros/atlx/atl2.c -+++ b/drivers/net/ethernet/atheros/atlx/atl2.c -@@ -1412,7 +1412,7 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - err = -EIO; - -- netdev->hw_features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_RX; -+ netdev->hw_features = NETIF_F_HW_VLAN_CTAG_RX; - netdev->features |= (NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); - - /* Init PHY as early as possible due to power saving issue */ diff --git a/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch b/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch deleted file mode 100644 index 83a0254f5..000000000 --- a/debian/patches/bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch +++ /dev/null @@ -1,94 +0,0 @@ -From: Alexei Starovoitov -Date: Wed, 27 Apr 2016 18:56:21 -0700 -Subject: [3/3] bpf: fix check_map_func_compatibility logic -Origin: https://git.kernel.org/linus/6aff67c85c9e5a4bc99e5211c1bac547936626ca - -The commit 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter") -introduced clever way to check bpf_helper<->map_type compatibility. -Later on commit a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") adjusted -the logic and inadvertently broke it. -Get rid of the clever bool compare and go back to two-way check -from map and from helper perspective. - -Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper") -Reported-by: Jann Horn -Signed-off-by: Alexei Starovoitov -Signed-off-by: Daniel Borkmann -Signed-off-by: David S. Miller -[bwh: Backported to 4.5: - - Drop the STACK_TRACE case - - No verbose() logging] ---- ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -239,15 +239,6 @@ static const char * const reg_type_str[] - [CONST_IMM] = "imm", - }; - --static const struct { -- int map_type; -- int func_id; --} func_limit[] = { -- {BPF_MAP_TYPE_PROG_ARRAY, BPF_FUNC_tail_call}, -- {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_read}, -- {BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_FUNC_perf_event_output}, --}; -- - static void print_verifier_state(struct verifier_env *env) - { - enum bpf_reg_type t; -@@ -898,24 +889,42 @@ static int check_func_arg(struct verifie - - static int check_map_func_compatibility(struct bpf_map *map, int func_id) - { -- bool bool_map, bool_func; -- int i; -- - if (!map) - return 0; - -- for (i = 0; i < ARRAY_SIZE(func_limit); i++) { -- bool_map = (map->map_type == func_limit[i].map_type); -- bool_func = (func_id == func_limit[i].func_id); -- /* only when map & func pair match it can continue. -- * don't allow any other map type to be passed into -- * the special func; -- */ -- if (bool_func && bool_map != bool_func) -- return -EINVAL; -+ /* We need a two way check, first is from map perspective ... */ -+ switch (map->map_type) { -+ case BPF_MAP_TYPE_PROG_ARRAY: -+ if (func_id != BPF_FUNC_tail_call) -+ goto error; -+ break; -+ case BPF_MAP_TYPE_PERF_EVENT_ARRAY: -+ if (func_id != BPF_FUNC_perf_event_read && -+ func_id != BPF_FUNC_perf_event_output) -+ goto error; -+ break; -+ default: -+ break; -+ } -+ -+ /* ... and second from the function itself. */ -+ switch (func_id) { -+ case BPF_FUNC_tail_call: -+ if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY) -+ goto error; -+ break; -+ case BPF_FUNC_perf_event_read: -+ case BPF_FUNC_perf_event_output: -+ if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY) -+ goto error; -+ break; -+ default: -+ break; - } - - return 0; -+error: -+ return -EINVAL; - } - - static int check_call(struct verifier_env *env, int func_id) diff --git a/debian/patches/bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/debian/patches/bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch deleted file mode 100644 index 4c43fcdb7..000000000 --- a/debian/patches/bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Jann Horn -Date: Tue, 26 Apr 2016 22:26:26 +0200 -Subject: [1/3] bpf: fix double-fdput in replace_map_fd_with_map_ptr() -Origin: https://git.kernel.org/linus/8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 - -When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode -references a non-map file descriptor as a map file descriptor, the error -handling code called fdput() twice instead of once (in __bpf_map_get() and -in replace_map_fd_with_map_ptr()). If the file descriptor table of the -current task is shared, this causes f_count to be decremented too much, -allowing the struct file to be freed while it is still in use -(use-after-free). This can be exploited to gain root privileges by an -unprivileged user. - -This bug was introduced in -commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only -exploitable since -commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because -previously, CAP_SYS_ADMIN was required to reach the vulnerable code. - -(posted publicly according to request by maintainer) - -Signed-off-by: Jann Horn -Signed-off-by: Linus Torvalds -Acked-by: Alexei Starovoitov -Acked-by: Daniel Borkmann -Signed-off-by: David S. Miller ---- - kernel/bpf/verifier.c | 1 - - 1 file changed, 1 deletion(-) - ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2003,7 +2003,6 @@ static int replace_map_fd_with_map_ptr(s - if (IS_ERR(map)) { - verbose("fd %d is not pointing to valid bpf_map\n", - insn->imm); -- fdput(f); - return PTR_ERR(map); - } - diff --git a/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch b/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch deleted file mode 100644 index a5b3d77fc..000000000 --- a/debian/patches/bugfix/all/bpf-fix-refcnt-overflow.patch +++ /dev/null @@ -1,147 +0,0 @@ -From: Alexei Starovoitov -Date: Wed, 27 Apr 2016 18:56:20 -0700 -Subject: [2/3] bpf: fix refcnt overflow -Origin: https://git.kernel.org/linus/92117d8443bc5afacc8d5ba82e541946310f106e - -On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK, -the malicious application may overflow 32-bit bpf program refcnt. -It's also possible to overflow map refcnt on 1Tb system. -Impose 32k hard limit which means that the same bpf program or -map cannot be shared by more than 32k processes. - -Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs") -Reported-by: Jann Horn -Signed-off-by: Alexei Starovoitov -Acked-by: Daniel Borkmann -Signed-off-by: David S. Miller ---- - include/linux/bpf.h | 3 ++- - kernel/bpf/inode.c | 7 ++++--- - kernel/bpf/syscall.c | 24 ++++++++++++++++++++---- - kernel/bpf/verifier.c | 11 +++++++---- - 4 files changed, 33 insertions(+), 12 deletions(-) - ---- a/include/linux/bpf.h -+++ b/include/linux/bpf.h -@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_p - void bpf_register_map_type(struct bpf_map_type_list *tl); - - struct bpf_prog *bpf_prog_get(u32 ufd); -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog); - void bpf_prog_put(struct bpf_prog *prog); - void bpf_prog_put_rcu(struct bpf_prog *prog); - - struct bpf_map *bpf_map_get_with_uref(u32 ufd); - struct bpf_map *__bpf_map_get(struct fd f); --void bpf_map_inc(struct bpf_map *map, bool uref); -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref); - void bpf_map_put_with_uref(struct bpf_map *map); - void bpf_map_put(struct bpf_map *map); - ---- a/kernel/bpf/inode.c -+++ b/kernel/bpf/inode.c -@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum - { - switch (type) { - case BPF_TYPE_PROG: -- atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt); -+ raw = bpf_prog_inc(raw); - break; - case BPF_TYPE_MAP: -- bpf_map_inc(raw, true); -+ raw = bpf_map_inc(raw, true); - break; - default: - WARN_ON_ONCE(1); -@@ -297,7 +297,8 @@ static void *bpf_obj_do_get(const struct - goto out; - - raw = bpf_any_get(inode->i_private, *type); -- touch_atime(&path); -+ if (!IS_ERR(raw)) -+ touch_atime(&path); - - path_put(&path); - return raw; ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -201,11 +201,18 @@ struct bpf_map *__bpf_map_get(struct fd - return f.file->private_data; - } - --void bpf_map_inc(struct bpf_map *map, bool uref) -+/* prog's and map's refcnt limit */ -+#define BPF_MAX_REFCNT 32768 -+ -+struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref) - { -- atomic_inc(&map->refcnt); -+ if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&map->refcnt); -+ return ERR_PTR(-EBUSY); -+ } - if (uref) - atomic_inc(&map->usercnt); -+ return map; - } - - struct bpf_map *bpf_map_get_with_uref(u32 ufd) -@@ -217,7 +224,7 @@ struct bpf_map *bpf_map_get_with_uref(u3 - if (IS_ERR(map)) - return map; - -- bpf_map_inc(map, true); -+ map = bpf_map_inc(map, true); - fdput(f); - - return map; -@@ -600,6 +607,15 @@ static struct bpf_prog *__bpf_prog_get(s - return f.file->private_data; - } - -+struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog) -+{ -+ if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) { -+ atomic_dec(&prog->aux->refcnt); -+ return ERR_PTR(-EBUSY); -+ } -+ return prog; -+} -+ - /* called by sockets/tracing/seccomp before attaching program to an event - * pairs with bpf_prog_put() - */ -@@ -612,7 +628,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd) - if (IS_ERR(prog)) - return prog; - -- atomic_inc(&prog->aux->refcnt); -+ prog = bpf_prog_inc(prog); - fdput(f); - - return prog; ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -2022,15 +2022,18 @@ static int replace_map_fd_with_map_ptr(s - return -E2BIG; - } - -- /* remember this map */ -- env->used_maps[env->used_map_cnt++] = map; -- - /* hold the map. If the program is rejected by verifier, - * the map will be released by release_maps() or it - * will be used by the valid program until it's unloaded - * and all maps are released in free_bpf_prog_info() - */ -- bpf_map_inc(map, false); -+ map = bpf_map_inc(map, false); -+ if (IS_ERR(map)) { -+ fdput(f); -+ return PTR_ERR(map); -+ } -+ env->used_maps[env->used_map_cnt++] = map; -+ - fdput(f); - next_insn: - insn++; diff --git a/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch b/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch deleted file mode 100644 index aa54020ec..000000000 --- a/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Herbert Xu -Date: Wed, 4 May 2016 17:52:56 +0800 -Subject: crypto: hash - Fix page length clamping in hash walk -Origin: https://git.kernel.org/linus/13f4bb78cf6a312bbdec367ba3da044b09bf0e29 - -The crypto hash walk code is broken when supplied with an offset -greater than or equal to PAGE_SIZE. This patch fixes it by adjusting -walk->pg and walk->offset when this happens. - -Cc: -Reported-by: Steffen Klassert -Signed-off-by: Herbert Xu ---- - crypto/ahash.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/crypto/ahash.c b/crypto/ahash.c -index 5fc1f172963d..3887a98abcc3 100644 ---- a/crypto/ahash.c -+++ b/crypto/ahash.c -@@ -69,8 +69,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk) - struct scatterlist *sg; - - sg = walk->sg; -- walk->pg = sg_page(sg); - walk->offset = sg->offset; -+ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT); -+ walk->offset = offset_in_page(walk->offset); - walk->entrylen = sg->length; - - if (walk->entrylen > walk->total) diff --git a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch deleted file mode 100644 index 995822627..000000000 --- a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch +++ /dev/null @@ -1,60 +0,0 @@ -From: Al Viro -Date: Thu, 5 May 2016 16:25:35 -0400 -Subject: get_rock_ridge_filename(): handle malformed NM entries -Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6 - -Payloads of NM entries are not supposed to contain NUL. When we run -into such, only the part prior to the first NUL goes into the -concatenation (i.e. the directory entry name being encoded by a bunch -of NM entries). We do stop when the amount collected so far + the -claimed amount in the current NM entry exceed 254. So far, so good, -but what we return as the total length is the sum of *claimed* -sizes, not the actual amount collected. And that can grow pretty -large - not unlimited, since you'd need to put CE entries in -between to be able to get more than the maximum that could be -contained in one isofs directory entry / continuation chunk and -we are stop once we'd encountered 32 CEs, but you can get about 8Kb -easily. And that's what will be passed to readdir callback as the -name length. 8Kb __copy_to_user() from a buffer allocated by -__get_free_page() - -Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really) -Signed-off-by: Al Viro ---- - fs/isofs/rock.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index 5384ceb35b1c..98b3eb7d8eaf 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de, - int retnamlen = 0; - int truncate = 0; - int ret = 0; -+ char *p; -+ int len; - - if (!ISOFS_SB(inode->i_sb)->s_rock) - return 0; -@@ -267,12 +269,17 @@ repeat: - rr->u.NM.flags); - break; - } -- if ((strlen(retname) + rr->len - 5) >= 254) { -+ len = rr->len - 5; -+ if (retnamlen + len >= 254) { - truncate = 1; - break; - } -- strncat(retname, rr->u.NM.name, rr->len - 5); -- retnamlen += rr->len - 5; -+ p = memchr(rr->u.NM.name, '\0', len); -+ if (unlikely(p)) -+ len = p - rr->u.NM.name; -+ memcpy(retname + retnamlen, rr->u.NM.name, len); -+ retnamlen += len; -+ retname[retnamlen] = '\0'; - break; - case SIG('R', 'E'): - kfree(rs.buffer); diff --git a/debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch b/debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch deleted file mode 100644 index 17638b413..000000000 --- a/debian/patches/bugfix/all/net-fix-infoleak-in-llc.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Kangjie Lu -Date: Tue, 3 May 2016 16:35:05 -0400 -Subject: net: fix infoleak in llc -Origin: https://git.kernel.org/linus/b8670c09f37bdf2847cc44f36511a53afc6161fd - -The stack object “info” has a total size of 12 bytes. Its last byte -is padding which is not initialized and leaked via “put_cmsg”. - -Signed-off-by: Kangjie Lu -Signed-off-by: David S. Miller ---- - net/llc/af_llc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index b3c52e3..8ae3ed9 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb) - if (llc->cmsg_flags & LLC_CMSG_PKTINFO) { - struct llc_pktinfo info; - -+ memset(&info, 0, sizeof(info)); - info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex; - llc_pdu_decode_dsap(skb, &info.lpi_sap); - llc_pdu_decode_da(skb, info.lpi_mac); --- -2.8.1 - diff --git a/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch deleted file mode 100644 index 097daefb8..000000000 --- a/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Kangjie Lu -Date: Tue, 3 May 2016 16:46:24 -0400 -Subject: net: fix infoleak in rtnetlink -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6 - -The stack object “map” has a total size of 32 bytes. Its last 4 -bytes are padding generated by compiler. These padding bytes are -not initialized and sent out via “nla_put”. - -Signed-off-by: Kangjie Lu -Signed-off-by: David S. Miller ---- - net/core/rtnetlink.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - ---- a/net/core/rtnetlink.c -+++ b/net/core/rtnetlink.c -@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_ - - static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev) - { -- struct rtnl_link_ifmap map = { -- .mem_start = dev->mem_start, -- .mem_end = dev->mem_end, -- .base_addr = dev->base_addr, -- .irq = dev->irq, -- .dma = dev->dma, -- .port = dev->if_port, -- }; -+ struct rtnl_link_ifmap map; -+ -+ memset(&map, 0, sizeof(map)); -+ map.mem_start = dev->mem_start; -+ map.mem_end = dev->mem_end; -+ map.base_addr = dev->base_addr; -+ map.irq = dev->irq; -+ map.dma = dev->dma; -+ map.port = dev->if_port; -+ - if (nla_put(skb, IFLA_MAP, sizeof(map), &map)) - return -EMSGSIZE; - diff --git a/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch b/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch deleted file mode 100644 index 84c2beb25..000000000 --- a/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Linus Torvalds -Date: Sat, 14 May 2016 11:11:44 -0700 -Subject: nf_conntrack: avoid kernel pointer value leak in slab name -Origin: https://git.kernel.org/linus/31b0b385f69d8d5491a4bca288e25e63f1d945d0 - -The slab name ends up being visible in the directory structure under -/sys, and even if you don't have access rights to the file you can see -the filenames. - -Just use a 64-bit counter instead of the pointer to the 'net' structure -to generate a unique name. - -This code will go away in 4.7 when the conntrack code moves to a single -kmemcache, but this is the backportable simple solution to avoiding -leaking kernel pointers to user space. - -Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep") -Signed-off-by: Linus Torvalds -Acked-by: Eric Dumazet -Cc: stable@vger.kernel.org -Signed-off-by: David S. Miller ---- - net/netfilter/nf_conntrack_core.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/net/netfilter/nf_conntrack_core.c -+++ b/net/netfilter/nf_conntrack_core.c -@@ -1780,6 +1780,7 @@ void nf_conntrack_init_end(void) - - int nf_conntrack_init_net(struct net *net) - { -+ static atomic64_t unique_id; - int ret = -ENOMEM; - int cpu; - -@@ -1802,7 +1803,8 @@ int nf_conntrack_init_net(struct net *ne - if (!net->ct.stat) - goto err_pcpu_lists; - -- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net); -+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu", -+ (u64)atomic64_inc_return(&unique_id)); - if (!net->ct.slabname) - goto err_slabname; - diff --git a/debian/patches/bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch b/debian/patches/bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch deleted file mode 100644 index 80c3e7a91..000000000 --- a/debian/patches/bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch +++ /dev/null @@ -1,245 +0,0 @@ -From: Mikko Rapeli -Date: Sun, 24 Apr 2016 17:45:00 +0200 -Subject: uapi glibc compat: fix compile errors when glibc net/if.h included - before linux/if.h -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Origin: https://git.kernel.org/linus/4a91cb61bb995e5571098188092e296192309c77 -Bug-Debian: https://bugs.debian.org/822393 - -glibc's net/if.h contains copies of definitions from linux/if.h and these -conflict and cause build failures if both files are included by application -source code. Changes in uapi headers, which fixed header file dependencies to -include linux/if.h when it was needed, e.g. commit 1ffad83d, made the -net/if.h and linux/if.h incompatibilities visible as build failures for -userspace applications like iproute2 and xtables-addons. - -This patch fixes compile errors when glibc net/if.h is included before -linux/if.h: - -./linux/if.h:99:21: error: redeclaration of enumerator ‘IFF_NOARP’ -./linux/if.h:98:23: error: redeclaration of enumerator ‘IFF_RUNNING’ -./linux/if.h:97:26: error: redeclaration of enumerator ‘IFF_NOTRAILERS’ -./linux/if.h:96:27: error: redeclaration of enumerator ‘IFF_POINTOPOINT’ -./linux/if.h:95:24: error: redeclaration of enumerator ‘IFF_LOOPBACK’ -./linux/if.h:94:21: error: redeclaration of enumerator ‘IFF_DEBUG’ -./linux/if.h:93:25: error: redeclaration of enumerator ‘IFF_BROADCAST’ -./linux/if.h:92:19: error: redeclaration of enumerator ‘IFF_UP’ -./linux/if.h:252:8: error: redefinition of ‘struct ifconf’ -./linux/if.h:203:8: error: redefinition of ‘struct ifreq’ -./linux/if.h:169:8: error: redefinition of ‘struct ifmap’ -./linux/if.h:107:23: error: redeclaration of enumerator ‘IFF_DYNAMIC’ -./linux/if.h:106:25: error: redeclaration of enumerator ‘IFF_AUTOMEDIA’ -./linux/if.h:105:23: error: redeclaration of enumerator ‘IFF_PORTSEL’ -./linux/if.h:104:25: error: redeclaration of enumerator ‘IFF_MULTICAST’ -./linux/if.h:103:21: error: redeclaration of enumerator ‘IFF_SLAVE’ -./linux/if.h:102:22: error: redeclaration of enumerator ‘IFF_MASTER’ -./linux/if.h:101:24: error: redeclaration of enumerator ‘IFF_ALLMULTI’ -./linux/if.h:100:23: error: redeclaration of enumerator ‘IFF_PROMISC’ - -The cases where linux/if.h is included before net/if.h need a similar fix in -the glibc side, or the order of include files can be changed userspace -code as a workaround. - -This change was tested in x86 userspace on Debian unstable with -scripts/headers_compile_test.sh: - -$ make headers_install && \ - cd usr/include && ../../scripts/headers_compile_test.sh -l -k -... -cc -Wall -c -nostdinc -I /usr/lib/gcc/i586-linux-gnu/5/include -I /usr/lib/gcc/i586-linux-gnu/5/include-fixed -I . -I /home/mcfrisk/src/linux-2.6/usr/headers_compile_test_include.2uX2zH -I /home/mcfrisk/src/linux-2.6/usr/headers_compile_test_include.2uX2zH/i586-linux-gnu -o /dev/null ./linux/if.h_libc_before_kernel.h -PASSED libc before kernel test: ./linux/if.h - -Reported-by: Jan Engelhardt -Reported-by: Josh Boyer -Reported-by: Stephen Hemminger -Reported-by: Waldemar Brodkorb -Cc: Gabriel Laskar -Signed-off-by: Mikko Rapeli -Signed-off-by: David S. Miller ---- - include/uapi/linux/if.h | 28 +++++++++++++++++++++++++ - include/uapi/linux/libc-compat.h | 44 ++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 72 insertions(+) - -diff --git a/include/uapi/linux/if.h b/include/uapi/linux/if.h -index f80277569f24..e601c8c3bdc7 100644 ---- a/include/uapi/linux/if.h -+++ b/include/uapi/linux/if.h -@@ -19,14 +19,20 @@ - #ifndef _LINUX_IF_H - #define _LINUX_IF_H - -+#include /* for compatibility with glibc */ - #include /* for "__kernel_caddr_t" et al */ - #include /* for "struct sockaddr" et al */ - #include /* for "__user" et al */ - -+#if __UAPI_DEF_IF_IFNAMSIZ - #define IFNAMSIZ 16 -+#endif /* __UAPI_DEF_IF_IFNAMSIZ */ - #define IFALIASZ 256 - #include - -+/* For glibc compatibility. An empty enum does not compile. */ -+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO != 0 && \ -+ __UAPI_DEF_IF_NET_DEVICE_FLAGS != 0 - /** - * enum net_device_flags - &struct net_device flags - * -@@ -68,6 +74,8 @@ - * @IFF_ECHO: echo sent packets. Volatile. - */ - enum net_device_flags { -+/* for compatibility with glibc net/if.h */ -+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS - IFF_UP = 1<<0, /* sysfs */ - IFF_BROADCAST = 1<<1, /* volatile */ - IFF_DEBUG = 1<<2, /* sysfs */ -@@ -84,11 +92,17 @@ enum net_device_flags { - IFF_PORTSEL = 1<<13, /* sysfs */ - IFF_AUTOMEDIA = 1<<14, /* sysfs */ - IFF_DYNAMIC = 1<<15, /* sysfs */ -+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS */ -+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO - IFF_LOWER_UP = 1<<16, /* volatile */ - IFF_DORMANT = 1<<17, /* volatile */ - IFF_ECHO = 1<<18, /* volatile */ -+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO */ - }; -+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO != 0 && __UAPI_DEF_IF_NET_DEVICE_FLAGS != 0 */ - -+/* for compatibility with glibc net/if.h */ -+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS - #define IFF_UP IFF_UP - #define IFF_BROADCAST IFF_BROADCAST - #define IFF_DEBUG IFF_DEBUG -@@ -105,9 +119,13 @@ enum net_device_flags { - #define IFF_PORTSEL IFF_PORTSEL - #define IFF_AUTOMEDIA IFF_AUTOMEDIA - #define IFF_DYNAMIC IFF_DYNAMIC -+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS */ -+ -+#if __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO - #define IFF_LOWER_UP IFF_LOWER_UP - #define IFF_DORMANT IFF_DORMANT - #define IFF_ECHO IFF_ECHO -+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO */ - - #define IFF_VOLATILE (IFF_LOOPBACK|IFF_POINTOPOINT|IFF_BROADCAST|IFF_ECHO|\ - IFF_MASTER|IFF_SLAVE|IFF_RUNNING|IFF_LOWER_UP|IFF_DORMANT) -@@ -166,6 +184,8 @@ enum { - * being very small might be worth keeping for clean configuration. - */ - -+/* for compatibility with glibc net/if.h */ -+#if __UAPI_DEF_IF_IFMAP - struct ifmap { - unsigned long mem_start; - unsigned long mem_end; -@@ -175,6 +195,7 @@ struct ifmap { - unsigned char port; - /* 3 bytes spare */ - }; -+#endif /* __UAPI_DEF_IF_IFMAP */ - - struct if_settings { - unsigned int type; /* Type of physical device or protocol */ -@@ -200,6 +221,8 @@ struct if_settings { - * remainder may be interface specific. - */ - -+/* for compatibility with glibc net/if.h */ -+#if __UAPI_DEF_IF_IFREQ - struct ifreq { - #define IFHWADDRLEN 6 - union -@@ -223,6 +246,7 @@ struct ifreq { - struct if_settings ifru_settings; - } ifr_ifru; - }; -+#endif /* __UAPI_DEF_IF_IFREQ */ - - #define ifr_name ifr_ifrn.ifrn_name /* interface name */ - #define ifr_hwaddr ifr_ifru.ifru_hwaddr /* MAC address */ -@@ -249,6 +273,8 @@ struct ifreq { - * must know all networks accessible). - */ - -+/* for compatibility with glibc net/if.h */ -+#if __UAPI_DEF_IF_IFCONF - struct ifconf { - int ifc_len; /* size of buffer */ - union { -@@ -256,6 +282,8 @@ struct ifconf { - struct ifreq __user *ifcu_req; - } ifc_ifcu; - }; -+#endif /* __UAPI_DEF_IF_IFCONF */ -+ - #define ifc_buf ifc_ifcu.ifcu_buf /* buffer address */ - #define ifc_req ifc_ifcu.ifcu_req /* array of structures */ - -diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h -index 7d024ceb075d..d5e38c73377c 100644 ---- a/include/uapi/linux/libc-compat.h -+++ b/include/uapi/linux/libc-compat.h -@@ -51,6 +51,40 @@ - /* We have included glibc headers... */ - #if defined(__GLIBC__) - -+/* Coordinate with glibc net/if.h header. */ -+#if defined(_NET_IF_H) -+ -+/* GLIBC headers included first so don't define anything -+ * that would already be defined. */ -+ -+#define __UAPI_DEF_IF_IFCONF 0 -+#define __UAPI_DEF_IF_IFMAP 0 -+#define __UAPI_DEF_IF_IFNAMSIZ 0 -+#define __UAPI_DEF_IF_IFREQ 0 -+/* Everything up to IFF_DYNAMIC, matches net/if.h until glibc 2.23 */ -+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS 0 -+/* For the future if glibc adds IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO */ -+#ifndef __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO -+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 1 -+#endif /* __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO */ -+ -+#else /* _NET_IF_H */ -+ -+/* Linux headers included first, and we must define everything -+ * we need. The expectation is that glibc will check the -+ * __UAPI_DEF_* defines and adjust appropriately. */ -+ -+#define __UAPI_DEF_IF_IFCONF 1 -+#define __UAPI_DEF_IF_IFMAP 1 -+#define __UAPI_DEF_IF_IFNAMSIZ 1 -+#define __UAPI_DEF_IF_IFREQ 1 -+/* Everything up to IFF_DYNAMIC, matches net/if.h until glibc 2.23 */ -+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS 1 -+/* For the future if glibc adds IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO */ -+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 1 -+ -+#endif /* _NET_IF_H */ -+ - /* Coordinate with glibc netinet/in.h header. */ - #if defined(_NETINET_IN_H) - -@@ -117,6 +151,16 @@ - * that we need. */ - #else /* !defined(__GLIBC__) */ - -+/* Definitions for if.h */ -+#define __UAPI_DEF_IF_IFCONF 1 -+#define __UAPI_DEF_IF_IFMAP 1 -+#define __UAPI_DEF_IF_IFNAMSIZ 1 -+#define __UAPI_DEF_IF_IFREQ 1 -+/* Everything up to IFF_DYNAMIC, matches net/if.h until glibc 2.23 */ -+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS 1 -+/* For the future if glibc adds IFF_LOWER_UP, IFF_DORMANT and IFF_ECHO */ -+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 1 -+ - /* Definitions for in.h */ - #define __UAPI_DEF_IN_ADDR 1 - #define __UAPI_DEF_IN_IPPROTO 1 diff --git a/debian/patches/debian/net-sched-fix-abi-change-in-4.5.5.patch b/debian/patches/debian/net-sched-fix-abi-change-in-4.5.5.patch new file mode 100644 index 000000000..fbf0110fa --- /dev/null +++ b/debian/patches/debian/net-sched-fix-abi-change-in-4.5.5.patch @@ -0,0 +1,35 @@ +From: Ben Hutchings +Date: Mon, 23 May 2016 01:25:47 +0100 +Subject: net/sched: Fix ABI change in 4.5.5 +Forwarded: not-needed + +Restore the function qdisc_tree_decrease_qlen(), removed in 4.5.5. +It can now be a trivial wrapper for its replacement, +qdisc_tree_reduce_backlog(). + +--- +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -398,6 +398,7 @@ void qdisc_reset(struct Qdisc *qdisc); + void qdisc_destroy(struct Qdisc *qdisc); + void qdisc_tree_reduce_backlog(struct Qdisc *qdisc, unsigned int n, + unsigned int len); ++void qdisc_tree_decrease_qlen(struct Qdisc *qdisc, unsigned int n); + struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue, + const struct Qdisc_ops *ops); + struct Qdisc *qdisc_create_dflt(struct netdev_queue *dev_queue, +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -782,6 +782,12 @@ void qdisc_tree_reduce_backlog(struct Qd + } + EXPORT_SYMBOL(qdisc_tree_reduce_backlog); + ++void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n) ++{ ++ qdisc_tree_reduce_backlog(sch, n, 0); ++} ++EXPORT_SYMBOL(qdisc_tree_decrease_qlen); ++ + static void notify_and_destroy(struct net *net, struct sk_buff *skb, + struct nlmsghdr *n, u32 clid, + struct Qdisc *old, struct Qdisc *new) diff --git a/debian/patches/series b/debian/patches/series index 95bd339f5..b3a2c96d6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -82,10 +82,8 @@ bugfix/all/disable-some-marvell-phys.patch bugfix/all/rtsx_usb_ms-use-msleep_interruptible-in-polling-loop.patch bugfix/all/mm-zone_device-depends-on-sparsemem_vmemmap.patch bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch -bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch bugfix/all/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch -bugfix/all/uapi-glibc-compat-fix-compile-errors-when-glibc-net-.patch bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch bugfix/all/revert-stmmac-fix-eth0-no-phy-found-regression.patch @@ -135,16 +133,8 @@ bugfix/all/netfilter-x_tables-check-for-size-overflow.patch bugfix/all/netfilter-x_tables-validate-e-target_offset-early.patch bugfix/all/netfilter-x_tables-make-sure-e-next_offset-covers-re.patch bugfix/x86/x86-mm-32-enable-full-randomization-on-i386-and-x86_.patch -bugfix/all/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch -bugfix/all/bpf-fix-refcnt-overflow.patch -bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch -bugfix/all/net-fix-infoleak-in-llc.patch -bugfix/all/net-fix-infoleak-in-rtnetlink.patch -bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch -bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch -bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch @@ -174,3 +164,4 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch bugfix/all/power-cpupower-fix-manpages-NAME.patch bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch +debian/net-sched-fix-abi-change-in-4.5.5.patch