3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jan 2018 13:20:25 +0000 (14:20 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 Jan 2018 13:20:25 +0000 (14:20 +0100)
added patches:
hwpoison-memcg-forcibly-uncharge-lru-pages.patch
ipc-msg-make-msgrcv-work-with-long_min.patch
mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-in-the-stack.patch
netfilter-nf_conntrack_sip-extend-request-line-validation.patch
netfilter-nf_ct_expect-remove-the-redundant-slash-when-policy-name-is-empty.patch
netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch
netfilter-restart-search-if-moved-to-other-chain.patch
netfilter-use-fwmark_reflect-in-nf_send_reset.patch
netfilter-xt_osf-add-missing-permission-checks.patch

queue-3.18/hwpoison-memcg-forcibly-uncharge-lru-pages.patch [new file with mode: 0644]
queue-3.18/ipc-msg-make-msgrcv-work-with-long_min.patch [new file with mode: 0644]
queue-3.18/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-in-the-stack.patch [new file with mode: 0644]
queue-3.18/netfilter-nf_conntrack_sip-extend-request-line-validation.patch [new file with mode: 0644]
queue-3.18/netfilter-nf_ct_expect-remove-the-redundant-slash-when-policy-name-is-empty.patch [new file with mode: 0644]
queue-3.18/netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch [new file with mode: 0644]
queue-3.18/netfilter-restart-search-if-moved-to-other-chain.patch [new file with mode: 0644]
queue-3.18/netfilter-use-fwmark_reflect-in-nf_send_reset.patch [new file with mode: 0644]
queue-3.18/netfilter-xt_osf-add-missing-permission-checks.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/hwpoison-memcg-forcibly-uncharge-lru-pages.patch b/queue-3.18/hwpoison-memcg-forcibly-uncharge-lru-pages.patch
new file mode 100644 (file)
index 0000000..9c282dd
--- /dev/null
@@ -0,0 +1,69 @@
+From 18365225f0440d09708ad9daade2ec11275c3df9 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Fri, 12 May 2017 15:46:26 -0700
+Subject: hwpoison, memcg: forcibly uncharge LRU pages
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit 18365225f0440d09708ad9daade2ec11275c3df9 upstream.
+
+Laurent Dufour has noticed that hwpoinsoned pages are kept charged.  In
+his particular case he has hit a bad_page("page still charged to
+cgroup") when onlining a hwpoison page.  While this looks like something
+that shouldn't happen in the first place because onlining hwpages and
+returning them to the page allocator makes only little sense it shows a
+real problem.
+
+hwpoison pages do not get freed usually so we do not uncharge them (at
+least not since commit 0a31bc97c80c ("mm: memcontrol: rewrite uncharge
+API")).  Each charge pins memcg (since e8ea14cc6ead ("mm: memcontrol:
+take a css reference for each charged page")) as well and so the
+mem_cgroup and the associated state will never go away.  Fix this leak
+by forcibly uncharging a LRU hwpoisoned page in delete_from_lru_cache().
+We also have to tweak uncharge_list because it cannot rely on zero ref
+count for these pages.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Fixes: 0a31bc97c80c ("mm: memcontrol: rewrite uncharge API")
+Link: http://lkml.kernel.org/r/20170502185507.GB19165@dhcp22.suse.cz
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reported-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Tested-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
+Reviewed-by: Balbir Singh <bsingharora@gmail.com>
+Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c     |    2 +-
+ mm/memory-failure.c |    7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6500,7 +6500,7 @@ static void uncharge_list(struct list_he
+               next = page->lru.next;
+               VM_BUG_ON_PAGE(PageLRU(page), page);
+-              VM_BUG_ON_PAGE(page_count(page), page);
++              VM_BUG_ON_PAGE(!PageHWPoison(page) && page_count(page), page);
+               pc = lookup_page_cgroup(page);
+               if (!PageCgroupUsed(pc))
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -548,6 +548,13 @@ static int delete_from_lru_cache(struct
+                */
+               ClearPageActive(p);
+               ClearPageUnevictable(p);
++
++              /*
++               * Poisoned page might never drop its ref count to 0 so we have
++               * to uncharge it manually from its memcg.
++               */
++              mem_cgroup_uncharge(p);
++
+               /*
+                * drop the page count elevated by isolate_lru_page()
+                */
diff --git a/queue-3.18/ipc-msg-make-msgrcv-work-with-long_min.patch b/queue-3.18/ipc-msg-make-msgrcv-work-with-long_min.patch
new file mode 100644 (file)
index 0000000..da9e704
--- /dev/null
@@ -0,0 +1,66 @@
+From 999898355e08ae3b92dfd0a08db706e0c6703d30 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Wed, 14 Dec 2016 15:06:07 -0800
+Subject: ipc: msg, make msgrcv work with LONG_MIN
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 999898355e08ae3b92dfd0a08db706e0c6703d30 upstream.
+
+When LONG_MIN is passed to msgrcv, one would expect to recieve any
+message.  But convert_mode does *msgtyp = -*msgtyp and -LONG_MIN is
+undefined.  In particular, with my gcc -LONG_MIN produces -LONG_MIN
+again.
+
+So handle this case properly by assigning LONG_MAX to *msgtyp if
+LONG_MIN was specified as msgtyp to msgrcv.
+
+This code:
+  long msg[] = { 100, 200 };
+  int m = msgget(IPC_PRIVATE, IPC_CREAT | 0644);
+  msgsnd(m, &msg, sizeof(msg), 0);
+  msgrcv(m, &msg, sizeof(msg), LONG_MIN, 0);
+
+produces currently nothing:
+
+  msgget(IPC_PRIVATE, IPC_CREAT|0644)     = 65538
+  msgsnd(65538, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, 0) = 0
+  msgrcv(65538, ...
+
+Except a UBSAN warning:
+
+  UBSAN: Undefined behaviour in ipc/msg.c:745:13
+  negation of -9223372036854775808 cannot be represented in type 'long int':
+
+With the patch, I see what I expect:
+
+  msgget(IPC_PRIVATE, IPC_CREAT|0644)     = 0
+  msgsnd(0, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, 0) = 0
+  msgrcv(0, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, -9223372036854775808, 0) = 16
+
+Link: http://lkml.kernel.org/r/20161024082633.10148-1-jslaby@suse.cz
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Manfred Spraul <manfred@colorfullife.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ ipc/msg.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -740,7 +740,10 @@ static inline int convert_mode(long *msg
+       if (*msgtyp == 0)
+               return SEARCH_ANY;
+       if (*msgtyp < 0) {
+-              *msgtyp = -*msgtyp;
++              if (*msgtyp == LONG_MIN) /* -LONG_MIN is undefined */
++                      *msgtyp = LONG_MAX;
++              else
++                      *msgtyp = -*msgtyp;
+               return SEARCH_LESSEQUAL;
+       }
+       if (msgflg & MSG_EXCEPT)
diff --git a/queue-3.18/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-in-the-stack.patch b/queue-3.18/mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-in-the-stack.patch
new file mode 100644 (file)
index 0000000..bffcb23
--- /dev/null
@@ -0,0 +1,63 @@
+From 561b5e0709e4a248c67d024d4d94b6e31e3edf2f Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Mon, 10 Jul 2017 15:49:51 -0700
+Subject: mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
+
+From: Michal Hocko <mhocko@suse.com>
+
+commit 561b5e0709e4a248c67d024d4d94b6e31e3edf2f upstream.
+
+Commit 1be7107fbe18 ("mm: larger stack guard gap, between vmas") has
+introduced a regression in some rust and Java environments which are
+trying to implement their own stack guard page.  They are punching a new
+MAP_FIXED mapping inside the existing stack Vma.
+
+This will confuse expand_{downwards,upwards} into thinking that the
+stack expansion would in fact get us too close to an existing non-stack
+vma which is a correct behavior wrt safety.  It is a real regression on
+the other hand.
+
+Let's work around the problem by considering PROT_NONE mapping as a part
+of the stack.  This is a gros hack but overflowing to such a mapping
+would trap anyway an we only can hope that usespace knows what it is
+doing and handle it propely.
+
+Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas")
+Link: http://lkml.kernel.org/r/20170705182849.GA18027@dhcp22.suse.cz
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Debugged-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Cc: Willy Tarreau <w@1wt.eu>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2191,7 +2191,8 @@ int expand_upwards(struct vm_area_struct
+               gap_addr = TASK_SIZE;
+       next = vma->vm_next;
+-      if (next && next->vm_start < gap_addr) {
++      if (next && next->vm_start < gap_addr &&
++                      (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
+               if (!(next->vm_flags & VM_GROWSUP))
+                       return -ENOMEM;
+               /* Check that both stack segments have the same anon_vma? */
+@@ -2271,7 +2272,8 @@ int expand_downwards(struct vm_area_stru
+       if (gap_addr > address)
+               return -ENOMEM;
+       prev = vma->vm_prev;
+-      if (prev && prev->vm_end > gap_addr) {
++      if (prev && prev->vm_end > gap_addr &&
++                      (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
+               if (!(prev->vm_flags & VM_GROWSDOWN))
+                       return -ENOMEM;
+               /* Check that both stack segments have the same anon_vma? */
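Review bot: The new `(next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))` condition in expand_upwards carries no comment explaining why a PROT_NONE neighbour is exempt from the stack guard-gap check; the rationale lives only in the commit message, and a reader of mm/mmap.c will otherwise see this as an unexplained hole in the guard-gap protection. I would add above the condition: `/* Treat an adjacent PROT_NONE vma as part of the stack: runtimes punch MAP_FIXED guard holes there, and overflowing into such a mapping traps anyway. */`, and the same comment above the mirrored `prev->vm_flags` check in expand_downwards in the second nested hunk. Both expand_upwards and expand_downwards start and end outside the hunk.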
diff --git a/queue-3.18/netfilter-nf_conntrack_sip-extend-request-line-validation.patch b/queue-3.18/netfilter-nf_conntrack_sip-extend-request-line-validation.patch
new file mode 100644 (file)
index 0000000..28a9b19
--- /dev/null
@@ -0,0 +1,45 @@
+From 444f901742d054a4cd5ff045871eac5131646cfb Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <ulrich.weber@riverbed.com>
+Date: Mon, 24 Oct 2016 18:07:23 +0200
+Subject: netfilter: nf_conntrack_sip: extend request line validation
+
+From: Ulrich Weber <ulrich.weber@riverbed.com>
+
+commit 444f901742d054a4cd5ff045871eac5131646cfb upstream.
+
+on SIP requests, so a fragmented TCP SIP packet from an allow header starting with
+ INVITE,NOTIFY,OPTIONS,REFER,REGISTER,UPDATE,SUBSCRIBE
+ Content-Length: 0
+
+will not bet interpreted as an INVITE request. Also Request-URI must start with an alphabetic character.
+
+Confirm with RFC 3261
+ Request-Line   =  Method SP Request-URI SP SIP-Version CRLF
+
+Fixes: 30f33e6dee80 ("[NETFILTER]: nf_conntrack_sip: support method specific request/response handling")
+Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
+Acked-by: Marco Angaroni <marcoangaroni@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_sip.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1434,9 +1434,12 @@ static int process_sip_request(struct sk
+               handler = &sip_handlers[i];
+               if (handler->request == NULL)
+                       continue;
+-              if (*datalen < handler->len ||
++              if (*datalen < handler->len + 2 ||
+                   strncasecmp(*dptr, handler->method, handler->len))
+                       continue;
++              if ((*dptr)[handler->len] != ' ' ||
++                  !isalpha((*dptr)[handler->len+1]))
++                      continue;
+               if (ct_sip_get_header(ct, *dptr, 0, *datalen, SIP_HDR_CSEQ,
+                                     &matchoff, &matchlen) <= 0) {
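Review bot: The new `' '` / `isalpha()` test at the end of the hunk encodes the RFC 3261 Request-Line grammar but has no comment, so the `+ 2` added to the `*datalen < handler->len + 2` length check reads as a magic number. I would put `/* RFC 3261 7.1: Request-Line = Method SP Request-URI SP SIP-Version; the URI scheme starts with ALPHA, so two bytes past the method must exist before they are read. */` above the length check, which ties the bound to the two bytes the following branch dereferences. `isalpha()` is passed a plain `char`; the kernel's <linux/ctype.h> masks its argument through `(unsigned char)`, so bytes at or above 0x80 are handled, but a short note saying so would spare the next reader that check. process_sip_request continues outside the hunk.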
diff --git a/queue-3.18/netfilter-nf_ct_expect-remove-the-redundant-slash-when-policy-name-is-empty.patch b/queue-3.18/netfilter-nf_ct_expect-remove-the-redundant-slash-when-policy-name-is-empty.patch
new file mode 100644 (file)
index 0000000..6253098
--- /dev/null
@@ -0,0 +1,37 @@
+From b173a28f62cf929324a8a6adcc45adadce311d16 Mon Sep 17 00:00:00 2001
+From: Liping Zhang <liping.zhang@spreadtrum.com>
+Date: Mon, 8 Aug 2016 21:57:58 +0800
+Subject: netfilter: nf_ct_expect: remove the redundant slash when policy name is empty
+
+From: Liping Zhang <liping.zhang@spreadtrum.com>
+
+commit b173a28f62cf929324a8a6adcc45adadce311d16 upstream.
+
+The 'name' filed in struct nf_conntrack_expect_policy{} is not a
+pointer, so check it is NULL or not will always return true. Even if the
+name is empty, slash will always be displayed like follows:
+  # cat /proc/net/nf_conntrack_expect
+  297 l3proto = 2 proto=6 src=1.1.1.1 dst=2.2.2.2 sport=1 dport=1025 ftp/
+                                                                        ^
+
+Fixes: 3a8fc53a45c4 ("netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names")
+Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_expect.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -557,7 +557,7 @@ static int exp_seq_show(struct seq_file
+       helper = rcu_dereference(nfct_help(expect->master)->helper);
+       if (helper) {
+               seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
+-              if (helper->expect_policy[expect->class].name)
++              if (helper->expect_policy[expect->class].name[0])
+                       seq_printf(s, "/%s",
+                                  helper->expect_policy[expect->class].name);
+       }
diff --git a/queue-3.18/netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch b/queue-3.18/netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch
new file mode 100644 (file)
index 0000000..bb6ab80
--- /dev/null
@@ -0,0 +1,80 @@
+From 4b380c42f7d00a395feede754f0bc2292eebe6e5 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
+
+From: Kevin Cernekee <cernekee@chromium.org>
+
+commit 4b380c42f7d00a395feede754f0bc2292eebe6e5 upstream.
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system.  An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+    $ nfct helper list
+    nfct v1.4.4: netlink error: Operation not permitted
+    $ vpnns -- nfct helper list
+    {
+            .name = ftp,
+            .queuenum = 0,
+            .l3protonum = 2,
+            .l4protonum = 6,
+            .priv_data_len = 24,
+            .status = enabled,
+    };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_cthelper.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+@@ -392,6 +393,9 @@ nfnl_cthelper_new(struct sock *nfnl, str
+       struct nfnl_cthelper *nlcth;
+       int ret = 0;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+               return -EINVAL;
+@@ -595,6 +599,9 @@ nfnl_cthelper_get(struct sock *nfnl, str
+       struct nfnl_cthelper *nlcth;
+       bool tuple_set = false;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       if (nlh->nlmsg_flags & NLM_F_DUMP) {
+               struct netlink_dump_control c = {
+                       .dump = nfnl_cthelper_dump_table,
+@@ -661,6 +668,9 @@ nfnl_cthelper_del(struct sock *nfnl, str
+       struct nfnl_cthelper *nlcth, *n;
+       int j = 0, ret;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       if (tb[NFCTH_NAME])
+               helper_name = nla_data(tb[NFCTH_NAME]);
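Review bot: The three new `capable(CAP_NET_ADMIN)` checks say nothing about why the init-namespace `capable()` is required here while nfnetlink_rcv already uses `netlink_net_capable()`; the reason (nfnl_cthelper_list is system-wide, not per-netns) is only in the commit message, and a later cleanup could "fix" this back into a namespaced check and reopen the bypass. I would add above the first check in nfnl_cthelper_new: `/* nfnl_cthelper_list is global, so CAP_NET_ADMIN in the caller's netns (checked by nfnetlink_rcv) is not enough; require it in init_user_ns. */`, with a one-line pointer to that comment at the get and del checks. The same applies to the two checks added in xt_osf_add_callback and xt_osf_remove_callback in the netfilter-xt_osf-add-missing-permission-checks hunk, where xt_osf_fingers is likewise global. All three functions here start and end outside the hunk.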
diff --git a/queue-3.18/netfilter-restart-search-if-moved-to-other-chain.patch b/queue-3.18/netfilter-restart-search-if-moved-to-other-chain.patch
new file mode 100644 (file)
index 0000000..9b003d4
--- /dev/null
@@ -0,0 +1,48 @@
+From 95a8d19f28e6b29377a880c6264391a62e07fccc Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 25 Aug 2016 15:33:29 +0200
+Subject: netfilter: restart search if moved to other chain
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 95a8d19f28e6b29377a880c6264391a62e07fccc upstream.
+
+In case nf_conntrack_tuple_taken did not find a conflicting entry
+check that all entries in this hash slot were tested and restart
+in case an entry was moved to another chain.
+
+Reported-by: Eric Dumazet <edumazet@google.com>
+Fixes: ea781f197d6a ("netfilter: nf_conntrack: use SLAB_DESTROY_BY_RCU and get rid of call_rcu()")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_core.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -695,6 +695,7 @@ nf_conntrack_tuple_taken(const struct nf
+        * least once for the stats anyway.
+        */
+       rcu_read_lock_bh();
++ begin:
+       hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) {
+               ct = nf_ct_tuplehash_to_ctrack(h);
+               if (ct != ignored_conntrack &&
+@@ -706,6 +707,12 @@ nf_conntrack_tuple_taken(const struct nf
+               }
+               NF_CT_STAT_INC(net, searched);
+       }
++
++      if (get_nulls_value(n) != hash) {
++              NF_CT_STAT_INC(net, search_restart);
++              goto begin;
++      }
++
+       rcu_read_unlock_bh();
+       return 0;
diff --git a/queue-3.18/netfilter-use-fwmark_reflect-in-nf_send_reset.patch b/queue-3.18/netfilter-use-fwmark_reflect-in-nf_send_reset.patch
new file mode 100644 (file)
index 0000000..6b5487e
--- /dev/null
@@ -0,0 +1,55 @@
+From cc31d43b4154ad5a7d8aa5543255a93b7e89edc2 Mon Sep 17 00:00:00 2001
+From: Pau Espin Pedrol <pau.espin@tessares.net>
+Date: Fri, 6 Jan 2017 20:33:27 +0100
+Subject: netfilter: use fwmark_reflect in nf_send_reset
+
+From: Pau Espin Pedrol <pau.espin@tessares.net>
+
+commit cc31d43b4154ad5a7d8aa5543255a93b7e89edc2 upstream.
+
+Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
+the routing is checked later in the same code path.
+
+Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ net/ipv4/netfilter/nf_reject_ipv4.c |    2 ++
+ net/ipv6/netfilter/nf_reject_ipv6.c |    3 +++
+ 2 files changed, 5 insertions(+)
+
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -122,6 +122,8 @@ void nf_send_reset(struct sk_buff *oldsk
+       /* ip_route_me_harder expects skb->dst to be set */
+       skb_dst_set_noref(nskb, skb_dst(oldskb));
++      nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
++
+       skb_reserve(nskb, LL_MAX_HEADER);
+       niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
+                                  ip4_dst_hoplimit(skb_dst(nskb)));
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -155,6 +155,7 @@ void nf_send_reset6(struct net *net, str
+       fl6.daddr = oip6h->saddr;
+       fl6.fl6_sport = otcph->dest;
+       fl6.fl6_dport = otcph->source;
++      fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);
+       security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
+       dst = ip6_route_output(net, NULL, &fl6);
+       if (dst == NULL || dst->error) {
+@@ -178,6 +179,8 @@ void nf_send_reset6(struct net *net, str
+       skb_dst_set(nskb, dst);
++      nskb->mark = fl6.flowi6_mark;
++
+       skb_reserve(nskb, hh_len + dst->header_len);
+       ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
+                                   ip6_dst_hoplimit(dst));
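Review bot: The added `nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);` in nf_send_reset uses `net`, but the hunk header reads `nf_send_reset(struct sk_buff *oldsk…`, which suggests the 3.18 signature has `oldskb` as its first parameter rather than the upstream `struct net *net`; the hunk does not show where `net` comes from, so this needs a build check against 3.18 and, if there is no such local, a line like `struct net *net = dev_net(skb_dst(oldskb)->dev);` before the assignment (inferred from the truncated header, not visible here). The IPv6 side looks consistent: nf_send_reset6 visibly takes `net`, `fl6.flowi6_mark` is set before `ip6_route_output()`, and the same value is then copied to `nskb->mark`. Both nf_send_reset and nf_send_reset6 start and end outside the hunk.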
diff --git a/queue-3.18/netfilter-xt_osf-add-missing-permission-checks.patch b/queue-3.18/netfilter-xt_osf-add-missing-permission-checks.patch
new file mode 100644 (file)
index 0000000..f75de31
--- /dev/null
@@ -0,0 +1,62 @@
+From 916a27901de01446bcf57ecca4783f6cff493309 Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: netfilter: xt_osf: Add missing permission checks
+
+From: Kevin Cernekee <cernekee@chromium.org>
+
+commit 916a27901de01446bcf57ecca4783f6cff493309 upstream.
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system.  An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+    vpnns -- nfnl_osf -f /tmp/pf.os
+
+    vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list.  Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_osf.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct so
+       struct xt_osf_finger *kf = NULL, *sf;
+       int err = 0;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       if (!osf_attrs[OSF_ATTR_FINGER])
+               return -EINVAL;
+@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct
+       struct xt_osf_finger *sf;
+       int err = -ENOENT;
++      if (!capable(CAP_NET_ADMIN))
++              return -EPERM;
++
+       if (!osf_attrs[OSF_ATTR_FINGER])
+               return -EINVAL;
index 48c52305a0795eedb7b7f487af92e837cce7a0f1..73fe74d771db47a681302ee392b94508b34c99eb 100644 (file)
@@ -21,3 +21,12 @@ x86-asm-32-make-sync_core-handle-missing-cpuid-on-all-32-bit-kernels.patch
 usbip-fix-implicit-fallthrough-warning.patch
 can-af_can-can_rcv-replace-warn_once-by-pr_warn_once.patch
 can-af_can-canfd_rcv-replace-warn_once-by-pr_warn_once.patch
+mm-mmap.c-do-not-blow-on-prot_none-map_fixed-holes-in-the-stack.patch
+hwpoison-memcg-forcibly-uncharge-lru-pages.patch
+ipc-msg-make-msgrcv-work-with-long_min.patch
+netfilter-nf_ct_expect-remove-the-redundant-slash-when-policy-name-is-empty.patch
+netfilter-restart-search-if-moved-to-other-chain.patch
+netfilter-nf_conntrack_sip-extend-request-line-validation.patch
+netfilter-use-fwmark_reflect-in-nf_send_reset.patch
+netfilter-nfnetlink_cthelper-add-missing-permission-checks.patch
+netfilter-xt_osf-add-missing-permission-checks.patch