--- /dev/null
+From cec80d82142ab25c71eee24b529cfeaf17c43062 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 1 Oct 2015 01:35:55 +0100
+Subject: alpha: uapi: Add support for __SANE_USERSPACE_TYPES__
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit cec80d82142ab25c71eee24b529cfeaf17c43062 upstream.
+
+This fixes compiler errors in perf such as:
+
+tests/attr.c: In function 'store_event':
+tests/attr.c:66:27: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__u64 {aka long unsigned int}' [-Werror=format=]
+ snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
+ ^
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Tested-by: Michael Cree <mcree@orcon.net.nz>
+Signed-off-by: Matt Turner <mattst88@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/types.h | 2 +-
+ arch/alpha/include/uapi/asm/types.h | 12 +++++++++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/alpha/include/asm/types.h
++++ b/arch/alpha/include/asm/types.h
+@@ -1,6 +1,6 @@
+ #ifndef _ALPHA_TYPES_H
+ #define _ALPHA_TYPES_H
+
+-#include <asm-generic/int-ll64.h>
++#include <uapi/asm/types.h>
+
+ #endif /* _ALPHA_TYPES_H */
+--- a/arch/alpha/include/uapi/asm/types.h
++++ b/arch/alpha/include/uapi/asm/types.h
+@@ -9,8 +9,18 @@
+ * need to be careful to avoid a name clashes.
+ */
+
+-#ifndef __KERNEL__
++/*
++ * This is here because we used to use l64 for alpha
++ * and we don't want to impact user mode with our change to ll64
++ * in the kernel.
++ *
++ * However, some user programs are fine with this. They can
++ * flag __SANE_USERSPACE_TYPES__ to get int-ll64.h here.
++ */
++#if !defined(__SANE_USERSPACE_TYPES__) && !defined(__KERNEL__)
+ #include <asm-generic/int-l64.h>
++#else
++#include <asm-generic/int-ll64.h>
+ #endif
+
+ #endif /* _UAPI_ALPHA_TYPES_H */
--- /dev/null
+From dd2bc473482eedc60c29cf00ad12568ce40ce511 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Fri, 4 Aug 2017 11:22:31 +0800
+Subject: ceph: fix readpage from fscache
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit dd2bc473482eedc60c29cf00ad12568ce40ce511 upstream.
+
+ceph_readpage() unlocks page prematurely prematurely in the case
+that page is reading from fscache. Caller of readpage expects that
+page is uptodate when it get unlocked. So page shoule get locked
+by completion callback of fscache_read_or_alloc_pages()
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/addr.c | 24 +++++++++++++++---------
+ fs/ceph/cache.c | 12 +++---------
+ 2 files changed, 18 insertions(+), 18 deletions(-)
+
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -189,7 +189,7 @@ static int ceph_releasepage(struct page
+ /*
+ * read a single page, without unlocking it.
+ */
+-static int readpage_nounlock(struct file *filp, struct page *page)
++static int ceph_do_readpage(struct file *filp, struct page *page)
+ {
+ struct inode *inode = file_inode(filp);
+ struct ceph_inode_info *ci = ceph_inode(inode);
+@@ -219,7 +219,7 @@ static int readpage_nounlock(struct file
+
+ err = ceph_readpage_from_fscache(inode, page);
+ if (err == 0)
+- goto out;
++ return -EINPROGRESS;
+
+ dout("readpage inode %p file %p page %p index %lu\n",
+ inode, filp, page, page->index);
+@@ -249,8 +249,11 @@ out:
+
+ static int ceph_readpage(struct file *filp, struct page *page)
+ {
+- int r = readpage_nounlock(filp, page);
+- unlock_page(page);
++ int r = ceph_do_readpage(filp, page);
++ if (r != -EINPROGRESS)
++ unlock_page(page);
++ else
++ r = 0;
+ return r;
+ }
+
+@@ -1094,7 +1097,7 @@ retry_locked:
+ goto retry_locked;
+ r = writepage_nounlock(page, NULL);
+ if (r < 0)
+- goto fail_nosnap;
++ goto fail_unlock;
+ goto retry_locked;
+ }
+
+@@ -1122,11 +1125,14 @@ retry_locked:
+ }
+
+ /* we need to read it. */
+- r = readpage_nounlock(file, page);
+- if (r < 0)
+- goto fail_nosnap;
++ r = ceph_do_readpage(file, page);
++ if (r < 0) {
++ if (r == -EINPROGRESS)
++ return -EAGAIN;
++ goto fail_unlock;
++ }
+ goto retry_locked;
+-fail_nosnap:
++fail_unlock:
+ unlock_page(page);
+ return r;
+ }
+--- a/fs/ceph/cache.c
++++ b/fs/ceph/cache.c
+@@ -224,13 +224,7 @@ void ceph_fscache_unregister_inode_cooki
+ fscache_relinquish_cookie(cookie, 0);
+ }
+
+-static void ceph_vfs_readpage_complete(struct page *page, void *data, int error)
+-{
+- if (!error)
+- SetPageUptodate(page);
+-}
+-
+-static void ceph_vfs_readpage_complete_unlock(struct page *page, void *data, int error)
++static void ceph_readpage_from_fscache_complete(struct page *page, void *data, int error)
+ {
+ if (!error)
+ SetPageUptodate(page);
+@@ -259,7 +253,7 @@ int ceph_readpage_from_fscache(struct in
+ return -ENOBUFS;
+
+ ret = fscache_read_or_alloc_page(ci->fscache, page,
+- ceph_vfs_readpage_complete, NULL,
++ ceph_readpage_from_fscache_complete, NULL,
+ GFP_KERNEL);
+
+ switch (ret) {
+@@ -288,7 +282,7 @@ int ceph_readpages_from_fscache(struct i
+ return -ENOBUFS;
+
+ ret = fscache_read_or_alloc_pages(ci->fscache, mapping, pages, nr_pages,
+- ceph_vfs_readpage_complete_unlock,
++ ceph_readpage_from_fscache_complete,
+ NULL, mapping_gfp_mask(mapping));
+
+ switch (ret) {
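Review bot: The header comment kept above ceph_do_readpage in the first fs/ceph/addr.c hunk, `* read a single page, without unlocking it.`, no longer describes the contract, because the new `return -EINPROGRESS;` path hands the still-locked page to the fscache completion callback and both callers now special-case that value. A comment such as `/* Read a single page without unlocking it. Returns -EINPROGRESS when the read was handed to fscache; the page then stays locked until ceph_readpage_from_fscache_complete() runs. */` would record the ownership rule at the function that creates it. The body of ceph_readpage_from_fscache_complete in fs/ceph/cache.c is cut off after `SetPageUptodate(page);`, so this diff alone does not show the unlock_page() that the commit description relies on; worth confirming it is there. Likewise the `return -EAGAIN;` in the retry_locked path deliberately leaves the page locked, which a one-line comment would make clear since that function starts and ends outside the hunk.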
--- /dev/null
+From 9e37b1784f2be9397a903307574ee565bbadfd75 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Thu, 24 Aug 2017 15:16:40 -0700
+Subject: CIFS: Fix maximum SMB2 header size
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit 9e37b1784f2be9397a903307574ee565bbadfd75 upstream.
+
+Currently the maximum size of SMB2/3 header is set incorrectly which
+leads to hanging of directory listing operations on encrypted SMB3
+connections. Fix this by setting the maximum size to 170 bytes that
+is calculated as RFC1002 length field size (4) + transform header
+size (52) + SMB2 header size (64) + create response size (56).
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Acked-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -82,8 +82,8 @@
+
+ #define NUMBER_OF_SMB2_COMMANDS 0x0013
+
+-/* BB FIXME - analyze following length BB */
+-#define MAX_SMB2_HDR_SIZE 0x78 /* 4 len + 64 hdr + (2*24 wct) + 2 bct + 2 pad */
++/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp */
++#define MAX_SMB2_HDR_SIZE 0x00b0
+
+ #define SMB2_PROTO_NUMBER cpu_to_le32(0x424d53fe)
+
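Review bot: The replacement comment on `#define MAX_SMB2_HDR_SIZE 0x00b0` lists the four addends but not the total, and 4 + 52 + 64 + 56 = 176 = 0xb0 while the commit description says 170, so a reader checking the macro against the description cannot tell which figure is right. Spelling the sum out, `/* 4 len + 52 transform hdr + 64 hdr + 56 create rsp = 176 (0xb0) */`, settles it in the code itself. Naming the case being sized for (the encrypted-transform path the description mentions) would also explain why the previous plaintext-only value was too small.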
--- /dev/null
+From 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Sun, 27 Aug 2017 16:56:08 -0500
+Subject: CIFS: remove endian related sparse warning
+
+From: Steve French <smfrench@gmail.com>
+
+commit 6e3c1529c39e92ed64ca41d53abadabbaa1d5393 upstream.
+
+Recent patch had an endian warning ie
+cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
+
+Signed-off-by: Steve French <smfrench@gmail.com>
+CC: Ronnie Sahlberg <lsahlber@redhat.com>
+Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -194,7 +194,7 @@ check_name(struct dentry *direntry, stru
+ int i;
+
+ if (unlikely(direntry->d_name.len >
+- tcon->fsAttrInfo.MaxPathNameComponentLength))
++ le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))
+ return -ENAMETOOLONG;
+
+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
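Review bot: The corrected comparison `le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)` still rejects every name if the server left that field at zero, since any non-zero d_name.len exceeds it; whether a zero value can reach check_name() is not visible in this hunk. If it is not filtered earlier, guarding the test with a non-zero check, `tcon->fsAttrInfo.MaxPathNameComponentLength && direntry->d_name.len > le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)`, keeps the ENAMETOOLONG path from becoming a blanket failure. check_name() starts before the hunk and continues after it.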
--- /dev/null
+From b339752d054fb32863418452dff350a1086885b1 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 28 Aug 2017 14:51:27 -0700
+Subject: cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
+
+From: Tejun Heo <tj@kernel.org>
+
+commit b339752d054fb32863418452dff350a1086885b1 upstream.
+
+When !NUMA, cpumask_of_node(@node) equals cpu_online_mask regardless of
+@node. The assumption seems that if !NUMA, there shouldn't be more than
+one node and thus reporting cpu_online_mask regardless of @node is
+correct. However, that assumption was broken years ago to support
+DISCONTIGMEM and whether a system has multiple nodes or not is
+separately controlled by NEED_MULTIPLE_NODES.
+
+This means that, on a system with !NUMA && NEED_MULTIPLE_NODES,
+cpumask_of_node() will report cpu_online_mask for all possible nodes,
+indicating that the CPUs are associated with multiple nodes which is an
+impossible configuration.
+
+This bug has been around forever but doesn't look like it has caused any
+noticeable symptoms. However, it triggers a WARN recently added to
+workqueue to verify NUMA affinity configuration.
+
+Fix it by reporting empty cpumask on non-zero nodes if !NUMA.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/topology.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/asm-generic/topology.h
++++ b/include/asm-generic/topology.h
+@@ -48,7 +48,11 @@
+ #define parent_node(node) ((void)(node),0)
+ #endif
+ #ifndef cpumask_of_node
+-#define cpumask_of_node(node) ((void)node, cpu_online_mask)
++ #ifdef CONFIG_NEED_MULTIPLE_NODES
++ #define cpumask_of_node(node) ((node) == 0 ? cpu_online_mask : cpu_none_mask)
++ #else
++ #define cpumask_of_node(node) ((void)node, cpu_online_mask)
++ #endif
+ #endif
+ #ifndef pcibus_to_node
+ #define pcibus_to_node(bus) ((void)(bus), -1)
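Review bot: The new `#ifdef CONFIG_NEED_MULTIPLE_NODES` branch carries none of the reasoning from the commit description, and the retained `#else` line still writes `(void)node` where the new line writes `(node)`; a comment above the nested block, `/* !NUMA with several nodes: only node 0 owns the online CPUs, other nodes get an empty mask so no CPU is reported on more than one node */`, records the why, and parenthesizing the macro argument in both branches keeps them consistent. The nested directives are indented with spaces before `#`, which differs from the column-0 conditionals elsewhere in this header, so matching that style is worth considering. The enclosing `#ifndef cpumask_of_node` block is fully within the hunk.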
--- /dev/null
+From 1c08c22c874ac88799cab1f78c40f46110274915 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Thu, 24 Aug 2017 12:04:29 -0400
+Subject: cpuset: Fix incorrect memory_pressure control file mapping
+
+From: Waiman Long <longman@redhat.com>
+
+commit 1c08c22c874ac88799cab1f78c40f46110274915 upstream.
+
+The memory_pressure control file was incorrectly set up without
+a private value (0, by default). As a result, this control
+file was treated like memory_migrate on read. By adding back the
+FILE_MEMORY_PRESSURE private value, the correct memory pressure value
+will be returned.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: 7dbdb199d3bf ("cgroup: replace cftype->mode with CFTYPE_WORLD_WRITABLE")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cpuset.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -1910,6 +1910,7 @@ static struct cftype files[] = {
+ {
+ .name = "memory_pressure",
+ .read_u64 = cpuset_read_u64,
++ .private = FILE_MEMORY_PRESSURE,
+ },
+
+ {
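Review bot: The one-line fix restores `.private = FILE_MEMORY_PRESSURE` but does nothing to stop the same slip recurring: a cftype entry that omits `.private` silently gets 0, which the description says made this file read as memory_migrate. If the FILE_* enumerators start at 0 (their definition is outside the hunk), giving the enum a non-zero first value or a placeholder entry that the read handlers reject would turn the next omission into a visible failure instead of a wrong value. The `files[]` array starts before the hunk.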
+++ /dev/null
-From 445a582738de6802669aeed9c33ca406c23c3b1f Mon Sep 17 00:00:00 2001
-From: Stephan Mueller <smueller@chronox.de>
-Date: Wed, 16 Aug 2017 11:56:24 +0200
-Subject: crypto: algif_skcipher - only call put_page on referenced and used pages
-
-From: Stephan Mueller <smueller@chronox.de>
-
-commit 445a582738de6802669aeed9c33ca406c23c3b1f upstream.
-
-For asynchronous operation, SGs are allocated without a page mapped to
-them or with a page that is not used (ref-counted). If the SGL is freed,
-the code must only call put_page for an SG if there was a page assigned
-and ref-counted in the first place.
-
-This fixes a kernel crash when using io_submit with more than one iocb
-using the sendmsg and sendpage (vmsplice/splice) interface.
-
-Signed-off-by: Stephan Mueller <smueller@chronox.de>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- crypto/algif_skcipher.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/crypto/algif_skcipher.c
-+++ b/crypto/algif_skcipher.c
-@@ -86,8 +86,13 @@ static void skcipher_free_async_sgls(str
- }
- sgl = sreq->tsg;
- n = sg_nents(sgl);
-- for_each_sg(sgl, sg, n, i)
-- put_page(sg_page(sg));
-+ for_each_sg(sgl, sg, n, i) {
-+ struct page *page = sg_page(sg);
-+
-+ /* some SGs may not have a page mapped */
-+ if (page && page_ref_count(page))
-+ put_page(page);
-+ }
-
- kfree(sreq->tsg);
- }
--- /dev/null
+From 9afae2719273fa1d406829bf3498f82dbdba71c7 Mon Sep 17 00:00:00 2001
+From: "Xiangliang.Yu" <Xiangliang.Yu@amd.com>
+Date: Wed, 16 Aug 2017 14:25:51 +0800
+Subject: drm/ttm: Fix accounting error when fail to get pages for pool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiangliang.Yu <Xiangliang.Yu@amd.com>
+
+commit 9afae2719273fa1d406829bf3498f82dbdba71c7 upstream.
+
+When fail to get needed page for pool, need to put allocated pages
+into pool. But current code has a miscalculation of allocated pages,
+correct it.
+
+Signed-off-by: Xiangliang.Yu <Xiangliang.Yu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Monk Liu <monk.liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
++++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
+@@ -612,7 +612,7 @@ static void ttm_page_pool_fill_locked(st
+ } else {
+ pr_err("Failed to fill pool (%p)\n", pool);
+ /* If we have any pages left put them to the pool. */
+- list_for_each_entry(p, &pool->list, lru) {
++ list_for_each_entry(p, &new_pages, lru) {
+ ++cpages;
+ }
+ list_splice(&new_pages, &pool->list);
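Review bot: The corrected loop counts only the entries of `new_pages`, which is the right set if `cpages` is meant to be the number of pages just allocated, but the hunk does not show how `cpages` is applied after the splice (the rest of ttm_page_pool_fill_locked is outside the hunk). A comment at the loop, `/* count only the newly allocated pages; whatever was already on pool->list is accounted for separately */`, would make the intent explicit and guard against the miscounting this commit fixes being reintroduced. The braces around the single `++cpages;` statement are also unnecessary under kernel style.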
irqchip-mips-gic-sync-after-enabling-gic-region.patch
i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
-crypto-algif_skcipher-only-call-put_page-on-referenced-and-used-pages.patch
+ceph-fix-readpage-from-fscache.patch
+cpumask-fix-spurious-cpumask_of_node-on-non-numa-multi-node-configs.patch
+cpuset-fix-incorrect-memory_pressure-control-file-mapping.patch
+alpha-uapi-add-support-for-__sane_userspace_types__.patch
+cifs-fix-maximum-smb2-header-size.patch
+cifs-remove-endian-related-sparse-warning.patch
+wl1251-add-a-missing-spin_lock_init.patch
+xfrm-policy-check-policy-direction-value.patch
+drm-ttm-fix-accounting-error-when-fail-to-get-pages-for-pool.patch
--- /dev/null
+From f581a0dd744fe32b0a8805e279c59ec1ac676d60 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 31 Aug 2017 16:47:43 +0200
+Subject: wl1251: add a missing spin_lock_init()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+commit f581a0dd744fe32b0a8805e279c59ec1ac676d60 upstream.
+
+wl1251: add a missing spin_lock_init()
+
+This fixes the following kernel warning:
+
+ [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
+ [ 5668.771850] lock: 0xce63ef20, .magic: 00000000, .owner: <none>/-1,
+ .owner_cpu: 0
+ [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G W
+ 4.12.0-03002-gec979a4-dirty #40
+ [ 5668.772796] Hardware name: Nokia RX-51 board
+ [ 5668.773071] Workqueue: phy1 wl1251_irq_work
+ [ 5668.773345] [<c010c9e4>] (unwind_backtrace) from [<c010a274>]
+ (show_stack+0x10/0x14)
+ [ 5668.773803] [<c010a274>] (show_stack) from [<c01545a4>]
+ (do_raw_spin_lock+0x6c/0xa0)
+ [ 5668.774230] [<c01545a4>] (do_raw_spin_lock) from [<c06ca578>]
+ (_raw_spin_lock_irqsave+0x10/0x18)
+ [ 5668.774658] [<c06ca578>] (_raw_spin_lock_irqsave) from [<c048c010>]
+ (wl1251_op_tx+0x38/0x5c)
+ [ 5668.775115] [<c048c010>] (wl1251_op_tx) from [<c06a12e8>]
+ (ieee80211_tx_frags+0x188/0x1c0)
+ [ 5668.775543] [<c06a12e8>] (ieee80211_tx_frags) from [<c06a138c>]
+ (__ieee80211_tx+0x6c/0x130)
+ [ 5668.775970] [<c06a138c>] (__ieee80211_tx) from [<c06a3dbc>]
+ (ieee80211_tx+0xdc/0x104)
+ [ 5668.776367] [<c06a3dbc>] (ieee80211_tx) from [<c06a4af0>]
+ (__ieee80211_subif_start_xmit+0x454/0x8c8)
+ [ 5668.776824] [<c06a4af0>] (__ieee80211_subif_start_xmit) from
+ [<c06a4f94>] (ieee80211_subif_start_xmit+0x30/0x2fc)
+ [ 5668.777343] [<c06a4f94>] (ieee80211_subif_start_xmit) from
+ [<c0578848>] (dev_hard_start_xmit+0x80/0x118)
+...
+
+ by adding the missing spin_lock_init().
+
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wl1251/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ti/wl1251/main.c
++++ b/drivers/net/wireless/ti/wl1251/main.c
+@@ -1567,6 +1567,7 @@ struct ieee80211_hw *wl1251_alloc_hw(voi
+
+ wl->state = WL1251_STATE_OFF;
+ mutex_init(&wl->mutex);
++ spin_lock_init(&wl->wl_lock);
+
+ wl->tx_mgmt_frm_rate = DEFAULT_HW_GEN_TX_RATE;
+ wl->tx_mgmt_frm_mod = DEFAULT_HW_GEN_MODULATION_TYPE;
--- /dev/null
+From 7bab09631c2a303f87a7eb7e3d69e888673b9b7e Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 2 Aug 2017 19:50:14 +0200
+Subject: xfrm: policy: check policy direction value
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.
+
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
+as an array index. This can lead to an out-of-bound access, kernel lockup and
+DoS. Add a check for the 'dir' value.
+
+This fixes CVE-2017-11600.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3275,9 +3275,15 @@ int xfrm_migrate(const struct xfrm_selec
+ struct xfrm_state *x_new[XFRM_MAX_DEPTH];
+ struct xfrm_migrate *mp;
+
++ /* Stage 0 - sanity checks */
+ if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+ goto out;
+
++ if (dir >= XFRM_POLICY_MAX) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ /* Stage 1 - find policy */
+ if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) {
+ err = -ENOENT;
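Review bot: The new `dir >= XFRM_POLICY_MAX` check bounds only the upper end, which is sufficient if `dir` is an unsigned byte as the description states; the parameter list of xfrm_migrate() is cut off in the hunk header, so that cannot be confirmed here, and `dir < 0 ||` would be needed if it is a signed `int`. The check also comes after the first test under `/* Stage 0 - sanity checks */`, so folding it into that stage with a comment, `/* dir is user supplied and indexes per-direction policy tables */`, ties the validation to its reason. xfrm_migrate()'s body continues past the hunk.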