authorThorsten Leemhuis <fedora@leemhuis.info>2016-03-17 07:30:08 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2016-03-17 07:30:08 +0100
commitd770c998e6727837fa63fbd9441eef7c67df3219 (patch)
tree1f0d5194b0dcb353b2c7f4246c1a39de1eda70d3
parent85f1ec0fd7b3cfbed6861997586e9d8a3143272a (diff)
parentda240bb5b65122bdb07ff162fd6fc4846c901942 (diff)
Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.4.6-200.vanilla.knurd.1.fc22
-rw-r--r--0001-arm64-account-for-sparsemem-section-alignment-when-c.patch54
-rw-r--r--0001-cdc-acm-fix-NULL-pointer-reference.patch46
-rw-r--r--USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch59
-rw-r--r--cfg80211-wext-fix-message-ordering.patch83
-rw-r--r--ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch97
-rw-r--r--kernel.spec60
-rw-r--r--netfilter-x_tables-check-for-size-overflow.patch31
-rw-r--r--netfilter-x_tables-deal-with-bogus-nextoffset-values.patch150
-rw-r--r--sources2
-rw-r--r--wext-fix-message-delay-ordering.patch122
10 files changed, 432 insertions, 272 deletions
diff --git a/0001-arm64-account-for-sparsemem-section-alignment-when-c.patch b/0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
deleted file mode 100644
index 78e01defa..000000000
--- a/0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From b3ffe8a6522dd1f07c181a5f2581142776e2162d Mon Sep 17 00:00:00 2001
-From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Date: Tue, 8 Mar 2016 21:09:29 +0700
-Subject: [PATCH] arm64: account for sparsemem section alignment when choosing
- vmemmap offset
-
-Commit dfd55ad85e4a ("arm64: vmemmap: use virtual projection of linear
-region") fixed an issue where the struct page array would overflow into the
-adjacent virtual memory region if system RAM was placed so high up in
-physical memory that its addresses were not representable in the build time
-configured virtual address size.
-
-However, the fix failed to take into account that the vmemmap region needs
-to be relatively aligned with respect to the sparsemem section size, so that
-a sequence of page structs corresponding with a sparsemem section in the
-linear region appears naturally aligned in the vmemmap region.
-
-So round up vmemmap to sparsemem section size. Since this essentially moves
-the projection of the linear region up in memory, also revert the reduction
-of the size of the vmemmap region.
-
-Fixes: dfd55ad85e4a ("arm64: vmemmap: use virtual projection of linear region")
-Tested-by: Mark Langsdorf <mlangsdo@redhat.com>
-Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
----
- arch/arm64/include/asm/pgtable.h | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h
-index fc9f7ef..eaa9cab 100644
---- a/arch/arm64/include/asm/pgtable.h
-+++ b/arch/arm64/include/asm/pgtable.h
-@@ -40,7 +40,7 @@
- * VMALLOC_END: extends to the available space below vmmemmap, PCI I/O space,
- * fixed mappings and modules
- */
--#define VMEMMAP_SIZE ALIGN((1UL << (VA_BITS - PAGE_SHIFT - 1)) * sizeof(struct page), PUD_SIZE)
-+#define VMEMMAP_SIZE ALIGN((1UL << (VA_BITS - PAGE_SHIFT)) * sizeof(struct page), PUD_SIZE)
-
- #ifndef CONFIG_KASAN
- #define VMALLOC_START (VA_START)
-@@ -52,7 +52,8 @@
- #define VMALLOC_END (PAGE_OFFSET - PUD_SIZE - VMEMMAP_SIZE - SZ_64K)
-
- #define VMEMMAP_START (VMALLOC_END + SZ_64K)
--#define vmemmap ((struct page *)VMEMMAP_START - (memstart_addr >> PAGE_SHIFT))
-+#define vmemmap ((struct page *)VMEMMAP_START - \
-+ SECTION_ALIGN_DOWN(memstart_addr >> PAGE_SHIFT))
-
- #define FIRST_USER_ADDRESS 0UL
-
---
-2.5.0
-
diff --git a/0001-cdc-acm-fix-NULL-pointer-reference.patch b/0001-cdc-acm-fix-NULL-pointer-reference.patch
new file mode 100644
index 000000000..3d63411c0
--- /dev/null
+++ b/0001-cdc-acm-fix-NULL-pointer-reference.patch
@@ -0,0 +1,46 @@
+From 29c6dd591bbd592472247441de9fa694acdabae8 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 7 Jan 2016 11:01:00 +0100
+Subject: [PATCH] cdc-acm: fix NULL pointer reference
+
+The union descriptor must be checked. Its usage was conditional
+before the parser was introduced. This is important, because
+many RNDIS device, which also use the common parser, have
+bogus extra descriptors.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Tested-by: Vasily Galkin <galkin-vv@yandex.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/usb/cdc_ether.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
+index 3da70bf..7cba2c3 100644
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -160,6 +160,12 @@ int usbnet_generic_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
+ info->u = header.usb_cdc_union_desc;
+ info->header = header.usb_cdc_header_desc;
+ info->ether = header.usb_cdc_ether_desc;
++ if (!info->u) {
++ if (rndis)
++ goto skip;
++ else /* in that case a quirk is mandatory */
++ goto bad_desc;
++ }
+ /* we need a master/control interface (what we're
+ * probed with) and a slave/data interface; union
+ * descriptors sort this all out.
+@@ -256,7 +262,7 @@ skip:
+ goto bad_desc;
+ }
+
+- } else if (!info->header || !info->u || (!rndis && !info->ether)) {
++ } else if (!info->header || (!rndis && !info->ether)) {
+ dev_dbg(&intf->dev, "missing cdc %s%s%sdescriptor\n",
+ info->header ? "" : "header ",
+ info->u ? "" : "union ",
+--
+2.5.0
+
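Review bot: The file name, the Subject line and the Patch662/changelog labels all say `cdc-acm`, yet the only change is in drivers/net/usb/cdc_ether.c (usbnet_generic_cdc_bind), so anyone searching this spec for a cdc_ether crash will not find it; the upstream Subject has to stay as is, but the Fedora-side comment should name the real driver, e.g. `#rhbz 1316719 - cdc_ether: reject missing union descriptor (upstream subject says cdc-acm)`. The NULL dereference guarded by the new `if (!info->u)` block is reached with descriptors supplied by the attached USB device ("bogus extra descriptors" per the message), i.e. a plugged-in device can crash the host, which is worth stating in the changelog entry. After the change, the `info->u ? "" : "union "` operand in the dev_dbg below the edited condition can no longer select "union " on that path — harmless, but now dead. usbnet_generic_cdc_bind starts and ends outside the hunk.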
diff --git a/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
new file mode 100644
index 000000000..ac8e71c72
--- /dev/null
+++ b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
@@ -0,0 +1,59 @@
+From 94c78c81df3056e573fb84000a32512e9c16e555 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Thu, 10 Mar 2016 08:49:02 -0500
+Subject: [PATCH] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU
+ devices
+
+A Fedora user reports that the ftdi_sio driver works properly for the
+ICP DAS I-7561U device. Further, the user manual for these devices
+instructs users to load the driver and add the ids using the sysfs
+interface.
+
+Add support for these in the driver directly so that the devices work
+out of the box instead of needing manual configuration.
+
+Reported-by: <thesource@mail.ru>
+CC: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/usb/serial/ftdi_sio.c | 4 ++++
+ drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 8c660ae401d8..b61f12160d37 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_table_combined[] = {
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
++ /* ICP DAS I-756xU devices */
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { } /* Terminating entry */
+ };
+
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
+index a84df2513994..a4ec24ce6a11 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -872,6 +872,14 @@
+ #define NOVITUS_BONO_E_PID 0x6010
+
+ /*
++ * ICPDAS I-756*U devices
++ */
++#define ICPDAS_VID 0x1b5c
++#define ICPDAS_I7560U_PID 0x0103
++#define ICPDAS_I7561U_PID 0x0104
++#define ICPDAS_I7563U_PID 0x0105
++
++/*
+ * RT Systems programming cables for various ham radios
+ */
+ #define RTSYSTEMS_VID 0x2100 /* Vendor ID */
+--
+2.5.0
+
diff --git a/cfg80211-wext-fix-message-ordering.patch b/cfg80211-wext-fix-message-ordering.patch
deleted file mode 100644
index 8d3cdfdda..000000000
--- a/cfg80211-wext-fix-message-ordering.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From cb150b9d23be6ee7f3a0fff29784f1c5b5ac514d Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 27 Jan 2016 13:29:34 +0100
-Subject: cfg80211/wext: fix message ordering
-
-Since cfg80211 frequently takes actions from its netdev notifier
-call, wireless extensions messages could still be ordered badly
-since the wext netdev notifier, since wext is built into the
-kernel, runs before the cfg80211 netdev notifier. For example,
-the following can happen:
-
-5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
- link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
-5: wlan1: <BROADCAST,MULTICAST,UP>
- link/ether
-
-when setting the interface down causes the wext message.
-
-To also fix this, export the wireless_nlevent_flush() function
-and also call it from the cfg80211 notifier.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
- include/net/iw_handler.h | 6 ++++++
- net/wireless/core.c | 2 ++
- net/wireless/wext-core.c | 3 ++-
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h
-index 8f81bbb..e0f4109 100644
---- a/include/net/iw_handler.h
-+++ b/include/net/iw_handler.h
-@@ -439,6 +439,12 @@ int dev_get_wireless_info(char *buffer, char **start, off_t offset, int length);
- /* Send a single event to user space */
- void wireless_send_event(struct net_device *dev, unsigned int cmd,
- union iwreq_data *wrqu, const char *extra);
-+#ifdef CONFIG_WEXT_CORE
-+/* flush all previous wext events - if work is done from netdev notifiers */
-+void wireless_nlevent_flush(void);
-+#else
-+static inline void wireless_nlevent_flush(void) {}
-+#endif
-
- /* We may need a function to send a stream of events to user space.
- * More on that later... */
-diff --git a/net/wireless/core.c b/net/wireless/core.c
-index b091551..8f0bac7 100644
---- a/net/wireless/core.c
-+++ b/net/wireless/core.c
-@@ -1147,6 +1147,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
- return NOTIFY_DONE;
- }
-
-+ wireless_nlevent_flush();
-+
- return NOTIFY_OK;
- }
-
-diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
-index 87dd619..b50ee5d 100644
---- a/net/wireless/wext-core.c
-+++ b/net/wireless/wext-core.c
-@@ -342,7 +342,7 @@ static const int compat_event_type_size[] = {
-
- /* IW event code */
-
--static void wireless_nlevent_flush(void)
-+void wireless_nlevent_flush(void)
- {
- struct sk_buff *skb;
- struct net *net;
-@@ -355,6 +355,7 @@ static void wireless_nlevent_flush(void)
- GFP_KERNEL);
- }
- }
-+EXPORT_SYMBOL_GPL(wireless_nlevent_flush);
-
- static int wext_netdev_notifier_call(struct notifier_block *nb,
- unsigned long state, void *ptr)
---
-cgit v0.12
-
diff --git a/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
new file mode 100644
index 000000000..48e4762e3
--- /dev/null
+++ b/ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
@@ -0,0 +1,97 @@
+From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Sun, 13 Mar 2016 23:28:00 -0400
+Subject: ipv4: Don't do expensive useless work during inetdev destroy.
+
+When an inetdev is destroyed, every address assigned to the interface
+is removed. And in this scenerio we do two pointless things which can
+be very expensive if the number of assigned interfaces is large:
+
+1) Address promotion. We are deleting all addresses, so there is no
+ point in doing this.
+
+2) A full nf conntrack table purge for every address. We only need to
+ do this once, as is already caught by the existing
+ masq_dev_notifier so masq_inet_event() can skip this.
+
+Reported-by: Solar Designer <solar@openwall.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
+---
+ net/ipv4/devinet.c | 4 ++++
+ net/ipv4/fib_frontend.c | 4 ++++
+ net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++--
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 65e76a4..e333bc8 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
+
+ ASSERT_RTNL();
+
++ if (in_dev->dead)
++ goto no_promotions;
++
+ /* 1. Deleting primary ifaddr forces deletion all secondaries
+ * unless alias promotion is set
+ **/
+@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
+ fib_del_ifaddr(ifa, ifa1);
+ }
+
++no_promotions:
+ /* 2. Unlink it */
+
+ *ifap = ifa1->ifa_next;
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 4734475..21add55 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
+ subnet = 1;
+ }
+
++ if (in_dev->dead)
++ goto no_promotions;
++
+ /* Deletion is more complicated than add.
+ * We should take care of not to delete too much :-)
+ *
+@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
+ }
+ }
+
++no_promotions:
+ if (!(ok & BRD_OK))
+ fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
+ if (subnet && ifa->ifa_prefixlen < 31) {
+diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+index c6eb421..ea91058 100644
+--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this,
+ unsigned long event,
+ void *ptr)
+ {
+- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
++ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
+ struct netdev_notifier_info info;
+
+- netdev_notifier_info_init(&info, dev);
++ /* The masq_dev_notifier will catch the case of the device going
++ * down. So if the inetdev is dead and being destroyed we have
++ * no work to do. Otherwise this is an individual address removal
++ * and we have to perform the flush.
++ */
++ if (idev->dead)
++ return NOTIFY_DONE;
++
++ netdev_notifier_info_init(&info, idev->dev);
+ return masq_device_event(this, event, &info);
+ }
+
+--
+cgit v0.12
+
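Review bot: The new `goto no_promotions` at the top of fib_del_ifaddr skips everything between it and the label, including whatever sets `ok`, yet `no_promotions:` falls straight into `if (!(ok & BRD_OK))` and the subnet delete below it; that is only safe if `ok` is zero-initialised above the hunk, which cannot be seen here — confirm, because on the dead path it now drives unconditional fib_magic(RTM_DELROUTE) calls. Both fib_del_ifaddr and __inet_del_ifa start and end outside their hunks. The masq_inet_event change makes the single flush done by masq_dev_notifier load-bearing, and the two `in_dev->dead` early jumps carry no explanation at all; a one-line comment at each, e.g. `/* device is being destroyed: every address goes, so skip promotion */`, would tie the three checks to the same invariant.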
diff --git a/kernel.spec b/kernel.spec
index 9fbc59ea4..38f802232 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
%define stable_rc 0
# Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -628,10 +628,6 @@ Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
#rhbz 1278942
Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
-#rhbz 1302037
-Patch644: wext-fix-message-delay-ordering.patch
-Patch645: cfg80211-wext-fix-message-ordering.patch
-
#rhbz 1255325
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
@@ -644,8 +640,20 @@ Patch659: pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
#rhbz 1310252 1313318
Patch660: 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
-#Fix for known arm64 breakage. No bugzilla becuase proactivity \o/
-Patch661: 0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
+#rhbz 1316719
+Patch662: 0001-cdc-acm-fix-NULL-pointer-reference.patch
+
+#rhbz 1316136
+Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
+
+#CVE-2016-3135 rhbz 1317386 1317387
+Patch664: netfilter-x_tables-check-for-size-overflow.patch
+
+#CVE-2016-3134 rhbz 1317383 1317384
+Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
+
+#CVE-2016-3135 rhbz 1318172 1318270
+Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
# END OF PATCH DEFINITIONS
%endif
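Review bot: Patch664 and Patch666 are both labelled `#CVE-2016-3135`, but they fix unrelated issues — the x_tables size overflow and the ipv4 inetdev-destroy DoS — so one of the two tags is wrong, and the same duplication is repeated in this commit's ApplyPatch comments and changelog entries. The rhbz numbers differ (1317386/1317387 vs 1318172/1318270), so the ipv4 patch presumably has its own CVE; check the bug and correct the tag, e.g. `#CVE-2016-3156 rhbz 1318172 1318270` if that is what the bug records. Mislabelled CVE tags propagate into the RPM changelog and from there into vulnerability scanners, so this should be fixed before the build is tagged.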
@@ -1323,10 +1331,6 @@ ApplyPatch PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
#rhbz 1278942
ApplyPatch media-ivtv-avoid-going-past-input-audio-array.patch
-#rhbz 1302037
-ApplyPatch wext-fix-message-delay-ordering.patch
-ApplyPatch cfg80211-wext-fix-message-ordering.patch
-
#rhbz 1255325
ApplyPatch HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
@@ -1339,7 +1343,20 @@ ApplyPatch pipe-limit-the-per-user-amount-of-pages-allocated-in.patch
#rhbz 1310252 1313318
ApplyPatch 0001-drm-i915-Pretend-cursor-is-always-on-for-ILK-style-W.patch
-ApplyPatch 0001-arm64-account-for-sparsemem-section-alignment-when-c.patch
+ApplyPatch 0001-cdc-acm-fix-NULL-pointer-reference.patch
+
+#rhbz 1316136
+ApplyPatch USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
+
+#CVE-2016-3135 rhbz 1317386 1317387
+ApplyPatch netfilter-x_tables-check-for-size-overflow.patch
+
+#CVE-2016-3134 rhbz 1317383 1317384
+ApplyPatch netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
+
+#CVE-2016-3135 rhbz 1318172 1318270
+ApplyPatch ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
+
# END OF PATCH APPLICATIONS
%endif
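Review bot: The `ApplyPatch 0001-cdc-acm-fix-NULL-pointer-reference.patch` line is the only new ApplyPatch in this hunk without a bug tag, while its Patch662 definition carries `#rhbz 1316719`; every other new line here mirrors its definition's comment. Add `#rhbz 1316719` above it so the apply section stays greppable by bug number and consistent with the definition block.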
@@ -2189,6 +2206,25 @@ fi
#
#
%changelog
+* Wed Mar 16 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-200
+- Linux v4.4.6
+
+* Wed Mar 16 2016 Laura Abbott <labbott@redhat.com>
+- Revert patch causing radeon breakage (rhbz 1317300 1317179)
+
+* Wed Mar 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3135 ipv4: DoS when destroying a network interface (rhbz 1318172 1318270)
+
+* Mon Mar 14 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3134 netfilter: missing bounds check in ipt_entry struct (rhbz 1317383 1317384)
+- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
+
+* Fri Mar 11 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Add patch for ICP DAS I-756xU devices (rhbz 1316136)
+
+* Thu Mar 10 2016 Laura Abbott <labbott@redhat.com>
+- cdc-acm: fix NULL pointer reference (rhbz 1316719)
+
* Wed Mar 09 2016 Laura Abbott <labbott@redhat.com> - 4.4.5-200
- Linux v4.4.5
- Fix for known arm64 bootup issue
diff --git a/netfilter-x_tables-check-for-size-overflow.patch b/netfilter-x_tables-check-for-size-overflow.patch
new file mode 100644
index 000000000..81e3d36fa
--- /dev/null
+++ b/netfilter-x_tables-check-for-size-overflow.patch
@@ -0,0 +1,31 @@
+Subject: [PATCH nf] netfilter: x_tables: check for size overflow
+From: Florian Westphal <fw () strlen ! de>
+Date: 2016-03-10 0:56:23
+
+Ben Hawkes says:
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can
+ lead to small structure allocation and a copy_from_user based heap
+ corruption.
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/netfilter/x_tables.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index c8a0b7d..17a9a9f 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
+ struct xt_table_info *info = NULL;
+ size_t sz = sizeof(*info) + size;
+
++ if (sz < sizeof(*info))
++ return NULL;
++
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+ return NULL;
+--
+2.4.10
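Review bot: This patch carries no upstream commit id — unlike the other patches added in this commit, its header is a mailing-list post (`[PATCH nf]`, obfuscated author address, no `From <sha>` line), so what is shipped is a pre-merge revision that may differ from the commit that finally lands in nf.git and -stable. Record the final commit hash in the patch header or the Patch664 comment once it is merged, and re-diff against it. The check `if (sz < sizeof(*info))` only catches `sizeof(*info) + size` wrapping, which for an `unsigned int` size can only happen on 32-bit, so its purpose deserves a comment at the check, e.g. `/* size is user-supplied; on 32-bit sz can wrap to a tiny allocation */`. xt_alloc_table_info continues outside the hunk.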
diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
new file mode 100644
index 000000000..ebfe1716f
--- /dev/null
+++ b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
@@ -0,0 +1,150 @@
+Subject: [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values
+From: Florian Westphal <fw () strlen ! de>
+Date: 2016-03-10 0:56:02
+
+Ben Hawkes says:
+
+ In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
+ is possible for a user-supplied ipt_entry structure to have a large
+ next_offset field. This field is not bounds checked prior to writing a
+ counter value at the supplied offset.
+
+Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
+is out of bounds, assuming this is the last entry.
+
+With malformed data thats not necessarily the case so we can
+write outside of allocated area later as we might not have walked the
+entire blob.
+
+Fix this by simplifying mark_source_chains -- it already has to check
+if nextoff is in range to catch invalid jumps, so just do the check
+when we move to a next entry as well.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/ipv4/netfilter/arp_tables.c | 16 ++++++++--------
+ net/ipv4/netfilter/ip_tables.c | 15 ++++++++-------
+ net/ipv6/netfilter/ip6_tables.c | 13 ++++++-------
+ 3 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index b488cac..5a0b591 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+
+ /* Move along one */
+ size = e->next_offset;
++
++ if (pos + size > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct arpt_entry *)
+ (entry0 + pos + size);
+ e->counters.pcnt = pos;
+@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ newpos >= 0) {
+- if (newpos > newinfo->size -
+- sizeof(struct arpt_entry)) {
+- duprintf("mark_source_chains: "
+- "bad verdict (%i)\n",
+- newpos);
+- return 0;
+- }
+-
+ /* This a jump; chase it. */
+ duprintf("Jump rule %u -> %u\n",
+ pos, newpos);
+@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ /* ... this is a fallthru */
+ newpos = pos + e->next_offset;
+ }
++
++ if (newpos > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct arpt_entry *)
+ (entry0 + newpos);
+ e->counters.pcnt = pos;
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index b99affa..ceb995f 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+
+ /* Move along one */
+ size = e->next_offset;
++
++ if (pos + size > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct ipt_entry *)
+ (entry0 + pos + size);
+ e->counters.pcnt = pos;
+@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ newpos >= 0) {
+- if (newpos > newinfo->size -
+- sizeof(struct ipt_entry)) {
+- duprintf("mark_source_chains: "
+- "bad verdict (%i)\n",
+- newpos);
+- return 0;
+- }
+ /* This a jump; chase it. */
+ duprintf("Jump rule %u -> %u\n",
+ pos, newpos);
+@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ /* ... this is a fallthru */
+ newpos = pos + e->next_offset;
+ }
++
++ if (newpos > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct ipt_entry *)
+ (entry0 + newpos);
+ e->counters.pcnt = pos;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 99425cf..d88a794 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
+
+ /* Move along one */
+ size = e->next_offset;
++ if (pos + size > newinfo->size - sizeof(*e))
++ return 0;
+ e = (struct ip6t_entry *)
+ (entry0 + pos + size);
+ e->counters.pcnt = pos;
+@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ if (strcmp(t->target.u.user.name,
+ XT_STANDARD_TARGET) == 0 &&
+ newpos >= 0) {
+- if (newpos > newinfo->size -
+- sizeof(struct ip6t_entry)) {
+- duprintf("mark_source_chains: "
+- "bad verdict (%i)\n",
+- newpos);
+- return 0;
+- }
+ /* This a jump; chase it. */
+ duprintf("Jump rule %u -> %u\n",
+ pos, newpos);
+@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ /* ... this is a fallthru */
+ newpos = pos + e->next_offset;
+ }
++
++ if (newpos > newinfo->size - sizeof(*e))
++ return 0;
++
+ e = (struct ip6t_entry *)
+ (entry0 + newpos);
+ e->counters.pcnt = pos;
+--
+2.4.10
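Review bot: The new checks only bound where the next entry starts — `pos + size` and `newpos` must leave room for one entry header — they do not require `newpos` to coincide with the start of an entry that the earlier sequential walk validated, so a verdict pointing into the middle of an entry still passes and the `e->counters.pcnt` write and `t->target.u.user.name` read then operate on misinterpreted bytes; if no other pass enforces that jump targets are entry boundaries, that check belongs here. The rewrite also silently drops the `duprintf("bad verdict")` diagnostic the removed code printed, which makes a rejected ruleset harder to debug; keep a `duprintf` before each new `return 0`. The ip6_tables copy inserts its check without the surrounding blank lines the arp_tables and ip_tables copies use — cosmetic, but the three should match. mark_source_chains begins and ends outside every hunk.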
diff --git a/sources b/sources
index 81332263b..680e50713 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
9a78fa2eb6c68ca5a40ed5af08142599 linux-4.4.tar.xz
dcbc8fe378a676d5d0dd208cf524e144 perf-man-4.4.tar.gz
-edddb33405ea1ab02b90eb9cecaa43f6 patch-4.4.5.xz
+d48f09bf61f2500d70f839e190dc7c5a patch-4.4.6.xz
diff --git a/wext-fix-message-delay-ordering.patch b/wext-fix-message-delay-ordering.patch
deleted file mode 100644
index 109b68da3..000000000
--- a/wext-fix-message-delay-ordering.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 27 Jan 2016 12:37:52 +0100
-Subject: wext: fix message delay/ordering
-
-Beniamino reported that he was getting an RTM_NEWLINK message for a
-given interface, after the RTM_DELLINK for it. It turns out that the
-message is a wireless extensions message, which was sent because the
-interface had been connected and disconnection while it was deleted
-caused a wext message.
-
-For its netlink messages, wext uses RTM_NEWLINK, but the message is
-without all the regular rtnetlink attributes, so "ip monitor link"
-prints just rudimentary information:
-
-5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
- link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
-Deleted 5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
- link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
-5: wlan1: <BROADCAST,MULTICAST,UP>
- link/ether
-(from my hwsim reproduction)
-
-This can cause userspace to get confused since it doesn't expect an
-RTM_NEWLINK message after RTM_DELLINK.
-
-The reason for this is that wext schedules a worker to send out the
-messages, and the scheduling delay can cause the messages to get out
-to userspace in different order.
-
-To fix this, have wext register a netdevice notifier and flush out
-any pending messages when netdevice state changes. This fixes any
-ordering whenever the original message wasn't sent by a notifier
-itself.
-
-Cc: stable@vger.kernel.org
-Reported-by: Beniamino Galvani <bgalvani@redhat.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
- net/wireless/wext-core.c | 51 +++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 40 insertions(+), 11 deletions(-)
-
-diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
-index c8717c1..87dd619 100644
---- a/net/wireless/wext-core.c
-+++ b/net/wireless/wext-core.c
-@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = {
-
- /* IW event code */
-
-+static void wireless_nlevent_flush(void)
-+{
-+ struct sk_buff *skb;
-+ struct net *net;
-+
-+ ASSERT_RTNL();
-+
-+ for_each_net(net) {
-+ while ((skb = skb_dequeue(&net->wext_nlevents)))
-+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
-+ GFP_KERNEL);
-+ }
-+}
-+
-+static int wext_netdev_notifier_call(struct notifier_block *nb,
-+ unsigned long state, void *ptr)
-+{
-+ /*
-+ * When a netdev changes state in any way, flush all pending messages
-+ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
-+ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
-+ * or similar - all of which could otherwise happen due to delays from
-+ * schedule_work().
-+ */
-+ wireless_nlevent_flush();
-+
-+ return NOTIFY_OK;
-+}
-+
-+static struct notifier_block wext_netdev_notifier = {
-+ .notifier_call = wext_netdev_notifier_call,
-+};
-+
- static int __net_init wext_pernet_init(struct net *net)
- {
- skb_queue_head_init(&net->wext_nlevents);
-@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = {
-
- static int __init wireless_nlevent_init(void)
- {
-- return register_pernet_subsys(&wext_pernet_ops);
-+ int err = register_pernet_subsys(&wext_pernet_ops);
-+
-+ if (err)
-+ return err;
-+
-+ return register_netdevice_notifier(&wext_netdev_notifier);
- }
-
- subsys_initcall(wireless_nlevent_init);
-@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init);
- /* Process events generated by the wireless layer or the driver. */
- static void wireless_nlevent_process(struct work_struct *work)
- {
-- struct sk_buff *skb;
-- struct net *net;
--
- rtnl_lock();
--
-- for_each_net(net) {
-- while ((skb = skb_dequeue(&net->wext_nlevents)))
-- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
-- GFP_KERNEL);
-- }
--
-+ wireless_nlevent_flush();
- rtnl_unlock();
- }
-
---
-cgit v0.12
-