Merge remote-tracking branch 'origin/master' into f24-user-thl-vanilla-rawhidekernel-4.5.0-1.vanilla.knurd.1.fc24

9 files changed, 332 insertions, 71 deletions

diff --git a/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
new file mode 100644
index 000000000..ac8e71c72
--- /dev/null
+++ b/USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
@@ -0,0 +1,59 @@
+From 94c78c81df3056e573fb84000a32512e9c16e555 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Thu, 10 Mar 2016 08:49:02 -0500
+Subject: [PATCH] USB: serial: ftdi_sio: Add support for ICP DAS I-756xU
+ devices
+
+A Fedora user reports that the ftdi_sio driver works properly for the
+ICP DAS I-7561U device.  Further, the user manual for these devices
+instructs users to load the driver and add the ids using the sysfs
+interface.
+
+Add support for these in the driver directly so that the devices work
+out of the box instead of needing manual configuration.
+
+Reported-by: <thesource@mail.ru>
+CC: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/usb/serial/ftdi_sio.c     | 4 ++++
+ drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
+index 8c660ae401d8..b61f12160d37 100644
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1004,6 +1004,10 @@ static const struct usb_device_id id_table_combined[] = {
+ 	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
+ 	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
+ 	{ USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
++	/* ICP DAS I-756xU devices */
++	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
++	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
++	{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ 	{ }					/* Terminating entry */
+ };
+ 
+diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
+index a84df2513994..a4ec24ce6a11 100644
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -872,6 +872,14 @@
+ #define NOVITUS_BONO_E_PID		0x6010
+ 
+ /*
++ * ICPDAS I-756*U devices
++ */
++#define ICPDAS_VID				0x1b5c
++#define ICPDAS_I7560U_PID			0x0103
++#define ICPDAS_I7561U_PID			0x0104
++#define ICPDAS_I7563U_PID			0x0105
++
++/*
+  * RT Systems programming cables for various ham radios
+  */
+ #define RTSYSTEMS_VID		0x2100	/* Vendor ID */
+-- 
+2.5.0
+
diff --git a/config-generic b/config-generic
index 0e8f19219..a970c6577 100644
--- a/config-generic
+++ b/config-generic
@@ -1825,13 +1825,13 @@ CONFIG_B43_PCMCIA=y
 CONFIG_B43_SDIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BCMA_PIO=y
-CONFIG_B43_DEBUG=y
+# CONFIG_B43_DEBUG is not set
 CONFIG_B43_PHY_LP=y
 CONFIG_B43_PHY_N=y
 CONFIG_B43_PHY_HT=y
 CONFIG_B43_PHY_G=y
 CONFIG_B43LEGACY=m
-CONFIG_B43LEGACY_DEBUG=y
+# CONFIG_B43LEGACY_DEBUG is not set
 CONFIG_B43LEGACY_DMA=y
 CONFIG_B43LEGACY_PIO=y
 CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@@ -5132,7 +5132,7 @@ CONFIG_PM_DEBUG=y
 # CONFIG_DPM_WATCHDOG is not set # revisit this in debug
 CONFIG_PM_TRACE=y
 CONFIG_PM_TRACE_RTC=y
-CONFIG_PM_TEST_SUSPEND=y
+# CONFIG_PM_TEST_SUSPEND is not set
 # CONFIG_PM_OPP is not set
 # CONFIG_PM_AUTOSLEEP is not set
 # CONFIG_PM_WAKELOCKS is not set
diff --git a/config-nodebug b/config-nodebug
index 3a2eee381..c173637a2 100644
--- a/config-nodebug
+++ b/config-nodebug
@@ -2,101 +2,101 @@ CONFIG_SND_VERBOSE_PRINTK=y
 CONFIG_SND_DEBUG=y
 CONFIG_SND_PCM_XRUN_DEBUG=y
 
-CONFIG_DEBUG_ATOMIC_SLEEP=y
-
-CONFIG_DEBUG_MUTEXES=y
-CONFIG_DEBUG_RT_MUTEXES=y
-CONFIG_DEBUG_LOCK_ALLOC=y
-CONFIG_LOCK_TORTURE_TEST=m
-CONFIG_PROVE_LOCKING=y
-CONFIG_DEBUG_SPINLOCK=y
-CONFIG_PROVE_RCU=y
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_PROVE_RCU is not set
 # CONFIG_PROVE_RCU_REPEATEDLY is not set
-CONFIG_DEBUG_PER_CPU_MAPS=y
+# CONFIG_DEBUG_PER_CPU_MAPS is not set
 CONFIG_CPUMASK_OFFSTACK=y
 
-CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
+# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
 
-CONFIG_FAULT_INJECTION=y
-CONFIG_FAILSLAB=y
-CONFIG_FAIL_PAGE_ALLOC=y
-CONFIG_FAIL_MAKE_REQUEST=y
-CONFIG_FAULT_INJECTION_DEBUG_FS=y
-CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
-CONFIG_FAIL_IO_TIMEOUT=y
-CONFIG_FAIL_MMC_REQUEST=y
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_FAILSLAB is not set
+# CONFIG_FAIL_PAGE_ALLOC is not set
+# CONFIG_FAIL_MAKE_REQUEST is not set
+# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
+# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
+# CONFIG_FAIL_IO_TIMEOUT is not set
+# CONFIG_FAIL_MMC_REQUEST is not set
 
-CONFIG_LOCK_STAT=y
+# CONFIG_LOCK_STAT is not set
 
-CONFIG_DEBUG_STACK_USAGE=y
+# CONFIG_DEBUG_STACK_USAGE is not set
 
-CONFIG_ACPI_DEBUG=y
+# CONFIG_ACPI_DEBUG is not set
 # CONFIG_ACPI_DEBUGGER is not set
 
-CONFIG_DEBUG_SG=y
-CONFIG_DEBUG_PI_LIST=y
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_PI_LIST is not set
 
 # CONFIG_PAGE_EXTENSION is not set
 # CONFIG_PAGE_OWNER is not set
 # CONFIG_DEBUG_PAGEALLOC is not set
 
-CONFIG_DEBUG_OBJECTS=y
+# CONFIG_DEBUG_OBJECTS is not set
 # CONFIG_DEBUG_OBJECTS_SELFTEST is not set
-CONFIG_DEBUG_OBJECTS_FREE=y
-CONFIG_DEBUG_OBJECTS_TIMERS=y
-CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
+# CONFIG_DEBUG_OBJECTS_FREE is not set
+# CONFIG_DEBUG_OBJECTS_TIMERS is not set
+# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
 CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
 
 CONFIG_X86_PTDUMP=y
-CONFIG_ARM64_PTDUMP=y
-CONFIG_EFI_PGT_DUMP=y
+# CONFIG_ARM64_PTDUMP is not set
+# CONFIG_EFI_PGT_DUMP is not set
 
-CONFIG_CAN_DEBUG_DEVICES=y
+# CONFIG_CAN_DEBUG_DEVICES is not set
 
-CONFIG_MODULE_FORCE_UNLOAD=y
+# CONFIG_MODULE_FORCE_UNLOAD is not set
 
 
-CONFIG_DEBUG_NOTIFIERS=y
+# CONFIG_DEBUG_NOTIFIERS is not set
 
-CONFIG_DMA_API_DEBUG=y
+# CONFIG_DMA_API_DEBUG is not set
 
-CONFIG_MMIOTRACE=y
+# CONFIG_MMIOTRACE is not set
 
-CONFIG_DEBUG_CREDENTIALS=y
+# CONFIG_DEBUG_CREDENTIALS is not set
 
 # off in both production debug and nodebug builds,
 #  on in rawhide nodebug builds
-CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
 
-CONFIG_EXT4_DEBUG=y
+# CONFIG_EXT4_DEBUG is not set
 
 # CONFIG_XFS_WARN is not set
 
-CONFIG_DEBUG_PERF_USE_VMALLOC=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
 
-CONFIG_JBD2_DEBUG=y
+# CONFIG_JBD2_DEBUG is not set
 
-CONFIG_NFSD_FAULT_INJECTION=y
+# CONFIG_NFSD_FAULT_INJECTION is not set
 
-CONFIG_DEBUG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
 
-CONFIG_DRBD_FAULT_INJECTION=y
+# CONFIG_DRBD_FAULT_INJECTION is not set
 
-CONFIG_ATH_DEBUG=y
-CONFIG_CARL9170_DEBUGFS=y
-CONFIG_IWLWIFI_DEVICE_TRACING=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_CARL9170_DEBUGFS is not set
+# CONFIG_IWLWIFI_DEVICE_TRACING is not set
 
 # CONFIG_RTLWIFI_DEBUG is not set
 
-CONFIG_DEBUG_OBJECTS_WORK=y
+# CONFIG_DEBUG_OBJECTS_WORK is not set
 
-CONFIG_DMADEVICES_DEBUG=y
+# CONFIG_DMADEVICES_DEBUG is not set
 # CONFIG_DMADEVICES_VDEBUG is not set
 
 CONFIG_PM_ADVANCED_DEBUG=y
 
-CONFIG_CEPH_LIB_PRETTYDEBUG=y
-CONFIG_QUOTA_DEBUG=y
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+# CONFIG_QUOTA_DEBUG is not set
 
 
 CONFIG_KGDB_KDB=y
@@ -104,19 +104,19 @@ CONFIG_KDB_DEFAULT_ENABLE=0x0
 CONFIG_KDB_KEYBOARD=y
 CONFIG_KDB_CONTINUE_CATASTROPHIC=0
 
-CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
+# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
 # CONFIG_PERCPU_TEST is not set
-CONFIG_TEST_LIST_SORT=y
+# CONFIG_TEST_LIST_SORT is not set
 # CONFIG_TEST_STRING_HELPERS is not set
 
-CONFIG_DETECT_HUNG_TASK=y
+# CONFIG_DETECT_HUNG_TASK is not set
 CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
-CONFIG_WQ_WATCHDOG=y
+# CONFIG_WQ_WATCHDOG is not set
 
-CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
+# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
 
-CONFIG_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
 CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
@@ -127,4 +127,4 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
 
 # CONFIG_SPI_DEBUG is not set
 
-CONFIG_X86_DEBUG_STATIC_CPU_HAS=y
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
diff --git a/config-x86-generic b/config-x86-generic
index 4815913be..10a3a126b 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -377,7 +377,7 @@ CONFIG_SP5100_TCO=m
 
 # CONFIG_MEMTEST is not set
 # CONFIG_DEBUG_TLBFLUSH is not set
-CONFIG_MAXSMP=y
+# CONFIG_MAXSMP is not set
 
 
 CONFIG_HP_ILO=m
diff --git a/gitrev b/gitrev
index fe30586f1..9391263df 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-7f02bf6b5f5de90b7a331759b5364e41c0f39bf9
+f2c1242194c7af9b26f53359ab2b23df36d3a643
diff --git a/kernel.spec b/kernel.spec
index fb7463a7f..1902bbb4c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -6,7 +6,7 @@ Summary: The Linux kernel
 # For a stable, released kernel, released_kernel should be 1. For rawhide
 # and/or a kernel built from an rc or git snapshot, released_kernel should
 # be 0.
-%global released_kernel 0
+%global released_kernel 1
 
 # Sign modules on x86.  Make sure the config files match this setting if more
 # architectures are added.
@@ -50,7 +50,7 @@ Summary: The Linux kernel
 # base_sublevel is the kernel version we're starting with and patching
 # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base,
 # which yields a base_sublevel of 0.
-%define base_sublevel 4
+%define base_sublevel 5
 
 ## If this is a released kernel ##
 %if 0%{?released_kernel}
@@ -75,9 +75,9 @@ Summary: The Linux kernel
 # The next upstream release sublevel (base_sublevel+1)
 %define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
 # The rc snapshot level
-%define rcrev 7
+%define rcrev 0
 # The git snapshot level
-%define gitrev 2
+%define gitrev 0
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -133,7 +133,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 #  and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 0
+%define debugbuildsenabled 1
 
 # Want to build a vanilla kernel build without any non-upstream patches?
 %define with_vanilla %{?_without_vanilla: 0} %{?!_without_vanilla: 1}
@@ -630,6 +630,15 @@ Patch648: 0001-mm-CONFIG_NR_ZONES_EXTENDED.patch
 #rhbz 1312102
 Patch649: perf-tools-Fix-python-extension-build.patch
 
+#rhbz 1316136
+Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
+
+#CVE-2016-3135 rhbz 1317386 1317387
+Patch664: netfilter-x_tables-check-for-size-overflow.patch
+
+#CVE-2016-3134 rhbz 1317383 1317384
+Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2154,6 +2163,20 @@ fi
 #
 # 
 %changelog
+* Mon Mar 14 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-1
+- Linux v4.5
+- Disable debugging options.
+
+* Mon Mar 14 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3134 netfilter: missing bounds check in ipt_entry struct (rhbz 1317383 1317384)
+- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
+
+* Fri Mar 11 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Add patch for ICP DAS I-756xU devices (rhbz 1316136)
+
+* Thu Mar 10 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc7.git3.1
+- Linux v4.5-rc7-215-gf2c1242
+
 * Wed Mar 09 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc7.git2.1
 - Linux v4.5-rc7-159-g7f02bf6
 
diff --git a/netfilter-x_tables-check-for-size-overflow.patch b/netfilter-x_tables-check-for-size-overflow.patch
new file mode 100644
index 000000000..81e3d36fa
--- /dev/null
+++ b/netfilter-x_tables-check-for-size-overflow.patch
@@ -0,0 +1,31 @@
+Subject:    [PATCH nf] netfilter: x_tables: check for size overflow
+From:       Florian Westphal <fw () strlen ! de>
+Date:       2016-03-10 0:56:23
+
+Ben Hawkes says:
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can
+ lead to small structure allocation and a copy_from_user based heap
+ corruption.
+
+Reported-by: Ben Hawkes <hawkes@google.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/netfilter/x_tables.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index c8a0b7d..17a9a9f 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
+ 	struct xt_table_info *info = NULL;
+ 	size_t sz = sizeof(*info) + size;
+ 
++	if (sz < sizeof(*info))
++		return NULL;
++
+ 	/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ 	if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+ 		return NULL;
+-- 
+2.4.10
diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
new file mode 100644
index 000000000..ebfe1716f
--- /dev/null
+++ b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
@@ -0,0 +1,150 @@
+Subject:    [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values
+From:       Florian Westphal <fw () strlen ! de>
+Date:       2016-03-10 0:56:02
+
+Ben Hawkes says:
+
+ In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
+ is possible for a user-supplied ipt_entry structure to have a large
+ next_offset field. This field is not bounds checked prior to writing a
+ counter value at the supplied offset.
+
+Problem is that xt_entry_foreach() macro stops iterating once e->next_offset
+is out of bounds, assuming this is the last entry.
+
+With malformed data thats not necessarily the case so we can
+write outside of allocated area later as we might not have walked the
+entire blob.
+
+Fix this by simplifying mark_source_chains -- it already has to check
+if nextoff is in range to catch invalid jumps, so just do the check
+when we move to a next entry as well.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/ipv4/netfilter/arp_tables.c | 16 ++++++++--------
+ net/ipv4/netfilter/ip_tables.c  | 15 ++++++++-------
+ net/ipv6/netfilter/ip6_tables.c | 13 ++++++-------
+ 3 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index b488cac..5a0b591 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ 
+ 				/* Move along one */
+ 				size = e->next_offset;
++
++				if (pos + size > newinfo->size - sizeof(*e))
++					return 0;
++
+ 				e = (struct arpt_entry *)
+ 					(entry0 + pos + size);
+ 				e->counters.pcnt = pos;
+@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ 				if (strcmp(t->target.u.user.name,
+ 					   XT_STANDARD_TARGET) == 0 &&
+ 				    newpos >= 0) {
+-					if (newpos > newinfo->size -
+-						sizeof(struct arpt_entry)) {
+-						duprintf("mark_source_chains: "
+-							"bad verdict (%i)\n",
+-								newpos);
+-						return 0;
+-					}
+-
+ 					/* This a jump; chase it. */
+ 					duprintf("Jump rule %u -> %u\n",
+ 						 pos, newpos);
+@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ 					/* ... this is a fallthru */
+ 					newpos = pos + e->next_offset;
+ 				}
++
++				if (newpos > newinfo->size - sizeof(*e))
++					return 0;
++
+ 				e = (struct arpt_entry *)
+ 					(entry0 + newpos);
+ 				e->counters.pcnt = pos;
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index b99affa..ceb995f 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 
+ 				/* Move along one */
+ 				size = e->next_offset;
++
++				if (pos + size > newinfo->size - sizeof(*e))
++					return 0;
++
+ 				e = (struct ipt_entry *)
+ 					(entry0 + pos + size);
+ 				e->counters.pcnt = pos;
+@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 				if (strcmp(t->target.u.user.name,
+ 					   XT_STANDARD_TARGET) == 0 &&
+ 				    newpos >= 0) {
+-					if (newpos > newinfo->size -
+-						sizeof(struct ipt_entry)) {
+-						duprintf("mark_source_chains: "
+-							"bad verdict (%i)\n",
+-								newpos);
+-						return 0;
+-					}
+ 					/* This a jump; chase it. */
+ 					duprintf("Jump rule %u -> %u\n",
+ 						 pos, newpos);
+@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 					/* ... this is a fallthru */
+ 					newpos = pos + e->next_offset;
+ 				}
++
++				if (newpos > newinfo->size - sizeof(*e))
++					return 0;
++
+ 				e = (struct ipt_entry *)
+ 					(entry0 + newpos);
+ 				e->counters.pcnt = pos;
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 99425cf..d88a794 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 
+ 				/* Move along one */
+ 				size = e->next_offset;
++				if (pos + size > newinfo->size - sizeof(*e))
++					return 0;
+ 				e = (struct ip6t_entry *)
+ 					(entry0 + pos + size);
+ 				e->counters.pcnt = pos;
+@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 				if (strcmp(t->target.u.user.name,
+ 					   XT_STANDARD_TARGET) == 0 &&
+ 				    newpos >= 0) {
+-					if (newpos > newinfo->size -
+-						sizeof(struct ip6t_entry)) {
+-						duprintf("mark_source_chains: "
+-							"bad verdict (%i)\n",
+-								newpos);
+-						return 0;
+-					}
+ 					/* This a jump; chase it. */
+ 					duprintf("Jump rule %u -> %u\n",
+ 						 pos, newpos);
+@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 					/* ... this is a fallthru */
+ 					newpos = pos + e->next_offset;
+ 				}
++
++				if (newpos > newinfo->size - sizeof(*e))
++					return 0;
++
+ 				e = (struct ip6t_entry *)
+ 					(entry0 + newpos);
+ 				e->counters.pcnt = pos;
+-- 
+2.4.10
diff --git a/sources b/sources
index 0695297d3..4d9a84fe2 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,2 @@
-9a78fa2eb6c68ca5a40ed5af08142599  linux-4.4.tar.xz
-dcbc8fe378a676d5d0dd208cf524e144  perf-man-4.4.tar.gz
-78a23c8a117f99bbe8f45bdd0183cf18  patch-4.5-rc7.xz
-6fb09377dd2cd1acddc7f23dadbfafa5  patch-4.5-rc7-git2.xz
+a60d48eee08ec0536d5efb17ca819aef  linux-4.5.tar.xz
+6f557fe90b800b615c85c2ca04da6154  perf-man-4.5.tar.gz