Hello community,
here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-05-31 12:12:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kernel-source (Old)
and /work/SRC/openSUSE:Factory/.kernel-source.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source"
Wed May 31 12:12:08 2017 rev:366 rq:498347 version:4.11.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-05-24 16:46:10.290004909 +0200
+++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-05-31 12:12:10.076551223 +0200
@@ -1,0 +2,65 @@
+Thu May 25 19:55:04 CEST 2017 - jslaby@suse.cz
+
+- Linux 4.11.3 (CVE-2017-7487 bnc#1012628 bsc#1038879).
+- Delete
+ patches.fixes/ipx-call-ipxitf_put-in-ioctl-error-path.patch.
+- commit 7262353
+
+-------------------------------------------------------------------
+Thu May 25 18:39:12 CEST 2017 - tiwai@suse.de
+
+- Refresh patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork.
+ Update patch-mainline and git-commit tags.
+- commit 2182e18
+
+-------------------------------------------------------------------
+Wed May 24 13:34:41 CEST 2017 - mkubecek@suse.cz
+
+- ipv6/dccp: do not inherit ipv6_mc_list from parent
+ (CVE-2017-9076 CVE-2017-9077 bsc#1039885 bsc#1040069).
+- commit fcae12e
+
+-------------------------------------------------------------------
+Wed May 24 13:30:56 CEST 2017 - mkubecek@suse.cz
+
+- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
+ (CVE-2017-9075 bsc#1039883).
+- commit 9f0e1bf
+
+-------------------------------------------------------------------
+Wed May 24 13:22:36 CEST 2017 - mkubecek@suse.cz
+
+- ipv6: Check ip6_find_1stfragopt() return value properly
+ (CVE-2017-9074 bsc#1039882).
+- ipv6: Prevent overrun when parsing v6 header options
+ (CVE-2017-9074 bsc#1039882).
+- commit 1862833
+
+-------------------------------------------------------------------
+Wed May 24 13:17:31 CEST 2017 - mkubecek@suse.cz
+
+- ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487
+ bsc#1038879).
+- commit 01283ea
+
+-------------------------------------------------------------------
+Wed May 24 11:36:31 CEST 2017 - mkubecek@suse.cz
+
+- dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890
+ bsc#1038544).
+- commit cedfd44
+
+-------------------------------------------------------------------
+Tue May 23 16:57:08 CEST 2017 - tiwai@suse.de
+
+- crypto: skcipher - Add missing API setkey checks
+ (bsc#1040389,CVE-2017-9211).
+- commit a536fda
+
+-------------------------------------------------------------------
+Tue May 23 07:52:52 CEST 2017 - tiwai@suse.de
+
+- ptrace: Properly initialize ptracer_cred on fork (bsc#1040041).
+- commit 24082da
+
+-------------------------------------------------------------------
dtb-armv6l.changes: same change
dtb-armv7l.changes: same change
kernel-64kb.changes: same change
kernel-debug.changes: same change
kernel-default.changes: same change
kernel-docs.changes: same change
kernel-lpae.changes: same change
kernel-obs-build.changes: same change
kernel-obs-qa.changes: same change
kernel-pae.changes: same change
kernel-source.changes: same change
kernel-syms.changes: same change
kernel-syzkaller.changes: same change
kernel-vanilla.changes: same change
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ dtb-aarch64.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.051143258 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.055142694 +0200
@@ -17,7 +17,7 @@
%define srcversion 4.11
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -29,9 +29,9 @@
%(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,find-provides,find-requires,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb})
Name: dtb-aarch64
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
dtb-armv6l.spec: same change
dtb-armv7l.spec: same change
++++++ kernel-64kb.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.143130274 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.143130274 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.11
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel with 64kb PAGE_SIZE
License: GPL-2.0
Group: System/Kernel
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
kernel-debug.spec: same change
kernel-default.spec: same change
++++++ kernel-docs.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.215120112 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.219119548 +0200
@@ -16,7 +16,7 @@
#
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -42,9 +42,9 @@
Summary: Kernel Documentation (man pages)
License: GPL-2.0
Group: Documentation/Man
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
++++++ kernel-lpae.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.239116725 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.243116161 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.11
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel for LPAE enabled systems
License: GPL-2.0
Group: System/Kernel
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
++++++ kernel-obs-build.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.267112773 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.271112209 +0200
@@ -19,7 +19,7 @@
#!BuildIgnore: post-build-checks
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%define vanilla_only 0
@@ -57,9 +57,9 @@
Summary: package kernel and initrd for OBS VM builds
License: GPL-2.0
Group: SLES
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
++++++ kernel-obs-qa.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.295108822 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.299108257 +0200
@@ -17,7 +17,7 @@
# needsrootforbuild
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%include %_sourcedir/kernel-spec-macros
@@ -36,9 +36,9 @@
Summary: Basic QA tests for the kernel
License: GPL-2.0
Group: SLES
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
++++++ kernel-pae.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.327104305 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.331103741 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.11
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel with PAE Support
License: GPL-2.0
Group: System/Kernel
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
++++++ kernel-source.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.351100918 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.355100354 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.11
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%define vanilla_only 0
@@ -30,9 +30,9 @@
Summary: The Linux Kernel Sources
License: GPL-2.0
Group: Development/Sources
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
++++++ kernel-syms.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.379096966 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.379096966 +0200
@@ -24,10 +24,10 @@
Summary: Kernel Symbol Versions (modversions)
License: GPL-2.0
Group: Development/Sources
-Version: 4.11.2
+Version: 4.11.3
%if %using_buildservice
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
++++++ kernel-syzkaller.spec ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:20.407093015 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:20.407093015 +0200
@@ -18,7 +18,7 @@
%define srcversion 4.11
-%define patchversion 4.11.2
+%define patchversion 4.11.3
%define variant %{nil}
%define vanilla_only 0
@@ -58,9 +58,9 @@
Summary: Kernel used for fuzzing by syzkaller
License: GPL-2.0
Group: System/Kernel
-Version: 4.11.2
+Version: 4.11.3
%if 0%{?is_kotd}
-Release: <RELEASE>.g03903d8
+Release: <RELEASE>.g7262353
%else
Release: 0
%endif
kernel-vanilla.spec: same change
++++++ patches.fixes.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks new/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks
--- old/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks 2017-05-25 19:55:04.000000000 +0200
@@ -0,0 +1,77 @@
+From 9933e113c2e87a9f46a40fde8dafbf801dca1ab9 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Wed, 10 May 2017 03:48:23 +0800
+Subject: [PATCH] crypto: skcipher - Add missing API setkey checks
+Git-commit: 9933e113c2e87a9f46a40fde8dafbf801dca1ab9
+Patch-mainline: 4.12-rc3
+References: bsc#1040389,CVE-2017-9211
+
+The API setkey checks for key sizes and alignment went AWOL during the
+skcipher conversion. This patch restores them.
+
+Cc:
+Fixes: 4e6c3df4d729 ("crypto: skcipher - Add low-level skcipher...")
+Reported-by: Baozeng
+Signed-off-by: Herbert Xu
+Acked-by: Takashi Iwai
+
+---
+ crypto/skcipher.c | 40 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+--- a/crypto/skcipher.c
++++ b/crypto/skcipher.c
+@@ -764,6 +764,44 @@ static int crypto_init_skcipher_ops_ablk
+ return 0;
+ }
+
++static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm,
++ const u8 *key, unsigned int keylen)
++{
++ unsigned long alignmask = crypto_skcipher_alignmask(tfm);
++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
++ u8 *buffer, *alignbuffer;
++ unsigned long absize;
++ int ret;
++
++ absize = keylen + alignmask;
++ buffer = kmalloc(absize, GFP_ATOMIC);
++ if (!buffer)
++ return -ENOMEM;
++
++ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
++ memcpy(alignbuffer, key, keylen);
++ ret = cipher->setkey(tfm, alignbuffer, keylen);
++ kzfree(buffer);
++ return ret;
++}
++
++static int skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key,
++ unsigned int keylen)
++{
++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
++ unsigned long alignmask = crypto_skcipher_alignmask(tfm);
++
++ if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) {
++ crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
++ return -EINVAL;
++ }
++
++ if ((unsigned long)key & alignmask)
++ return skcipher_setkey_unaligned(tfm, key, keylen);
++
++ return cipher->setkey(tfm, key, keylen);
++}
++
+ static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm)
+ {
+ struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
+@@ -784,7 +822,7 @@ static int crypto_skcipher_init_tfm(stru
+ tfm->__crt_alg->cra_type == &crypto_givcipher_type)
+ return crypto_init_skcipher_ops_ablkcipher(tfm);
+
+- skcipher->setkey = alg->setkey;
++ skcipher->setkey = skcipher_setkey;
+ skcipher->encrypt = alg->encrypt;
+ skcipher->decrypt = alg->decrypt;
+ skcipher->ivsize = alg->ivsize;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch new/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
--- old/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200
@@ -0,0 +1,45 @@
+From: Eric Dumazet
+Date: Tue, 9 May 2017 06:29:19 -0700
+Subject: dccp/tcp: do not inherit mc_list from parent
+Patch-mainline: v4.12-rc1
+Git-commit: 657831ffc38e30092a2d5f03d385d710eb88b09a
+References: CVE-2017-8890 bsc#1038544
+
+syzkaller found a way to trigger double frees from ip_mc_drop_socket()
+
+It turns out that leave a copy of parent mc_list at accept() time,
+which is very bad.
+
+Very similar to commit 8b485ce69876 ("tcp: do not inherit
+fastopen_req from parent")
+
+Initial report from Pray3r, completed by Andrey one.
+Thanks a lot to them !
+
+Signed-off-by: Eric Dumazet
+Reported-by: Pray3r
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/ipv4/inet_connection_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 5e313c1ac94f..1054d330bf9d 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
+ /* listeners have SOCK_RCU_FREE, not the children */
+ sock_reset_flag(newsk, SOCK_RCU_FREE);
+
++ inet_sk(newsk)->mc_list = NULL;
++
+ newsk->sk_mark = inet_rsk(req)->ir_mark;
+ atomic64_set(&newsk->sk_cookie,
+ atomic64_read(&inet_rsk(req)->ir_cookie));
+--
+2.13.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch new/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
--- old/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch 2017-05-25 19:55:04.000000000 +0200
@@ -0,0 +1,96 @@
+From: "David S. Miller"
+Date: Wed, 17 May 2017 22:54:11 -0400
+Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
+Patch-mainline: v4.12-rc2
+Git-commit: 7dd7eb9513bd02184d45f000ab69d78cb1fa1531
+References: CVE-2017-9074 bsc#1039882
+
+Do not use unsigned variables to see if it returns a negative
+error or not.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Julia Lawall
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/ipv6/ip6_offload.c | 9 ++++-----
+ net/ipv6/ip6_output.c | 7 +++----
+ net/ipv6/udp_offload.c | 8 +++++---
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index eab36abc9f22..280268f1dd7b 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ const struct net_offload *ops;
+ int proto;
+ struct frag_hdr *fptr;
+- unsigned int unfrag_ip6hlen;
+ unsigned int payload_len;
+ u8 *prevhdr;
+ int offset = 0;
+@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ skb->network_header = (u8 *)ipv6h - skb->head;
+
+ if (udpfrag) {
+- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+- if (unfrag_ip6hlen < 0)
+- return ERR_PTR(unfrag_ip6hlen);
+- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
++ int err = ip6_find_1stfragopt(skb, &prevhdr);
++ if (err < 0)
++ return ERR_PTR(err);
++ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+ fptr->frag_off = htons(offset);
+ if (skb->next)
+ fptr->frag_off |= htons(IP6_MF);
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 01deecda2f84..d4a31becbd25 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -597,11 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ int ptr, offset = 0, err = 0;
+ u8 *prevhdr, nexthdr = 0;
+
+- hlen = ip6_find_1stfragopt(skb, &prevhdr);
+- if (hlen < 0) {
+- err = hlen;
++ err = ip6_find_1stfragopt(skb, &prevhdr);
++ if (err < 0)
+ goto fail;
+- }
++ hlen = err;
+ nexthdr = *prevhdr;
+
+ mtu = ip6_skb_dst_mtu(skb);
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index b348cff47395..a2267f80febb 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ u8 frag_hdr_sz = sizeof(struct frag_hdr);
+ __wsum csum;
+ int tnl_hlen;
++ int err;
+
+ mss = skb_shinfo(skb)->gso_size;
+ if (unlikely(skb->len <= mss))
+@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ /* Find the unfragmentable header and shift it left by frag_hdr_sz
+ * bytes to insert fragment header.
+ */
+- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+- if (unfrag_ip6hlen < 0)
+- return ERR_PTR(unfrag_ip6hlen);
++ err = ip6_find_1stfragopt(skb, &prevhdr);
++ if (err < 0)
++ return ERR_PTR(err);
++ unfrag_ip6hlen = err;
+ nexthdr = *prevhdr;
+ *prevhdr = NEXTHDR_FRAGMENT;
+ unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
+--
+2.13.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch new/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
--- old/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch 2017-05-25 19:55:04.000000000 +0200
@@ -0,0 +1,235 @@
+From: Craig Gallek
+Date: Tue, 16 May 2017 14:36:23 -0400
+Subject: ipv6: Prevent overrun when parsing v6 header options
+Patch-mainline: v4.12-rc2
+Git-commit: 2423496af35d94a87156b063ea5cedffc10a70a1
+References: CVE-2017-9074 bsc#1039882
+
+The KASAN warning repoted below was discovered with a syzkaller
+program. The reproducer is basically:
+ int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
+ send(s, &one_byte_of_data, 1, MSG_MORE);
+ send(s, &more_than_mtu_bytes_data, 2000, 0);
+
+The socket() call sets the nexthdr field of the v6 header to
+NEXTHDR_HOP, the first send call primes the payload with a non zero
+byte of data, and the second send call triggers the fragmentation path.
+
+The fragmentation code tries to parse the header options in order
+to figure out where to insert the fragment option. Since nexthdr points
+to an invalid option, the calculation of the size of the network header
+can made to be much larger than the linear section of the skb and data
+is read outside of it.
+
+This fix makes ip6_find_1stfrag return an error if it detects
+running out-of-bounds.
+
+[ 42.361487] ==================================================================
+[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
+[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
+[ 42.366469]
+[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
+[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
+[ 42.368824] Call Trace:
+[ 42.369183] dump_stack+0xb3/0x10b
+[ 42.369664] print_address_description+0x73/0x290
+[ 42.370325] kasan_report+0x252/0x370
+[ 42.370839] ? ip6_fragment+0x11c8/0x3730
+[ 42.371396] check_memory_region+0x13c/0x1a0
+[ 42.371978] memcpy+0x23/0x50
+[ 42.372395] ip6_fragment+0x11c8/0x3730
+[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110
+[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0
+[ 42.374263] ? ip6_forward+0x2e30/0x2e30
+[ 42.374803] ip6_finish_output+0x584/0x990
+[ 42.375350] ip6_output+0x1b7/0x690
+[ 42.375836] ? ip6_finish_output+0x990/0x990
+[ 42.376411] ? ip6_fragment+0x3730/0x3730
+[ 42.376968] ip6_local_out+0x95/0x160
+[ 42.377471] ip6_send_skb+0xa1/0x330
+[ 42.377969] ip6_push_pending_frames+0xb3/0xe0
+[ 42.378589] rawv6_sendmsg+0x2051/0x2db0
+[ 42.379129] ? rawv6_bind+0x8b0/0x8b0
+[ 42.379633] ? _copy_from_user+0x84/0xe0
+[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290
+[ 42.380878] ? ___sys_sendmsg+0x162/0x930
+[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120
+[ 42.382074] ? sock_has_perm+0x1f6/0x290
+[ 42.382614] ? ___sys_sendmsg+0x167/0x930
+[ 42.383173] ? lock_downgrade+0x660/0x660
+[ 42.383727] inet_sendmsg+0x123/0x500
+[ 42.384226] ? inet_sendmsg+0x123/0x500
+[ 42.384748] ? inet_recvmsg+0x540/0x540
+[ 42.385263] sock_sendmsg+0xca/0x110
+[ 42.385758] SYSC_sendto+0x217/0x380
+[ 42.386249] ? SYSC_connect+0x310/0x310
+[ 42.386783] ? __might_fault+0x110/0x1d0
+[ 42.387324] ? lock_downgrade+0x660/0x660
+[ 42.387880] ? __fget_light+0xa1/0x1f0
+[ 42.388403] ? __fdget+0x18/0x20
+[ 42.388851] ? sock_common_setsockopt+0x95/0xd0
+[ 42.389472] ? SyS_setsockopt+0x17f/0x260
+[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe
+[ 42.390650] SyS_sendto+0x40/0x50
+[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe
+[ 42.391731] RIP: 0033:0x7fbbb711e383
+[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
+[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
+[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
+[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
+[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
+[ 42.397257]
+[ 42.397411] Allocated by task 3789:
+[ 42.397702] save_stack_trace+0x16/0x20
+[ 42.398005] save_stack+0x46/0xd0
+[ 42.398267] kasan_kmalloc+0xad/0xe0
+[ 42.398548] kasan_slab_alloc+0x12/0x20
+[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380
+[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0
+[ 42.399654] __alloc_skb+0xf8/0x580
+[ 42.400003] sock_wmalloc+0xab/0xf0
+[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0
+[ 42.400813] ip6_append_data+0x1a8/0x2f0
+[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0
+[ 42.401505] inet_sendmsg+0x123/0x500
+[ 42.401860] sock_sendmsg+0xca/0x110
+[ 42.402209] ___sys_sendmsg+0x7cb/0x930
+[ 42.402582] __sys_sendmsg+0xd9/0x190
+[ 42.402941] SyS_sendmsg+0x2d/0x50
+[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe
+[ 42.403718]
+[ 42.403871] Freed by task 1794:
+[ 42.404146] save_stack_trace+0x16/0x20
+[ 42.404515] save_stack+0x46/0xd0
+[ 42.404827] kasan_slab_free+0x72/0xc0
+[ 42.405167] kfree+0xe8/0x2b0
+[ 42.405462] skb_free_head+0x74/0xb0
+[ 42.405806] skb_release_data+0x30e/0x3a0
+[ 42.406198] skb_release_all+0x4a/0x60
+[ 42.406563] consume_skb+0x113/0x2e0
+[ 42.406910] skb_free_datagram+0x1a/0xe0
+[ 42.407288] netlink_recvmsg+0x60d/0xe40
+[ 42.407667] sock_recvmsg+0xd7/0x110
+[ 42.408022] ___sys_recvmsg+0x25c/0x580
+[ 42.408395] __sys_recvmsg+0xd6/0x190
+[ 42.408753] SyS_recvmsg+0x2d/0x50
+[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe
+[ 42.409513]
+[ 42.409665] The buggy address belongs to the object at ffff88000969e780
+[ 42.409665] which belongs to the cache kmalloc-512 of size 512
+[ 42.410846] The buggy address is located 24 bytes inside of
+[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980)
+[ 42.411941] The buggy address belongs to the page:
+[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
+[ 42.413298] flags: 0x100000000008100(slab|head)
+[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
+[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
+[ 42.415074] page dumped because: kasan: bad access detected
+[ 42.415604]
+[ 42.415757] Memory state around the buggy address:
+[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 42.418273] ^
+[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 42.419882] ==================================================================
+
+Reported-by: Andrey Konovalov
+Signed-off-by: Craig Gallek
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/ipv6/ip6_offload.c | 2 ++
+ net/ipv6/ip6_output.c | 4 ++++
+ net/ipv6/output_core.c | 14 ++++++++------
+ net/ipv6/udp_offload.c | 2 ++
+ 4 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index 93e58a5e1837..eab36abc9f22 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -117,6 +117,8 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+
+ if (udpfrag) {
+ unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
++ if (unfrag_ip6hlen < 0)
++ return ERR_PTR(unfrag_ip6hlen);
+ fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
+ fptr->frag_off = htons(offset);
+ if (skb->next)
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 58f6288e9ba5..01deecda2f84 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -598,6 +598,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ u8 *prevhdr, nexthdr = 0;
+
+ hlen = ip6_find_1stfragopt(skb, &prevhdr);
++ if (hlen < 0) {
++ err = hlen;
++ goto fail;
++ }
+ nexthdr = *prevhdr;
+
+ mtu = ip6_skb_dst_mtu(skb);
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index cd4252346a32..e9065b8d3af8 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident);
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+ u16 offset = sizeof(struct ipv6hdr);
+- struct ipv6_opt_hdr *exthdr =
+- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
+ unsigned int packet_len = skb_tail_pointer(skb) -
+ skb_network_header(skb);
+ int found_rhdr = 0;
+ *nexthdr = &ipv6_hdr(skb)->nexthdr;
+
+- while (offset + 1 <= packet_len) {
++ while (offset <= packet_len) {
++ struct ipv6_opt_hdr *exthdr;
+
+ switch (**nexthdr) {
+
+@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ return offset;
+ }
+
+- offset += ipv6_optlen(exthdr);
+- *nexthdr = &exthdr->nexthdr;
++ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
++ return -EINVAL;
++
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
++ offset += ipv6_optlen(exthdr);
++ *nexthdr = &exthdr->nexthdr;
+ }
+
+- return offset;
++ return -EINVAL;
+ }
+ EXPORT_SYMBOL(ip6_find_1stfragopt);
+
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index ac858c480f2f..b348cff47395 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -91,6 +91,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ * bytes to insert fragment header.
+ */
+ unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
++ if (unfrag_ip6hlen < 0)
++ return ERR_PTR(unfrag_ip6hlen);
+ nexthdr = *prevhdr;
+ *prevhdr = NEXTHDR_FRAGMENT;
+ unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
+--
+2.13.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch new/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
--- old/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200
@@ -0,0 +1,68 @@
+From: WANG Cong
+Date: Tue, 9 May 2017 16:59:54 -0700
+Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
+Patch-mainline: v4.12-rc2
+Git-commit: 83eaddab4378db256d00d295bda6ca997cd13a52
+References: CVE-2017-9076 CVE-2017-9077 bsc#1039885 bsc#1040069
+
+Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
+we should clear ipv6_mc_list etc. for IPv6 sockets too.
+
+Cc: Eric Dumazet
+Signed-off-by: Cong Wang
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/dccp/ipv6.c | 6 ++++++
+ net/ipv6/tcp_ipv6.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index d9b6a4e403e7..b6bbb71e713e 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
+ newsk->sk_backlog_rcv = dccp_v4_do_rcv;
+ newnp->pktoptions = NULL;
+ newnp->opt = NULL;
++ newnp->ipv6_mc_list = NULL;
++ newnp->ipv6_ac_list = NULL;
++ newnp->ipv6_fl_list = NULL;
+ newnp->mcast_oif = inet6_iif(skb);
+ newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
+
+@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
+ /* Clone RX bits */
+ newnp->rxopt.all = np->rxopt.all;
+
++ newnp->ipv6_mc_list = NULL;
++ newnp->ipv6_ac_list = NULL;
++ newnp->ipv6_fl_list = NULL;
+ newnp->pktoptions = NULL;
+ newnp->opt = NULL;
+ newnp->mcast_oif = inet6_iif(skb);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 4c4afdca41ff..ff5f87641651 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1070,6 +1070,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
+ #endif
+
++ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
+ newnp->pktoptions = NULL;
+@@ -1139,6 +1140,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
+ First: no IPv4 options.
+ */
+ newinet->inet_opt = NULL;
++ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
+
+--
+2.13.0
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork new/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork
--- old/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork 2017-05-25 19:55:04.000000000 +0200
@@ -0,0 +1,114 @@
+From: "Eric W. Biederman"
+Date: Mon, 22 May 2017 16:04:48 -0500
+Subject: [PATCH] ptrace: Properly initialize ptracer_cred on fork
+Message-ID: <877f18txfz.fsf_-_@xmission.com>
+Patch-mainline: 4.12-rc3
+Git-commit: c70d9d809fdeecedb96972457ee45c49a232d97f
+References: bsc#1040041
+
+When I introduced ptracer_cred I failed to consider the weirdness of
+fork where the task_struct copies the old value by default. This
+winds up leaving ptracer_cred set even when a process forks and
+the child process does not wind up being ptraced.
+
+Because ptracer_cred is not set on non-ptraced processes whose
+parents were ptraced this has broken the ability of the enlightenment
+window manager to start setuid children.
+
+Fix this by properly initializing ptracer_cred in ptrace_init_task
+
+This must be done with a little bit of care to preserve the current value
+of ptracer_cred when ptrace carries through fork. Re-reading the
+ptracer_cred from the ptracing process at this point is inconsistent
+with how PT_PTRACE_CAP has been maintained all of these years.
+
+Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Takashi Iwai
+
+---
+ include/linux/ptrace.h | 7 +++++--
+ kernel/ptrace.c | 20 +++++++++++++-------
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+--- a/include/linux/ptrace.h
++++ b/include/linux/ptrace.h
+@@ -54,7 +54,8 @@ extern int ptrace_request(struct task_st
+ unsigned long addr, unsigned long data);
+ extern void ptrace_notify(int exit_code);
+ extern void __ptrace_link(struct task_struct *child,
+- struct task_struct *new_parent);
++ struct task_struct *new_parent,
++ const struct cred *ptracer_cred);
+ extern void __ptrace_unlink(struct task_struct *child);
+ extern void exit_ptrace(struct task_struct *tracer, struct list_head *dead);
+ #define PTRACE_MODE_READ 0x01
+@@ -206,7 +207,7 @@ static inline void ptrace_init_task(stru
+
+ if (unlikely(ptrace) && current->ptrace) {
+ child->ptrace = current->ptrace;
+- __ptrace_link(child, current->parent);
++ __ptrace_link(child, current->parent, current->ptracer_cred);
+
+ if (child->ptrace & PT_SEIZED)
+ task_set_jobctl_pending(child, JOBCTL_TRAP_STOP);
+@@ -215,6 +216,8 @@ static inline void ptrace_init_task(stru
+
+ set_tsk_thread_flag(child, TIF_SIGPENDING);
+ }
++ else
++ child->ptracer_cred = NULL;
+ }
+
+ /**
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -60,19 +60,25 @@ int ptrace_access_vm(struct task_struct
+ }
+
+
++void __ptrace_link(struct task_struct *child, struct task_struct *new_parent,
++ const struct cred *ptracer_cred)
++{
++ BUG_ON(!list_empty(&child->ptrace_entry));
++ list_add(&child->ptrace_entry, &new_parent->ptraced);
++ child->parent = new_parent;
++ child->ptracer_cred = get_cred(ptracer_cred);
++}
++
+ /*
+ * ptrace a task: make the debugger its new parent and
+ * move it to the ptrace list.
+ *
+ * Must be called with the tasklist lock write-held.
+ */
+-void __ptrace_link(struct task_struct *child, struct task_struct *new_parent)
++static void ptrace_link(struct task_struct *child, struct task_struct *new_parent)
+ {
+- BUG_ON(!list_empty(&child->ptrace_entry));
+- list_add(&child->ptrace_entry, &new_parent->ptraced);
+- child->parent = new_parent;
+ rcu_read_lock();
+- child->ptracer_cred = get_cred(__task_cred(new_parent));
++ __ptrace_link(child, new_parent, __task_cred(new_parent));
+ rcu_read_unlock();
+ }
+
+@@ -386,7 +392,7 @@ static int ptrace_attach(struct task_str
+ flags |= PT_SEIZED;
+ task->ptrace = flags;
+
+- __ptrace_link(task, current);
++ ptrace_link(task, current);
+
+ /* SEIZE doesn't trap tracee on attach */
+ if (!seize)
+@@ -459,7 +465,7 @@ static int ptrace_traceme(void)
+ */
+ if (!ret && !(current->real_parent->flags & PF_EXITING)) {
+ current->ptrace = PT_PTRACED;
+- __ptrace_link(current, current->real_parent);
++ ptrace_link(current, current->real_parent);
+ }
+ }
+ write_unlock_irq(&tasklist_lock);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch new/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
--- old/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch 1970-01-01 01:00:00.000000000 +0100
+++ new/patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch 2017-05-25 19:55:04.000000000 +0200
@@ -0,0 +1,37 @@
+From: Eric Dumazet
+Date: Wed, 17 May 2017 07:16:40 -0700
+Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
+Patch-mainline: v4.12-rc2
+Git-commit: fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
+References: CVE-2017-9075 bsc#1039883
+
+SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
+ipv6_mc_list from parent"), otherwise bad things can happen.
+
+Signed-off-by: Eric Dumazet
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: David S. Miller
+Acked-by: Michal Kubecek
+
+---
+ net/sctp/ipv6.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index 961ee59f696a..6d2349bc71a6 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -665,6 +665,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
+ newnp = inet6_sk(newsk);
+
+ memcpy(newnp, np, sizeof(struct ipv6_pinfo));
++ newnp->ipv6_mc_list = NULL;
++ newnp->ipv6_ac_list = NULL;
++ newnp->ipv6_fl_list = NULL;
+
+ rcu_read_lock();
+ opt = rcu_dereference(np->opt);
+--
+2.13.0
+
++++++ patches.kernel.org.tar.bz2 ++++++
++++ 7337 lines of diff (skipped)
++++++ series.conf ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:21.406951879 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:21.410951314 +0200
@@ -29,6 +29,7 @@
########################################################
patches.kernel.org/patch-4.11.1
patches.kernel.org/patch-4.11.1-2
+ patches.kernel.org/patch-4.11.2-3
########################################################
# Build fixes that apply to the vanilla kernel too.
@@ -212,6 +213,11 @@
########################################################
# Networking, IPv6
########################################################
+ patches.fixes/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
+ patches.fixes/ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
+ patches.fixes/ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
+ patches.fixes/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
+ patches.fixes/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
########################################################
# Netfilter
@@ -445,6 +451,8 @@
# Security stuff
#
##########################################################
+ patches.fixes/ptrace-Properly-initialize-ptracer_cred-on-fork
+ patches.fixes/crypto-skcipher-Add-missing-API-setkey-checks
##########################################################
# Audit
++++++ source-timestamp ++++++
--- /var/tmp/diff_new_pack.JFHDbz/_old 2017-05-31 12:12:21.450945669 +0200
+++ /var/tmp/diff_new_pack.JFHDbz/_new 2017-05-31 12:12:21.450945669 +0200
@@ -1,3 +1,3 @@
-2017-05-20 20:13:12 +0200
-GIT Revision: 03903d821e2bb9e4b3e4f22ed40fa0aa04789206
+2017-05-25 19:55:04 +0200
+GIT Revision: 72623535ffa1560169ca6cb8dc05802d2c18962a
GIT Branch: stable