4.4.6-201.fc22.gnu

18 files changed, 1048 insertions, 1 deletions

diff --git a/freed-ora/current/f22/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch b/freed-ora/current/f22/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
new file mode 100644
index 000000000..52b082b36
--- /dev/null
+++ b/freed-ora/current/f22/0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
@@ -0,0 +1,31 @@
+From cb6fcfe5a7e9197ceb7e9eec56e9c526e4e76354 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 14 Mar 2016 19:37:12 +0100
+Subject: [PATCH] Input: synaptics - handle spurious release of trackstick
+ buttons, again
+
+Looks like the fimware 8.2 stall has the extra buttons spurious release
+bug.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+---
+ drivers/input/mouse/synaptics.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
+index 6025eb4..4ef8d7a 100644
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -863,7 +863,8 @@ static void synaptics_report_ext_buttons(struct psmouse *psmouse,
+ 		return;
+ 
+ 	/* Bug in FW 8.1, buttons are reported only when ExtBit is 1 */
+-	if (SYN_ID_FULL(priv->identity) == 0x801 &&
++	if ((SYN_ID_FULL(priv->identity) == 0x801 ||
++	     SYN_ID_FULL(priv->identity) == 0x802) &&
+ 	    !((psmouse->packet[0] ^ psmouse->packet[3]) & 0x02))
+ 		return;
+ 
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch b/freed-ora/current/f22/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch
new file mode 100644
index 000000000..b6c446829
--- /dev/null
+++ b/freed-ora/current/f22/0001-uas-Limit-qdepth-at-the-scsi-host-level.patch
@@ -0,0 +1,45 @@
+From 79abe2bd501d628b165f323098d6972d69bd13d7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 16 Mar 2016 13:20:51 +0100
+Subject: [PATCH] uas: Limit qdepth at the scsi-host level
+
+Commit 64d513ac31bd ("scsi: use host wide tags by default") causes
+the scsi-core to queue more cmnds then we can handle on devices with
+multiple LUNs, limit the qdepth at the scsi-host level instead of
+per slave to fix this.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1315013
+Cc: stable@vger.kernel.org # 4.4.x and 4.5.x
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+---
+ drivers/usb/storage/uas.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index c90a7e4..b5cb7ab 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -800,7 +800,6 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ 	if (devinfo->flags & US_FL_BROKEN_FUA)
+ 		sdev->broken_fua = 1;
+ 
+-	scsi_change_queue_depth(sdev, devinfo->qdepth - 2);
+ 	return 0;
+ }
+ 
+@@ -932,6 +931,12 @@ static int uas_probe(struct usb_interface *intf, const struct usb_device_id *id)
+ 	if (result)
+ 		goto set_alt0;
+ 
++	/*
++	 * 1 tag is reserved for untagged commands +
++	 * 1 tag to avoid of by one errors in some bridge firmwares
++	 */
++	shost->can_queue = devinfo->qdepth - 2;
++
+ 	usb_set_intfdata(intf, shost);
+ 	result = scsi_add_host(shost, &intf->dev);
+ 	if (result)
+-- 
+2.7.3
+
diff --git a/freed-ora/current/f22/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch b/freed-ora/current/f22/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch
new file mode 100644
index 000000000..e2dbabe83
--- /dev/null
+++ b/freed-ora/current/f22/09-29-drm-udl-Use-unlocked-gem-unreferencing.patch
@@ -0,0 +1,58 @@
+From patchwork Mon Nov 23 09:32:42 2015
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [09/29] drm/udl: Use unlocked gem unreferencing
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+X-Patchwork-Id: 65722
+Message-Id: <1448271183-20523-10-git-send-email-daniel.vetter@ffwll.ch>
+To: DRI Development <dri-devel@lists.freedesktop.org>
+Cc: Daniel Vetter <daniel.vetter@intel.com>,
+ Daniel Vetter <daniel.vetter@ffwll.ch>,
+ Intel Graphics Development <intel-gfx@lists.freedesktop.org>,
+ Dave Airlie <airlied@redhat.com>
+Date: Mon, 23 Nov 2015 10:32:42 +0100
+
+For drm_gem_object_unreference callers are required to hold
+dev->struct_mutex, which these paths don't. Enforcing this requirement
+has become a bit more strict with
+
+commit ef4c6270bf2867e2f8032e9614d1a8cfc6c71663
+Author: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date:   Thu Oct 15 09:36:25 2015 +0200
+
+    drm/gem: Check locking in drm_gem_object_unreference
+
+Cc: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+---
+ drivers/gpu/drm/udl/udl_fb.c  | 2 +-
+ drivers/gpu/drm/udl/udl_gem.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
+index 200419d4d43c..18a2acbccb7d 100644
+--- a/drivers/gpu/drm/udl/udl_fb.c
++++ b/drivers/gpu/drm/udl/udl_fb.c
+@@ -538,7 +538,7 @@ static int udlfb_create(struct drm_fb_helper *helper,
+ out_destroy_fbi:
+ 	drm_fb_helper_release_fbi(helper);
+ out_gfree:
+-	drm_gem_object_unreference(&ufbdev->ufb.obj->base);
++	drm_gem_object_unreference_unlocked(&ufbdev->ufb.obj->base);
+ out:
+ 	return ret;
+ }
+diff --git a/drivers/gpu/drm/udl/udl_gem.c b/drivers/gpu/drm/udl/udl_gem.c
+index 2a0a784ab6ee..d7528e0d8442 100644
+--- a/drivers/gpu/drm/udl/udl_gem.c
++++ b/drivers/gpu/drm/udl/udl_gem.c
+@@ -52,7 +52,7 @@ udl_gem_create(struct drm_file *file,
+ 		return ret;
+ 	}
+ 
+-	drm_gem_object_unreference(&obj->base);
++	drm_gem_object_unreference_unlocked(&obj->base);
+ 	*handle_p = handle;
+ 	return 0;
+ }
diff --git a/freed-ora/current/f22/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch b/freed-ora/current/f22/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
new file mode 100644
index 000000000..801434a26
--- /dev/null
+++ b/freed-ora/current/f22/ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
@@ -0,0 +1,80 @@
+From 873156565ca67779bbf5a3475ccd08ea3bb92522 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 15:20:58 +0100
+Subject: [PATCH 2/2] ALSA: usb-audio: Add sanity checks for endpoint accesses
+
+Add some sanity check codes before actually accessing the endpoint via
+get_endpoint() in order to avoid the invalid access through a
+malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
+one place (snd_microii_spdif_default_get()), the validity of iface and
+altsetting index is checked as well.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/clock.c        | 2 ++
+ sound/usb/endpoint.c     | 3 +++
+ sound/usb/mixer_quirks.c | 4 ++++
+ sound/usb/pcm.c          | 2 ++
+ 4 files changed, 11 insertions(+)
+
+diff --git a/sound/usb/clock.c b/sound/usb/clock.c
+index 2ed260b10f6d..7ccbcaf6a147 100644
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -285,6 +285,8 @@ static int set_sample_rate_v1(struct snd_usb_audio *chip, int iface,
+ 	unsigned char data[3];
+ 	int err, crate;
+ 
++	if (get_iface_desc(alts)->bNumEndpoints < 1)
++		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	/* if endpoint doesn't have sampling rate control, bail out */
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index e6f71894ecdc..c2131b851602 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -415,6 +415,9 @@ exit_clear:
+  *
+  * New endpoints will be added to chip->ep_list and must be freed by
+  * calling snd_usb_endpoint_free().
++ *
++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
++ * bNumEndpoints > 1 beforehand.
+  */
+ struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
+ 					      struct usb_host_interface *alts,
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index d3608c0a29f3..2d724e3c4cc0 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1518,7 +1518,11 @@ static int snd_microii_spdif_default_get(struct snd_kcontrol *kcontrol,
+ 
+ 	/* use known values for that card: interface#1 altsetting#1 */
+ 	iface = usb_ifnum_to_if(chip->dev, 1);
++	if (!iface || iface->num_altsetting < 2)
++		return -EINVAL;
+ 	alts = &iface->altsetting[1];
++	if (get_iface_desc(alts)->bNumEndpoints < 1)
++		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	err = snd_usb_ctl_msg(chip->dev,
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index cdac5179db3f..4da64896df6d 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_audio *chip, int iface,
+ 	unsigned char data[1];
+ 	int err;
+ 
++	if (get_iface_desc(alts)->bNumEndpoints < 1)
++		return -EINVAL;
+ 	ep = get_endpoint(alts, 0)->bEndpointAddress;
+ 
+ 	data[0] = 1;
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch b/freed-ora/current/f22/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
new file mode 100644
index 000000000..37cdb213a
--- /dev/null
+++ b/freed-ora/current/f22/ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
@@ -0,0 +1,40 @@
+From b0bb5691b38e2f439b071e226bad9f699c33b77d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 12:09:10 +0100
+Subject: [PATCH 1/2] ALSA: usb-audio: Fix NULL dereference in
+ create_fixed_stream_quirk()
+
+create_fixed_stream_quirk() may cause a NULL-pointer dereference by
+accessing the non-existing endpoint when a USB device with a malformed
+USB descriptor is used.
+
+This patch avoids it simply by adding a sanity check of bNumEndpoints
+before the accesses.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/usb/quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index eef9b8e4b949..e128ca62eb44 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -177,6 +177,12 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ 	}
+ 	alts = &iface->altsetting[fp->altset_idx];
+ 	altsd = get_iface_desc(alts);
++	if (altsd->bNumEndpoints < 1) {
++		kfree(fp);
++		kfree(rate_table);
++		return -EINVAL;
++	}
++
+ 	fp->protocol = altsd->bInterfaceProtocol;
+ 
+ 	if (fp->datainterval == 0)
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch b/freed-ora/current/f22/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
new file mode 100644
index 000000000..c7a461de8
--- /dev/null
+++ b/freed-ora/current/f22/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
@@ -0,0 +1,107 @@
+From 0f8536022831faaba3a952fa633902d9686f535f Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 23 Mar 2016 15:53:07 -0400
+Subject: [PATCH] Input: ati_remote2: fix crashes on detecting device with
+ invalid descriptor
+
+The ati_remote2 driver expects at least two interfaces with one
+endpoint each. If given malicious descriptor that specify one
+interface or no endpoints, it will crash in the probe function.
+Ensure there is at least two interfaces and one endpoint for each
+interface before using it.
+
+The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
+index cfd58e87da26..cf5d1e8d92c7 100644
+--- a/drivers/input/misc/ati_remote2.c
++++ b/drivers/input/misc/ati_remote2.c
+@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	ar2->udev = udev;
+ 
++	/* Sanity check, first interface must have an endpoint */
++	if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
++		dev_err(&interface->dev,
++			"%s(): interface 0 must have an endpoint\n", __func__);
++		r = -ENODEV;
++		goto fail1;
++	}
+ 	ar2->intf[0] = interface;
+ 	ar2->ep[0] = &alt->endpoint[0].desc;
+ 
++	/* Sanity check, the device must have two interfaces */
+ 	ar2->intf[1] = usb_ifnum_to_if(udev, 1);
++	if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
++		dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
++			__func__, udev->actconfig->desc.bNumInterfaces);
++		r = -ENODEV;
++		goto fail1;
++	}
++
+ 	r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
+ 	if (r)
+ 		goto fail1;
++
++	/* Sanity check, second interface must have an endpoint */
+ 	alt = ar2->intf[1]->cur_altsetting;
++	if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
++		dev_err(&interface->dev,
++			"%s(): interface 1 must have an endpoint\n", __func__);
++		r = -ENODEV;
++		goto fail2;
++	}
+ 	ar2->ep[1] = &alt->endpoint[0].desc;
+ 
+ 	r = ati_remote2_urb_init(ar2);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	ar2->channel_mask = channel_mask;
+ 	ar2->mode_mask = mode_mask;
+ 
+ 	r = ati_remote2_setup(ar2, ar2->channel_mask);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
+ 	strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
+@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	r = ati_remote2_input_init(ar2);
+ 	if (r)
+-		goto fail3;
++		goto fail4;
+ 
+ 	usb_set_intfdata(interface, ar2);
+ 
+@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	return 0;
+ 
+- fail3:
++ fail4:
+ 	sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
+- fail2:
++ fail3:
+ 	ati_remote2_urb_cleanup(ar2);
++ fail2:
+ 	usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
+  fail1:
+ 	kfree(ar2);
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch b/freed-ora/current/f22/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
new file mode 100644
index 000000000..7de890e1b
--- /dev/null
+++ b/freed-ora/current/f22/USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
@@ -0,0 +1,38 @@
+From 0383ff3ba89d3e6c604138e3ba46685621d71f98 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 10:02:51 -0400
+Subject: [PATCH] USB: input: powermate: fix oops with malicious USB
+ descriptors
+
+The powermate driver expects at least one valid USB endpoint in its
+probe function.  If given malicious descriptors that specify 0 for
+the number of endpoints, it will crash.  Validate the number of
+endpoints on the interface before using them.
+
+The full report for this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/85
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/input/misc/powermate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c
+index 63b539d3daba..84909a12ff36 100644
+--- a/drivers/input/misc/powermate.c
++++ b/drivers/input/misc/powermate.c
+@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i
+ 	int error = -ENOMEM;
+ 
+ 	interface = intf->cur_altsetting;
++	if (interface->desc.bNumEndpoints < 1)
++		return -EINVAL;
++
+ 	endpoint = &interface->endpoint[0].desc;
+ 	if (!usb_endpoint_is_int_in(endpoint))
+ 		return -EIO;
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch b/freed-ora/current/f22/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
new file mode 100644
index 000000000..7df3af2b1
--- /dev/null
+++ b/freed-ora/current/f22/USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
@@ -0,0 +1,40 @@
+From 3620ebad64a327113bed34edefd45c3605086fc6 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 10:38:31 -0400
+Subject: [PATCH] USB: iowarrior: fix oops with malicious USB descriptors
+
+The iowarrior driver expects at least one valid endpoint.  If given
+malicious descriptors that specify 0 for the number of endpoints,
+it will crash in the probe function.  Ensure there is at least
+one endpoint on the interface before using it.
+
+The full report of this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/87
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ drivers/usb/misc/iowarrior.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
+index c6bfd13f6c92..1950e87b4219 100644
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface,
+ 	iface_desc = interface->cur_altsetting;
+ 	dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+ 
++	if (iface_desc->desc.bNumEndpoints < 1) {
++		dev_err(&interface->dev, "Invalid number of endpoints\n");
++		retval = -EINVAL;
++		goto error;
++	}
++
+ 	/* set up the endpoint information */
+ 	for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ 		endpoint = &iface_desc->endpoint[i].desc;
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/cdc-acm-more-sanity-checking.patch b/freed-ora/current/f22/cdc-acm-more-sanity-checking.patch
new file mode 100644
index 000000000..99ad43416
--- /dev/null
+++ b/freed-ora/current/f22/cdc-acm-more-sanity-checking.patch
@@ -0,0 +1,33 @@
+From e6a87f147002fa16adcbafebbc458ff90a463474 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 15 Mar 2016 10:14:04 +0100
+Subject: [PATCH] cdc-acm: more sanity checking
+
+An attack has become available which pretends to be a quirky
+device circumventing normal sanity checks and crashes the kernel
+by an insufficient number of interfaces. This patch adds a check
+to the code path for quirky devices.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+---
+ drivers/usb/class/cdc-acm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 26ca4f910cb0..a7732f80a912 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1113,6 +1113,9 @@ static int acm_probe(struct usb_interface *intf,
+ 	if (quirks == NO_UNION_NORMAL) {
+ 		data_interface = usb_ifnum_to_if(usb_dev, 1);
+ 		control_interface = usb_ifnum_to_if(usb_dev, 0);
++		/* we would crash */
++		if (!data_interface || !control_interface)
++			return -ENODEV;
+ 		goto skip_normal_probe;
+ 	}
+ 
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/cypress_m8-add-sanity-checking.patch b/freed-ora/current/f22/cypress_m8-add-sanity-checking.patch
new file mode 100644
index 000000000..fa8513f94
--- /dev/null
+++ b/freed-ora/current/f22/cypress_m8-add-sanity-checking.patch
@@ -0,0 +1,50 @@
+From f7a3aa353011e38e119adebd845b38551587a26a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 17 Mar 2016 16:25:33 +0100
+Subject: [PATCH] cypress_m8: add sanity checking
+
+An attack using missing endpoints exists.
+CVE-2016-3137
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+
+v1 - add sanity check
+v2 - add error logging
+v3 - correct error message
+---
+ drivers/usb/serial/cypress_m8.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
+index 01bf53392819..5e25443fe4ef 100644
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port)
+ 	struct usb_serial *serial = port->serial;
+ 	struct cypress_private *priv;
+ 
++	if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
++		dev_err(&port->dev, "A required endpoint is missing\n");
++		return -ENODEV;
++	}
++
+ 	priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
+ 	if (!priv)
+ 		return -ENOMEM;
+@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port)
+ 		cypress_set_termios(tty, port, &priv->tmp_termios);
+ 
+ 	/* setup the port and start reading from the device */
+-	if (!port->interrupt_in_urb) {
+-		dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
+-			__func__);
+-		return -1;
+-	}
+-
+ 	usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
+ 		usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
+ 		port->interrupt_in_urb->transfer_buffer,
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/digi_acceleport-do-sanity-checking-for-the-number-of.patch b/freed-ora/current/f22/digi_acceleport-do-sanity-checking-for-the-number-of.patch
new file mode 100644
index 000000000..eb060eb08
--- /dev/null
+++ b/freed-ora/current/f22/digi_acceleport-do-sanity-checking-for-the-number-of.patch
@@ -0,0 +1,70 @@
+From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Mon, 14 Mar 2016 15:53:38 +0100
+Subject: [PATCH v2] digi_acceleport: do sanity checking for the number of ports
+
+The driver can be crashed with devices that expose crafted
+descriptors with too few endpoints.
+See:
+http://seclists.org/bugtraq/2016/Mar/61
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+
+v1 - added sanity checks
+v2 - moved them to probe() to fix problems Johan pointed out
+---
+ drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
+index 12b0e67..dab1dcf 100644
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
+ static int digi_startup(struct usb_serial *serial)
+ {
+ 	struct digi_serial *serial_priv;
+-	int ret;
++	int ret = -ENODEV;
++	int i;
+ 
+ 	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
+ 	if (!serial_priv)
+@@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial)
+ 
+ 	spin_lock_init(&serial_priv->ds_serial_lock);
+ 	serial_priv->ds_oob_port_num = serial->type->num_ports;
++
++	/* Check whether the expected number of ports matches the device */
++	if (serial->num_ports < serial_priv->ds_oob_port_num)
++		goto error;
++	/* all features must be present */
++	for (i = 0; i < serial->type->num_ports + 1 ; i++) {
++		if (!serial->port[i]->read_urb)
++			goto error;
++		if (!serial->port[i]->write_urb)
++			goto error;
++	}
++
+ 	serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
+ 
+ 	ret = digi_port_init(serial_priv->ds_oob_port,
+ 						serial_priv->ds_oob_port_num);
+-	if (ret) {
+-		kfree(serial_priv);
+-		return ret;
+-	}
++	if (ret)
++		goto error;
+ 
+ 	usb_set_serial_data(serial, serial_priv);
+ 
+ 	return 0;
++error:
++	kfree(serial_priv);
++	return ret;
+ }
+ 
+ 
+-- 
+2.1.4
diff --git a/freed-ora/current/f22/ims-pcu-sanity-check-against-missing-interfaces.patch b/freed-ora/current/f22/ims-pcu-sanity-check-against-missing-interfaces.patch
new file mode 100644
index 000000000..827a2b7ee
--- /dev/null
+++ b/freed-ora/current/f22/ims-pcu-sanity-check-against-missing-interfaces.patch
@@ -0,0 +1,39 @@
+From a4200b7eb26271108586d3a7cf34a2f16d460e48 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 17 Mar 2016 15:10:47 +0100
+Subject: [PATCH] ims-pcu: sanity check against missing interfaces
+
+A malicious device missing interface can make the driver oops.
+Add sanity checking.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+---
+ drivers/input/misc/ims-pcu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
+index ac1fa5f44580..9c0ea36913b4 100644
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
+ 
+ 	pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
+ 					 union_desc->bMasterInterface0);
++	if (!pcu->ctrl_intf)
++		return -EINVAL;
+ 
+ 	alt = pcu->ctrl_intf->cur_altsetting;
+ 	pcu->ep_ctrl = &alt->endpoint[0].desc;
+@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc
+ 
+ 	pcu->data_intf = usb_ifnum_to_if(pcu->udev,
+ 					 union_desc->bSlaveInterface0);
++	if (!pcu->data_intf)
++		return -EINVAL;
+ 
+ 	alt = pcu->data_intf->cur_altsetting;
+ 	if (alt->desc.bNumEndpoints != 2) {
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch b/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch
new file mode 100644
index 000000000..849f607a5
--- /dev/null
+++ b/freed-ora/current/f22/input-gtco-fix-crash-on-detecting-device-without-end.patch
@@ -0,0 +1,49 @@
+Subject:    [PATCH] Input: gtco: fix crash on detecting device without endpoints
+From:       Vladis Dronov <vdronov@redhat.com>
+Date:       2016-03-18 18:35:00
+
+The gtco driver expects at least one valid endpoint. If given
+malicious descriptors that specify 0 for the number of endpoints,
+it will crash in the probe function. Ensure there is at least
+one endpoint on the interface before using it. Fix minor coding
+style issue.
+
+The full report of this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/86
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 3a7f3a4..7c18249 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 		goto err_free_buf;
+ 	}
+ 
++	/* Sanity check that a device has an endpoint */
++	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++		dev_err(&usbinterface->dev,
++			"Invalid number of endpoints\n");
++		error = -EINVAL;
++		goto err_free_urb;
++	}
++
+ 	/*
+ 	 * The endpoint is always altsetting 0, we know this since we know
+ 	 * this device only has one interrupt endpoint
+@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 	 * HID report descriptor
+ 	 */
+ 	if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+-				     HID_DEVICE_TYPE, &hid_desc) != 0){
++				     HID_DEVICE_TYPE, &hid_desc) != 0) {
+ 		dev_err(&usbinterface->dev,
+ 			"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ 		error = -EIO;
+-- 
+2.5.0
diff --git a/freed-ora/current/f22/kernel.spec b/freed-ora/current/f22/kernel.spec
index 7873b2dfc..d86f21397 100644
--- a/freed-ora/current/f22/kernel.spec
+++ b/freed-ora/current/f22/kernel.spec
@@ -40,7 +40,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 200
+%global baserelease 201
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -684,6 +684,52 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 #CVE-2016-3135 rhbz 1318172 1318270
 Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
 
+#CVE-2016-2184 rhbz 1317012 1317470
+Patch670: ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
+Patch671: ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
+
+#CVE-2016-3137 rhbz 1317010 1316996
+Patch672: cypress_m8-add-sanity-checking.patch
+
+#CVE-2016-2186 rhbz 1317015 1317464
+Patch673: USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
+
+#CVE-2016-2188 rhbz 1317018 1317467
+Patch674: USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
+
+#CVE-2016-2185 rhbz 1317014 1317471
+Patch675: usb_driver_claim_interface-add-sanity-checking.patch
+Patch669: Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
+
+#CVE-2016-3138 rhbz 1317010 1316204
+Patch676: cdc-acm-more-sanity-checking.patch
+
+#CVE-2016-3140 rhbz 1317010 1316995
+Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
+
+Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch
+
+#rhbz 1315013
+Patch679: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch
+
+#rhbz 1317190
+Patch680: thermal-fix.patch
+
+#rhbz 1318079
+Patch681: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
+
+#CVE-2016-2187 rhbz 1317017 1317010
+Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
+
+#CVE-2016-3136 rhbz 1317007 1317010
+Patch687: mct_u232-sanity-checking-in-probe.patch
+
+#rhbz 1295646
+Patch688: 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch
+
+# CVE-2016-3157 rhbz 1315711 1321948
+Patch689: x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
+
 # END OF PATCH DEFINITIONS
 %endif
 
@@ -1468,6 +1514,52 @@ ApplyPatch netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 #CVE-2016-3135 rhbz 1318172 1318270
 ApplyPatch ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
 
+#CVE-2016-2184 rhbz 1317012 1317470
+ApplyPatch ALSA-usb-audio-Fix-NULL-dereference-in-create_fixed_.patch
+ApplyPatch ALSA-usb-audio-Add-sanity-checks-for-endpoint-access.patch
+
+#CVE-2016-3137 rhbz 1317010 1316996
+ApplyPatch cypress_m8-add-sanity-checking.patch
+
+#CVE-2016-2186 rhbz 1317015 1317464
+ApplyPatch USB-input-powermate-fix-oops-with-malicious-USB-desc.patch
+
+#CVE-2016-2188 rhbz 1317018 1317467
+ApplyPatch USB-iowarrior-fix-oops-with-malicious-USB-descriptor.patch
+
+#CVE-2016-2185 rhbz 1317014 1317471
+ApplyPatch usb_driver_claim_interface-add-sanity-checking.patch
+ApplyPatch Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
+
+#CVE-2016-3138 rhbz 1317010 1316204
+ApplyPatch cdc-acm-more-sanity-checking.patch
+
+#CVE-2016-3140 rhbz 1317010 1316995
+ApplyPatch digi_acceleport-do-sanity-checking-for-the-number-of.patch
+
+ApplyPatch ims-pcu-sanity-check-against-missing-interfaces.patch
+
+#rhbz 1315013
+ApplyPatch 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch
+
+#rhbz 1317190
+ApplyPatch thermal-fix.patch
+
+#rhbz 1318079
+ApplyPatch 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
+
+#CVE-2016-2187 rhbz 1317017 1317010
+ApplyPatch input-gtco-fix-crash-on-detecting-device-without-end.patch
+
+#CVE-2016-3136 rhbz 1317007 1317010
+ApplyPatch mct_u232-sanity-checking-in-probe.patch
+
+#rhbz 1295646
+ApplyPatch 09-29-drm-udl-Use-unlocked-gem-unreferencing.patch
+
+# CVE-2016-3157 rhbz 1315711 1321948
+ApplyPatch x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2330,6 +2422,34 @@ fi
 #
 # 
 %changelog
+* Wed Mar 30 2016 Laura Abbott <labbott@redhat.com> - 4.4.6-201
+- Bump and build
+
+* Tue Mar 29 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3157 xen: priv escalation on 64bit PV domains with io port access (rhbz 1315711 1321948)
+
+* Wed Mar 23 2016 Laura Abbott <labbott@fedoraproject.org>
+- drm/udl: Use unlocked gem unreferencing (rhbz 1295646)
+
+* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
+- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
+
+* Mon Mar 21 2016 Laura Abbott <labbott@fedoraproject.org>
+- uas: Limit qdepth at the scsi-host level (rhbz 1315013)
+- Fix for performance regression caused by thermal (rhbz 1317190)
+- Input: synaptics - handle spurious release of trackstick buttons, again (rhbz 1318079)
+
+* Fri Mar 18 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- ims-pcu: sanity checking on missing interfaces
+- CVE-2016-3140 digi_acceleport: oops on invalid USB descriptors (rhbz 1317010 1316995)
+- CVE-2016-3138 cdc_acm: oops on invalid USB descriptors (rhbz 1317010 1316204)
+- CVE-2016-2185 ati_remote2: oops on invalid USB descriptors (rhbz 1317014 1317471)
+- CVE-2016-2188 iowarrior: oops on invalid USB descriptors (rhbz 1317018 1317467)
+- CVE-2016-2186 powermate: oops on invalid USB descriptors (rhbz 1317015 1317464)
+- CVE-2016-3137 cypress_m8: oops on invalid USB descriptors (rhbz 1317010 1316996)
+- CVE-2016-2184 alsa: panic on invalid USB descriptors (rhbz 1317012 1317470)
+
 * Fri Mar 18 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 4.4.6-gnu.
 
diff --git a/freed-ora/current/f22/mct_u232-sanity-checking-in-probe.patch b/freed-ora/current/f22/mct_u232-sanity-checking-in-probe.patch
new file mode 100644
index 000000000..006faf15f
--- /dev/null
+++ b/freed-ora/current/f22/mct_u232-sanity-checking-in-probe.patch
@@ -0,0 +1,35 @@
+Subject:    [PATCH v2] mct_u232: sanity checking in probe
+From:       Oliver Neukum <oneukum@suse.com>
+Date:       2016-03-21 13:14:37
+
+An attack using the lack of sanity checking in probe
+is known. This patch checks for the existance of a
+second port.
+CVE-2016-3136
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+
+v1 - add sanity check for presence of a second port
+v2 - add sanity check for an interrupt endpoint
+---
+ drivers/usb/serial/mct_u232.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 4446b8d..3e64538 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ 	struct mct_u232_private *priv;
+ 
++	/* check first to simplify error handling */
++	if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
++		return -ENODEV;
++
+ 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ 	if (!priv)
+ 		return -ENOMEM;
+-- 
+2.1.4
diff --git a/freed-ora/current/f22/thermal-fix.patch b/freed-ora/current/f22/thermal-fix.patch
new file mode 100644
index 000000000..bca27cfbe
--- /dev/null
+++ b/freed-ora/current/f22/thermal-fix.patch
@@ -0,0 +1,77 @@
+From 81ad4276b505e987dd8ebbdf63605f92cd172b52 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Fri, 18 Mar 2016 10:03:24 +0800
+Subject: [PATCH] Thermal: Ignore invalid trip points
+
+In some cases, platform thermal driver may report invalid trip points,
+thermal core should not take any action for these trip points.
+
+CC: <stable@vger.kernel.org> #3.18+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1317190
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=114551
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+---
+ drivers/thermal/thermal_core.c | 13 ++++++++++++-
+ include/linux/thermal.h        |  2 ++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index a0a8fd1..d4b5465 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -454,6 +454,10 @@ static void handle_thermal_trip(struct thermal_zone_device *tz, int trip)
+ {
+ 	enum thermal_trip_type type;
+ 
++	/* Ignore disabled trip points */
++	if (test_bit(trip, &tz->trips_disabled))
++		return;
++
+ 	tz->ops->get_trip_type(tz, trip, &type);
+ 
+ 	if (type == THERMAL_TRIP_CRITICAL || type == THERMAL_TRIP_HOT)
+@@ -1800,6 +1804,7 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
+ {
+ 	struct thermal_zone_device *tz;
+ 	enum thermal_trip_type trip_type;
++	int trip_temp;
+ 	int result;
+ 	int count;
+ 	int passive = 0;
+@@ -1871,9 +1876,15 @@ struct thermal_zone_device *thermal_zone_device_register(const char *type,
+ 		goto unregister;
+ 
+ 	for (count = 0; count < trips; count++) {
+-		tz->ops->get_trip_type(tz, count, &trip_type);
++		if (tz->ops->get_trip_type(tz, count, &trip_type))
++			set_bit(count, &tz->trips_disabled);
+ 		if (trip_type == THERMAL_TRIP_PASSIVE)
+ 			passive = 1;
++		if (tz->ops->get_trip_temp(tz, count, &trip_temp))
++			set_bit(count, &tz->trips_disabled);
++		/* Check for bogus trip points */
++		if (trip_temp == 0)
++			set_bit(count, &tz->trips_disabled);
+ 	}
+ 
+ 	if (!passive) {
+diff --git a/include/linux/thermal.h b/include/linux/thermal.h
+index 9c48199..a55d052 100644
+--- a/include/linux/thermal.h
++++ b/include/linux/thermal.h
+@@ -156,6 +156,7 @@ struct thermal_attr {
+  * @trip_hyst_attrs:	attributes for trip points for sysfs: trip hysteresis
+  * @devdata:	private pointer for device private data
+  * @trips:	number of trip points the thermal zone supports
++ * @trips_disabled;	bitmap for disabled trips
+  * @passive_delay:	number of milliseconds to wait between polls when
+  *			performing passive cooling.
+  * @polling_delay:	number of milliseconds to wait between polls when
+@@ -191,6 +192,7 @@ struct thermal_zone_device {
+ 	struct thermal_attr *trip_hyst_attrs;
+ 	void *devdata;
+ 	int trips;
++	unsigned long trips_disabled;	/* bitmap for disabled trips */
+ 	int passive_delay;
+ 	int polling_delay;
+ 	int temperature;
diff --git a/freed-ora/current/f22/usb_driver_claim_interface-add-sanity-checking.patch b/freed-ora/current/f22/usb_driver_claim_interface-add-sanity-checking.patch
new file mode 100644
index 000000000..079ff03fd
--- /dev/null
+++ b/freed-ora/current/f22/usb_driver_claim_interface-add-sanity-checking.patch
@@ -0,0 +1,39 @@
+From de0784bdf6314b70c69416d8c576eb83237d5b1e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 16 Mar 2016 12:26:17 -0400
+Subject: [PATCH] usb_driver_claim_interface: add sanity checking
+
+Attacks that trick drivers into passing a NULL pointer
+to usb_driver_claim_interface() using forged descriptors are
+known. This thwarts them by sanity checking.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+---
+ drivers/usb/core/driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
+index 6b5063e7943f..e2d242b68d4b 100644
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -500,11 +500,15 @@ static int usb_unbind_interface(struct device *dev)
+ int usb_driver_claim_interface(struct usb_driver *driver,
+ 				struct usb_interface *iface, void *priv)
+ {
+-	struct device *dev = &iface->dev;
++	struct device *dev;
+ 	struct usb_device *udev;
+ 	int retval = 0;
+ 	int lpm_disable_error;
+ 
++	if (!iface)
++		return -ENODEV;
++
++	dev = &iface->dev;
+ 	if (dev->driver)
+ 		return -EBUSY;
+ 
+-- 
+2.5.0
+
diff --git a/freed-ora/current/f22/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch b/freed-ora/current/f22/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
new file mode 100644
index 000000000..38f7bfbb0
--- /dev/null
+++ b/freed-ora/current/f22/x86-iopl-64-Properly-context-switch-IOPL-on-Xen-PV.patch
@@ -0,0 +1,96 @@
+From b7a584598aea7ca73140cb87b40319944dd3393f Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 16 Mar 2016 14:14:21 -0700
+Subject: [PATCH] x86/iopl/64: Properly context-switch IOPL on Xen PV
+
+On Xen PV, regs->flags doesn't reliably reflect IOPL and the
+exit-to-userspace code doesn't change IOPL.  We need to context
+switch it manually.
+
+I'm doing this without going through paravirt because this is
+specific to Xen PV.  After the dust settles, we can merge this with
+the 32-bit code, tidy up the iopl syscall implementation, and remove
+the set_iopl pvop entirely.
+
+Fixes XSA-171.
+
+Reviewewd-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: David Vrabel <david.vrabel@citrix.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Jan Beulich <JBeulich@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/693c3bd7aeb4d3c27c92c622b7d0f554a458173c.1458162709.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/include/asm/xen/hypervisor.h |  2 ++
+ arch/x86/kernel/process_64.c          | 12 ++++++++++++
+ arch/x86/xen/enlighten.c              |  2 +-
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/xen/hypervisor.h b/arch/x86/include/asm/xen/hypervisor.h
+index 8b2d4bea9962..39171b3646bb 100644
+--- a/arch/x86/include/asm/xen/hypervisor.h
++++ b/arch/x86/include/asm/xen/hypervisor.h
+@@ -62,4 +62,6 @@ void xen_arch_register_cpu(int num);
+ void xen_arch_unregister_cpu(int num);
+ #endif
+ 
++extern void xen_set_iopl_mask(unsigned mask);
++
+ #endif /* _ASM_X86_XEN_HYPERVISOR_H */
+diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
+index b9d99e0f82c4..9f751876066f 100644
+--- a/arch/x86/kernel/process_64.c
++++ b/arch/x86/kernel/process_64.c
+@@ -48,6 +48,7 @@
+ #include <asm/syscalls.h>
+ #include <asm/debugreg.h>
+ #include <asm/switch_to.h>
++#include <asm/xen/hypervisor.h>
+ 
+ asmlinkage extern void ret_from_fork(void);
+ 
+@@ -411,6 +412,17 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
+ 		     task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV))
+ 		__switch_to_xtra(prev_p, next_p, tss);
+ 
++#ifdef CONFIG_XEN
++	/*
++	 * On Xen PV, IOPL bits in pt_regs->flags have no effect, and
++	 * current_pt_regs()->flags may not match the current task's
++	 * intended IOPL.  We need to switch it manually.
++	 */
++	if (unlikely(static_cpu_has(X86_FEATURE_XENPV) &&
++		     prev->iopl != next->iopl))
++		xen_set_iopl_mask(next->iopl);
++#endif
++
+ 	if (static_cpu_has_bug(X86_BUG_SYSRET_SS_ATTRS)) {
+ 		/*
+ 		 * AMD CPUs have a misfeature: SYSRET sets the SS selector but
+diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
+index 2c261082eadf..8381fb990c7f 100644
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -961,7 +961,7 @@ static void xen_load_sp0(struct tss_struct *tss,
+ 	tss->x86_tss.sp0 = thread->sp0;
+ }
+ 
+-static void xen_set_iopl_mask(unsigned mask)
++void xen_set_iopl_mask(unsigned mask)
+ {
+ 	struct physdev_set_iopl set_iopl;
+ 
+-- 
+2.5.5
+