3.10.13-100.fc18.gnu

author: Alexandre Oliva <lxoliva@fsfla.org> 2013-09-29 13:49:22 +0000
committer: Alexandre Oliva <lxoliva@fsfla.org> 2013-09-29 13:49:22 +0000
commit: 02f5bb7ecb02a2bb5e28170e8ca743073ca0177c (patch)
tree: 5626be11a95a78df460d8ad8f625ab6eb4238157 /freed-ora/current/f18
parent: d36c0410d1ed2ab1d8b06cde7033d6a85fab791f (diff)
download: linux-libre-raptor-02f5bb7ecb02a2bb5e28170e8ca743073ca0177c.tar.gz
linux-libre-raptor-02f5bb7ecb02a2bb5e28170e8ca743073ca0177c.zip
10 files changed, 356 insertions, 350 deletions
diff --git a/freed-ora/current/f18/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch b/freed-ora/current/f18/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
new file mode 100644
index 000000000..b7bbf77b6
--- /dev/null
+++ b/freed-ora/current/f18/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
@@ -0,0 +1,118 @@
+From 0adb9c2c5ed42f199cb2a630c37d18dee385fae2 Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 15 Jul 2013 10:12:18 +0200
+Subject: [PATCH] HID: kye: Add report fixup for Genius Gx Imperator Keyboard
+
+Genius Gx Imperator Keyboard presents the same problem in its report
+descriptors than Genius Gila Gaming Mouse.
+Use the same fixup for both.
+
+Fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=928561
+
+Reported-and-tested-by: Honza Brazdil <jbrazdil@redhat.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-core.c |  1 +
+ drivers/hid/hid-ids.h  |  1 +
+ drivers/hid/hid-kye.c  | 45 ++++++++++++++++++++++++++++-----------------
+ 3 files changed, 30 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 8de5cb8..b0f2f45 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1594,6 +1594,7 @@ static const struct hid_device_id hid_have_special_driver[] = {
+ 	{ HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) },
+ 	{ HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) },
+ 	{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
++	{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GX_IMPERATOR) },
+ 	{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) },
+ 	{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) },
+ 	{ HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) },
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index c5aea29..0288531 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -479,6 +479,7 @@
+ #define USB_VENDOR_ID_KYE		0x0458
+ #define USB_DEVICE_ID_KYE_ERGO_525V	0x0087
+ #define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE	0x0138
++#define USB_DEVICE_ID_GENIUS_GX_IMPERATOR	0x4018
+ #define USB_DEVICE_ID_KYE_GPEN_560	0x5003
+ #define USB_DEVICE_ID_KYE_EASYPEN_I405X	0x5010
+ #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X	0x5011
+diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c
+index 1e2ee2aa..7384512 100644
+--- a/drivers/hid/hid-kye.c
++++ b/drivers/hid/hid-kye.c
+@@ -268,6 +268,26 @@ static __u8 easypen_m610x_rdesc_fixed[] = {
+ 	0xC0                          /*  End Collection                  */
+ };
+ 
++static __u8 *kye_consumer_control_fixup(struct hid_device *hdev, __u8 *rdesc,
++		unsigned int *rsize, int offset, const char *device_name) {
++	/*
++	 * the fixup that need to be done:
++	 *   - change Usage Maximum in the Comsumer Control
++	 *     (report ID 3) to a reasonable value
++	 */
++	if (*rsize >= offset + 31 &&
++	    /* Usage Page (Consumer Devices) */
++	    rdesc[offset] == 0x05 && rdesc[offset + 1] == 0x0c &&
++	    /* Usage (Consumer Control) */
++	    rdesc[offset + 2] == 0x09 && rdesc[offset + 3] == 0x01 &&
++	    /*   Usage Maximum > 12287 */
++	    rdesc[offset + 10] == 0x2a && rdesc[offset + 12] > 0x2f) {
++		hid_info(hdev, "fixing up %s report descriptor\n", device_name);
++		rdesc[offset + 12] = 0x2f;
++	}
++	return rdesc;
++}
++
+ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 		unsigned int *rsize)
+ {
+@@ -315,23 +335,12 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ 		}
+ 		break;
+ 	case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE:
+-		/*
+-		 * the fixup that need to be done:
+-		 *   - change Usage Maximum in the Comsumer Control
+-		 *     (report ID 3) to a reasonable value
+-		 */
+-		if (*rsize >= 135 &&
+-			/* Usage Page (Consumer Devices) */
+-			rdesc[104] == 0x05 && rdesc[105] == 0x0c &&
+-			/* Usage (Consumer Control) */
+-			rdesc[106] == 0x09 && rdesc[107] == 0x01 &&
+-			/*   Usage Maximum > 12287 */
+-			rdesc[114] == 0x2a && rdesc[116] > 0x2f) {
+-			hid_info(hdev,
+-				 "fixing up Genius Gila Gaming Mouse "
+-				 "report descriptor\n");
+-			rdesc[116] = 0x2f;
+-		}
++		rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 104,
++					"Genius Gila Gaming Mouse");
++		break;
++	case USB_DEVICE_ID_GENIUS_GX_IMPERATOR:
++		rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 83,
++					"Genius Gx Imperator Keyboard");
+ 		break;
+ 	}
+ 	return rdesc;
+@@ -428,6 +437,8 @@ static const struct hid_device_id kye_devices[] = {
+ 				USB_DEVICE_ID_KYE_EASYPEN_M610X) },
+ 	{ HID_USB_DEVICE(USB_VENDOR_ID_KYE,
+ 				USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) },
++	{ HID_USB_DEVICE(USB_VENDOR_ID_KYE,
++				USB_DEVICE_ID_GENIUS_GX_IMPERATOR) },
+ 	{ }
+ };
+ MODULE_DEVICE_TABLE(hid, kye_devices);
+-- 
+1.8.3.1
+
diff --git a/freed-ora/current/f18/HID-CVE-fixes.patch b/freed-ora/current/f18/HID-CVE-fixes.patch
index a1fcf6da5..921ad9cb0 100644
--- a/freed-ora/current/f18/HID-CVE-fixes.patch
+++ b/freed-ora/current/f18/HID-CVE-fixes.patch
@@ -1,83 +1,3 @@
-From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:29:55 +0200
-Subject: [PATCH 01/16] HID: validate HID report id size
-
-The "Report ID" field of a HID report is used to build indexes of
-reports. The kernel's index of these is limited to 256 entries, so any
-malicious device that sets a Report ID greater than 255 will trigger
-memory corruption on the host:
-
-[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
-[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
-
-CVE-2013-2888
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-core.c | 10 +++++++---
- include/linux/hid.h    |  4 +++-
- 2 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 36668d1..5ea7d51 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
- 	struct hid_report_enum *report_enum = device->report_enum + type;
- 	struct hid_report *report;
- 
-+	if (id >= HID_MAX_IDS)
-+		return NULL;
- 	if (report_enum->report_id_hash[id])
- 		return report_enum->report_id_hash[id];
- 
-@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
- 
- 	case HID_GLOBAL_ITEM_TAG_REPORT_ID:
- 		parser->global.report_id = item_udata(item);
--		if (parser->global.report_id == 0) {
--			hid_err(parser->device, "report_id 0 is invalid\n");
-+		if (parser->global.report_id == 0 ||
-+		    parser->global.report_id >= HID_MAX_IDS) {
-+			hid_err(parser->device, "report_id %u is invalid\n",
-+				parser->global.report_id);
- 			return -1;
- 		}
- 		return 0;
-@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
- 	for (i = 0; i < HID_REPORT_TYPES; i++) {
- 		struct hid_report_enum *report_enum = device->report_enum + i;
- 
--		for (j = 0; j < 256; j++) {
-+		for (j = 0; j < HID_MAX_IDS; j++) {
- 			struct hid_report *report = report_enum->report_id_hash[j];
- 			if (report)
- 				hid_free_report(report);
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index 0c48991..ff545cc 100644
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -393,10 +393,12 @@ struct hid_report {
- 	struct hid_device *device;			/* associated device */
- };
- 
-+#define HID_MAX_IDS 256
-+
- struct hid_report_enum {
- 	unsigned numbered;
- 	struct list_head report_list;
--	struct hid_report *report_id_hash[256];
-+	struct hid_report *report_id_hash[HID_MAX_IDS];
- };
- 
- #define HID_REPORT_TYPES 3
--- 
-1.8.3.1
-
-
 From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001
 From: Kees Cook <keescook@chromium.org>
 Date: Wed, 11 Sep 2013 21:56:50 +0200
@@ -864,214 +784,3 @@ index 762d988..31cf29a 100644
  
 -- 
 1.8.3.1
-
-
-From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:32:01 +0200
-Subject: [PATCH 12/16] HID: check for NULL field when setting values
-
-Defensively check that the field to be worked on is not NULL.
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-core.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 08500bc..e331cb1 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
- 
- int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
- {
--	unsigned size = field->report_size;
-+	unsigned size;
-+
-+	if (!field)
-+		return -1;
-+
-+	size = field->report_size;
- 
- 	hid_dump_input(field->report->device, field->usage + offset, value);
- 
--- 
-1.8.3.1
-
-
-From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:30:49 +0200
-Subject: [PATCH 13/16] HID: pantherlord: validate output report details
-
-A HID device could send a malicious output report that would cause the
-pantherlord HID driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-
-[  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
-...
-[  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-
-CVE-2013-2892
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-pl.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
-index d29112f..2dcd7d9 100644
---- a/drivers/hid/hid-pl.c
-+++ b/drivers/hid/hid-pl.c
-@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
- 			strong = &report->field[0]->value[2];
- 			weak = &report->field[0]->value[3];
- 			debug("detected single-field device");
--		} else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
--				report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
-+		} else if (report->field[0]->maxusage == 1 &&
-+			   report->field[0]->usage[0].hid ==
-+				(HID_UP_LED | 0x43) &&
-+			   report->maxfield >= 4 &&
-+			   report->field[0]->report_count >= 1 &&
-+			   report->field[1]->report_count >= 1 &&
-+			   report->field[2]->report_count >= 1 &&
-+			   report->field[3]->report_count >= 1) {
- 			report->field[0]->value[0] = 0x00;
- 			report->field[1]->value[0] = 0x00;
- 			strong = &report->field[2]->value[0];
--- 
-1.8.3.1
-
-
-From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:31:28 +0200
-Subject: [PATCH 14/16] HID: ntrig: validate feature report details
-
-A HID device could send a malicious feature report that would cause the
-ntrig HID driver to trigger a NULL dereference during initialization:
-
-[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
-...
-[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
-[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
-
-CVE-2013-2896
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-ntrig.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
-index ef95102..5482156 100644
---- a/drivers/hid/hid-ntrig.c
-+++ b/drivers/hid/hid-ntrig.c
-@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
- 	struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
- 				    report_id_hash[0x0d];
- 
--	if (!report)
-+	if (!report || report->maxfield < 1 ||
-+	    report->field[0]->report_count < 1)
- 		return -EINVAL;
- 
- 	hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
--- 
-1.8.3.1
-
-
-From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:31:44 +0200
-Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details
-
-A HID device could send a malicious feature report that would cause the
-sensor-hub HID driver to read past the end of heap allocation, leaking
-kernel memory contents to the caller.
-
-CVE-2013-2898
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-sensor-hub.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
-index ca749810..aa34755 100644
---- a/drivers/hid/hid-sensor-hub.c
-+++ b/drivers/hid/hid-sensor-hub.c
-@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
- 
- 	mutex_lock(&data->mutex);
- 	report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
--	if (!report || (field_index >=  report->maxfield)) {
-+	if (!report || (field_index >=  report->maxfield) ||
-+	    report->field[field_index]->report_count < 1) {
- 		ret = -EINVAL;
- 		goto done_proc;
- 	}
--- 
-1.8.3.1
-
-
-From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:31:52 +0200
-Subject: [PATCH 16/16] HID: picolcd_core: validate output report details
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A HID device could send a malicious output report that would cause the
-picolcd HID driver to trigger a NULL dereference during attr file writing.
-
-[jkosina@suse.cz: changed
-
-	report->maxfield < 1
-
-to
-
-	report->maxfield != 1
-
-as suggested by Bruno].
-
-CVE-2013-2899
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
-Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
----
- drivers/hid/hid-picolcd_core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
-index b48092d..acbb0210 100644
---- a/drivers/hid/hid-picolcd_core.c
-+++ b/drivers/hid/hid-picolcd_core.c
-@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
- 		buf += 10;
- 		cnt -= 10;
- 	}
--	if (!report)
-+	if (!report || report->maxfield != 1)
- 		return -EINVAL;
- 
- 	while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
--- 
-1.8.3.1
-
diff --git a/freed-ora/current/f18/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch b/freed-ora/current/f18/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
index acdd66d48..d0a021c4c 100644
--- a/freed-ora/current/f18/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
+++ b/freed-ora/current/f18/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch
@@ -45,6 +45,7 @@ index 945b815..c526a3c 100644
 -			if (ret >= 0)
 -				ret = -EINVAL;
 +			ret = -ENODATA;
+ 			kfree(buf);
  			break;
  		}
 +		ret = 0;
diff --git a/freed-ora/current/f18/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/freed-ora/current/f18/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
new file mode 100644
index 000000000..c8d015491
--- /dev/null
+++ b/freed-ora/current/f18/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
@@ -0,0 +1,40 @@
+Stephan Mueller reported to me recently a error in random number generation in
+the ansi cprng. If several small requests are made that are less than the
+instances block size, the remainder for loop code doesn't increment
+rand_data_valid in the last iteration, meaning that the last bytes in the
+rand_data buffer gets reused on the subsequent smaller-than-a-block request for
+random data.
+
+The fix is pretty easy, just re-code the for loop to make sure that
+rand_data_valid gets incremented appropriately
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Stephan Mueller <stephan.mueller@atsec.com>
+CC: Petr Matousek <pmatouse@redhat.com>
+CC: Herbert Xu <herbert@gondor.apana.org.au>
+CC: "David S. Miller" <davem@davemloft.net>
+---
+ crypto/ansi_cprng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
+index c0bb377..666f196 100644
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ 	 */
+ 	if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+-		for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+-			ctx->rand_data_valid++) {
++		while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ 			*ptr = ctx->rand_data[ctx->rand_data_valid];
+ 			ptr++;
+ 			byte_count--;
++			ctx->rand_data_valid++;
+ 			if (byte_count == 0)
+ 				goto done;
+ 		}
+-- 
+1.8.3.1
diff --git a/freed-ora/current/f18/bonding-driver-alb-learning.patch b/freed-ora/current/f18/bonding-driver-alb-learning.patch
new file mode 100644
index 000000000..c7f8e8f6b
--- /dev/null
+++ b/freed-ora/current/f18/bonding-driver-alb-learning.patch
@@ -0,0 +1,155 @@
+commit 7eacd03810960823393521063734fc8188446bca
+Author: Neil Horman <nhorman@tuxdriver.com>
+Date:   Fri Sep 13 11:05:33 2013 -0400
+
+    bonding: Make alb learning packet interval configurable
+    
+    running bonding in ALB mode requires that learning packets be sent periodically,
+    so that the switch knows where to send responding traffic.  However, depending
+    on switch configuration, there may not be any need to send traffic at the
+    default rate of 3 packets per second, which represents little more than wasted
+    data.  Allow the ALB learning packet interval to be made configurable via sysfs
+    
+    Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+    Acked-by: Acked-by: Veaceslav Falico <vfalico@redhat.com>
+    CC: Jay Vosburgh <fubar@us.ibm.com>
+    CC: Andy Gospodarek <andy@greyhouse.net>
+    CC: "David S. Miller" <davem@davemloft.net>
+    Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
+    Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/Documentation/networking/bonding.txt b/Documentation/networking/bonding.txt
+index 87bbcfe..9b28e71 100644
+--- a/Documentation/networking/bonding.txt
++++ b/Documentation/networking/bonding.txt
+@@ -1362,6 +1362,12 @@ To add ARP targets:
+ To remove an ARP target:
+ # echo -192.168.0.100 > /sys/class/net/bond0/bonding/arp_ip_target
+ 
++To configure the interval between learning packet transmits:
++# echo 12 > /sys/class/net/bond0/bonding/lp_interval
++	NOTE: the lp_inteval is the number of seconds between instances where
++the bonding driver sends learning packets to each slaves peer switch.  The
++default interval is 1 second.
++
+ Example Configuration
+ ---------------------
+ 	We begin with the same example that is shown in section 3.3,
+diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c
+index 91f179d..f428ef57 100644
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -1472,7 +1472,7 @@ void bond_alb_monitor(struct work_struct *work)
+ 	bond_info->lp_counter++;
+ 
+ 	/* send learning packets */
+-	if (bond_info->lp_counter >= BOND_ALB_LP_TICKS) {
++	if (bond_info->lp_counter >= BOND_ALB_LP_TICKS(bond)) {
+ 		/* change of curr_active_slave involves swapping of mac addresses.
+ 		 * in order to avoid this swapping from happening while
+ 		 * sending the learning packets, the curr_slave_lock must be held for
+diff --git a/drivers/net/bonding/bond_alb.h b/drivers/net/bonding/bond_alb.h
+index 28d8e4c..c5eff5d 100644
+--- a/drivers/net/bonding/bond_alb.h
++++ b/drivers/net/bonding/bond_alb.h
+@@ -36,14 +36,15 @@ struct slave;
+ 					 * Used for division - never set
+ 					 * to zero !!!
+ 					 */
+-#define BOND_ALB_LP_INTERVAL	    1	/* In seconds, periodic send of
+-					 * learning packets to the switch
+-					 */
++#define BOND_ALB_DEFAULT_LP_INTERVAL 1
++#define BOND_ALB_LP_INTERVAL(bond) (bond->params.lp_interval)	/* In seconds, periodic send of
++								 * learning packets to the switch
++								 */
+ 
+ #define BOND_TLB_REBALANCE_TICKS (BOND_TLB_REBALANCE_INTERVAL \
+ 				  * ALB_TIMER_TICKS_PER_SEC)
+ 
+-#define BOND_ALB_LP_TICKS (BOND_ALB_LP_INTERVAL \
++#define BOND_ALB_LP_TICKS(bond) (BOND_ALB_LP_INTERVAL(bond) \
+ 			   * ALB_TIMER_TICKS_PER_SEC)
+ 
+ #define TLB_HASH_TABLE_SIZE 256	/* The size of the clients hash table.
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 72df399..55bbb8b 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4416,6 +4416,7 @@ static int bond_check_params(struct bond_params *params)
+ 	params->all_slaves_active = all_slaves_active;
+ 	params->resend_igmp = resend_igmp;
+ 	params->min_links = min_links;
++	params->lp_interval = BOND_ALB_DEFAULT_LP_INTERVAL;
+ 
+ 	if (primary) {
+ 		strncpy(params->primary, primary, IFNAMSIZ);
+diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c
+index eeab40b..c29b836 100644
+--- a/drivers/net/bonding/bond_sysfs.c
++++ b/drivers/net/bonding/bond_sysfs.c
+@@ -1699,6 +1699,44 @@ out:
+ static DEVICE_ATTR(resend_igmp, S_IRUGO | S_IWUSR,
+ 		   bonding_show_resend_igmp, bonding_store_resend_igmp);
+ 
++
++static ssize_t bonding_show_lp_interval(struct device *d,
++					struct device_attribute *attr,
++					char *buf)
++{
++	struct bonding *bond = to_bond(d);
++	return sprintf(buf, "%d\n", bond->params.lp_interval);
++}
++
++static ssize_t bonding_store_lp_interval(struct device *d,
++					 struct device_attribute *attr,
++					 const char *buf, size_t count)
++{
++	struct bonding *bond = to_bond(d);
++	int new_value, ret = count;
++
++	if (sscanf(buf, "%d", &new_value) != 1) {
++		pr_err("%s: no lp interval value specified.\n",
++			bond->dev->name);
++		ret = -EINVAL;
++		goto out;
++	}
++
++	if (new_value <= 0) {
++		pr_err ("%s: lp_interval must be between 1 and %d\n",
++			bond->dev->name, INT_MAX);
++		ret = -EINVAL;
++		goto out;
++	}
++
++	bond->params.lp_interval = new_value;
++out:
++	return ret;
++}
++
++static DEVICE_ATTR(lp_interval, S_IRUGO | S_IWUSR,
++		   bonding_show_lp_interval, bonding_store_lp_interval);
++
+ static struct attribute *per_bond_attrs[] = {
+ 	&dev_attr_slaves.attr,
+ 	&dev_attr_mode.attr,
+@@ -1729,6 +1767,7 @@ static struct attribute *per_bond_attrs[] = {
+ 	&dev_attr_all_slaves_active.attr,
+ 	&dev_attr_resend_igmp.attr,
+ 	&dev_attr_min_links.attr,
++	&dev_attr_lp_interval.attr,
+ 	NULL,
+ };
+ 
+diff --git a/drivers/net/bonding/bonding.h b/drivers/net/bonding/bonding.h
+index 7ad8bd5..03cf3fd 100644
+--- a/drivers/net/bonding/bonding.h
++++ b/drivers/net/bonding/bonding.h
+@@ -176,6 +176,7 @@ struct bond_params {
+ 	int tx_queues;
+ 	int all_slaves_active;
+ 	int resend_igmp;
++	int lp_interval;
+ };
+ 
+ struct bond_parm_tbl {
diff --git a/freed-ora/current/f18/crypto-fix-race-in-larval-lookup.patch b/freed-ora/current/f18/crypto-fix-race-in-larval-lookup.patch
deleted file mode 100644
index d1b19419e..000000000
--- a/freed-ora/current/f18/crypto-fix-race-in-larval-lookup.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa
-Author: Herbert Xu <herbert@gondor.apana.org.au>
-Date:   Sun Sep 8 14:33:50 2013 +1000
-
-    crypto: api - Fix race condition in larval lookup
-    
-    crypto_larval_lookup should only return a larval if it created one.
-    Any larval created by another entity must be processed through
-    crypto_larval_wait before being returned.
-    
-    Otherwise this will lead to a larval being killed twice, which
-    will most likely lead to a crash.
-    
-    Cc: stable@vger.kernel.org
-    Reported-by: Kees Cook <keescook@chromium.org>
-    Tested-by: Kees Cook <keescook@chromium.org>
-    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
-diff --git a/crypto/api.c b/crypto/api.c
-index 320ea4d..a2b39c5 100644
---- a/crypto/api.c
-+++ b/crypto/api.c
-@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
- BLOCKING_NOTIFIER_HEAD(crypto_chain);
- EXPORT_SYMBOL_GPL(crypto_chain);
- 
-+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
-+
- struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
- {
- 	return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
-@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
- 	}
- 	up_write(&crypto_alg_sem);
- 
--	if (alg != &larval->alg)
-+	if (alg != &larval->alg) {
- 		kfree(larval);
-+		if (crypto_is_larval(alg))
-+			alg = crypto_larval_wait(alg);
-+	}
- 
- 	return alg;
- }
diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec
index 43e30558a..fa651a7d0 100644
--- a/freed-ora/current/f18/kernel.spec
+++ b/freed-ora/current/f18/kernel.spec
@@ -112,7 +112,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 12
+%define stable_update 13
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -840,15 +840,21 @@ Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch
 #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604
 Patch25099: HID-CVE-fixes.patch
 
-#rhbz 1002351
-Patch25100: crypto-fix-race-in-larval-lookup.patch
-
 #CVE-2013-4343 rhbz 1007733 1007741
 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch
 
 #CVE-2013-4350 rhbz 1007872 1007903
 Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
 
+#CVE-2013-4345 rhbz 1007690 1009136
+Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+
+#rhbz 928561
+Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
+
+#rhbz 971893
+Patch25106: bonding-driver-alb-learning.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1624,15 +1630,21 @@ ApplyPatch HID-CVE-fixes.patch
 #rhbz 1000679
 ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch
 
-#rhbz1002351
-ApplyPatch crypto-fix-race-in-larval-lookup.patch
-
 #CVE-2013-4343 rhbz 1007733 1007741
 ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch
 
 #CVE-2013-4350 rhbz 1007872 1007903
 ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch
 
+#CVE-2013-4345 rhbz 1007690 1009136
+ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+
+#rhbz 928561
+ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch
+
+#rhbz 971893
+ApplyPatch bonding-driver-alb-learning.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2485,6 +2497,21 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri Sep 27 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.10.13-gnu.
+
+* Fri Sep 27 2013 Justin M. Forbes <jforbes@fedoraproject.org> 3.10.13-100
+- Linux v3.10.13
+
+* Mon Sep 23 2013 Neil Horman <nhorman@redhat.com>
+- Add alb learning packet config knob (rhbz 971893)
+
+* Fri Sep 20 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix multimedia keys on Genius GX keyboard (rhbz 928561)
+
+* Tue Sep 17 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136)
+
 * Mon Sep 16 2013 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 3.10.12-gnu.
 
diff --git a/freed-ora/current/f18/patch-3.10-gnu-3.10.12-gnu.xz.sign b/freed-ora/current/f18/patch-3.10-gnu-3.10.12-gnu.xz.sign
deleted file mode 100644
index 8d055e90c..000000000
--- a/freed-ora/current/f18/patch-3.10-gnu-3.10.12-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.19 (GNU/Linux)
-
-iEYEABECAAYFAlI0ngMACgkQvLfPh359R6eq5QCcDmxf4WMIuyWePOdI1r/ZEbSg
-2UwAn2ZDYlHZOq3bltX0+LU3HbaZI4UX
-=EilL
------END PGP SIGNATURE-----
diff --git a/freed-ora/current/f18/patch-3.10-gnu-3.10.13-gnu.xz.sign b/freed-ora/current/f18/patch-3.10-gnu-3.10.13-gnu.xz.sign
new file mode 100644
index 000000000..7b0f4d1e7
--- /dev/null
+++ b/freed-ora/current/f18/patch-3.10-gnu-3.10.13-gnu.xz.sign
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+iEYEABECAAYFAlJFYlUACgkQvLfPh359R6cmzgCfRJadj/HKHvfFD5/Kj1AiaXQy
+yiYAnRfPx5OWR6d9cgpRtxF9Q+eKhgmO
+=jsCV
+-----END PGP SIGNATURE-----
diff --git a/freed-ora/current/f18/sources b/freed-ora/current/f18/sources
index 42afe464f..d47730b5c 100644
--- a/freed-ora/current/f18/sources
+++ b/freed-ora/current/f18/sources
@@ -1,2 +1,2 @@
 d562fd52580a3b6b18b6eeb5921d1d5c  linux-libre-3.10-gnu.tar.xz
-d2cfd95d71d64950b77d534793272486  patch-3.10-gnu-3.10.12-gnu.xz
+eb4cce22fe3290eb98660b2c5a737279  patch-3.10-gnu-3.10.13-gnu.xz
author	Alexandre Oliva <lxoliva@fsfla.org>	2013-09-29 13:49:22 +0000
committer	Alexandre Oliva <lxoliva@fsfla.org>	2013-09-29 13:49:22 +0000
commit	02f5bb7ecb02a2bb5e28170e8ca743073ca0177c (patch)
tree	5626be11a95a78df460d8ad8f625ab6eb4238157 /freed-ora/current/f18
parent	d36c0410d1ed2ab1d8b06cde7033d6a85fab791f (diff)
download	linux-libre-raptor-02f5bb7ecb02a2bb5e28170e8ca743073ca0177c.tar.gz linux-libre-raptor-02f5bb7ecb02a2bb5e28170e8ca743073ca0177c.zip