| author | Alexandre Oliva <lxoliva@fsfla.org> | 2013-12-04 12:12:56 +0000 |
|---|---|---|
| committer | Alexandre Oliva <lxoliva@fsfla.org> | 2013-12-04 12:12:56 +0000 |
| commit | 2e84f50f9b49a008e76a16ac191d73be3e4b8eb4 (patch) | |
| tree | 0c372d2703c32af264f8e75bafc4c25f6aa0420e /freed-ora/current/f18 | |
| parent | e05b183760be925c534ab09a2f3942ed6d41df5f (diff) | |
| download | linux-libre-raptor-2e84f50f9b49a008e76a16ac191d73be3e4b8eb4.tar.gz linux-libre-raptor-2e84f50f9b49a008e76a16ac191d73be3e4b8eb4.zip | |
3.11.10-100.fc18.gnu
Diffstat (limited to 'freed-ora/current/f18')
14 files changed, 1320 insertions, 119 deletions
diff --git a/freed-ora/current/f18/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/freed-ora/current/f18/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
deleted file mode 100644
index c8d015491..000000000
--- a/freed-ora/current/f18/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Stephan Mueller reported to me recently a error in random number generation in
-the ansi cprng. If several small requests are made that are less than the
-instances block size, the remainder for loop code doesn't increment
-rand_data_valid in the last iteration, meaning that the last bytes in the
-rand_data buffer gets reused on the subsequent smaller-than-a-block request for
-random data.
-
-The fix is pretty easy, just re-code the for loop to make sure that
-rand_data_valid gets incremented appropriately
-
-Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
-Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
-CC: Stephan Mueller <stephan.mueller@atsec.com>
-CC: Petr Matousek <pmatouse@redhat.com>
-CC: Herbert Xu <herbert@gondor.apana.org.au>
-CC: "David S. Miller" <davem@davemloft.net>
----
- crypto/ansi_cprng.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
-index c0bb377..666f196 100644
---- a/crypto/ansi_cprng.c
-+++ b/crypto/ansi_cprng.c
-@@ -230,11 +230,11 @@ remainder:
- */
- if (byte_count < DEFAULT_BLK_SZ) {
- empty_rbuf:
-- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
-- ctx->rand_data_valid++) {
-+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
- *ptr = ctx->rand_data[ctx->rand_data_valid];
- ptr++;
- byte_count--;
-+ ctx->rand_data_valid++;
- if (byte_count == 0)
- goto done;
- }
---
-1.8.3.1
diff --git a/freed-ora/current/f18/btrfs-relocate-csums-properly-with-prealloc-ext.patch b/freed-ora/current/f18/btrfs-relocate-csums-properly-with-prealloc-ext.patch
deleted file mode 100644
index e103f703a..000000000
--- a/freed-ora/current/f18/btrfs-relocate-csums-properly-with-prealloc-ext.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-A user reported a problem where they were getting csum errors when running a
-balance and running systemd's journal. This is because systemd is awesome and
-fallocate()'s its log space and writes into it. Unfortunately we assume that
-when we read in all the csums for an extent that they are sequential starting at
-the bytenr we care about. This obviously isn't the case for prealloc extents,
-where we could have written to the middle of the prealloc extent only, which
-means the csum would be for the bytenr in the middle of our range and not the
-front of our range. Fix this by offsetting the new bytenr we are logging to
-based on the original bytenr the csum was for. With this patch I no longer see
-the csum errors I was seeing. Thanks,
-
-Cc: stable@xxxxxxxxxxxxxxx
-Reported-by: Chris Murphy <lists@xxxxxxxxxxxxxxxxx>
-Signed-off-by: Josef Bacik <jbacik@xxxxxxxxxxxx>
----
- fs/btrfs/relocation.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
-index 5ca7ea9..b7afeaa 100644
---- a/fs/btrfs/relocation.c
-+++ b/fs/btrfs/relocation.c
-@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
- struct btrfs_root *root = BTRFS_I(inode)->root;
- int ret;
- u64 disk_bytenr;
-+ u64 new_bytenr;
- LIST_HEAD(list);
-
- ordered = btrfs_lookup_ordered_extent(inode, file_pos);
-@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
- if (ret)
- goto out;
-
-- disk_bytenr = ordered->start;
- while (!list_empty(&list)) {
- sums = list_entry(list.next, struct btrfs_ordered_sum, list);
- list_del_init(&sums->list);
-
-- sums->bytenr = disk_bytenr;
-- disk_bytenr += sums->len;
-+ /*
-+ * We need to offset the new_bytenr based on where the csum is.
-+ * We need to do this because we will read in entire prealloc
-+ * extents but we may have written to say the middle of the
-+ * prealloc extent, so we need to make sure the csum goes with
-+ * the right disk offset.
-+ *
-+ * We can do this because the data reloc inode refers strictly
-+ * to the on disk bytes, so we don't have to worry about
-+ * disk_len vs real len like with real inodes since it's all
-+ * disk length.
-+ */
-+ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr);
-+ sums->bytenr = new_bytenr;
-
- btrfs_add_ordered_sum(inode, ordered, sums);
- }
---
-1.8.3.1
diff --git a/freed-ora/current/f18/config-x86_64-generic b/freed-ora/current/f18/config-x86_64-generic
index 85f588bc1..b1bfed734 100644
--- a/freed-ora/current/f18/config-x86_64-generic
+++ b/freed-ora/current/f18/config-x86_64-generic
@@ -145,11 +145,6 @@ CONFIG_CHECKPOINT_RESTORE=y CONFIG_NTB=m CONFIG_NTB_NETDEV=m -CONFIG_SFC=m -CONFIG_SFC_MCDI_MON=y -CONFIG_SFC_SRIOV=y -CONFIG_SFC_PTP=y - # 10GigE # CONFIG_IP1000=m
diff --git a/freed-ora/current/f18/drm-qxl-fix-memory-leak-in-release-list-handling.patch b/freed-ora/current/f18/drm-qxl-fix-memory-leak-in-release-list-handling.patch
new file mode 100644
index 000000000..8ed4819f2
--- /dev/null
+++ b/freed-ora/current/f18/drm-qxl-fix-memory-leak-in-release-list-handling.patch
@@ -0,0 +1,30 @@
+Bugzilla: N/A
+Upstream-status: 3.13
+
+From 1b28c3e628315ac0d9ef2d3fac0403f05ae692db Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Thu, 28 Nov 2013 05:39:03 +0000
+Subject: drm/qxl: fix memory leak in release list handling
+
+wow no idea how I got this far without seeing this,
+leaking the entries in the list makes kmalloc-64 slab grow.
+
+References: https://bugzilla.kernel.org/show_bug.cgi?id=65121
+Cc: stable@vger.kernel.org
+Reported-by: Matthew Stapleton <matthew4196@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c
+index 0109a96..821ab7b 100644
+--- a/drivers/gpu/drm/qxl/qxl_release.c
++++ b/drivers/gpu/drm/qxl/qxl_release.c
+@@ -92,6 +92,7 @@ qxl_release_free(struct qxl_device *qdev,
+ - DRM_FILE_OFFSET);
+ qxl_fence_remove_release(&bo->fence, release->id);
+ qxl_bo_unref(&bo);
++ kfree(entry);
+ }
+ spin_lock(&qdev->release_idr_lock);
+ idr_remove(&qdev->release_idr, release->id);
+--
+cgit v0.9.0.2-2-gbebe
diff --git a/freed-ora/current/f18/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch b/freed-ora/current/f18/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch
new file mode 100644
index 000000000..b76fd2a36
--- /dev/null
+++ b/freed-ora/current/f18/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch
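Review bot: In the qxl_release.c hunk of drm-qxl-fix-memory-leak-in-release-list-handling.patch, the added `kfree(entry);` is only safe if `entry` is already unlinked from the release's list and the loop does not read it again to find the next element, and neither the loop header nor the unlink is inside the hunk. If the loop advances by dereferencing the current node, the free would trade the leak for a use-after-free. Once that is checked against the full function, a comment at the call such as `/* entry is off the list; nothing reads it after this */` would record the invariant. The body of qxl_release_free starts and ends outside the hunk.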
@@ -0,0 +1,253 @@
+Bugzilla: 1035887
+Upstream-status: 3.13
+
+From 4be402ba6158068d53ab0268f1affa9d82dae2ec Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 22 Nov 2013 23:46:12 +0000
+Subject: [PATCH] inet: fix addr_len/msg->msg_namelen assignment in recv_error
+ and rxpmtu functions
+
+Commit bceaa90240b6019ed73b49965eac7d167610be69 ("inet: prevent leakage
+of uninitialized memory to user in recv syscalls") conditionally updated
+addr_len if the msg_name is written to. The recv_error and rxpmtu
+functions relied on the recvmsg functions to set up addr_len before.
+
+As this does not happen any more we have to pass addr_len to those
+functions as well and set it to the size of the corresponding sockaddr
+length.
+
+This broke traceroute and such.
+
+Fixes: bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
+Reported-by: Brad Spengler <spender@grsecurity.net>
+Reported-by: Tom Labanowski
+Cc: mpb <mpb.mail@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/ip.h | 2 +-
+ include/net/ipv6.h | 4 ++--
+ include/net/ping.h | 3 ++-
+ net/ipv4/ip_sockglue.c | 3 ++-
+ net/ipv4/ping.c | 5 +++--
+ net/ipv4/raw.c | 2 +-
+ net/ipv4/udp.c | 2 +-
+ net/ipv6/datagram.c | 7 +++++--
+ net/ipv6/ping.c | 3 ++-
+ net/ipv6/raw.c | 4 ++--
+ net/ipv6/udp.c | 4 ++--
+ net/l2tp/l2tp_ip6.c | 2 +-
+ 12 files changed, 24 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 5e52688..301f10c 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -464,7 +464,7 @@ extern int compat_ip_getsockopt(struct sock *sk, int level,
+ int optname, char __user *optval, int __user *optlen);
+ extern int ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *));
+
+-extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len);
++extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len);
+ extern void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err,
+ __be16 port, u32 info, u8 *payload);
+ extern void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport,
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index bbf1c8f..5529d79 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -802,8 +802,8 @@ extern int compat_ipv6_getsockopt(struct sock *sk,
+ extern int ip6_datagram_connect(struct sock *sk,
+ struct sockaddr *addr, int addr_len);
+
+-extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len);
+-extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len);
++extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len);
++extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, int *addr_len);
+ extern void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port,
+ u32 info, u8 *payload);
+ extern void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info);
+diff --git a/include/net/ping.h b/include/net/ping.h
+index 5db0224..2b496e9 100644
+--- a/include/net/ping.h
++++ b/include/net/ping.h
+@@ -31,7 +31,8 @@
+
+ /* Compatibility glue so we can support IPv6 when it's compiled as a module */
+ struct pingv6_ops {
+- int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len);
++ int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len);
+ int (*ip6_datagram_recv_ctl)(struct sock *sk, struct msghdr *msg,
+ struct sk_buff *skb);
+ int (*icmpv6_err_convert)(u8 type, u8 code, int *err);
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index d9c4f11..23e6ab0 100644
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -368,7 +368,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf
+ /*
+ * Handle MSG_ERRQUEUE
+ */
+-int ip_recv_error(struct sock *sk, struct msghdr *msg, int len)
++int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ {
+ struct sock_exterr_skb *serr;
+ struct sk_buff *skb, *skb2;
+@@ -405,6 +405,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ serr->addr_offset);
+ sin->sin_port = serr->port;
+ memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 92fb6ff..ac31877 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -838,10 +838,11 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+
+ if (flags & MSG_ERRQUEUE) {
+ if (family == AF_INET) {
+- return ip_recv_error(sk, msg, len);
++ return ip_recv_error(sk, msg, len, addr_len);
+ #if IS_ENABLED(CONFIG_IPV6)
+ } else if (family == AF_INET6) {
+- return pingv6_ops.ipv6_recv_error(sk, msg, len);
++ return pingv6_ops.ipv6_recv_error(sk, msg, len,
++ addr_len);
+ #endif
+ }
+ }
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index ca4c3f1..7d3db78 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -695,7 +695,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ goto out;
+
+ if (flags & MSG_ERRQUEUE) {
+- err = ip_recv_error(sk, msg, len);
++ err = ip_recv_error(sk, msg, len, addr_len);
+ goto out;
+ }
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index a7003de..1ef8794 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1210,7 +1210,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ bool slow;
+
+ if (flags & MSG_ERRQUEUE)
+- return ip_recv_error(sk, msg, len);
++ return ip_recv_error(sk, msg, len, addr_len);
+
+ try_again:
+ skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0),
+diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
+index 48b6bd2..7a0fd80 100644
+--- a/net/ipv6/datagram.c
++++ b/net/ipv6/datagram.c
+@@ -318,7 +318,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu)
+ /*
+ * Handle MSG_ERRQUEUE
+ */
+-int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
++int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct sock_exterr_skb *serr;
+@@ -369,6 +369,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
+ &sin->sin6_addr);
+ sin->sin6_scope_id = 0;
+ }
++ *addr_len = sizeof(*sin);
+ }
+
+ memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
+@@ -423,7 +424,8 @@ EXPORT_SYMBOL_GPL(ipv6_recv_error);
+ /*
+ * Handle IPV6_RECVPATHMTU
+ */
+-int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len)
++int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len)
+ {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct sk_buff *skb;
+@@ -457,6 +459,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len)
+ sin->sin6_port = 0;
+ sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id;
+ sin->sin6_addr = mtu_info.ip6m_addr.sin6_addr;
++ *addr_len = sizeof(*sin);
+ }
+
+ put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info);
+diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
+index 18f19df..7856e96 100644
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -57,7 +57,8 @@ static struct inet_protosw pingv6_protosw = {
+
+
+ /* Compatibility glue so we can support IPv6 when it's compiled as a module */
+-static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
++static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,
++ int *addr_len)
+ {
+ return -EAFNOSUPPORT;
+ }
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index 2f303bf..430067c 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -467,10 +467,10 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ return -EOPNOTSUPP;
+
+ if (flags & MSG_ERRQUEUE)
+- return ipv6_recv_error(sk, msg, len);
++ return ipv6_recv_error(sk, msg, len, addr_len);
+
+ if (np->rxpmtu && np->rxopt.bits.rxpmtu)
+- return ipv6_recv_rxpmtu(sk, msg, len);
++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len);
+
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index a59beed..3d2758d 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -375,10 +375,10 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ bool slow;
+
+ if (flags & MSG_ERRQUEUE)
+- return ipv6_recv_error(sk, msg, len);
++ return ipv6_recv_error(sk, msg, len, addr_len);
+
+ if (np->rxpmtu && np->rxopt.bits.rxpmtu)
+- return ipv6_recv_rxpmtu(sk, msg, len);
++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len);
+
+ try_again:
+ skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0),
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index b8a6039..e6e8408 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -665,7 +665,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ *addr_len = sizeof(*lsa);
+
+ if (flags & MSG_ERRQUEUE)
+- return ipv6_recv_error(sk, msg, len);
++ return ipv6_recv_error(sk, msg, len, addr_len);
+
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/inet-prevent-leakage-of-uninitialized-memory-to-user.patch b/freed-ora/current/f18/inet-prevent-leakage-of-uninitialized-memory-to-user.patch
new file mode 100644
index 000000000..c5b941134
--- /dev/null
+++ b/freed-ora/current/f18/inet-prevent-leakage-of-uninitialized-memory-to-user.patch
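Review bot: The l2tp_ip6.c hunk of inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch still carries `*addr_len = sizeof(*lsa);` as a context line ahead of the MSG_ERRQUEUE branch, so l2tp_ip6_recvmsg appears to keep the assign-before-fill pattern that the companion inet-prevent-leakage patch removes from the other recvmsg handlers. If a later path returns without writing msg_name, the reported length could still cover bytes that were never filled in. The same treatment would fit here: drop the early store and set `*addr_len = sizeof(*lsa);` only inside the block that populates `lsa`. Separately, the new `*addr_len = sizeof(*sin);` stores in ip_recv_error, ipv6_recv_error and ipv6_recv_rxpmtu are unguarded, so each caller must pass a non-NULL pointer; the callers visible in this patch forward their own addr_len. l2tp_ip6_recvmsg starts and ends outside the hunk.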
@@ -0,0 +1,256 @@
+Bugzilla: 1035887
+Upstream-status: 3.13
+
+From bceaa90240b6019ed73b49965eac7d167610be69 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 18 Nov 2013 04:20:45 +0100
+Subject: [PATCH] inet: prevent leakage of uninitialized memory to user in recv
+ syscalls
+
+Only update *addr_len when we actually fill in sockaddr, otherwise we
+can return uninitialized memory from the stack to the caller in the
+recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL)
+checks because we only get called with a valid addr_len pointer either
+from sock_common_recvmsg or inet_recvmsg.
+
+If a blocking read waits on a socket which is concurrently shut down we
+now return zero and set msg_msgnamelen to 0.
+
+Reported-by: mpb <mpb.mail@gmail.com>
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ieee802154/dgram.c | 3 +--
+ net/ipv4/ping.c | 19 +++++++------------
+ net/ipv4/raw.c | 4 +---
+ net/ipv4/udp.c | 7 +------
+ net/ipv6/raw.c | 4 +---
+ net/ipv6/udp.c | 5 +----
+ net/l2tp/l2tp_ip.c | 4 +---
+ net/phonet/datagram.c | 9 ++++-----
+ 8 files changed, 17 insertions(+), 38 deletions(-)
+
+diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c
+index 581a595..1865fdf 100644
+--- a/net/ieee802154/dgram.c
++++ b/net/ieee802154/dgram.c
+@@ -315,9 +315,8 @@ static int dgram_recvmsg(struct kiocb *iocb, struct sock *sk,
+ if (saddr) {
+ saddr->family = AF_IEEE802154;
+ saddr->addr = mac_cb(skb)->sa;
+- }
+- if (addr_len)
+ *addr_len = sizeof(*saddr);
++ }
+
+ if (flags & MSG_TRUNC)
+ copied = skb->len;
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 9afbdb1..aacefa0 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -830,8 +830,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ {
+ struct inet_sock *isk = inet_sk(sk);
+ int family = sk->sk_family;
+- struct sockaddr_in *sin;
+- struct sockaddr_in6 *sin6;
+ struct sk_buff *skb;
+ int copied, err;
+
+@@ -841,13 +839,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len) {
+- if (family == AF_INET)
+- *addr_len = sizeof(*sin);
+- else if (family == AF_INET6 && addr_len)
+- *addr_len = sizeof(*sin6);
+- }
+-
+ if (flags & MSG_ERRQUEUE) {
+ if (family == AF_INET) {
+ return ip_recv_error(sk, msg, len);
+@@ -877,11 +868,13 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+
+ /* Copy the address and add cmsg data. */
+ if (family == AF_INET) {
+- sin = (struct sockaddr_in *) msg->msg_name;
++ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
++
+ sin->sin_family = AF_INET;
+ sin->sin_port = 0 /* skb->h.uh->source */;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+
+ if (isk->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+@@ -890,17 +883,19 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ } else if (family == AF_INET6) {
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct ipv6hdr *ip6 = ipv6_hdr(skb);
+- sin6 = (struct sockaddr_in6 *) msg->msg_name;
++ struct sockaddr_in6 *sin6 =
++ (struct sockaddr_in6 *)msg->msg_name;
++
+ sin6->sin6_family = AF_INET6;
+ sin6->sin6_port = 0;
+ sin6->sin6_addr = ip6->saddr;
+-
+ sin6->sin6_flowinfo = 0;
+ if (np->sndflow)
+ sin6->sin6_flowinfo = ip6_flowinfo(ip6);
+
+ sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,
+ IP6CB(skb)->iif);
++ *addr_len = sizeof(*sin6);
+
+ if (inet6_sk(sk)->rxopt.all)
+ pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb);
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 41e1d28..5cb8ddb 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -696,9 +696,6 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len)
+- *addr_len = sizeof(*sin);
+-
+ if (flags & MSG_ERRQUEUE) {
+ err = ip_recv_error(sk, msg, len);
+ goto out;
+@@ -726,6 +723,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ sin->sin_port = 0;
+ memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+ if (inet->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 89909dd..998431c 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1235,12 +1235,6 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+ int is_udplite = IS_UDPLITE(sk);
+ bool slow;
+
+- /*
+- * Check any passed addresses
+- */
+- if (addr_len)
+- *addr_len = sizeof(*sin);
+-
+ if (flags & MSG_ERRQUEUE)
+ return ip_recv_error(sk, msg, len);
+
+@@ -1302,6 +1296,7 @@ try_again:
+ sin->sin_port = udp_hdr(skb)->source;
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+ if (inet->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
+index 3c00842..e24ff1d 100644
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -465,9 +465,6 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ if (flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
+- if (addr_len)
+- *addr_len=sizeof(*sin6);
+-
+ if (flags & MSG_ERRQUEUE)
+ return ipv6_recv_error(sk, msg, len);
+
+@@ -506,6 +503,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ sin6->sin6_flowinfo = 0;
+ sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr,
+ IP6CB(skb)->iif);
++ *addr_len = sizeof(*sin6);
+ }
+
+ sock_recv_ts_and_drops(msg, sk, skb);
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index f3893e8..81eb8cf 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -392,9 +392,6 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+ int is_udp4;
+ bool slow;
+
+- if (addr_len)
+- *addr_len = sizeof(struct sockaddr_in6);
+-
+ if (flags & MSG_ERRQUEUE)
+ return ipv6_recv_error(sk, msg, len);
+
+@@ -480,7 +477,7 @@ try_again:
+ ipv6_iface_scope_id(&sin6->sin6_addr,
+ IP6CB(skb)->iif);
+ }
+-
++ *addr_len = sizeof(*sin6);
+ }
+ if (is_udp4) {
+ if (inet->cmsg_flags)
+diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
+index 571db8d..da1a1ce 100644
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -518,9 +518,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len)
+- *addr_len = sizeof(*sin);
+-
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb)
+ goto out;
+@@ -543,6 +540,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
+ sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+ sin->sin_port = 0;
+ memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
++ *addr_len = sizeof(*sin);
+ }
+ if (inet->cmsg_flags)
+ ip_cmsg_recv(msg, skb);
+diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c
+index 12c30f3..38946b2 100644
+--- a/net/phonet/datagram.c
++++ b/net/phonet/datagram.c
+@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
+ MSG_CMSG_COMPAT))
+ goto out_nofree;
+
+- if (addr_len)
+- *addr_len = sizeof(sa);
+-
+ skb = skb_recv_datagram(sk, flags, noblock, &rval);
+ if (skb == NULL)
+ goto out_nofree;
+@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk,
+
+ rval = (flags & MSG_TRUNC) ? skb->len : copylen;
+
+- if (msg->msg_name != NULL)
+- memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn));
++ if (msg->msg_name != NULL) {
++ memcpy(msg->msg_name, &sa, sizeof(sa));
++ *addr_len = sizeof(sa);
++ }
+
+ out:
+ skb_free_datagram(sk, skb);
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/kernel.spec b/freed-ora/current/f18/kernel.spec
index 7e054aa1f..28c0f7927 100644
--- a/freed-ora/current/f18/kernel.spec
+++ b/freed-ora/current/f18/kernel.spec
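Review bot: In the net/ipv4/ping.c hunks of inet-prevent-leakage-of-uninitialized-memory-to-user.patch (`@@ -877,11 +868,13 @@` and `@@ -890,17 +883,19 @@`), `sin` and `sin6` are taken from `msg->msg_name` and written immediately with no NULL test visible, whereas the raw, udp and l2tp hunks place the new `*addr_len` store inside an existing block that closes with `}`. A receive call that supplies no address buffer would then write through a NULL pointer in ping_recvmsg, unless a guard sits outside the hunks. Wrapping each address block, `if (sin) { ... *addr_len = sizeof(*sin); }` and likewise for `sin6`, would bring ping in line with the other handlers. ping_recvmsg starts and ends outside the hunks.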
@@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -797,9 +797,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4345 rhbz 1007690 1009136 -Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 971893 Patch25106: bonding-driver-alb-learning.patch @@ -836,9 +833,6 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch Patch25130: fix-radeon-sound.patch Patch25149: drm-radeon-24hz-audio-fixes.patch -#rhbz 1011714 -Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch - #rhbz 984696 Patch25132: rt2800usb-slow-down-TX-status-polling.patch @@ -852,6 +846,7 @@ Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch Patch25143: drm-qxl-backport-fixes-for-Fedora.patch +Patch25160: drm-qxl-fix-memory-leak-in-release-list-handling.patch Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch 
@@ -871,6 +866,24 @@ Patch25150: slab_common-Do-not-check-for-duplicate-slab-names.patch #rhbz 967652 Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch +# Fix 15sec NFS mount delay +Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch +Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch +Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch + +#CVE-2013-6382 rhbz 1033603 1034670 +Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch + +#rhbz 1022733 +Patch25158: via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch + +#rhbz 998342 +Patch25159: usbnet-fix-status-interrupt-urb-handling.patch + +#CVE-2013-6405 rhbz 1035875 1035887 +Patch25161: inet-prevent-leakage-of-uninitialized-memory-to-user.patch +Patch25162: inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch + # END OF PATCH DEFINITIONS %endif @@ -1605,9 +1618,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4345 rhbz 1007690 1009136 -ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch @@ -1644,9 +1654,6 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch ApplyPatch fix-radeon-sound.patch ApplyPatch drm-radeon-24hz-audio-fixes.patch -#rhbz 1011714 -ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch - #rhbz 984696 ApplyPatch rt2800usb-slow-down-TX-status-polling.patch @@ -1660,6 +1667,7 @@ ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch +ApplyPatch drm-qxl-fix-memory-leak-in-release-list-handling.patch ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch 
@@ -1679,6 +1687,24 @@ ApplyPatch slab_common-Do-not-check-for-duplicate-slab-names.patch #rhbz 967652 ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch +# Fix 15sec NFS mount delay +ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch +ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch +ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch + +#CVE-2013-6382 rhbz 1033603 1034670 +ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch + +#rhbz 1022733 +ApplyPatch via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch + +#rhbz 998342 +ApplyPatch usbnet-fix-status-interrupt-urb-handling.patch + +#CVE-2013-6405 rhbz 1035875 1035887 +ApplyPatch inet-prevent-leakage-of-uninitialized-memory-to-user.patch +ApplyPatch inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch + # END OF PATCH APPLICATIONS %endif @@ -2531,6 +2557,25 @@ fi # ||----w | # || || %changelog +* Sat Nov 30 2013 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2013-6405 net: leak of uninited mem to userspace via recv syscalls (rhbz 1035875 1035887) + +* Fri Nov 29 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.10-100 +- Linux v3.11.10 +- Fix memory leak in qxl (from Dave Airlie) + +* Tue Nov 26 2013 Josh Boyer <jwboyer@fedoraproject.org> +- Add patch to fix usbnet URB handling (rhbz 998342) +- Fix crash in via-velocity driver (rhbz 1022733) +- CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670) + +* Mon Nov 25 2013 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304) +- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183) + +* Fri Nov 22 2013 Josh Boyer <jwboyer@fedoraproject.org> +- Add patches from Jeff Layton to fix 15sec NFS mount hang + * Wed Nov 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.9-100 - Linux v3.11.9 
diff --git a/freed-ora/current/f18/nfs-check-gssd-running-before-krb5i-auth.patch b/freed-ora/current/f18/nfs-check-gssd-running-before-krb5i-auth.patch new file mode 100644 index 000000000..be81fec76 --- /dev/null +++ b/freed-ora/current/f18/nfs-check-gssd-running-before-krb5i-auth.patch 
@@ -0,0 +1,48 @@
+Bugzilla: N/A
+Upstream-status: queued in NFS git tree (for 3.13/3.14?)
+
+Currently, the client will attempt to use krb5i in the SETCLIENTID call
+even if rpc.gssd isn't running. When that fails, it'll then fall back to
+RPC_AUTH_UNIX. This introduced a delay when mounting if rpc.gssd isn't
+running, and causes warning messages to pop up in the ring buffer.
+
+Check to see if rpc.gssd is running before even attempting to use krb5i
+auth, and just silently skip trying to do so if it isn't. In the event
+that the admin is actually trying to mount with krb5*, it will still
+fail at a later stage of the mount attempt.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+---
+ fs/nfs/nfs4client.c | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+diff -up linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c.orig linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c
+--- linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c.orig 2013-09-02 16:46:10.000000000 -0400
++++ linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c 2013-11-21 10:20:27.288286000 -0500
+@@ -10,6 +10,7 @@
+ #include <linux/sunrpc/auth.h>
+ #include <linux/sunrpc/xprt.h>
+ #include <linux/sunrpc/bc_xprt.h>
++#include <linux/sunrpc/rpc_pipe_fs.h>
+ #include "internal.h"
+ #include "callback.h"
+ #include "delegation.h"
+@@ -206,7 +207,11 @@ struct nfs_client *nfs4_init_client(stru
+ if (clp->cl_minorversion != 0)
+ __set_bit(NFS_CS_INFINITE_SLOTS, &clp->cl_flags);
+ __set_bit(NFS_CS_DISCRTRY, &clp->cl_flags);
+- error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_GSS_KRB5I);
++
++ error = -EINVAL;
++ if (gssd_running(clp->cl_net))
++ error = nfs_create_rpc_client(clp, timeparms,
++ RPC_AUTH_GSS_KRB5I);
+ if (error == -EINVAL)
+ error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_UNIX);
+ if (error < 0)
+
+_______________________________________________
+kernel mailing list
+kernel@lists.fedoraproject.org
+https://admin.fedoraproject.org/mailman/listinfo/kernel
diff --git a/freed-ora/current/f18/sources b/freed-ora/current/f18/sources
index b282e0624..5eb6871a2 100644
--- a/freed-ora/current/f18/sources
+++ b/freed-ora/current/f18/sources
@@ -1,2 +1,2 @@
 7ec84223c7adcf01a5287eb7af96b7e7 linux-libre-3.11-gnu.tar.xz
-6cea7db9419cefdf4c3a4bcc89bf904b patch-3.11.9.xz
+c918da07cf5ad4240945ae56c4de3bc0 patch-3.11.10.xz
diff --git a/freed-ora/current/f18/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch b/freed-ora/current/f18/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
new file mode 100644
index 000000000..805498a70
--- /dev/null
+++ b/freed-ora/current/f18/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
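Review bot: In the nfs4client.c hunk of nfs-check-gssd-running-before-krb5i-auth.patch, the path taken when `gssd_running(clp->cl_net)` is false goes straight to `RPC_AUTH_UNIX` and leaves no trace, so the auth flavour chosen for this client is no longer observable anywhere. The commit message wants the ring buffer kept quiet, so a debug-level line fits: `dprintk("NFS: rpc.gssd not running, skipping krb5i for client setup\n");` in an `else` branch of the new `if`. A one-line comment above `error = -EINVAL;` should also say that the value is a sentinel selecting the AUTH_UNIX fallback, since no call has failed at that point. nfs4_init_client() starts and ends outside the hunk.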
@@ -0,0 +1,233 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) + +rpc.gssd will naturally hold open any pipe named */clnt*/gssd that shows +up under rpc_pipefs. That behavior gives us a reliable mechanism to tell +whether it's actually running or not. + +Create a new toplevel "gssd" directory in rpc_pipefs when it's mounted. +Under that directory create another directory called "clntXX", and then +within that a pipe called "gssd". + +We'll never send an upcall along that pipe, and any downcall written to +it will just return -EINVAL. + +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +--- + include/linux/sunrpc/rpc_pipe_fs.h | 3 +- + net/sunrpc/netns.h | 1 + + net/sunrpc/rpc_pipe.c | 93 ++++++++++++++++++++++++++++++++++- + net/sunrpc/sunrpc_syms.c | 8 +++- + 4 files changed, 100 insertions(+), 5 deletions(-) + +diff -up linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h +--- linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h 2013-11-21 10:11:17.893026000 -0500 +@@ -64,7 +64,8 @@ enum { + + extern struct dentry *rpc_d_lookup_sb(const struct super_block *sb, + const unsigned char *dir_name); +-extern void rpc_pipefs_init_net(struct net *net); ++extern int rpc_pipefs_init_net(struct net *net); ++extern void rpc_pipefs_exit_net(struct net *net); + extern struct super_block *rpc_get_sb_net(const struct net *net); + extern void rpc_put_sb_net(const struct net *net); + +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h 2013-11-21 10:11:17.897029000 -0500 +@@ -14,6 +14,7 @@ struct 
sunrpc_net { + struct cache_detail *rsi_cache; + + struct super_block *pipefs_sb; ++ struct rpc_pipe *gssd_dummy; + struct mutex pipefs_sb_lock; + + struct list_head all_clients; +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c 2013-11-21 10:11:17.903026000 -0500 +@@ -38,7 +38,7 @@ + #define NET_NAME(net) ((net == &init_net) ? " (init_net)" : "") + + static struct file_system_type rpc_pipe_fs_type; +- ++static const struct rpc_pipe_ops gssd_dummy_pipe_ops; + + static struct kmem_cache *rpc_inode_cachep __read_mostly; + +@@ -1019,6 +1019,7 @@ enum { + RPCAUTH_nfsd4_cb, + RPCAUTH_cache, + RPCAUTH_nfsd, ++ RPCAUTH_gssd, + RPCAUTH_RootEOF + }; + +@@ -1055,6 +1056,10 @@ static const struct rpc_filelist files[] + .name = "nfsd", + .mode = S_IFDIR | S_IRUGO | S_IXUGO, + }, ++ [RPCAUTH_gssd] = { ++ .name = "gssd", ++ .mode = S_IFDIR | S_IRUGO | S_IXUGO, ++ }, + }; + + /* +@@ -1068,13 +1073,25 @@ struct dentry *rpc_d_lookup_sb(const str + } + EXPORT_SYMBOL_GPL(rpc_d_lookup_sb); + +-void rpc_pipefs_init_net(struct net *net) ++int rpc_pipefs_init_net(struct net *net) + { + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + ++ sn->gssd_dummy = rpc_mkpipe_data(&gssd_dummy_pipe_ops, 0); ++ if (IS_ERR(sn->gssd_dummy)) ++ return PTR_ERR(sn->gssd_dummy); ++ + mutex_init(&sn->pipefs_sb_lock); + sn->gssd_running = 1; + sn->pipe_version = -1; ++ return 0; ++} ++ ++void rpc_pipefs_exit_net(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ ++ rpc_destroy_pipe_data(sn->gssd_dummy); + } + + /* +@@ -1104,11 +1121,73 @@ void rpc_put_sb_net(const struct net *ne + } + EXPORT_SYMBOL_GPL(rpc_put_sb_net); + ++static const struct rpc_filelist gssd_dummy_clnt_dir[] = { ++ [0] = { ++ .name = "clntXX", ++ .mode = S_IFDIR | S_IRUGO | S_IXUGO, 
++ }, ++}; ++ ++static ssize_t ++dummy_downcall(struct file *filp, const char __user *src, size_t len) ++{ ++ return -EINVAL; ++} ++ ++static const struct rpc_pipe_ops gssd_dummy_pipe_ops = { ++ .upcall = rpc_pipe_generic_upcall, ++ .downcall = dummy_downcall, ++}; ++ ++/** ++ * rpc_gssd_dummy_populate - create a dummy gssd pipe ++ * @root: root of the rpc_pipefs filesystem ++ * @pipe_data: pipe data created when netns is initialized ++ * ++ * Create a dummy set of directories and a pipe that gssd can hold open to ++ * indicate that it is up and running. ++ */ ++static struct dentry * ++rpc_gssd_dummy_populate(struct dentry *root, struct rpc_pipe *pipe_data) ++{ ++ int ret = 0; ++ struct dentry *gssd_dentry; ++ struct dentry *clnt_dentry = NULL; ++ struct dentry *pipe_dentry = NULL; ++ struct qstr q = QSTR_INIT(files[RPCAUTH_gssd].name, ++ strlen(files[RPCAUTH_gssd].name)); ++ ++ /* We should never get this far if "gssd" doesn't exist */ ++ gssd_dentry = d_hash_and_lookup(root, &q); ++ if (!gssd_dentry) ++ return ERR_PTR(-ENOENT); ++ ++ ret = rpc_populate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1, NULL); ++ if (ret) { ++ pipe_dentry = ERR_PTR(ret); ++ goto out; ++ } ++ ++ q.name = gssd_dummy_clnt_dir[0].name; ++ q.len = strlen(gssd_dummy_clnt_dir[0].name); ++ clnt_dentry = d_hash_and_lookup(gssd_dentry, &q); ++ if (!clnt_dentry) { ++ pipe_dentry = ERR_PTR(-ENOENT); ++ goto out; ++ } ++ ++ pipe_dentry = rpc_mkpipe_dentry(clnt_dentry, "gssd", NULL, pipe_data); ++out: ++ dput(clnt_dentry); ++ dput(gssd_dentry); ++ return pipe_dentry; ++} ++ + static int + rpc_fill_super(struct super_block *sb, void *data, int silent) + { + struct inode *inode; +- struct dentry *root; ++ struct dentry *root, *gssd_dentry; + struct net *net = data; + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + int err; +@@ -1126,6 +1205,13 @@ rpc_fill_super(struct super_block *sb, v + return -ENOMEM; + if (rpc_populate(root, files, RPCAUTH_lockd, RPCAUTH_RootEOF, NULL)) + return -ENOMEM; ++ 
++ gssd_dentry = rpc_gssd_dummy_populate(root, sn->gssd_dummy); ++ if (IS_ERR(gssd_dentry)) { ++ __rpc_depopulate(root, files, RPCAUTH_lockd, RPCAUTH_RootEOF); ++ return PTR_ERR(gssd_dentry); ++ } ++ + dprintk("RPC: sending pipefs MOUNT notification for net %p%s\n", + net, NET_NAME(net)); + mutex_lock(&sn->pipefs_sb_lock); +@@ -1140,6 +1226,7 @@ rpc_fill_super(struct super_block *sb, v + return 0; + + err_depopulate: ++ dput(gssd_dentry); + blocking_notifier_call_chain(&rpc_pipefs_notifier_list, + RPC_PIPEFS_UMOUNT, + sb); +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c 2013-11-21 10:11:17.908026000 -0500 +@@ -44,12 +44,17 @@ static __net_init int sunrpc_init_net(st + if (err) + goto err_unixgid; + +- rpc_pipefs_init_net(net); ++ err = rpc_pipefs_init_net(net); ++ if (err) ++ goto err_pipefs; ++ + INIT_LIST_HEAD(&sn->all_clients); + spin_lock_init(&sn->rpc_client_lock); + spin_lock_init(&sn->rpcb_clnt_lock); + return 0; + ++err_pipefs: ++ unix_gid_cache_destroy(net); + err_unixgid: + ip_map_cache_destroy(net); + err_ipmap: +@@ -60,6 +65,7 @@ err_proc: + + static __net_exit void sunrpc_exit_net(struct net *net) + { ++ rpc_pipefs_exit_net(net); + unix_gid_cache_destroy(net); + ip_map_cache_destroy(net); + rpc_proc_exit(net); + diff --git a/freed-ora/current/f18/sunrpc-replace-gssd_running-with-more-reliable-check.patch b/freed-ora/current/f18/sunrpc-replace-gssd_running-with-more-reliable-check.patch new file mode 100644 index 000000000..f2ca18555 --- /dev/null +++ b/freed-ora/current/f18/sunrpc-replace-gssd_running-with-more-reliable-check.patch 
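Review bot: rpc_gssd_dummy_populate() in the rpc_pipe.c hunk leaves the `clntXX` directory behind when a later step fails: once `rpc_populate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1, NULL)` has succeeded, an error return from `rpc_mkpipe_dentry()` reaches `out:`, which only drops the two dentry references. The caller in rpc_fill_super() then runs `__rpc_depopulate(root, files, RPCAUTH_lockd, RPCAUTH_RootEOF)`; whether that also removes the nested directory is not visible here. Undoing the step locally keeps the function self-contained: after the `rpc_mkpipe_dentry()` call add `if (IS_ERR(pipe_dentry)) __rpc_depopulate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1);`.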
@@ -0,0 +1,134 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) + +Now that we have a more reliable method to tell if gssd is running, we +can replace the sn->gssd_running flag with a function that will query to +see if it's up and running. + +There's also no need to attempt an upcall that we know will fail, so +just return -EACCES if gssd isn't running. Finally, fix the warn_gss() +message not to claim that that the upcall timed out since we don't +necesarily perform one now when gssd isn't running, and remove the +extraneous newline from the message. + +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +--- + include/linux/sunrpc/rpc_pipe_fs.h | 2 ++ + net/sunrpc/auth_gss/auth_gss.c | 17 +++++++---------- + net/sunrpc/netns.h | 2 -- + net/sunrpc/rpc_pipe.c | 14 ++++++++++---- + 4 files changed, 19 insertions(+), 16 deletions(-) + +diff -up linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h +--- linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig 2013-11-21 10:11:17.893026000 -0500 ++++ linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h 2013-11-21 10:14:17.709348000 -0500 +@@ -94,5 +94,7 @@ extern int rpc_unlink(struct dentry *); + extern int register_rpc_pipefs(void); + extern void unregister_rpc_pipefs(void); + ++extern bool gssd_running(struct net *net); ++ + #endif + #endif +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c 2013-11-21 10:18:33.681923000 -0500 +@@ -507,8 +507,7 @@ static void warn_gssd(void) + unsigned long now = jiffies; + + if (time_after(now, ratelimit)) { +- printk(KERN_WARNING "RPC: AUTH_GSS 
upcall timed out.\n" +- "Please check user daemon is running.\n"); ++ pr_warn("RPC: AUTH_GSS upcall failed. Please check user daemon is running.\n"); + ratelimit = now + 15*HZ; + } + } +@@ -571,7 +570,6 @@ gss_create_upcall(struct gss_auth *gss_a + struct rpc_pipe *pipe; + struct rpc_cred *cred = &gss_cred->gc_base; + struct gss_upcall_msg *gss_msg; +- unsigned long timeout; + DEFINE_WAIT(wait); + int err; + +@@ -579,17 +577,16 @@ gss_create_upcall(struct gss_auth *gss_a + __func__, from_kuid(&init_user_ns, cred->cr_uid)); + retry: + err = 0; +- /* Default timeout is 15s unless we know that gssd is not running */ +- timeout = 15 * HZ; +- if (!sn->gssd_running) +- timeout = HZ >> 2; ++ /* if gssd is down, just skip upcalling altogether */ ++ if (!gssd_running(net)) { ++ warn_gssd(); ++ return -EACCES; ++ } + gss_msg = gss_setup_upcall(gss_auth->client, gss_auth, cred); + if (PTR_ERR(gss_msg) == -EAGAIN) { + err = wait_event_interruptible_timeout(pipe_version_waitqueue, +- sn->pipe_version >= 0, timeout); ++ sn->pipe_version >= 0, 15 * HZ); + if (sn->pipe_version < 0) { +- if (err == 0) +- sn->gssd_running = 0; + warn_gssd(); + err = -EACCES; + } +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig 2013-11-21 10:11:17.897029000 -0500 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h 2013-11-21 10:14:17.722351000 -0500 +@@ -33,8 +33,6 @@ struct sunrpc_net { + int pipe_version; + atomic_t pipe_users; + struct proc_dir_entry *use_gssp_proc; +- +- unsigned int gssd_running; + }; + + extern int sunrpc_net_id; +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig 2013-11-21 10:11:17.903026000 -0500 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c 2013-11-21 10:14:17.727348000 -0500 +@@ -216,14 +216,11 @@ 
rpc_destroy_inode(struct inode *inode) + static int + rpc_pipe_open(struct inode *inode, struct file *filp) + { +- struct net *net = inode->i_sb->s_fs_info; +- struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + struct rpc_pipe *pipe; + int first_open; + int res = -ENXIO; + + mutex_lock(&inode->i_mutex); +- sn->gssd_running = 1; + pipe = RPC_I(inode)->pipe; + if (pipe == NULL) + goto out; +@@ -1082,7 +1079,6 @@ int rpc_pipefs_init_net(struct net *net) + return PTR_ERR(sn->gssd_dummy); + + mutex_init(&sn->pipefs_sb_lock); +- sn->gssd_running = 1; + sn->pipe_version = -1; + return 0; + } +@@ -1236,6 +1232,16 @@ err_depopulate: + return err; + } + ++bool ++gssd_running(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ struct rpc_pipe *pipe = sn->gssd_dummy; ++ ++ return pipe->nreaders || pipe->nwriters; ++} ++EXPORT_SYMBOL_GPL(gssd_running); ++ + static struct dentry * + rpc_mount(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data) + diff --git a/freed-ora/current/f18/usbnet-fix-status-interrupt-urb-handling.patch b/freed-ora/current/f18/usbnet-fix-status-interrupt-urb-handling.patch new file mode 100644 index 000000000..74bf3978d --- /dev/null +++ b/freed-ora/current/f18/usbnet-fix-status-interrupt-urb-handling.patch 
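Review bot: gssd_running() in the rpc_pipe.c hunk reads `pipe->nreaders` and `pipe->nwriters` without taking any lock, and it is exported with no comment saying that the answer is only a hint. Callers on this page use it to return `-EACCES` from gss_create_upcall() at once and, in the nfs4client.c patch, to skip krb5i, so a daemon that opens the dummy pipe a moment later is treated as absent. I would add a kernel-doc block above the function stating that the result is an unlocked snapshot that can change right after return, and that it reports only whether some process holds the dummy gssd pipe open. The `return -EACCES;` added under `retry:` also leaves gss_create_upcall() without passing through its common exit; the rest of that function is outside the hunk, so please confirm nothing at the exit label is expected to run on this path.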
@@ -0,0 +1,37 @@
+From 52f48d0d9aaa621ffa5e08d79da99a3f8c93b848 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Tue, 12 Nov 2013 16:34:41 +0100
+Subject: [PATCH] usbnet: fix status interrupt urb handling
+
+Since commit 7b0c5f21f348a66de495868b8df0284e8dfd6bbf
+"sierra_net: keep status interrupt URB active", sierra_net triggers
+status interrupt polling before the net_device is opened (in order to
+properly receive the sync message response).
+
+To be able to receive further interrupts, the interrupt urb needs to be
+re-submitted, so this patch removes the bogus check for netif_running().
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Tested-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ drivers/net/usb/usbnet.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 90a429b..8494bb5 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -204,9 +204,6 @@ static void intr_complete (struct urb *urb)
+ break;
+ }
+
+- if (!netif_running (dev->net))
+- return;
+-
+ status = usb_submit_urb (urb, GFP_ATOMIC);
+ if (status != 0)
+ netif_err(dev, timer, dev->net,
+--
+1.8.3.1
+
diff --git a/freed-ora/current/f18/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch b/freed-ora/current/f18/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch
new file mode 100644
index 000000000..820f47056
--- /dev/null
+++ b/freed-ora/current/f18/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch
@@ -0,0 +1,121 @@ +Bugzilla: 1022733 +Upstream: Submitted for 3.13 and 3.12.y stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp116929oab; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +X-Received: by 10.68.254.105 with SMTP id ah9mr20726084pbd.87.1385423136297; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +Return-Path: <netdev-owner@vger.kernel.org> +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id am2si28999873pad.96.2013.11.25.15.44.53 + for <multiple recipients>; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=netdev-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753536Ab3KYXl6 (ORCPT <rfc822;lnxuff@gmail.com> + 99 others); + Mon, 25 Nov 2013 18:41:58 -0500 +Received: from violet.fr.zoreil.com ([92.243.8.30]:57806 "EHLO + violet.fr.zoreil.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751913Ab3KYXlz (ORCPT + <rfc822;netdev@vger.kernel.org>); Mon, 25 Nov 2013 18:41:55 -0500 +Received: from violet.fr.zoreil.com (localhost [127.0.0.1]) + by violet.fr.zoreil.com (8.14.5/8.14.5) with ESMTP id rAPNewrt012676; + Tue, 26 Nov 2013 00:40:58 +0100 +Received: (from romieu@localhost) + by violet.fr.zoreil.com (8.14.5/8.14.5/Submit) id rAPNewbX012675; + Tue, 26 Nov 2013 00:40:58 +0100 +Date: Tue, 26 Nov 2013 00:40:58 +0100 +From: Francois Romieu <romieu@fr.zoreil.com> +To: netdev@vger.kernel.org +Cc: David Miller <davem@davemloft.net>, + "Alex A. 
Schmidt" <aaschmidt1@gmail.com>, + Michele Baldessari <michele@acksyn.org>, + Jamie Heilman <jamie@audible.transient.net>, + Julia Lawall <Julia.Lawall@lip6.fr> +Subject: [PATCH net 1/1] via-velocity: fix netif_receive_skb use in irq + disabled section. +Message-ID: <20131125234058.GA12566@electric-eye.fr.zoreil.com> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +X-Organisation: Land of Sunshine Inc. +User-Agent: Mutt/1.5.21 (2010-09-15) +Sender: netdev-owner@vger.kernel.org +Precedence: bulk +List-ID: <netdev.vger.kernel.org> +X-Mailing-List: netdev@vger.kernel.org + +2fdac010bdcf10a30711b6924612dfc40daf19b8 ("via-velocity.c: update napi +implementation") overlooked an irq disabling spinlock when the Rx part +of the NAPI poll handler was converted from netif_rx to netif_receive_skb. + +NAPI Rx processing can be taken out of the locked section with a pair of +napi_{disable / enable} since it only races with the MTU change function. + +An heavier rework of the NAPI locking would be able to perform NAPI Tx +before Rx where I simply removed one of velocity_tx_srv calls. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1022733 +Fixes: 2fdac010bdcf (via-velocity.c: update napi implementation) +Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> +Tested-by: Alex A. Schmidt <aaschmidt1@gmail.com> +Cc: Jamie Heilman <jamie@audible.transient.net> +Cc: Michele Baldessari <michele@acksyn.org> +Cc: Julia Lawall <Julia.Lawall@lip6.fr> +--- + + It is relevant for stable 3.11.x and 3.12.y. 
+ + drivers/net/ethernet/via/via-velocity.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c +index d022bf9..ad61d26 100644 +--- a/drivers/net/ethernet/via/via-velocity.c ++++ b/drivers/net/ethernet/via/via-velocity.c +@@ -2172,16 +2172,13 @@ static int velocity_poll(struct napi_struct *napi, int budget) + unsigned int rx_done; + unsigned long flags; + +- spin_lock_irqsave(&vptr->lock, flags); + /* + * Do rx and tx twice for performance (taken from the VIA + * out-of-tree driver). + */ +- rx_done = velocity_rx_srv(vptr, budget / 2); +- velocity_tx_srv(vptr); +- rx_done += velocity_rx_srv(vptr, budget - rx_done); ++ rx_done = velocity_rx_srv(vptr, budget); ++ spin_lock_irqsave(&vptr->lock, flags); + velocity_tx_srv(vptr); +- + /* If budget not fully consumed, exit the polling mode */ + if (rx_done < budget) { + napi_complete(napi); +@@ -2342,6 +2339,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) + if (ret < 0) + goto out_free_tmp_vptr_1; + ++ napi_disable(&vptr->napi); ++ + spin_lock_irqsave(&vptr->lock, flags); + + netif_stop_queue(dev); +@@ -2362,6 +2361,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) + + velocity_give_many_rx_descs(vptr); + ++ napi_enable(&vptr->napi); ++ + mac_enable_int(vptr->mac_regs); + netif_start_queue(dev); + +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe netdev" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/freed-ora/current/f18/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch b/freed-ora/current/f18/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch new file mode 100644 index 000000000..6c7f60dd9 --- /dev/null +++ b/freed-ora/current/f18/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch 
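Review bot: The comment kept in velocity_poll(), "Do rx and tx twice for performance (taken from the VIA out-of-tree driver)", no longer matches the code, which after this change calls `velocity_rx_srv(vptr, budget)` once and `velocity_tx_srv(vptr)` once. The reason Rx now runs before `spin_lock_irqsave()` is recorded only in the patch description, so I would replace the stale comment with `/* Rx runs outside vptr->lock: netif_receive_skb() must not be called with irqs disabled. */`. In velocity_change_mtu() the new `napi_disable()`/`napi_enable()` pair brackets code that is partly outside the hunk, so it is worth confirming that no exit between the two skips `napi_enable()`.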
@@ -0,0 +1,149 @@ +Bugzilla: 1033603 +Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654 + +Path: news.gmane.org!not-for-mail +From: Dan Carpenter <dan.carpenter@oracle.com> +Newsgroups: gmane.comp.file-systems.xfs.general +Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle() +Date: Thu, 31 Oct 2013 21:00:10 +0300 +Lines: 43 +Approved: news@gmane.org +Message-ID: <20131031180010.GA24839@longonot.mountain> +References: <20131025144452.GA28451@ngolde.de> +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: text/plain; charset="us-ascii" +Content-Transfer-Encoding: 7bit +X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC) +Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org, + Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com +To: Ben Myers <bpm@sgi.com> +Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013 +Return-path: <xfs-bounces@oss.sgi.com> +Envelope-to: sgi-linux-xfs@gmane.org +Original-Received: from oss.sgi.com ([192.48.182.195]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from <xfs-bounces@oss.sgi.com>) + id 1Vbwag-0001Ow-Sv + for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100 +Original-Received: from oss.sgi.com (localhost [IPv6:::1]) + by oss.sgi.com (Postfix) with ESMTP id DB14A7F85; + Thu, 31 Oct 2013 13:03:28 -0500 (CDT) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com +X-Spam-Level: +X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY + autolearn=ham version=3.3.1 +X-Original-To: xfs@oss.sgi.com +Delivered-To: xfs@oss.sgi.com +Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111]) + by oss.sgi.com (Postfix) with ESMTP id A0ED87F83 + for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT) +Original-Received: from 
cuda.sgi.com (cuda1.sgi.com [192.48.157.11]) + by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B + for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT) +X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ +Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by + cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1 + cipher=AES256-SHA bits=256 verify=NO); + Thu, 31 Oct 2013 11:03:20 -0700 (PDT) +X-Barracuda-Envelope-From: dan.carpenter@oracle.com +X-Barracuda-Apparent-Source-IP: 156.151.31.81 +Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) + by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with + ESMTP id r9VI3AZn009606 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Thu, 31 Oct 2013 18:03:11 GMT +Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) + by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id + r9VI39qG016923 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); + Thu, 31 Oct 2013 18:03:10 GMT +Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) + by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id + r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT +Original-Received: from longonot.mountain (/105.160.144.228) + by default (Oracle Beehive Gateway v4.0) + with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700 +X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle() +Content-Disposition: inline +In-Reply-To: <20131025144452.GA28451@ngolde.de> +User-Agent: Mutt/1.5.21 (2010-09-15) +X-Source-IP: acsinet22.oracle.com [141.146.126.238] +X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81] +X-Barracuda-Start-Time: 1383242600 +X-Barracuda-Encrypted: AES256-SHA +X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi +X-Virus-Scanned: by bsmtpd at sgi.com +X-Barracuda-BRTS-Status: 1 +X-Barracuda-Spam-Score: 0.00 
+X-Barracuda-Spam-Status: No, + SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0 + QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY +X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937 + Rule breakdown below + pts rule name description + ---- ---------------------- + -------------------------------------------------- + 0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay + lines +X-BeenThere: xfs@oss.sgi.com +X-Mailman-Version: 2.1.14 +Precedence: list +List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com> +List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>, + <mailto:xfs-request@oss.sgi.com?subject=unsubscribe> +List-Archive: <http://oss.sgi.com/pipermail/xfs> +List-Post: <mailto:xfs@oss.sgi.com> +List-Help: <mailto:xfs-request@oss.sgi.com?subject=help> +List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>, + <mailto:xfs-request@oss.sgi.com?subject=subscribe> +Errors-To: xfs-bounces@oss.sgi.com +Original-Sender: xfs-bounces@oss.sgi.com +Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654 +Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654> + +If we allocate less than sizeof(struct attrlist) then we end up +corrupting memory or doing a ZERO_PTR_SIZE dereference. + +This can only be triggered with CAP_SYS_ADMIN. 
+ +Reported-by: Nico Golde <nico@ngolde.de> +Reported-by: Fabian Yamaguchi <fabs@goesec.de> +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> + +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index 4d61340..33ad9a7 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -442,7 +442,8 @@ xfs_attrlist_by_handle( + return -XFS_ERROR(EPERM); + if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) + return -XFS_ERROR(EFAULT); +- if (al_hreq.buflen > XATTR_LIST_MAX) ++ if (al_hreq.buflen < sizeof(struct attrlist) || ++ al_hreq.buflen > XATTR_LIST_MAX) + return -XFS_ERROR(EINVAL); + + /* +diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c +index e8fb123..a7992f8 100644 +--- a/fs/xfs/xfs_ioctl32.c ++++ b/fs/xfs/xfs_ioctl32.c +@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle( + if (copy_from_user(&al_hreq, arg, + sizeof(compat_xfs_fsop_attrlist_handlereq_t))) + return -XFS_ERROR(EFAULT); +- if (al_hreq.buflen > XATTR_LIST_MAX) ++ if (al_hreq.buflen < sizeof(struct attrlist) || ++ al_hreq.buflen > XATTR_LIST_MAX) + return -XFS_ERROR(EINVAL); + + /* + +_______________________________________________ +xfs mailing list +xfs@oss.sgi.com +http://oss.sgi.com/mailman/listinfo/xfs + |
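Review bot: The new lower bound `al_hreq.buflen < sizeof(struct attrlist)` is added identically in xfs_attrlist_by_handle() and xfs_compat_attrlist_by_handle() with no comment, so the reason for it lives only in the patch description. A comment above each check would keep it from being dropped in a later cleanup: `/* buflen must hold at least the struct attrlist header written into the buffer */`. The declaration of `buflen` is not visible in either hunk; if it is a signed type, the comparison with `sizeof` converts it to unsigned, and that should be confirmed as the intended handling of negative values. Both function bodies continue outside the hunks.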

