| author | Alexandre Oliva <lxoliva@fsfla.org> | 2016-05-18 12:51:05 +0000 |
|---|---|---|
| committer | Alexandre Oliva <lxoliva@fsfla.org> | 2016-05-18 12:51:05 +0000 |
| commit | 20fc5536e2a7e6e4de3e889a9297917dd0806262 (patch) | |
| tree | f4b887ac32bdc681aa218441d3d605cb7d67a1fb /freed-ora/current/master | |
| parent | 3d5c041b91f7dd20b794d78df64e4c26a6739786 (diff) | |
4.6.0-0.rc7.git0.1.fc25.gnu
Diffstat (limited to 'freed-ora/current/master')
14 files changed, 170 insertions, 284 deletions
diff --git a/freed-ora/current/master/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch b/freed-ora/current/master/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch deleted file mode 100644 index d26c5d52d..000000000 --- a/freed-ora/current/master/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 88fd0f33c3cc5aa6a26f56902241941ac717e9f8 Mon Sep 17 00:00:00 2001 -From: Peter Robinson <pbrobinson@gmail.com> -Date: Wed, 27 Apr 2016 13:44:05 +0100 -Subject: [PATCH] gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading - ---- - drivers/gpu/ipu-v3/ipu-common.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c -index e00db3f..abb98c7 100644 ---- a/drivers/gpu/ipu-v3/ipu-common.c -+++ b/drivers/gpu/ipu-v3/ipu-common.c -@@ -1068,7 +1068,6 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) - goto err_register; - } - -- pdev->dev.of_node = of_node; - pdev->dev.parent = dev; - - ret = platform_device_add_data(pdev, ®->pdata, -@@ -1079,6 +1078,12 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) - platform_device_put(pdev); - goto err_register; - } -+ -+ /* -+ * Set of_node only after calling platform_device_add. Otherwise -+ * the platform:imx-ipuv3-crtc modalias won't be used. -+ */ -+ pdev->dev.of_node = of_node; - } - - return 0; --- -2.7.4 - diff --git a/freed-ora/current/master/USB-usbfs-fix-potential-infoleak-in-devio.patch b/freed-ora/current/master/USB-usbfs-fix-potential-infoleak-in-devio.patch new file mode 100644 index 000000000..48360c930 --- /dev/null +++ b/freed-ora/current/master/USB-usbfs-fix-potential-infoleak-in-devio.patch 
@@ -0,0 +1,41 @@
+From 7adc5cbc25dcc47dc3856108d9823d08da75da9d Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: [PATCH] USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 52c4461dfccd..9b7f1f75e887 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
+
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+- struct usbdevfs_connectinfo ci = {
+- .devnum = ps->dev->devnum,
+- .slow = ps->dev->speed == USB_SPEED_LOW
+- };
++ struct usbdevfs_connectinfo ci;
++
++ memset(&ci, 0, sizeof(ci));
++ ci.devnum = ps->dev->devnum;
++ ci.slow = ps->dev->speed == USB_SPEED_LOW;
+
+ if (copy_to_user(arg, &ci, sizeof(ci)))
+ return -EFAULT;
+--
+2.5.5
+
diff --git a/freed-ora/current/master/config-arm64 b/freed-ora/current/master/config-arm64
index c036de9c2..e461c8cb2 100644
--- a/freed-ora/current/master/config-arm64
+++ b/freed-ora/current/master/config-arm64
@@ -193,6 +193,7 @@ CONFIG_DMIID=y CONFIG_DMI_SYSFS=y CONFIG_SATA_AHCI_PLATFORM=y +CONFIG_SATA_AHCI_SEATTLE=m CONFIG_LIBNVDIMM=m CONFIG_BTT=y
diff --git a/freed-ora/current/master/config-generic b/freed-ora/current/master/config-generic
index 357a43dac..8064f34f7 100644
--- a/freed-ora/current/master/config-generic
+++ b/freed-ora/current/master/config-generic
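Review bot: Nothing in the new proc_connectinfo body (USB-usbfs-fix-potential-infoleak-in-devio.patch) says why `ci` is cleared with memset() and then filled field by field, so a later cleanup could fold it back into the designated initializer this patch removes and again pass uninitialized padding to copy_to_user(). I would add `/* memset() also clears padding bytes; an initializer list is not guaranteed to */` above `memset(&ci, 0, sizeof(ci));`. The same comment fits above `memset(&info, 0, sizeof(info));` in net-fix-infoleak-in-llc.patch and `memset(&map, 0, sizeof(map));` in net-fix-infoleak-in-rtnetlink.patch. All three function bodies continue outside the hunks shown.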
@@ -2112,7 +2112,8 @@ CONFIG_NFC_TRF7970A=m CONFIG_NFC_ST21NFCA=m CONFIG_NFC_ST21NFCA_I2C=m # CONFIG_NFC_ST95HF is not set -# CONFIG_NFC_NXP_NCI is not set +CONFIG_NFC_NXP_NCI=m +CONFIG_NFC_NXP_NCI_I2C=m # CONFIG_NFC_NCI_SPI is not set # CONFIG_NFC_NCI_UART is not set # CONFIG_NFC_ST_NCI is not set diff --git a/freed-ora/current/master/deblob-check b/freed-ora/current/master/deblob-check index 2c6ec88bb..eac4738c6 100755 --- a/freed-ora/current/master/deblob-check +++ b/freed-ora/current/master/deblob-check @@ -1,6 +1,6 @@ #! /bin/sh -# deblob-check version 2016-05-08 +# deblob-check version 2016-05-09 # Inspired in gNewSense's find-firmware script. # Written by Alexandre Oliva <lxoliva@fsfla.org> @@ -3694,7 +3694,7 @@ set_except () { accept '[ ]err[ ]=[ ]request_firmware_nowait[(][^\n]*,[ ]CARL9170FW_NAME,' drivers/net/wireless/carl9170/usb.c defsnc 'static[ ]const[ ]struct[ ]b43_nphy_channeltab_entry_rev3[ ]b43_nphy_channeltab_\(phy\|radio\)_rev\([34568]\|7_9\|11\)\[\][ ]=' drivers/net/wireless/b43/radio_2056.c defsnc 'static[ ]const[ ]u32[ ]b43_ntab_noisevar_r3\[\][ ]=' drivers/net/wireless/b43/tables_nphy.c - blobname 'iwlwifi-8000-' drivers/net/wireless/iwlwifi/iwl-8000.c + blobname 'iwlwifi-8000C\?-' drivers/net/wireless/intel/iwlwifi/iwl-8000.c blobname 'iwl_nvm_8000\.bin' drivers/net/wireless/iwlwifi/iwl-8000.c defsnc 'static[ ]const[ ]u8[ ]iwl_nvm_channels_family_8000\[\][ ]=' drivers/net/wireless/iwlwifi/iwl-nvm-parse.c defsnc 'static[ ]const[ ]u16[ ]expected_tpt_\(siso\|mimo2\)_[248]0MHz\[4\]\[IWL_RATE_COUNT\][ ]=' drivers/net/wireless/iwlwifi/mvm/rs.c 
@@ -4031,7 +4031,7 @@ set_except () { blobname 'firmware-4\.bin' drivers/net/wireless/ath/ath10k/hw.h blobname 'brcm[/]brcmfmac43340-sdio\.bin' drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c blobname 'iwlwifi-7260-' drivers/net/wireless/iwlwifi/pcie/7000.c - blobname 'iwlwifi-8000' drivers/net/wireless/iwlwifi/iwl-8000.c + blobname 'iwlwifi-8000' drivers/net/wireless/intel/iwlwifi/iwl-8000.c blobname 'iwl_nvm_8000B\.bin' drivers/net/wireless/iwlwifi/iwl-8000.c blobname 'mrvl[/]sd8801_uapsta\.bin' drivers/net/wireless/mwifiex/sdio.h blobname 'mrvl[/]usb8801_uapsta\.bin' drivers/net/wireless/mwifiex/usb.h @@ -4422,6 +4422,7 @@ set_except () { blobname 'intel[/]ibt-hw-%x\.%x\.bddata' drivers/bluetooth/hci_ag6xx.c blobname 'intel[/]ibt-hw-%x\.%x\.%x-fw-%x\.%x\.%x\.%x\.%x\.pbn' drivers/bluetooth/hci_ag6xx.c blobname 'melfas_mip4\.fw' drivers/input/touchscreen/melfas_mip4.c + blobname 'iwlwifi-8000C-' drivers/net/wireless/intel/iwlwifi/iwl-8000.c ;; */*freedo*.patch | */*logo*.patch) diff --git a/freed-ora/current/master/gitrev b/freed-ora/current/master/gitrev index 475ea2ec9..9e88e8850 100644 --- a/freed-ora/current/master/gitrev +++ b/freed-ora/current/master/gitrev @@ -1 +1 @@ -92c19ea9535707701861b7533253a516c7d115c9 +9caa7e78481f17fb6ff77dfaca774998e7440430 diff --git a/freed-ora/current/master/kernel.spec b/freed-ora/current/master/kernel.spec index d802076cd..efb188991 100644 --- a/freed-ora/current/master/kernel.spec +++ b/freed-ora/current/master/kernel.spec @@ -105,7 +105,7 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 6 +%define rcrev 7 # The git snapshot level %define gitrev 0 # Set rpm version accordingly 
@@ -555,9 +555,6 @@ Patch422: geekbox-v4-device-tree-support.patch # http://www.spinics.net/lists/arm-kernel/msg483898.html Patch423: Initial-AllWinner-A64-and-PINE64-support.patch -# rhbz 1321330 http://www.spinics.net/lists/dri-devel/msg105829.html -Patch425: 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch - # http://www.spinics.net/lists/linux-tegra/msg26029.html Patch426: usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch @@ -662,11 +659,12 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch #rhbz 1309487 Patch701: antenna_select.patch -# Stop splashing crap about broken firmware BGRT -Patch702: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch +#CVE-2016-4482 rhbz 1332931 1332932 +Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch -#rhbz 1331092 -Patch703: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch +#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321 +Patch707: net-fix-infoleak-in-llc.patch +Patch708: net-fix-infoleak-in-rtnetlink.patch # END OF PATCH DEFINITIONS @@ -1239,7 +1237,7 @@ if [ ! -d kernel-%{kversion}%{?dist}/vanilla-%{vanillaversion} ]; then fi -perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?stablegnux}/" vanilla-%{kversion}/Makefile +perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?stablelibre: }%{?stablegnux}/" vanilla-%{kversion}/Makefile %if "%{kversion}" != "%{vanillaversion}" @@ -1262,7 +1260,7 @@ perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?stablegnux}/" vanilla-%{kversi # (non-released_kernel case only) %if 0%{?rcrev} %if "%{?stablelibre}" != "%{?rcrevlibre}" - perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = %{?rcrevgnux}/" Makefile + perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?rcrevlibre: }%{?rcrevgnux}/" Makefile %endif xzcat %{SOURCE5000} | patch -p1 -F1 -s %if 0%{?gitrev} 
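Review bot: Patch703 (mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch, rhbz 1331092) is dropped in the `@@ -662,11 +659,12 @@` hunk of kernel.spec, yet none of the %changelog entries added by this commit records why. Presumably the fix is already part of the rc7 base, but the diff does not show that, and a memory-corruption fix should not leave the package without a trace. A changelog line such as `- Drop mm-thp-kvm memory corruption patch, included in the rc7 base (rhbz 1331092)` would record it, if that is indeed the reason. The new comment `#CVE-2016-4486 CVE-2016-4485 rhbz 1333316 1333309 1333321` also covers Patch707 and Patch708 together without saying which CVE each patch addresses; one comment line per patch would make later audits easier.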
@@ -1272,7 +1270,7 @@ perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?stablegnux}/" vanilla-%{kversi %else # pre-{base_sublevel+1}-rc1 case %if "%{?stablelibre}" != "%{?gitrevlibre}" - perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = %{?gitrevgnux}/" Makefile + perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION =%{?gitrevlibre: }%{?gitrevgnux}/" Makefile %endif %if 0%{?gitrev} xzcat %{SOURCE5000} | patch -p1 -F1 -s @@ -2291,7 +2289,28 @@ fi # # %changelog -* Sun May 8 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre +* Sat May 14 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 4.6-rc7-gnu. + +* Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc7.git0.1 +- Linux v4.6-rc7 + +* Fri May 06 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc6.git4.1 +- Linux v4.6-rc6-165-g9caa7e78481f + +* Thu May 05 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc6.git3.1 +- Linux v4.6-rc6-123-g21a9703de304 +- CVE-2016-4486 CVE-2016-4485 info leaks (rhbz 1333316 1333309 1333321) + +* Wed May 04 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc6.git2.1 +- Linux v4.6-rc6-113-g83858a701cf3 +- Enable NFC_NXP_NCI options (rhbz 1290556) +- CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932) + +* Tue May 03 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc6.git1.1 +- Linux v4.6-rc6-72-g33656a1f2ee5 + +* Mon May 2 2016 Alexandre Oliva <lxoliva@fsfla.org> -libre Sun May 8 - GNU Linux-libre 4.6-rc6-gnu. * Mon May 02 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc6.git0.1 diff --git a/freed-ora/current/master/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch b/freed-ora/current/master/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch deleted file mode 100644 index 2f90ec8e5..000000000 --- a/freed-ora/current/master/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From 94f984ff563d1777652b822d7a282cacc1e481c2 Mon Sep 17 00:00:00 2001 -From: Andrea Arcangeli <aarcange@redhat.com> -Date: Wed, 27 Apr 2016 12:04:46 -0500 -Subject: [PATCH] mm: thp: kvm: fix memory corruption in KVM with THP enabled - -After the THP refcounting change, obtaining a compound pages from -get_user_pages() no longer allows us to assume the entire compound -page is immediately mappable from a secondary MMU. - -A secondary MMU doesn't want to call get_user_pages() more than once -for each compound page, in order to know if it can map the whole -compound page. So a secondary MMU needs to know from a single -get_user_pages() invocation when it can map immediately the entire -compound page to avoid a flood of unnecessary secondary MMU faults and -spurious atomic_inc()/atomic_dec() (pages don't have to be pinned by -MMU notifier users). - -Ideally instead of the page->_mapcount < 1 check, get_user_pages() -should return the granularity of the "page" mapping in the "mm" passed -to get_user_pages(). However it's non trivial change to pass the "pmd" -status belonging to the "mm" walked by get_user_pages up the stack (up -to the caller of get_user_pages). So the fix just checks if there is -not a single pte mapping on the page returned by get_user_pages, and -in turn if the caller can assume that the whole compound page is -mapped in the current "mm" (in a pmd_trans_huge()). In such case the -entire compound page is safe to map into the secondary MMU without -additional get_user_pages() calls on the surrounding tail/head -pages. In addition of being faster, not having to run other -get_user_pages() calls also reduces the memory footprint of the -secondary MMU fault in case the pmd split happened as result of memory -pressure. 
- -Without this fix after a MADV_DONTNEED (like invoked by QEMU during -postcopy live migration or balloning) or after generic swapping (with -a failure in split_huge_page() that would only result in pmd splitting -and not a physical page split), KVM would map the whole compound page -into the shadow pagetables, despite regular faults or userfaults (like -UFFDIO_COPY) may map regular pages into the primary MMU as result of -the pte faults, leading to the guest mode and userland mode going out -of sync and not working on the same memory at all times. - -Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> ---- - arch/arm/kvm/mmu.c | 2 +- - arch/x86/kvm/mmu.c | 4 ++-- - include/linux/page-flags.h | 22 ++++++++++++++++++++++ - 3 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c -index aba61fd..8dafe97 100644 ---- a/arch/arm/kvm/mmu.c -+++ b/arch/arm/kvm/mmu.c -@@ -997,7 +997,7 @@ static bool transparent_hugepage_adjust(kvm_pfn_t *pfnp, phys_addr_t *ipap) - kvm_pfn_t pfn = *pfnp; - gfn_t gfn = *ipap >> PAGE_SHIFT; - -- if (PageTransCompound(pfn_to_page(pfn))) { -+ if (PageTransCompoundMap(pfn_to_page(pfn))) { - unsigned long mask; - /* - * The address we faulted on is backed by a transparent huge -diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c -index 1e7a49b..3a371f7 100644 ---- a/arch/x86/kvm/mmu.c -+++ b/arch/x86/kvm/mmu.c -@@ -2767,7 +2767,7 @@ static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu, - */ - if (!is_error_noslot_pfn(pfn) && !kvm_is_reserved_pfn(pfn) && - level == PT_PAGE_TABLE_LEVEL && -- PageTransCompound(pfn_to_page(pfn)) && -+ PageTransCompoundMap(pfn_to_page(pfn)) && - !mmu_gfn_lpage_is_disallowed(vcpu, gfn, PT_DIRECTORY_LEVEL)) { - unsigned long mask; - /* -@@ -4621,7 +4621,7 @@ restart: - */ - if (sp->role.direct && - !kvm_is_reserved_pfn(pfn) && -- PageTransCompound(pfn_to_page(pfn))) { -+ PageTransCompoundMap(pfn_to_page(pfn))) { - drop_spte(kvm, sptep); - need_tlb_flush = 1; 
- goto restart; -diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h -index 19724e6..522bd6d 100644 ---- a/include/linux/page-flags.h -+++ b/include/linux/page-flags.h -@@ -517,6 +517,27 @@ static inline int PageTransCompound(struct page *page) - } - - /* -+ * PageTransCompoundMap is the same as PageTransCompound, but it also -+ * guarantees the primary MMU has the entire compound page mapped -+ * through pmd_trans_huge, which in turn guarantees the secondary MMUs -+ * can also map the entire compound page. This allows the secondary -+ * MMUs to call get_user_pages() only once for each compound page and -+ * to immediately map the entire compound page with a single secondary -+ * MMU fault. If there will be a pmd split later, the secondary MMUs -+ * will get an update through the MMU notifier invalidation through -+ * split_huge_pmd(). -+ * -+ * Unlike PageTransCompound, this is safe to be called only while -+ * split_huge_pmd() cannot run from under us, like if protected by the -+ * MMU notifier, otherwise it may result in page->_mapcount < 0 false -+ * positives. -+ */ -+static inline int PageTransCompoundMap(struct page *page) -+{ -+ return PageTransCompound(page) && atomic_read(&page->_mapcount) < 0; -+} -+ -+/* - * PageTransTail returns true for both transparent huge pages - * and hugetlbfs pages, so it should only be called when it's known - * that hugetlbfs pages aren't involved. -@@ -559,6 +580,7 @@ static inline int TestClearPageDoubleMap(struct page *page) - #else - TESTPAGEFLAG_FALSE(TransHuge) - TESTPAGEFLAG_FALSE(TransCompound) -+TESTPAGEFLAG_FALSE(TransCompoundMap) - TESTPAGEFLAG_FALSE(TransTail) - TESTPAGEFLAG_FALSE(DoubleMap) - TESTSETFLAG_FALSE(DoubleMap) --- -2.7.4 - diff --git a/freed-ora/current/master/net-fix-infoleak-in-llc.patch b/freed-ora/current/master/net-fix-infoleak-in-llc.patch new file mode 100644 index 000000000..38f0d506a --- /dev/null +++ b/freed-ora/current/master/net-fix-infoleak-in-llc.patch 
@@ -0,0 +1,32 @@
+From ec0de35ded8c4a8588290a1b442aa3aa4bdf4de1 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:35:05 -0400
+Subject: [PATCH 2/2] net: fix infoleak in llc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “info” has a total size of 12 bytes. Its last byte
+is padding which is not initialized and leaked via “put_cmsg”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index b3c52e3f689a..8ae3ed97d95c 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -626,6 +626,7 @@ static void llc_cmsg_rcv(struct msghdr *msg, struct sk_buff *skb)
+ if (llc->cmsg_flags & LLC_CMSG_PKTINFO) {
+ struct llc_pktinfo info;
+
++ memset(&info, 0, sizeof(info));
+ info.lpi_ifindex = llc_sk(skb->sk)->dev->ifindex;
+ llc_pdu_decode_dsap(skb, &info.lpi_sap);
+ llc_pdu_decode_da(skb, info.lpi_mac);
+--
+2.5.5
+
diff --git a/freed-ora/current/master/net-fix-infoleak-in-rtnetlink.patch b/freed-ora/current/master/net-fix-infoleak-in-rtnetlink.patch
new file mode 100644
index 000000000..0da35108d
--- /dev/null
+++ b/freed-ora/current/master/net-fix-infoleak-in-rtnetlink.patch
@@ -0,0 +1,50 @@
+From 55a8a812d867ec9953bde7d86eef255a1abbf93e Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: [PATCH 1/2] net: fix infoleak in rtnetlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index a75f7e94b445..65763c29f845 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1180,14 +1180,16 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+
+ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
+ {
+- struct rtnl_link_ifmap map = {
+- .mem_start = dev->mem_start,
+- .mem_end = dev->mem_end,
+- .base_addr = dev->base_addr,
+- .irq = dev->irq,
+- .dma = dev->dma,
+- .port = dev->if_port,
+- };
++ struct rtnl_link_ifmap map;
++
++ memset(&map, 0, sizeof(map));
++ map.mem_start = dev->mem_start;
++ map.mem_end = dev->mem_end;
++ map.base_addr = dev->base_addr;
++ map.irq = dev->irq;
++ map.dma = dev->dma;
++ map.port = dev->if_port;
++
+ if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ return -EMSGSIZE;
+
+--
+2.5.5
+
diff --git a/freed-ora/current/master/patch-4.5-gnu-4.6-rc6-gnu.xz.sign b/freed-ora/current/master/patch-4.5-gnu-4.6-rc6-gnu.xz.sign
deleted file mode 100644
index b86074164..000000000
--- a/freed-ora/current/master/patch-4.5-gnu-4.6-rc6-gnu.xz.sign
+++ /dev/null
@@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2 - -iEYEABECAAYFAlcvZ48ACgkQvLfPh359R6e1pACglCWeb/zs4sYFKEMTvS97gZLF -IRoAoKcCLPTEE3LZ+zIdvhBMW0CtRbD6 -=j3l3 ------END PGP SIGNATURE----- diff --git a/freed-ora/current/master/patch-4.5-gnu-4.6-rc7-gnu.xz.sign b/freed-ora/current/master/patch-4.5-gnu-4.6-rc7-gnu.xz.sign new file mode 100644 index 000000000..d0b06e960 --- /dev/null +++ b/freed-ora/current/master/patch-4.5-gnu-4.6-rc7-gnu.xz.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2 + +iEYEABECAAYFAlcwNesACgkQvLfPh359R6fvywCbByVBRB5g84ObFwtnmlIwZXoV +9QoAnR+/Ks8h9UefwY1Dhg1bQGfd+0DK +=bsV0 +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/master/sources b/freed-ora/current/master/sources index 84c4f1faf..4e8b2c196 100644 --- a/freed-ora/current/master/sources +++ b/freed-ora/current/master/sources @@ -1,3 +1,3 @@ 6f50fd17d93c7cafa3810640f3e4c066 linux-libre-4.5-gnu.tar.xz 6f557fe90b800b615c85c2ca04da6154 perf-man-4.5.tar.gz -d7512eb7732f7cffc594815b822a67d0 patch-4.5-gnu-4.6-rc6-gnu.xz +63bbacdc46881b39f9892297f97ca92c patch-4.5-gnu-4.6-rc7-gnu.xz diff --git a/freed-ora/current/master/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch b/freed-ora/current/master/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch deleted file mode 100644 index e23b4723b..000000000 --- a/freed-ora/current/master/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 5b252532b1785a82b71d16e3c134f58d7c7fee3d Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Wed, 27 Apr 2016 08:37:41 -0400 -Subject: [PATCH] x86/efi-bgrt: Switch all pr_err() to pr_debug() for invalid - BGRT - -The promise of pretty boot splashes from firmware via BGRT was at -best only that; a promise. The kernel diligently checks to make -sure the BGRT data firmware gives it is valid, and dutifully warns -the user when it isn't. However, it does so via the pr_err log -level which seems unnecessary. The user cannot do anything about -this and there really isn't an error on the part of Linux to -correct. - -This lowers the log level by using pr_debug instead. Users will -no longer have their boot process uglified by the kernel reminding -us that firmware can and often is broken. Ironic, considering -BGRT is supposed to make boot pretty to begin with. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - arch/x86/platform/efi/efi-bgrt.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/arch/x86/platform/efi/efi-bgrt.c b/arch/x86/platform/efi/efi-bgrt.c -index a2433817c987..6f70d2ac8029 100644 ---- a/arch/x86/platform/efi/efi-bgrt.c -+++ b/arch/x86/platform/efi/efi-bgrt.c -@@ -43,40 +43,40 @@ void __init efi_bgrt_init(void) - return; - - if (bgrt_tab->header.length < sizeof(*bgrt_tab)) { -- pr_err("Ignoring BGRT: invalid length %u (expected %zu)\n", -+ pr_debug("Ignoring BGRT: invalid length %u (expected %zu)\n", - bgrt_tab->header.length, sizeof(*bgrt_tab)); - return; - } - if (bgrt_tab->version != 1) { -- pr_err("Ignoring BGRT: invalid version %u (expected 1)\n", -+ pr_debug("Ignoring BGRT: invalid version %u (expected 1)\n", - bgrt_tab->version); - return; - } - if (bgrt_tab->status & 0xfe) { -- pr_err("Ignoring BGRT: reserved status bits are non-zero %u\n", -+ pr_debug("Ignoring BGRT: reserved status bits are non-zero %u\n", - bgrt_tab->status); - return; - } - if 
(bgrt_tab->image_type != 0) { -- pr_err("Ignoring BGRT: invalid image type %u (expected 0)\n", -+ pr_debug("Ignoring BGRT: invalid image type %u (expected 0)\n", - bgrt_tab->image_type); - return; - } - if (!bgrt_tab->image_address) { -- pr_err("Ignoring BGRT: null image address\n"); -+ pr_debug("Ignoring BGRT: null image address\n"); - return; - } - - image = memremap(bgrt_tab->image_address, sizeof(bmp_header), MEMREMAP_WB); - if (!image) { -- pr_err("Ignoring BGRT: failed to map image header memory\n"); -+ pr_debug("Ignoring BGRT: failed to map image header memory\n"); - return; - } - - memcpy(&bmp_header, image, sizeof(bmp_header)); - memunmap(image); - if (bmp_header.id != 0x4d42) { -- pr_err("Ignoring BGRT: Incorrect BMP magic number 0x%x (expected 0x4d42)\n", -+ pr_debug("Ignoring BGRT: Incorrect BMP magic number 0x%x (expected 0x4d42)\n", - bmp_header.id); - return; - } -@@ -84,14 +84,14 @@ void __init efi_bgrt_init(void) - - bgrt_image = kmalloc(bgrt_image_size, GFP_KERNEL | __GFP_NOWARN); - if (!bgrt_image) { -- pr_err("Ignoring BGRT: failed to allocate memory for image (wanted %zu bytes)\n", -+ pr_debug("Ignoring BGRT: failed to allocate memory for image (wanted %zu bytes)\n", - bgrt_image_size); - return; - } - - image = memremap(bgrt_tab->image_address, bmp_header.size, MEMREMAP_WB); - if (!image) { -- pr_err("Ignoring BGRT: failed to map image memory\n"); -+ pr_debug("Ignoring BGRT: failed to map image memory\n"); - kfree(bgrt_image); - bgrt_image = NULL; - return; --- -2.5.5 - |

