3.17.4-200.fc20.gnu

18 files changed, 25 insertions, 1184 deletions

diff --git a/freed-ora/current/f20/GFS2-Make-rename-not-save-dirent-location.patch b/freed-ora/current/f20/GFS2-Make-rename-not-save-dirent-location.patch
deleted file mode 100644
index adb4e6d73..000000000
--- a/freed-ora/current/f20/GFS2-Make-rename-not-save-dirent-location.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From: Bob Peterson <rpeterso@redhat.com>
-Date: Mon, 29 Sep 2014 08:52:04 -0400
-Subject: [PATCH] GFS2: Make rename not save dirent location
-
-This patch fixes a regression in the patch "GFS2: Remember directory
-insert point", commit 2b47dad866d04f14c328f888ba5406057b8c7d33.
-The problem had to do with the rename function: The function found
-space for the new dirent, and remembered that location. But then the
-old dirent was removed, which often moved the eligible location for
-the renamed dirent. Putting the new dirent at the saved location
-caused file system corruption.
-
-This patch adds a new "save_loc" variable to struct gfs2_diradd.
-If 1, the dirent location is saved. If 0, the dirent location is not
-saved and the buffer_head is released as per previous behavior.
-
-Signed-off-by: Bob Peterson <rpeterso@redhat.com>
-Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
----
- fs/gfs2/dir.c   | 9 +++++++--
- fs/gfs2/dir.h   | 1 +
- fs/gfs2/inode.c | 6 +++---
- 3 files changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
-index 1a349f9a9685..5d4261ff5d23 100644
---- a/fs/gfs2/dir.c
-+++ b/fs/gfs2/dir.c
-@@ -2100,8 +2100,13 @@ int gfs2_diradd_alloc_required(struct inode *inode, const struct qstr *name,
- 	}
- 	if (IS_ERR(dent))
- 		return PTR_ERR(dent);
--	da->bh = bh;
--	da->dent = dent;
-+
-+	if (da->save_loc) {
-+		da->bh = bh;
-+		da->dent = dent;
-+	} else {
-+		brelse(bh);
-+	}
- 	return 0;
- }
- 
-diff --git a/fs/gfs2/dir.h b/fs/gfs2/dir.h
-index 126c65dda028..e1b309c24dab 100644
---- a/fs/gfs2/dir.h
-+++ b/fs/gfs2/dir.h
-@@ -23,6 +23,7 @@ struct gfs2_diradd {
- 	unsigned nr_blocks;
- 	struct gfs2_dirent *dent;
- 	struct buffer_head *bh;
-+	int save_loc;
- };
- 
- extern struct inode *gfs2_dir_search(struct inode *dir,
-diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
-index fc8ac2ee0667..7d2723ce067e 100644
---- a/fs/gfs2/inode.c
-+++ b/fs/gfs2/inode.c
-@@ -600,7 +600,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
- 	int error, free_vfs_inode = 0;
- 	u32 aflags = 0;
- 	unsigned blocks = 1;
--	struct gfs2_diradd da = { .bh = NULL, };
-+	struct gfs2_diradd da = { .bh = NULL, .save_loc = 1, };
- 
- 	if (!name->len || name->len > GFS2_FNAMESIZE)
- 		return -ENAMETOOLONG;
-@@ -899,7 +899,7 @@ static int gfs2_link(struct dentry *old_dentry, struct inode *dir,
- 	struct gfs2_inode *ip = GFS2_I(inode);
- 	struct gfs2_holder ghs[2];
- 	struct buffer_head *dibh;
--	struct gfs2_diradd da = { .bh = NULL, };
-+	struct gfs2_diradd da = { .bh = NULL, .save_loc = 1, };
- 	int error;
- 
- 	if (S_ISDIR(inode->i_mode))
-@@ -1337,7 +1337,7 @@ static int gfs2_rename(struct inode *odir, struct dentry *odentry,
- 	struct gfs2_rgrpd *nrgd;
- 	unsigned int num_gh;
- 	int dir_rename = 0;
--	struct gfs2_diradd da = { .nr_blocks = 0, };
-+	struct gfs2_diradd da = { .nr_blocks = 0, .save_loc = 0, };
- 	unsigned int x;
- 	int error;
- 
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch b/freed-ora/current/f20/KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
deleted file mode 100644
index cd141ea8d..000000000
--- a/freed-ora/current/f20/KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: David Howells <dhowells@redhat.com>
-Date: Tue, 16 Sep 2014 17:29:03 +0100
-Subject: [PATCH] KEYS: Reinstate EPERM for a key type name beginning with a
- '.'
-
-Reinstate the generation of EPERM for a key type name beginning with a '.' in
-a userspace call.  Types whose name begins with a '.' are internal only.
-
-The test was removed by:
-
-	commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
-	Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
-	Date:   Thu May 22 14:02:23 2014 -0400
-	Subject: KEYS: special dot prefixed keyring name bug fix
-
-I think we want to keep the restriction on type name so that userspace can't
-add keys of a special internal type.
-
-Note that removal of the test causes several of the tests in the keyutils
-testsuite to fail.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Acked-by: Vivek Goyal <vgoyal@redhat.com>
-cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- security/keys/keyctl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index e26f860e5f2e..eff88a5f5d40 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -37,6 +37,8 @@ static int key_get_type_from_user(char *type,
- 		return ret;
- 	if (ret == 0 || ret >= len)
- 		return -EINVAL;
-+	if (type[0] == '.')
-+		return -EPERM;
- 	type[len - 1] = '\0';
- 	return 0;
- }
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/KVM-x86-Don-t-report-guest-userspace-emulation-error.patch b/freed-ora/current/f20/KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
deleted file mode 100644
index 3f0270c8f..000000000
--- a/freed-ora/current/f20/KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From eeb55bed9ae80e1e860a1451986ce2ee0e5e52a7 Mon Sep 17 00:00:00 2001
-From: Nadav Amit <namit@cs.technion.ac.il>
-Date: Wed, 17 Sep 2014 02:50:50 +0300
-Subject: [PATCH] KVM: x86: Don't report guest userspace emulation error to
- userspace
-
-Commit fc3a9157d314 ("KVM: X86: Don't report L2 emulation failures to
-user-space") disabled the reporting of L2 (nested guest) emulation failures to
-userspace due to race-condition between a vmexit and the instruction emulator.
-The same rational applies also to userspace applications that are permitted by
-the guest OS to access MMIO area or perform PIO.
-
-This patch extends the current behavior - of injecting a #UD instead of
-reporting it to userspace - also for guest userspace code.
-
-Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/x86.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
-index 9d292e8372d6..d6aeccf116fa 100644
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -5002,7 +5002,7 @@ static int handle_emulation_failure(struct kvm_vcpu *vcpu)
- 
- 	++vcpu->stat.insn_emulation_fail;
- 	trace_kvm_emulate_insn_failed(vcpu);
--	if (!is_guest_mode(vcpu)) {
-+	if (!is_guest_mode(vcpu) && kvm_x86_ops->get_cpl(vcpu) == 0) {
- 		vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
- 		vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION;
- 		vcpu->run->internal.ndata = 0;
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch b/freed-ora/current/f20/ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
deleted file mode 100644
index cb5f38985..000000000
--- a/freed-ora/current/f20/ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From c6f69fa54729350d1e3be454739993197255fd40 Mon Sep 17 00:00:00 2001
-From: Tejun Heo <tj@kernel.org>
-Date: Mon, 27 Oct 2014 10:30:52 -0400
-Subject: [PATCH] ahci: disable MSI instead of NCQ on Samsung pci-e SSDs on
- macbooks
-
-From 44aecdabc85087e7c299d7a28e095e2b91894a51 Mon Sep 17 00:00:00 2001
-From: Tejun Heo <tj@kernel.org>
-Date: Mon, 27 Oct 2014 10:22:56 -0400
-
-Samsung pci-e SSDs on macbooks failed miserably on NCQ commands, so
-67809f85d31e ("ahci: disable NCQ on Samsung pci-e SSDs on macbooks")
-disabled NCQ on them.  It turns out that NCQ is fine as long as MSI is
-not used, so let's turn off MSI and leave NCQ on.
-
-Signed-off-by: Tejun Heo <tj@kernel.org>
-Link: https://bugzilla.kernel.org/show_bug.cgi?id=60731
-Tested-by: <dorin@i51.org>
-Tested-by: Imre Kaloz <kaloz@openwrt.org>
-Cc: stable@vger.kernel.org
-Fixes: 67809f85d31e ("ahci: disable NCQ on Samsung pci-e SSDs on macbooks")
----
- drivers/ata/ahci.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
-index a0cc0edafc78..3d8a10e4f827 100644
---- a/drivers/ata/ahci.c
-+++ b/drivers/ata/ahci.c
-@@ -60,6 +60,7 @@ enum board_ids {
- 	/* board IDs by feature in alphabetical order */
- 	board_ahci,
- 	board_ahci_ign_iferr,
-+	board_ahci_nomsi,
- 	board_ahci_noncq,
- 	board_ahci_nosntf,
- 	board_ahci_yes_fbs,
-@@ -121,6 +122,13 @@ static const struct ata_port_info ahci_port_info[] = {
- 		.udma_mask	= ATA_UDMA6,
- 		.port_ops	= &ahci_ops,
- 	},
-+	[board_ahci_nomsi] = {
-+		AHCI_HFLAGS	(AHCI_HFLAG_NO_MSI),
-+		.flags		= AHCI_FLAG_COMMON,
-+		.pio_mask	= ATA_PIO4,
-+		.udma_mask	= ATA_UDMA6,
-+		.port_ops	= &ahci_ops,
-+	},
- 	[board_ahci_noncq] = {
- 		AHCI_HFLAGS	(AHCI_HFLAG_NO_NCQ),
- 		.flags		= AHCI_FLAG_COMMON,
-@@ -475,10 +483,10 @@ static const struct pci_device_id ahci_pci_tbl[] = {
- 	{ PCI_VDEVICE(ASMEDIA, 0x0612), board_ahci },	/* ASM1062 */
- 
- 	/*
--	 * Samsung SSDs found on some macbooks.  NCQ times out.
--	 * https://bugzilla.kernel.org/show_bug.cgi?id=60731
-+	 * Samsung SSDs found on some macbooks.  NCQ times out if MSI is
-+	 * enabled.  https://bugzilla.kernel.org/show_bug.cgi?id=60731
- 	 */
--	{ PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_noncq },
-+	{ PCI_VDEVICE(SAMSUNG, 0x1600), board_ahci_nomsi },
- 
- 	/* Enmotus */
- 	{ PCI_DEVICE(0x1c44, 0x8000), board_ahci },
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/arm64-__clear_user-handle-exceptions-on-strb.patch b/freed-ora/current/f20/arm64-__clear_user-handle-exceptions-on-strb.patch
deleted file mode 100644
index 199da5e7c..000000000
--- a/freed-ora/current/f20/arm64-__clear_user-handle-exceptions-on-strb.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Kyle McMartin <kyle@redhat.com>
-Date: Wed, 12 Nov 2014 16:07:44 -0500
-Subject: [PATCH] arm64: __clear_user: handle exceptions on strb
-
-ARM64 currently doesn't fix up faults on the single-byte (strb) case of
-__clear_user... which means that we can cause a nasty kernel panic as an
-ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero.
-i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.)
-
-This is a pretty obscure bug in the general case since we'll only
-__do_kernel_fault (since there's no extable entry for pc) if the
-mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll
-always fault.
-
-if (!down_read_trylock(&mm->mmap_sem)) {
-	if (!user_mode(regs) && !search_exception_tables(regs->pc))
-		goto no_context;
-retry:
-	down_read(&mm->mmap_sem);
-} else {
-	/*
-	 * The above down_read_trylock() might have succeeded in
-	 * which
-	 * case, we'll have missed the might_sleep() from
-	 * down_read().
-	 */
-	might_sleep();
-#ifdef CONFIG_DEBUG_VM
-	if (!user_mode(regs) && !search_exception_tables(regs->pc))
-		goto no_context;
-#endif
-}
-
-Fix that by adding an extable entry for the strb instruction, since it
-touches user memory, similar to the other stores in __clear_user.
-
-Signed-off-by: Kyle McMartin <kyle@redhat.com>
-Cc: stable@vger.kernel.org
----
- arch/arm64/lib/clear_user.S | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S
-index 6e0ed93d51fe..c17967fdf5f6 100644
---- a/arch/arm64/lib/clear_user.S
-+++ b/arch/arm64/lib/clear_user.S
-@@ -46,7 +46,7 @@ USER(9f, strh	wzr, [x0], #2	)
- 	sub	x1, x1, #2
- 4:	adds	x1, x1, #1
- 	b.mi	5f
--	strb	wzr, [x0]
-+USER(9f, strb	wzr, [x0]	)
- 5:	mov	x0, #0
- 	ret
- ENDPROC(__clear_user)
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/config-s390x b/freed-ora/current/f20/config-s390x
index f9472348d..78ba8e947 100644
--- a/freed-ora/current/f20/config-s390x
+++ b/freed-ora/current/f20/config-s390x
@@ -234,6 +234,7 @@ CONFIG_HOTPLUG_PCI_S390=y
 # CONFIG_HID is not set
 # CONFIG_MTD is not set
 
+# CONFIG_SERIAL_8250 is not set
 # CONFIG_PARPORT is not set
 # CONFIG_UWB is not set
 # CONFIG_MMC is not set
diff --git a/freed-ora/current/f20/config-x86-generic b/freed-ora/current/f20/config-x86-generic
index 686972fdd..49f46c473 100644
--- a/freed-ora/current/f20/config-x86-generic
+++ b/freed-ora/current/f20/config-x86-generic
@@ -10,12 +10,12 @@ CONFIG_HPET_TIMER=y
 
 CONFIG_I8K=m
 CONFIG_SONYPI_COMPAT=y
-CONFIG_MICROCODE=y
-CONFIG_MICROCODE_EARLY=y
+CONFIG_MICROCODE=m
+# CONFIG_MICROCODE_EARLY is not set
 CONFIG_MICROCODE_INTEL=y
 CONFIG_MICROCODE_INTEL_EARLY=y
 CONFIG_MICROCODE_AMD=y
-CONFIG_MICROCODE_AMD_EARLY=y
+# CONFIG_MICROCODE_AMD_EARLY is not set
 
 CONFIG_X86_MSR=y
 CONFIG_X86_CPUID=y
diff --git a/freed-ora/current/f20/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch b/freed-ora/current/f20/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch
index 097a71403..dfffefc87 100644
--- a/freed-ora/current/f20/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch
+++ b/freed-ora/current/f20/drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch
@@ -1,4 +1,3 @@
-From 267eb54f9e4be5e78a1375553f3ea0f5768cd117 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 14 Nov 2014 09:17:39 -0500
 Subject: [PATCH] drm/i915: Don't WARN in edp_panel_vdd_off
@@ -9,22 +8,22 @@ larger than we want to backport.  Just shut it up for now.
 
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- drivers/gpu/drm/i915/intel_dp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ drivers/gpu/drm/i915/intel_dp.c | 2 --
+ 1 file changed, 2 deletions(-)
 
 diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
-index fdff1d420c14..37d576141a36 100644
+index 9222e20e230c..952d7dcf9c3f 100644
 --- a/drivers/gpu/drm/i915/intel_dp.c
 +++ b/drivers/gpu/drm/i915/intel_dp.c
-@@ -1303,7 +1303,7 @@ static void edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync)
+@@ -1303,8 +1303,6 @@ static void edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync)
  	if (!is_edp(intel_dp))
  		return;
  
 -	WARN(!intel_dp->want_panel_vdd, "eDP VDD not forced on");
-+	DRM_DEBUG_KMS(!intel_dp->want_panel_vdd, "eDP VDD not forced on");
- 
+-
  	intel_dp->want_panel_vdd = false;
  
+ 	if (sync)
 -- 
 1.9.3
 
diff --git a/freed-ora/current/f20/i8042-Add-notimeout-quirk-for-Fujitsu-Lifebook-A544-.patch b/freed-ora/current/f20/i8042-Add-notimeout-quirk-for-Fujitsu-Lifebook-A544-.patch
deleted file mode 100644
index 0f9c858bd..000000000
--- a/freed-ora/current/f20/i8042-Add-notimeout-quirk-for-Fujitsu-Lifebook-A544-.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Fri, 24 Oct 2014 11:30:19 +0200
-Subject: [PATCH] i8042: Add notimeout quirk for Fujitsu Lifebook A544 and
- Lifebook AH544
-
-These models need i8042.notimeout, otherwise the touchpad will not work.
-
-BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=69731
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1111138
-Cc: stable@vger.kernel.org
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/input/serio/i8042-x86ia64io.h | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
-index 40b7d6c0ff17..eeabb7e717d2 100644
---- a/drivers/input/serio/i8042-x86ia64io.h
-+++ b/drivers/input/serio/i8042-x86ia64io.h
-@@ -623,6 +623,22 @@ static const struct dmi_system_id __initconst i8042_dmi_notimeout_table[] = {
- 		},
- 	},
- 	{
-+		/* Fujitsu A544 laptop */
-+		/* https://bugzilla.redhat.com/show_bug.cgi?id=1111138 */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK A544"),
-+		},
-+	},
-+	{
-+		/* Fujitsu AH544 laptop */
-+		/* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
-+			DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK AH544"),
-+		},
-+	},
-+	{
- 		/* Fujitsu U574 laptop */
- 		/* https://bugzilla.kernel.org/show_bug.cgi?id=69731 */
- 		.matches = {
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/kernel.spec b/freed-ora/current/f20/kernel.spec
index 2076b5945..1f359a32b 100644
--- a/freed-ora/current/f20/kernel.spec
+++ b/freed-ora/current/f20/kernel.spec
@@ -112,7 +112,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -793,44 +793,9 @@ Patch26016: HID-wacom-Add-support-for-the-Cintiq-Companion.patch
 Patch26019: psmouse-Add-psmouse_matches_pnp_id-helper-function.patch
 Patch26020: psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
 
-#rhbz 1145318
-Patch26029: KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
-Patch26030: GFS2-Make-rename-not-save-dirent-location.patch
-
 #rhbz 1089731
 Patch26058: asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
 
-#CVE-2014-3688 rhbz 1155745 1155751
-Patch26061: net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
-
-#CVE-2014-3687 rhbz 1155731 1155738
-Patch26062: net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
-
-#CVE-2014-3673 rhbz 1147850 1155727
-Patch26063: net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
-
-#rhbz 1111138
-Patch26064: i8042-Add-notimeout-quirk-for-Fujitsu-Lifebook-A544-.patch
-
-#rhbz 1157327
-Patch26083: quirk-for-Lenovo-Yoga-3-no-rfkill-switch.patch
-
-#rhbz 1159592
-Patch26084: x86-microcode-AMD-Fix-early-ucode-loading-on-32-bit.patch
-
-#rhbz 1161805
-Patch26066: ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
-
-#CVE-2014-7841 rhbz 1163087 1163095
-Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
-
-#CVE-2014-7842 rhbz 1163762 1163767
-Patch26068: KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
-
-#CVE-2014-7843 rhbz 1163744 1163745
-Patch26069: arm64-__clear_user-handle-exceptions-on-strb.patch
-
 #rhbz 1135338
 Patch26090: HID-add-support-for-MS-Surface-Pro-3-Type-Cover.patch
 
@@ -1598,45 +1563,9 @@ ApplyPatch HID-wacom-Add-support-for-the-Cintiq-Companion.patch
 ApplyPatch psmouse-Add-psmouse_matches_pnp_id-helper-function.patch
 ApplyPatch psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch
 
-#rhbz 1145318
-ApplyPatch KEYS-Reinstate-EPERM-for-a-key-type-name-beginning-w.patch
-
-ApplyPatch GFS2-Make-rename-not-save-dirent-location.patch
-
-
 #rhbz 1089731
 ApplyPatch asus-nb-wmi-Add-wapf4-quirk-for-the-X550VB.patch
 
-#CVE-2014-3688 rhbz 1155745 1155751
-ApplyPatch net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
-
-#CVE-2014-3687 rhbz 1155731 1155738
-ApplyPatch net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
-
-#CVE-2014-3673 rhbz 1147850 1155727
-ApplyPatch net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
-
-#rhbz 1111138
-ApplyPatch i8042-Add-notimeout-quirk-for-Fujitsu-Lifebook-A544-.patch
-
-#rhbz 1157327
-ApplyPatch quirk-for-Lenovo-Yoga-3-no-rfkill-switch.patch
-
-#rhbz 1159592
-ApplyPatch x86-microcode-AMD-Fix-early-ucode-loading-on-32-bit.patch
-
-#rhbz 1161805
-ApplyPatch ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
-
-#CVE-2014-7841 rhbz 1163087 1163095
-ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
-
-#CVE-2014-7842 rhbz 1163762 1163767
-ApplyPatch KVM-x86-Don-t-report-guest-userspace-emulation-error.patch
-
-#CVE-2014-7843 rhbz 1163744 1163745
-ApplyPatch arm64-__clear_user-handle-exceptions-on-strb.patch
-
 #rhbz 1135338
 ApplyPatch HID-add-support-for-MS-Surface-Pro-3-Type-Cover.patch
 
@@ -2469,6 +2398,19 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Sat Nov 22 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
+- GNU Linux-libre 3.17.4-gnu.
+
+* Fri Nov 21 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.17.4-200
+- Linux v3.17.4
+- disable early microcode load (rhbz 1163520)
+
+* Fri Nov 21 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- Move TPM drivers to main kernel package (rhbz 1164937)
+
+* Wed Nov 19 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- Disable SERIAL_8250 on s390x (rhbz 1158848)
+
 * Sat Nov 15 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre
 - GNU Linux-libre 3.17.3-gnu.
 
diff --git a/freed-ora/current/f20/mod-extra.list b/freed-ora/current/f20/mod-extra.list
index 2803a4325..6e980f6aa 100644
--- a/freed-ora/current/f20/mod-extra.list
+++ b/freed-ora/current/f20/mod-extra.list
@@ -164,10 +164,6 @@ ksdazzle-sir.ko
 ma600-sir.ko
 mcp2120-sir.ko
 toim3232-sir.ko
-tpm_atmel.ko
-tpm_infineon.ko
-tpm_nsc.ko
-tpm_tis.ko
 slip.ko
 nilfs2.ko
 batman-adv.ko
diff --git a/freed-ora/current/f20/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch b/freed-ora/current/f20/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
deleted file mode 100644
index 34dae532b..000000000
--- a/freed-ora/current/f20/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: Daniel Borkmann <dborkman@redhat.com>
-Date: Mon, 10 Nov 2014 17:54:26 +0100
-Subject: [PATCH] net: sctp: fix NULL pointer dereference in
- af->from_addr_param on malformed packet
-
-An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
-in the form of:
-
-  ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
-
-While the INIT chunk parameter verification dissects through many things
-in order to detect malformed input, it misses to actually check parameters
-inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
-IP address' parameter in ASCONF, which has as a subparameter an address
-parameter.
-
-So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
-or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
-and thus sctp_get_af_specific() returns NULL, too, which we then happily
-dereference unconditionally through af->from_addr_param().
-
-The trace for the log:
-
-BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
-IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
-PGD 0
-Oops: 0000 [#1] SMP
-[...]
-Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
-RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
-[...]
-Call Trace:
- <IRQ>
- [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
- [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
- [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
- [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
- [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
- [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
- [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
- [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
- [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
-[...]
-
-A minimal way to address this is to check for NULL as we do on all
-other such occasions where we know sctp_get_af_specific() could
-possibly return with NULL.
-
-Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
-Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-Cc: Vlad Yasevich <vyasevich@gmail.com>
-Acked-by: Neil Horman <nhorman@tuxdriver.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/sctp/sm_make_chunk.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
-index ab734be8cb20..9f32741abb1c 100644
---- a/net/sctp/sm_make_chunk.c
-+++ b/net/sctp/sm_make_chunk.c
-@@ -2609,6 +2609,9 @@ do_addr_param:
- 		addr_param = param.v + sizeof(sctp_addip_param_t);
- 
- 		af = sctp_get_af_specific(param_type2af(param.p->type));
-+		if (af == NULL)
-+			break;
-+
- 		af->from_addr_param(&addr, addr_param,
- 				    htons(asoc->peer.port), 0);
- 
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch b/freed-ora/current/f20/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
deleted file mode 100644
index 815ea7d17..000000000
--- a/freed-ora/current/f20/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From: Daniel Borkmann <dborkman@redhat.com>
-Date: Thu, 9 Oct 2014 22:55:32 +0200
-Subject: [PATCH] net: sctp: fix panic on duplicate ASCONF chunks
-
-Upstream commit b69040d8e39f20d5215a03502a8e8b4c6ab78395 CVE-2014-3687
-
-When receiving a e.g. semi-good formed connection scan in the
-form of ...
-
-  -------------- INIT[ASCONF; ASCONF_ACK] ------------->
-  <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-  -------------------- COOKIE-ECHO -------------------->
-  <-------------------- COOKIE-ACK ---------------------
-  ---------------- ASCONF_a; ASCONF_b ----------------->
-
-... where ASCONF_a equals ASCONF_b chunk (at least both serials
-need to be equal), we panic an SCTP server!
-
-The problem is that good-formed ASCONF chunks that we reply with
-ASCONF_ACK chunks are cached per serial. Thus, when we receive a
-same ASCONF chunk twice (e.g. through a lost ASCONF_ACK), we do
-not need to process them again on the server side (that was the
-idea, also proposed in the RFC). Instead, we know it was cached
-and we just resend the cached chunk instead. So far, so good.
-
-Where things get nasty is in SCTP's side effect interpreter, that
-is, sctp_cmd_interpreter():
-
-While incoming ASCONF_a (chunk = event_arg) is being marked
-!end_of_packet and !singleton, and we have an association context,
-we do not flush the outqueue the first time after processing the
-ASCONF_ACK singleton chunk via SCTP_CMD_REPLY. Instead, we keep it
-queued up, although we set local_cork to 1. Commit 2e3216cd54b1
-changed the precedence, so that as long as we get bundled, incoming
-chunks we try possible bundling on outgoing queue as well. Before
-this commit, we would just flush the output queue.
-
-Now, while ASCONF_a's ASCONF_ACK sits in the corked outq, we
-continue to process the same ASCONF_b chunk from the packet. As
-we have cached the previous ASCONF_ACK, we find it, grab it and
-do another SCTP_CMD_REPLY command on it. So, effectively, we rip
-the chunk->list pointers and requeue the same ASCONF_ACK chunk
-another time. Since we process ASCONF_b, it's correctly marked
-with end_of_packet and we enforce an uncork, and thus flush, thus
-crashing the kernel.
-
-Fix it by testing if the ASCONF_ACK is currently pending and if
-that is the case, do not requeue it. When flushing the output
-queue we may relink the chunk for preparing an outgoing packet,
-but eventually unlink it when it's copied into the skb right
-before transmission.
-
-Joint work with Vlad Yasevich.
-
-Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
-Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/net/sctp/sctp.h | 5 +++++
- net/sctp/associola.c    | 2 ++
- 2 files changed, 7 insertions(+)
-
-diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
-index 9fbd856e6713..856f01cb51dd 100644
---- a/include/net/sctp/sctp.h
-+++ b/include/net/sctp/sctp.h
-@@ -426,6 +426,11 @@ static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_associat
- 	asoc->pmtu_pending = 0;
- }
- 
-+static inline bool sctp_chunk_pending(const struct sctp_chunk *chunk)
-+{
-+	return !list_empty(&chunk->list);
-+}
-+
- /* Walk through a list of TLV parameters.  Don't trust the
-  * individual parameter lengths and instead depend on
-  * the chunk length to indicate when to stop.  Make sure
-diff --git a/net/sctp/associola.c b/net/sctp/associola.c
-index a88b8524846e..f791edd64d6c 100644
---- a/net/sctp/associola.c
-+++ b/net/sctp/associola.c
-@@ -1668,6 +1668,8 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
- 	 * ack chunk whose serial number matches that of the request.
- 	 */
- 	list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
-+		if (sctp_chunk_pending(ack))
-+			continue;
- 		if (ack->subh.addip_hdr->serial == serial) {
- 			sctp_chunk_hold(ack);
- 			return ack;
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch b/freed-ora/current/f20/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
deleted file mode 100644
index a017be159..000000000
--- a/freed-ora/current/f20/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From: Daniel Borkmann <dborkman@redhat.com>
-Date: Thu, 9 Oct 2014 22:55:33 +0200
-Subject: [PATCH] net: sctp: fix remote memory pressure from excessive queueing
-
-Upstream commit 26b87c7881006311828bb0ab271a551a62dcceb4 CVE-2014-3688
-
-This scenario is not limited to ASCONF, just taken as one
-example triggering the issue. When receiving ASCONF probes
-in the form of ...
-
-  -------------- INIT[ASCONF; ASCONF_ACK] ------------->
-  <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-  -------------------- COOKIE-ECHO -------------------->
-  <-------------------- COOKIE-ACK ---------------------
-  ---- ASCONF_a; [ASCONF_b; ...; ASCONF_n;] JUNK ------>
-  [...]
-  ---- ASCONF_m; [ASCONF_o; ...; ASCONF_z;] JUNK ------>
-
-... where ASCONF_a, ASCONF_b, ..., ASCONF_z are good-formed
-ASCONFs and have increasing serial numbers, we process such
-ASCONF chunk(s) marked with !end_of_packet and !singleton,
-since we have not yet reached the SCTP packet end. SCTP does
-only do verification on a chunk by chunk basis, as an SCTP
-packet is nothing more than just a container of a stream of
-chunks which it eats up one by one.
-
-We could run into the case that we receive a packet with a
-malformed tail, above marked as trailing JUNK. All previous
-chunks are here goodformed, so the stack will eat up all
-previous chunks up to this point. In case JUNK does not fit
-into a chunk header and there are no more other chunks in
-the input queue, or in case JUNK contains a garbage chunk
-header, but the encoded chunk length would exceed the skb
-tail, or we came here from an entirely different scenario
-and the chunk has pdiscard=1 mark (without having had a flush
-point), it will happen, that we will excessively queue up
-the association's output queue (a correct final chunk may
-then turn it into a response flood when flushing the
-queue ;)): I ran a simple script with incremental ASCONF
-serial numbers and could see the server side consuming
-excessive amount of RAM [before/after: up to 2GB and more].
-
-The issue at heart is that the chunk train basically ends
-with !end_of_packet and !singleton markers and since commit
-2e3216cd54b1 ("sctp: Follow security requirement of responding
-with 1 packet") therefore preventing an output queue flush
-point in sctp_do_sm() -> sctp_cmd_interpreter() on the input
-chunk (chunk = event_arg) even though local_cork is set,
-but its precedence has changed since then. In the normal
-case, the last chunk with end_of_packet=1 would trigger the
-queue flush to accommodate possible outgoing bundling.
-
-In the input queue, sctp_inq_pop() seems to do the right thing
-in terms of discarding invalid chunks. So, above JUNK will
-not enter the state machine and instead be released and exit
-the sctp_assoc_bh_rcv() chunk processing loop. It's simply
-the flush point being missing at loop exit. Adding a try-flush
-approach on the output queue might not work as the underlying
-infrastructure might be long gone at this point due to the
-side-effect interpreter run.
-
-One possibility, albeit a bit of a kludge, would be to defer
-invalid chunk freeing into the state machine in order to
-possibly trigger packet discards and thus indirectly a queue
-flush on error. It would surely be better to discard chunks
-as in the current, perhaps better controlled environment, but
-going back and forth, it's simply architecturally not possible.
-I tried various trailing JUNK attack cases and it seems to
-look good now.
-
-Joint work with Vlad Yasevich.
-
-Fixes: 2e3216cd54b1 ("sctp: Follow security requirement of responding with 1 packet")
-Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/sctp/inqueue.c      | 33 +++++++--------------------------
- net/sctp/sm_statefuns.c |  3 +++
- 2 files changed, 10 insertions(+), 26 deletions(-)
-
-diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
-index 4de12afa13d4..7e8a16c77039 100644
---- a/net/sctp/inqueue.c
-+++ b/net/sctp/inqueue.c
-@@ -140,18 +140,9 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- 		} else {
- 			/* Nothing to do. Next chunk in the packet, please. */
- 			ch = (sctp_chunkhdr_t *) chunk->chunk_end;
--
- 			/* Force chunk->skb->data to chunk->chunk_end.  */
--			skb_pull(chunk->skb,
--				 chunk->chunk_end - chunk->skb->data);
--
--			/* Verify that we have at least chunk headers
--			 * worth of buffer left.
--			 */
--			if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
--				sctp_chunk_free(chunk);
--				chunk = queue->in_progress = NULL;
--			}
-+			skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
-+			/* We are guaranteed to pull a SCTP header. */
- 		}
- 	}
- 
-@@ -187,24 +178,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
- 	skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
- 	chunk->subh.v = NULL; /* Subheader is no longer valid.  */
- 
--	if (chunk->chunk_end < skb_tail_pointer(chunk->skb)) {
-+	if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
-+	    skb_tail_pointer(chunk->skb)) {
- 		/* This is not a singleton */
- 		chunk->singleton = 0;
- 	} else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
--		/* RFC 2960, Section 6.10  Bundling
--		 *
--		 * Partial chunks MUST NOT be placed in an SCTP packet.
--		 * If the receiver detects a partial chunk, it MUST drop
--		 * the chunk.
--		 *
--		 * Since the end of the chunk is past the end of our buffer
--		 * (which contains the whole packet, we can freely discard
--		 * the whole packet.
--		 */
--		sctp_chunk_free(chunk);
--		chunk = queue->in_progress = NULL;
--
--		return NULL;
-+		/* Discard inside state machine. */
-+		chunk->pdiscard = 1;
-+		chunk->chunk_end = skb_tail_pointer(chunk->skb);
- 	} else {
- 		/* We are at the end of the packet, so mark the chunk
- 		 * in case we need to send a SACK.
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index bdea3dfbad31..3ee27b7704ff 100644
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -170,6 +170,9 @@ sctp_chunk_length_valid(struct sctp_chunk *chunk,
- {
- 	__u16 chunk_length = ntohs(chunk->chunk_hdr->length);
- 
-+	/* Previously already marked? */
-+	if (unlikely(chunk->pdiscard))
-+		return 0;
- 	if (unlikely(chunk_length < required_length))
- 		return 0;
- 
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch b/freed-ora/current/f20/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
deleted file mode 100644
index cf42fdea7..000000000
--- a/freed-ora/current/f20/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
+++ /dev/null
@@ -1,341 +0,0 @@
-From: Daniel Borkmann <dborkman@redhat.com>
-Date: Thu, 9 Oct 2014 22:55:31 +0200
-Subject: [PATCH] net: sctp: fix skb_over_panic when receiving malformed ASCONF
- chunks
-
-Upstream commit 9de7922bc709eee2f609cd01d98aaedc4cf5ea74 CVE-2014-3673
-
-Commit 6f4c618ddb0 ("SCTP : Add paramters validity check for
-ASCONF chunk") added basic verification of ASCONF chunks, however,
-it is still possible to remotely crash a server by sending a
-special crafted ASCONF chunk, even up to pre 2.6.12 kernels:
-
-skb_over_panic: text:ffffffffa01ea1c3 len:31056 put:30768
- head:ffff88011bd81800 data:ffff88011bd81800 tail:0x7950
- end:0x440 dev:<NULL>
- ------------[ cut here ]------------
-kernel BUG at net/core/skbuff.c:129!
-[...]
-Call Trace:
- <IRQ>
- [<ffffffff8144fb1c>] skb_put+0x5c/0x70
- [<ffffffffa01ea1c3>] sctp_addto_chunk+0x63/0xd0 [sctp]
- [<ffffffffa01eadaf>] sctp_process_asconf+0x1af/0x540 [sctp]
- [<ffffffff8152d025>] ? _read_unlock_bh+0x15/0x20
- [<ffffffffa01e0038>] sctp_sf_do_asconf+0x168/0x240 [sctp]
- [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
- [<ffffffff8147645d>] ? fib_rules_lookup+0xad/0xf0
- [<ffffffffa01e6b22>] ? sctp_cmp_addr_exact+0x32/0x40 [sctp]
- [<ffffffffa01e8393>] sctp_assoc_bh_rcv+0xd3/0x180 [sctp]
- [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
- [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
- [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
- [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
- [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
- [<ffffffff81496ded>] ip_local_deliver_finish+0xdd/0x2d0
- [<ffffffff81497078>] ip_local_deliver+0x98/0xa0
- [<ffffffff8149653d>] ip_rcv_finish+0x12d/0x440
- [<ffffffff81496ac5>] ip_rcv+0x275/0x350
- [<ffffffff8145c88b>] __netif_receive_skb+0x4ab/0x750
- [<ffffffff81460588>] netif_receive_skb+0x58/0x60
-
-This can be triggered e.g., through a simple scripted nmap
-connection scan injecting the chunk after the handshake, for
-example, ...
-
-  -------------- INIT[ASCONF; ASCONF_ACK] ------------->
-  <----------- INIT-ACK[ASCONF; ASCONF_ACK] ------------
-  -------------------- COOKIE-ECHO -------------------->
-  <-------------------- COOKIE-ACK ---------------------
-  ------------------ ASCONF; UNKNOWN ------------------>
-
-... where ASCONF chunk of length 280 contains 2 parameters ...
-
-  1) Add IP address parameter (param length: 16)
-  2) Add/del IP address parameter (param length: 255)
-
-... followed by an UNKNOWN chunk of e.g. 4 bytes. Here, the
-Address Parameter in the ASCONF chunk is even missing, too.
-This is just an example and similarly-crafted ASCONF chunks
-could be used just as well.
-
-The ASCONF chunk passes through sctp_verify_asconf() as all
-parameters passed sanity checks, and after walking, we ended
-up successfully at the chunk end boundary, and thus may invoke
-sctp_process_asconf(). Parameter walking is done with
-WORD_ROUND() to take padding into account.
-
-In sctp_process_asconf()'s TLV processing, we may fail in
-sctp_process_asconf_param() e.g., due to removal of the IP
-address that is also the source address of the packet containing
-the ASCONF chunk, and thus we need to add all TLVs after the
-failure to our ASCONF response to remote via helper function
-sctp_add_asconf_response(), which basically invokes a
-sctp_addto_chunk() adding the error parameters to the given
-skb.
-
-When walking to the next parameter this time, we proceed
-with ...
-
-  length = ntohs(asconf_param->param_hdr.length);
-  asconf_param = (void *)asconf_param + length;
-
-... instead of the WORD_ROUND()'ed length, thus resulting here
-in an off-by-one that leads to reading the follow-up garbage
-parameter length of 12336, and thus throwing an skb_over_panic
-for the reply when trying to sctp_addto_chunk() next time,
-which implicitly calls the skb_put() with that length.
-
-Fix it by using sctp_walk_params() [ which is also used in
-INIT parameter processing ] macro in the verification *and*
-in ASCONF processing: it will make sure we don't spill over,
-that we walk parameters WORD_ROUND()'ed. Moreover, we're being
-more defensive and guard against unknown parameter types and
-missized addresses.
-
-Joint work with Vlad Yasevich.
-
-Fixes: b896b82be4ae ("[SCTP] ADDIP: Support for processing incoming ASCONF_ACK chunks.")
-Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
-Acked-by: Neil Horman <nhorman@tuxdriver.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/net/sctp/sm.h    |  6 +--
- net/sctp/sm_make_chunk.c | 99 +++++++++++++++++++++++++++---------------------
- net/sctp/sm_statefuns.c  | 18 +--------
- 3 files changed, 60 insertions(+), 63 deletions(-)
-
-diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
-index 7f4eeb340a54..72a31db47ded 100644
---- a/include/net/sctp/sm.h
-+++ b/include/net/sctp/sm.h
-@@ -248,9 +248,9 @@ struct sctp_chunk *sctp_make_asconf_update_ip(struct sctp_association *,
- 					      int, __be16);
- struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc,
- 					     union sctp_addr *addr);
--int sctp_verify_asconf(const struct sctp_association *asoc,
--		       struct sctp_paramhdr *param_hdr, void *chunk_end,
--		       struct sctp_paramhdr **errp);
-+bool sctp_verify_asconf(const struct sctp_association *asoc,
-+			struct sctp_chunk *chunk, bool addr_param_needed,
-+			struct sctp_paramhdr **errp);
- struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 				       struct sctp_chunk *asconf);
- int sctp_process_asconf_ack(struct sctp_association *asoc,
-diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
-index ae0e616a7ca5..ab734be8cb20 100644
---- a/net/sctp/sm_make_chunk.c
-+++ b/net/sctp/sm_make_chunk.c
-@@ -3110,50 +3110,63 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
- 	return SCTP_ERROR_NO_ERROR;
- }
- 
--/* Verify the ASCONF packet before we process it.  */
--int sctp_verify_asconf(const struct sctp_association *asoc,
--		       struct sctp_paramhdr *param_hdr, void *chunk_end,
--		       struct sctp_paramhdr **errp) {
--	sctp_addip_param_t *asconf_param;
-+/* Verify the ASCONF packet before we process it. */
-+bool sctp_verify_asconf(const struct sctp_association *asoc,
-+			struct sctp_chunk *chunk, bool addr_param_needed,
-+			struct sctp_paramhdr **errp)
-+{
-+	sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) chunk->chunk_hdr;
- 	union sctp_params param;
--	int length, plen;
--
--	param.v = (sctp_paramhdr_t *) param_hdr;
--	while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
--		length = ntohs(param.p->length);
--		*errp = param.p;
-+	bool addr_param_seen = false;
- 
--		if (param.v > chunk_end - length ||
--		    length < sizeof(sctp_paramhdr_t))
--			return 0;
-+	sctp_walk_params(param, addip, addip_hdr.params) {
-+		size_t length = ntohs(param.p->length);
- 
-+		*errp = param.p;
- 		switch (param.p->type) {
-+		case SCTP_PARAM_ERR_CAUSE:
-+			break;
-+		case SCTP_PARAM_IPV4_ADDRESS:
-+			if (length != sizeof(sctp_ipv4addr_param_t))
-+				return false;
-+			addr_param_seen = true;
-+			break;
-+		case SCTP_PARAM_IPV6_ADDRESS:
-+			if (length != sizeof(sctp_ipv6addr_param_t))
-+				return false;
-+			addr_param_seen = true;
-+			break;
- 		case SCTP_PARAM_ADD_IP:
- 		case SCTP_PARAM_DEL_IP:
- 		case SCTP_PARAM_SET_PRIMARY:
--			asconf_param = (sctp_addip_param_t *)param.v;
--			plen = ntohs(asconf_param->param_hdr.length);
--			if (plen < sizeof(sctp_addip_param_t) +
--			    sizeof(sctp_paramhdr_t))
--				return 0;
-+			/* In ASCONF chunks, these need to be first. */
-+			if (addr_param_needed && !addr_param_seen)
-+				return false;
-+			length = ntohs(param.addip->param_hdr.length);
-+			if (length < sizeof(sctp_addip_param_t) +
-+				     sizeof(sctp_paramhdr_t))
-+				return false;
- 			break;
- 		case SCTP_PARAM_SUCCESS_REPORT:
- 		case SCTP_PARAM_ADAPTATION_LAYER_IND:
- 			if (length != sizeof(sctp_addip_param_t))
--				return 0;
--
-+				return false;
- 			break;
- 		default:
--			break;
-+			/* This is unkown to us, reject! */
-+			return false;
- 		}
--
--		param.v += WORD_ROUND(length);
- 	}
- 
--	if (param.v != chunk_end)
--		return 0;
-+	/* Remaining sanity checks. */
-+	if (addr_param_needed && !addr_param_seen)
-+		return false;
-+	if (!addr_param_needed && addr_param_seen)
-+		return false;
-+	if (param.v != chunk->chunk_end)
-+		return false;
- 
--	return 1;
-+	return true;
- }
- 
- /* Process an incoming ASCONF chunk with the next expected serial no. and
-@@ -3162,16 +3175,17 @@ int sctp_verify_asconf(const struct sctp_association *asoc,
- struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 				       struct sctp_chunk *asconf)
- {
-+	sctp_addip_chunk_t *addip = (sctp_addip_chunk_t *) asconf->chunk_hdr;
-+	bool all_param_pass = true;
-+	union sctp_params param;
- 	sctp_addiphdr_t		*hdr;
- 	union sctp_addr_param	*addr_param;
- 	sctp_addip_param_t	*asconf_param;
- 	struct sctp_chunk	*asconf_ack;
--
- 	__be16	err_code;
- 	int	length = 0;
- 	int	chunk_len;
- 	__u32	serial;
--	int	all_param_pass = 1;
- 
- 	chunk_len = ntohs(asconf->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
- 	hdr = (sctp_addiphdr_t *)asconf->skb->data;
-@@ -3199,9 +3213,14 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 		goto done;
- 
- 	/* Process the TLVs contained within the ASCONF chunk. */
--	while (chunk_len > 0) {
-+	sctp_walk_params(param, addip, addip_hdr.params) {
-+		/* Skip preceeding address parameters. */
-+		if (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
-+		    param.p->type == SCTP_PARAM_IPV6_ADDRESS)
-+			continue;
-+
- 		err_code = sctp_process_asconf_param(asoc, asconf,
--						     asconf_param);
-+						     param.addip);
- 		/* ADDIP 4.1 A7)
- 		 * If an error response is received for a TLV parameter,
- 		 * all TLVs with no response before the failed TLV are
-@@ -3209,28 +3228,20 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
- 		 * the failed response are considered unsuccessful unless
- 		 * a specific success indication is present for the parameter.
- 		 */
--		if (SCTP_ERROR_NO_ERROR != err_code)
--			all_param_pass = 0;
--
-+		if (err_code != SCTP_ERROR_NO_ERROR)
-+			all_param_pass = false;
- 		if (!all_param_pass)
--			sctp_add_asconf_response(asconf_ack,
--						 asconf_param->crr_id, err_code,
--						 asconf_param);
-+			sctp_add_asconf_response(asconf_ack, param.addip->crr_id,
-+						 err_code, param.addip);
- 
- 		/* ADDIP 4.3 D11) When an endpoint receiving an ASCONF to add
- 		 * an IP address sends an 'Out of Resource' in its response, it
- 		 * MUST also fail any subsequent add or delete requests bundled
- 		 * in the ASCONF.
- 		 */
--		if (SCTP_ERROR_RSRC_LOW == err_code)
-+		if (err_code == SCTP_ERROR_RSRC_LOW)
- 			goto done;
--
--		/* Move to the next ASCONF param. */
--		length = ntohs(asconf_param->param_hdr.length);
--		asconf_param = (void *)asconf_param + length;
--		chunk_len -= length;
- 	}
--
- done:
- 	asoc->peer.addip_serial++;
- 
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index c8f606324134..bdea3dfbad31 100644
---- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -3591,9 +3591,7 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
- 	struct sctp_chunk	*asconf_ack = NULL;
- 	struct sctp_paramhdr	*err_param = NULL;
- 	sctp_addiphdr_t		*hdr;
--	union sctp_addr_param	*addr_param;
- 	__u32			serial;
--	int			length;
- 
- 	if (!sctp_vtag_verify(chunk, asoc)) {
- 		sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG,
-@@ -3618,17 +3616,8 @@ sctp_disposition_t sctp_sf_do_asconf(struct net *net,
- 	hdr = (sctp_addiphdr_t *)chunk->skb->data;
- 	serial = ntohl(hdr->serial);
- 
--	addr_param = (union sctp_addr_param *)hdr->params;
--	length = ntohs(addr_param->p.length);
--	if (length < sizeof(sctp_paramhdr_t))
--		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
--			   (void *)addr_param, commands);
--
- 	/* Verify the ASCONF chunk before processing it. */
--	if (!sctp_verify_asconf(asoc,
--			    (sctp_paramhdr_t *)((void *)addr_param + length),
--			    (void *)chunk->chunk_end,
--			    &err_param))
-+	if (!sctp_verify_asconf(asoc, chunk, true, &err_param))
- 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
- 						  (void *)err_param, commands);
- 
-@@ -3745,10 +3734,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack(struct net *net,
- 	rcvd_serial = ntohl(addip_hdr->serial);
- 
- 	/* Verify the ASCONF-ACK chunk before processing it. */
--	if (!sctp_verify_asconf(asoc,
--	    (sctp_paramhdr_t *)addip_hdr->params,
--	    (void *)asconf_ack->chunk_end,
--	    &err_param))
-+	if (!sctp_verify_asconf(asoc, asconf_ack, false, &err_param))
- 		return sctp_sf_violation_paramlen(net, ep, asoc, type, arg,
- 			   (void *)err_param, commands);
- 
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/quirk-for-Lenovo-Yoga-3-no-rfkill-switch.patch b/freed-ora/current/f20/quirk-for-Lenovo-Yoga-3-no-rfkill-switch.patch
deleted file mode 100644
index 3d517414b..000000000
--- a/freed-ora/current/f20/quirk-for-Lenovo-Yoga-3-no-rfkill-switch.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Stephan Mueller <smueller@chronox.de>
-Date: Mon, 27 Oct 2014 04:09:50 +0100
-Subject: [PATCH] quirk for Lenovo Yoga 3: no rfkill switch
-
-The Yoga 3 does not contain any physical rfkill switch. Therefore
-disable the rfkill switch identically to the Yoga 2 approach.
-
-Signed-off-by: Stephan Mueller <smueller@chronox.de>
----
- drivers/platform/x86/ideapad-laptop.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
-index 02152de135b5..ed494f37c40f 100644
---- a/drivers/platform/x86/ideapad-laptop.c
-+++ b/drivers/platform/x86/ideapad-laptop.c
-@@ -837,6 +837,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
- 			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Yoga 2"),
- 		},
- 	},
-+	{
-+		.ident = "Lenovo Yoga 3 Pro 1370",
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 3 Pro-1370"),
-+		},
-+	},
- 	{}
- };
- 
--- 
-1.9.3
-
diff --git a/freed-ora/current/f20/sources b/freed-ora/current/f20/sources
index 879087d45..715c92d67 100644
--- a/freed-ora/current/f20/sources
+++ b/freed-ora/current/f20/sources
@@ -1,3 +1,3 @@
 61aaf05e9ccb9be9bcf9135993e9ee3e  linux-libre-3.17-gnu.tar.xz
 159e969cbc27201d8e2fa0f609dc722f  perf-man-3.17.tar.gz
-13f495e3ce72ed6ccefb38591587a6ef  patch-3.17.3.xz
+df86f9de60a651ce3312af09729f7b1e  patch-3.17.4.xz
diff --git a/freed-ora/current/f20/x86-microcode-AMD-Fix-early-ucode-loading-on-32-bit.patch b/freed-ora/current/f20/x86-microcode-AMD-Fix-early-ucode-loading-on-32-bit.patch
deleted file mode 100644
index de0960684..000000000
--- a/freed-ora/current/f20/x86-microcode-AMD-Fix-early-ucode-loading-on-32-bit.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 4232c1bb6b7ed45b96d2112e6f151cf5c9c28470 Mon Sep 17 00:00:00 2001
-From: Borislav Petkov <bp@alien8.de>
-Date: Sat, 1 Nov 2014 11:01:00 +0100
-Subject: [PATCH] x86, microcode, AMD: Fix early ucode loading on 32-bit
-
-Hi guys,
-
-please queue this for the next batch to Linus.
-
-Thanks.
----
- arch/x86/kernel/cpu/microcode/amd_early.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/microcode/amd_early.c b/arch/x86/kernel/cpu/microcode/amd_early.c
-index 617a9e284245..65bdfb598880 100644
---- a/arch/x86/kernel/cpu/microcode/amd_early.c
-+++ b/arch/x86/kernel/cpu/microcode/amd_early.c
-@@ -348,6 +348,7 @@ int __init save_microcode_in_initrd_amd(void)
- {
- 	unsigned long cont;
- 	enum ucode_state ret;
-+	u8 *cont_va;
- 	u32 eax;
- 
- 	if (!container)
-@@ -355,13 +356,15 @@ int __init save_microcode_in_initrd_amd(void)
- 
- #ifdef CONFIG_X86_32
- 	get_bsp_sig();
--	cont = (unsigned long)container;
-+	cont	= (unsigned long)container;
-+	cont_va = __va(container);
- #else
- 	/*
- 	 * We need the physical address of the container for both bitness since
- 	 * boot_params.hdr.ramdisk_image is a physical address.
- 	 */
--	cont = __pa(container);
-+	cont    = __pa(container);
-+	cont_va = container;
- #endif
- 
- 	/*
-@@ -372,6 +375,8 @@ int __init save_microcode_in_initrd_amd(void)
- 	if (relocated_ramdisk)
- 		container = (u8 *)(__va(relocated_ramdisk) +
- 			     (cont - boot_params.hdr.ramdisk_image));
-+	else
-+		container = cont_va;
- 
- 	if (ucode_new_rev)
- 		pr_info("microcode: updated early to new patch_level=0x%08x\n",
--- 
-1.9.3
-