diff options
17 files changed, 708 insertions, 425 deletions
diff --git a/freed-ora/current/f19/ACPI-EC-Clear-stale-EC-events-on-Samsung-systems.patch b/freed-ora/current/f19/ACPI-EC-Clear-stale-EC-events-on-Samsung-systems.patch new file mode 100644 index 000000000..de1367bfa --- /dev/null +++ b/freed-ora/current/f19/ACPI-EC-Clear-stale-EC-events-on-Samsung-systems.patch @@ -0,0 +1,175 @@ +Bugzilla: 1003602 +Upstream-status: Queued for 3.15 https://git.kernel.org/cgit/linux/kernel/git/rafael/linux-pm.git/commit/?id=27095111cbafd3212c7e9a4a8cef1099b7520ca8 + +From 27095111cbafd3212c7e9a4a8cef1099b7520ca8 Mon Sep 17 00:00:00 2001 +From: Kieran Clancy <clancy.kieran@gmail.com> +Date: Fri, 28 Feb 2014 14:12:28 +0000 +Subject: ACPI / EC: Clear stale EC events on Samsung systems + +A number of Samsung notebooks (530Uxx/535Uxx/540Uxx/550Pxx/900Xxx/etc) +continue to log events during sleep (lid open/close, AC plug/unplug, +battery level change), which accumulate in the EC until a buffer fills. +After the buffer is full (tests suggest it holds 8 events), GPEs stop +being triggered for new events. This state persists on wake or even on +power cycle, and prevents new events from being registered until the EC +is manually polled. + +This is the root cause of a number of bugs, including AC not being +detected properly, lid close not triggering suspend, and low ambient +light not triggering the keyboard backlight. The bug also seemed to be +responsible for performance issues on at least one user's machine. + +Juan Manuel Cabo found the cause of bug and the workaround of polling +the EC manually on wake. + +The loop which clears the stale events is based on an earlier patch by +Lan Tianyu (see referenced attachment). + +This patch: + - Adds a function acpi_ec_clear() which polls the EC for stale _Q + events at most ACPI_EC_CLEAR_MAX (currently 100) times. A warning is + logged if this limit is reached. + - Adds a flag EC_FLAGS_CLEAR_ON_RESUME which is set to 1 if the DMI + system vendor is Samsung. This check could be replaced by several + more specific DMI vendor/product pairs, but it's likely that the bug + affects more Samsung products than just the five series mentioned + above. Further, it should not be harmful to run acpi_ec_clear() on + systems without the bug; it will return immediately after finding no + data waiting. + - Runs acpi_ec_clear() on initialisation (boot), from acpi_ec_add() + - Runs acpi_ec_clear() on wake, from acpi_ec_unblock_transactions() + +References: https://bugzilla.kernel.org/show_bug.cgi?id=44161 +References: https://bugzilla.kernel.org/show_bug.cgi?id=45461 +References: https://bugzilla.kernel.org/show_bug.cgi?id=57271 +References: https://bugzilla.kernel.org/attachment.cgi?id=126801 +Suggested-by: Juan Manuel Cabo <juanmanuel.cabo@gmail.com> +Signed-off-by: Kieran Clancy <clancy.kieran@gmail.com> +Reviewed-by: Lan Tianyu <tianyu.lan@intel.com> +Reviewed-by: Dennis Jansen <dennis.jansen@web.de> +Tested-by: Kieran Clancy <clancy.kieran@gmail.com> +Tested-by: Juan Manuel Cabo <juanmanuel.cabo@gmail.com> +Tested-by: Dennis Jansen <dennis.jansen@web.de> +Tested-by: Maurizio D'Addona <mauritiusdadd@gmail.com> +Tested-by: San Zamoyski <san@plusnet.pl> +Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> +--- +diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c +index 959d41a..d7d32c2 100644 +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -67,6 +67,8 @@ enum ec_command { + #define ACPI_EC_DELAY 500 /* Wait 500ms max. during EC ops */ + #define ACPI_EC_UDELAY_GLK 1000 /* Wait 1ms max. to get global lock */ + #define ACPI_EC_MSI_UDELAY 550 /* Wait 550us for MSI EC */ ++#define ACPI_EC_CLEAR_MAX 100 /* Maximum number of events to query ++ * when trying to clear the EC */ + + enum { + EC_FLAGS_QUERY_PENDING, /* Query is pending */ +@@ -116,6 +118,7 @@ EXPORT_SYMBOL(first_ec); + static int EC_FLAGS_MSI; /* Out-of-spec MSI controller */ + static int EC_FLAGS_VALIDATE_ECDT; /* ASUStec ECDTs need to be validated */ + static int EC_FLAGS_SKIP_DSDT_SCAN; /* Not all BIOS survive early DSDT scan */ ++static int EC_FLAGS_CLEAR_ON_RESUME; /* Needs acpi_ec_clear() on boot/resume */ + + /* -------------------------------------------------------------------------- + Transaction Management +@@ -440,6 +443,29 @@ acpi_handle ec_get_handle(void) + + EXPORT_SYMBOL(ec_get_handle); + ++static int acpi_ec_query_unlocked(struct acpi_ec *ec, u8 *data); ++ ++/* ++ * Clears stale _Q events that might have accumulated in the EC. ++ * Run with locked ec mutex. ++ */ ++static void acpi_ec_clear(struct acpi_ec *ec) ++{ ++ int i, status; ++ u8 value = 0; ++ ++ for (i = 0; i < ACPI_EC_CLEAR_MAX; i++) { ++ status = acpi_ec_query_unlocked(ec, &value); ++ if (status || !value) ++ break; ++ } ++ ++ if (unlikely(i == ACPI_EC_CLEAR_MAX)) ++ pr_warn("Warning: Maximum of %d stale EC events cleared\n", i); ++ else ++ pr_info("%d stale EC events cleared\n", i); ++} ++ + void acpi_ec_block_transactions(void) + { + struct acpi_ec *ec = first_ec; +@@ -463,6 +489,10 @@ void acpi_ec_unblock_transactions(void) + mutex_lock(&ec->mutex); + /* Allow transactions to be carried out again */ + clear_bit(EC_FLAGS_BLOCKED, &ec->flags); ++ ++ if (EC_FLAGS_CLEAR_ON_RESUME) ++ acpi_ec_clear(ec); ++ + mutex_unlock(&ec->mutex); + } + +@@ -821,6 +851,13 @@ static int acpi_ec_add(struct acpi_device *device) + + /* EC is fully operational, allow queries */ + clear_bit(EC_FLAGS_QUERY_PENDING, &ec->flags); ++ ++ /* Clear stale _Q events if hardware might require that */ ++ if (EC_FLAGS_CLEAR_ON_RESUME) { ++ mutex_lock(&ec->mutex); ++ acpi_ec_clear(ec); ++ mutex_unlock(&ec->mutex); ++ } + return ret; + } + +@@ -922,6 +959,30 @@ static int ec_enlarge_storm_threshold(const struct dmi_system_id *id) + return 0; + } + ++/* ++ * On some hardware it is necessary to clear events accumulated by the EC during ++ * sleep. These ECs stop reporting GPEs until they are manually polled, if too ++ * many events are accumulated. (e.g. Samsung Series 5/9 notebooks) ++ * ++ * https://bugzilla.kernel.org/show_bug.cgi?id=44161 ++ * ++ * Ideally, the EC should also be instructed NOT to accumulate events during ++ * sleep (which Windows seems to do somehow), but the interface to control this ++ * behaviour is not known at this time. ++ * ++ * Models known to be affected are Samsung 530Uxx/535Uxx/540Uxx/550Pxx/900Xxx, ++ * however it is very likely that other Samsung models are affected. ++ * ++ * On systems which don't accumulate _Q events during sleep, this extra check ++ * should be harmless. ++ */ ++static int ec_clear_on_resume(const struct dmi_system_id *id) ++{ ++ pr_debug("Detected system needing EC poll on resume.\n"); ++ EC_FLAGS_CLEAR_ON_RESUME = 1; ++ return 0; ++} ++ + static struct dmi_system_id ec_dmi_table[] __initdata = { + { + ec_skip_dsdt_scan, "Compal JFL92", { +@@ -965,6 +1026,9 @@ static struct dmi_system_id ec_dmi_table[] __initdata = { + ec_validate_ecdt, "ASUS hardware", { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek Computer Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "L4R"),}, NULL}, ++ { ++ ec_clear_on_resume, "Samsung hardware", { ++ DMI_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD.")}, NULL}, + {}, + }; + +-- +cgit v0.9.2 diff --git a/freed-ora/current/f19/Bluetooth-allocate-static-minor-for-vhci.patch b/freed-ora/current/f19/Bluetooth-allocate-static-minor-for-vhci.patch new file mode 100644 index 000000000..8acfb308f --- /dev/null +++ b/freed-ora/current/f19/Bluetooth-allocate-static-minor-for-vhci.patch @@ -0,0 +1,71 @@ +Bugzilla: 1051748 +Upstream-status: Queued for 3.15 + +From b075dd40c95d11c2c8690f6c4d6232fc0d9e7f56 Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi <lucas.demarchi@intel.com> +Date: Tue, 18 Feb 2014 05:19:26 +0000 +Subject: Bluetooth: allocate static minor for vhci + +Commit bfacbb9 (Bluetooth: Use devname:vhci module alias for virtual HCI +driver) added the module alias to hci_vhci module so it's possible to +create the /dev/vhci node. However creating an alias without +specifying the minor doesn't allow us to create the node ahead, +triggerring module auto-load when it's first accessed. + +Starting with depmod from kmod 16 we started to warn if there's a +devname alias without specifying the major and minor. + +Let's do the same done for uhid, kvm, fuse and others, specifying a +fixed minor. In systems with systemd as the init the following will +happen: on early boot systemd will call "kmod static-nodes" to read +/lib/modules/$(uname -r)/modules.devname and then create the nodes. When +first accessed these "dead" nodes will trigger the module loading. + +Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com> +Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Marcel Holtmann <marcel@holtmann.org> +--- +diff --git a/Documentation/devices.txt b/Documentation/devices.txt +index 10378cc..04356f5 100644 +--- a/Documentation/devices.txt ++++ b/Documentation/devices.txt +@@ -353,6 +353,7 @@ Your cooperation is appreciated. + 133 = /dev/exttrp External device trap + 134 = /dev/apm_bios Advanced Power Management BIOS + 135 = /dev/rtc Real Time Clock ++ 137 = /dev/vhci Bluetooth virtual HCI driver + 139 = /dev/openprom SPARC OpenBoot PROM + 140 = /dev/relay8 Berkshire Products Octal relay card + 141 = /dev/relay16 Berkshire Products ISO-16 relay card +diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c +index 1ef6990..add1c6a 100644 +--- a/drivers/bluetooth/hci_vhci.c ++++ b/drivers/bluetooth/hci_vhci.c +@@ -359,7 +359,7 @@ static const struct file_operations vhci_fops = { + static struct miscdevice vhci_miscdev= { + .name = "vhci", + .fops = &vhci_fops, +- .minor = MISC_DYNAMIC_MINOR, ++ .minor = VHCI_MINOR, + }; + + static int __init vhci_init(void) +@@ -385,3 +385,4 @@ MODULE_DESCRIPTION("Bluetooth virtual HCI driver ver " VERSION); + MODULE_VERSION(VERSION); + MODULE_LICENSE("GPL"); + MODULE_ALIAS("devname:vhci"); ++MODULE_ALIAS_MISCDEV(VHCI_MINOR); +diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h +index 3737f72..7bb6148 100644 +--- a/include/linux/miscdevice.h ++++ b/include/linux/miscdevice.h +@@ -23,6 +23,7 @@ + #define TEMP_MINOR 131 /* Temperature Sensor */ + #define RTC_MINOR 135 + #define EFI_RTC_MINOR 136 /* EFI Time services */ ++#define VHCI_MINOR 137 + #define SUN_OPENPROM_MINOR 139 + #define DMAPI_MINOR 140 /* DMAPI */ + #define NVRAM_MINOR 144 +-- +cgit v0.9.2 diff --git a/freed-ora/current/f19/HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch b/freed-ora/current/f19/HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch new file mode 100644 index 000000000..0fb3cc4b4 --- /dev/null +++ b/freed-ora/current/f19/HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch @@ -0,0 +1,95 @@ +Bugzilla: 1027465 +Upstream-status: 3.14 + +From a4b1b5877b514b276f0f31efe02388a9c2836728 Mon Sep 17 00:00:00 2001 +From: David Herrmann <dh.herrmann@gmail.com> +Date: Thu, 19 Dec 2013 12:09:32 +0100 +Subject: [PATCH] HID: Bluetooth: hidp: make sure input buffers are big enough + +HID core expects the input buffers to be at least of size 4096 +(HID_MAX_BUFFER_SIZE). Other sizes will result in buffer-overflows if an +input-report is smaller than advertised. We could, like i2c, compute the +biggest report-size instead of using HID_MAX_BUFFER_SIZE, but this will +blow up if report-descriptors are changed after ->start() has been called. +So lets be safe and just use the biggest buffer we have. + +Note that this adds an additional copy to the HIDP input path. If there is +a way to make sure the skb-buf is big enough, we should use that instead. + +The best way would be to make hid-core honor the @size argument, though, +that sounds easier than it is. So lets just fix the buffer-overflows for +now and afterwards look for a faster way for all transport drivers. + +Signed-off-by: David Herrmann <dh.herrmann@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +--- + net/bluetooth/hidp/core.c | 16 ++++++++++++++-- + net/bluetooth/hidp/hidp.h | 4 ++++ + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 292e619..d9fb934 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -430,6 +430,16 @@ static void hidp_del_timer(struct hidp_session *session) + del_timer(&session->timer); + } + ++static void hidp_process_report(struct hidp_session *session, ++ int type, const u8 *data, int len, int intr) ++{ ++ if (len > HID_MAX_BUFFER_SIZE) ++ len = HID_MAX_BUFFER_SIZE; ++ ++ memcpy(session->input_buf, data, len); ++ hid_input_report(session->hid, type, session->input_buf, len, intr); ++} ++ + static void hidp_process_handshake(struct hidp_session *session, + unsigned char param) + { +@@ -502,7 +512,8 @@ static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb, + hidp_input_report(session, skb); + + if (session->hid) +- hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0); ++ hidp_process_report(session, HID_INPUT_REPORT, ++ skb->data, skb->len, 0); + break; + + case HIDP_DATA_RTYPE_OTHER: +@@ -584,7 +595,8 @@ static void hidp_recv_intr_frame(struct hidp_session *session, + hidp_input_report(session, skb); + + if (session->hid) { +- hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 1); ++ hidp_process_report(session, HID_INPUT_REPORT, ++ skb->data, skb->len, 1); + BT_DBG("report len %d", skb->len); + } + } else { +diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h +index ab52414..8798492 100644 +--- a/net/bluetooth/hidp/hidp.h ++++ b/net/bluetooth/hidp/hidp.h +@@ -24,6 +24,7 @@ + #define __HIDP_H + + #include <linux/types.h> ++#include <linux/hid.h> + #include <linux/kref.h> + #include <net/bluetooth/bluetooth.h> + #include <net/bluetooth/l2cap.h> +@@ -179,6 +180,9 @@ struct hidp_session { + + /* Used in hidp_output_raw_report() */ + int output_report_success; /* boolean */ ++ ++ /* temporary input buffer */ ++ u8 input_buf[HID_MAX_BUFFER_SIZE]; + }; + + /* HIDP init defines */ +-- +1.8.5.3 + diff --git a/freed-ora/current/f19/Revert-USBNET-ax88179_178a-enable-tso-if-usb-host-supports-sg-dma.patch b/freed-ora/current/f19/Revert-USBNET-ax88179_178a-enable-tso-if-usb-host-supports-sg-dma.patch new file mode 100644 index 000000000..4efb2b3f3 --- /dev/null +++ b/freed-ora/current/f19/Revert-USBNET-ax88179_178a-enable-tso-if-usb-host-supports-sg-dma.patch @@ -0,0 +1,50 @@ +From 1b4b61e873240faea96995cd87cfbe7bc51a2b39 Mon Sep 17 00:00:00 2001 +From: Sarah Sharp <sarah.a.sharp@linux.intel.com> +Date: Tue, 04 Mar 2014 22:23:47 +0000 +Subject: Revert "USBNET: ax88179_178a: enable tso if usb host supports sg dma" + +This reverts commit 3804fad45411b48233b48003e33a78f290d227c8. + +The xHCI driver does not implement TD fragment rules yet, so we can't +properly support arbitrary-length scatter gather. USB storage seems +immune to these issues, and only the ASIX host seems to hit them, so +disable scatter gather. + +Note that we can't simply work around this by clearing the +no_sg_constraint flag for 1.0 xHCI hosts that need TD fragments (and +thus would cause the ASIX chipsets to drop packets). We tried that with +commit 247bf557273d "xhci 1.0: Limit arbitrarily-aligned scatter +gather." We found that commit breaks USB 3.0 mass storage devices. It +needs to get reverted, and this commit needs to get reverted before it +to avoid dropped packets with the ASIX ethernet adapters. + +Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> +Cc: stable@vger.kernel.org # 3.12 +--- +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index 955df81..42085e6 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -1029,20 +1029,12 @@ static int ax88179_bind(struct usbnet *dev, struct usb_interface *intf) + dev->mii.phy_id = 0x03; + dev->mii.supports_gmii = 1; + +- if (usb_device_no_sg_constraint(dev->udev)) +- dev->can_dma_sg = 1; +- + dev->net->features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | + NETIF_F_RXCSUM; + + dev->net->hw_features |= NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM | + NETIF_F_RXCSUM; + +- if (dev->can_dma_sg) { +- dev->net->features |= NETIF_F_SG | NETIF_F_TSO; +- dev->net->hw_features |= NETIF_F_SG | NETIF_F_TSO; +- } +- + /* Enable checksum offload */ + *tmp = AX_RXCOE_IP | AX_RXCOE_TCP | AX_RXCOE_UDP | + AX_RXCOE_TCPV6 | AX_RXCOE_UDPV6; +-- +cgit v0.9.2 diff --git a/freed-ora/current/f19/Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch b/freed-ora/current/f19/Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch new file mode 100644 index 000000000..a1920dd6f --- /dev/null +++ b/freed-ora/current/f19/Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch @@ -0,0 +1,86 @@ +From 7efb6dbd0d825899955fd4035504823bb5c1124c Mon Sep 17 00:00:00 2001 +From: Sarah Sharp <sarah.a.sharp@linux.intel.com> +Date: Tue, 04 Mar 2014 22:28:16 +0000 +Subject: Revert "xhci 1.0: Limit arbitrarily-aligned scatter gather." + +This reverts commit 247bf557273dd775505fb9240d2d152f4f20d304, since it +causes USB 3.0 mass storage devices to fail on xHCI 1.0 hosts. + +The block layer may submit scatter-gather lists with entries that +are multiples of 512-byte blocks. That's fine for USB 2.0 devices, +where the bulk endpoint max packet size is 512 bytes. But USB 3.0 +devices have bulk endpoints with a 1024 byte max packet size. + +That means when the block layer submits a scatter-gather list with one +entry that includes, say, three 512-byte blocks, this code will reject +the URB if it's submitted to a USB 3.0 bulk endpoint: + +int usb_submit_urb(struct urb *urb, gfp_t mem_flags) +{ +... + max = usb_endpoint_maxp(&ep->desc); +... + } else if (urb->num_sgs && !urb->dev->bus->no_sg_constraint && + dev->speed != USB_SPEED_WIRELESS) { + struct scatterlist *sg; + int i; + + for_each_sg(urb->sg, sg, urb->num_sgs - 1, i) + if (sg->length % max) + return -EINVAL; + } + +This results in failures with USB 3.0 drives. For me, a failure to +auto-mount the device. For others, a read or write SCSI command +failure. + +This commit was put in place so that we could get scatter-gather support +for the ASIX USB ethernet adapter on non-1.0 hosts. It was a quick fix +until we implemented TD fragments properly in the driver. Since it +breaks USB 3.0 mass storage, we need to revert it, and revert +scatter-gather support for the ASIX devices. + +Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> +Cc: stable@vger.kernel.org # 3.12 +--- +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 652be21..8fe4e12 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4762,6 +4762,9 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) + /* Accept arbitrarily long scatter-gather lists */ + hcd->self.sg_tablesize = ~0; + ++ /* support to build packet from discontinuous buffers */ ++ hcd->self.no_sg_constraint = 1; ++ + /* XHCI controllers don't stop the ep queue on short packets :| */ + hcd->self.no_stop_on_short = 1; + +@@ -4786,14 +4789,6 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) + /* xHCI private pointer was set in xhci_pci_probe for the second + * registered roothub. + */ +- xhci = hcd_to_xhci(hcd); +- /* +- * Support arbitrarily aligned sg-list entries on hosts without +- * TD fragment rules (which are currently unsupported). +- */ +- if (xhci->hci_version < 0x100) +- hcd->self.no_sg_constraint = 1; +- + return 0; + } + +@@ -4822,9 +4817,6 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks) + if (xhci->hci_version > 0x96) + xhci->quirks |= XHCI_SPURIOUS_SUCCESS; + +- if (xhci->hci_version < 0x100) +- hcd->self.no_sg_constraint = 1; +- + /* Make sure the HC is halted. */ + retval = xhci_halt(xhci); + if (retval) +-- +cgit v0.9.2 diff --git a/freed-ora/current/f19/bug-1071998.patch b/freed-ora/current/f19/bug-1071998.patch new file mode 100644 index 000000000..d1b438567 --- /dev/null +++ b/freed-ora/current/f19/bug-1071998.patch @@ -0,0 +1,21 @@ +@@ -, +, @@ +--- + drivers/net/wireless/iwlwifi/mvm/coex.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) +--- a/drivers/net/wireless/iwlwifi/mvm/bt-coex.c ++++ a/drivers/net/wireless/iwlwifi/mvm/bt-coex.c +@@ -1119,8 +1119,11 @@ void iwl_mvm_bt_rssi_event(struct iwl_mvm *mvm, struct ieee80211_vif *vif, + + lockdep_assert_held(&mvm->mutex); + +- /* Rssi update while not associated ?! */ +- if (WARN_ON_ONCE(mvmvif->ap_sta_id == IWL_MVM_STATION_COUNT)) ++ /* ++ * Rssi update while not associated - can happen since the statistics ++ * are handled asynchronously ++ */ ++ if (mvmvif->ap_sta_id == IWL_MVM_STATION_COUNT) + return; + + /* No BT - reports should be disabled */ +-- diff --git a/freed-ora/current/f19/cgroup-fixes.patch b/freed-ora/current/f19/cgroup-fixes.patch index 0f6f1a578..d03418907 100644 --- a/freed-ora/current/f19/cgroup-fixes.patch +++ b/freed-ora/current/f19/cgroup-fixes.patch @@ -120,7 +120,7 @@ Signed-off-by: Michal Hocko <mhocko@suse.cz> --- a/kernel/cgroup.c +++ b/kernel/cgroup.c -@@ -4410,14 +4410,6 @@ static long cgroup_create(struct cgroup +@@ -4410,16 +4410,6 @@ static long cgroup_create(struct cgroup rcu_assign_pointer(cgrp->name, name); /* @@ -128,8 +128,10 @@ Signed-off-by: Michal Hocko <mhocko@suse.cz> - * a half-baked cgroup. - */ - cgrp->id = idr_alloc(&root->cgroup_idr, NULL, 1, 0, GFP_KERNEL); -- if (cgrp->id < 0) +- if (cgrp->id < 0) { +- err = -ENOMEM; - goto err_free_name; +- } - - /* * Only live parents can have children. Note that the liveliness diff --git a/freed-ora/current/f19/cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch b/freed-ora/current/f19/cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch deleted file mode 100644 index dbd5b4622..000000000 --- a/freed-ora/current/f19/cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch +++ /dev/null @@ -1,149 +0,0 @@ -Path: news.gmane.org!not-for-mail -From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> -Newsgroups: gmane.linux.kernel.cifs -Subject: [PATCH] cifs: ensure that uncached writes handle unmapped areas correctly -Date: Fri, 14 Feb 2014 07:20:35 -0500 -Lines: 92 -Approved: news@gmane.org -Message-ID: <1392380435-6903-1-git-send-email-jlayton@redhat.com> -NNTP-Posting-Host: plane.gmane.org -X-Trace: ger.gmane.org 1392380436 7379 80.91.229.3 (14 Feb 2014 12:20:36 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Fri, 14 Feb 2014 12:20:36 +0000 (UTC) -Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org -To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org -Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Fri Feb 14 13:20:44 2014 -Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> -Envelope-to: glkc-linux-cifs-wOFGN7rlS/M9smdsby/KFg@public.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>) - id 1WEHl6-0001gj-3d - for glkc-linux-cifs-wOFGN7rlS/M9smdsby/KFg@public.gmane.org; Fri, 14 Feb 2014 13:20:44 +0100 -Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand - id S1752014AbaBNMUn (ORCPT <rfc822;glkc-linux-cifs@m.gmane.org>); - Fri, 14 Feb 2014 07:20:43 -0500 -Original-Received: from mail-qa0-f41.google.com ([209.85.216.41]:53300 "EHLO - mail-qa0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1751935AbaBNMUn (ORCPT - <rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>); Fri, 14 Feb 2014 07:20:43 -0500 -Original-Received: by mail-qa0-f41.google.com with SMTP id w8so18341449qac.0 - for <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>; Fri, 14 Feb 2014 04:20:42 -0800 (PST) -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20130820; - h=x-gm-message-state:sender:from:to:cc:subject:date:message-id; - bh=U+Hg0/eYYIJkioXu/lkD6lkFJ0tCG+CokyC++yC+DQM=; - b=k0jKxn6Oe6WzaA8qsSjcTaszuxeetSkSa7zALlqcXb5ZMePVPSZXV4ceIYOs3RRg3T - ABfigeWTQiCwmRFobeOh77zBI4vsGXRx9UkDYTwNVzMIVGD+eFm90m4gB2DtSl0HqPFI - vUaBZDWNIduFFfuTEADF4FoguV+lX07T9lgAPXO6F05sC/dxQ5ffrTFrao0k1kzJO/tg - 72LueH0aRcwWHxA9e+WW3KkvRZALlcqWIe+Bnomw51qdtpetKPmag3/BTtLwwUSbAU0e - uppFe/6fHJHN+SHYgVGrVLFH2OXbRSyv8R4wC1BWlau6khtclu/R0X22jk5Okd+zM8Jd - DvkA== -X-Gm-Message-State: ALoCoQlx+9xv55qz9RE2vMXqhqjy8E3xo9guNbdH3Gwu3BbXxDqM4CRvLyHWarIQK4MEnf47FoZK -X-Received: by 10.140.31.247 with SMTP id f110mr11536194qgf.58.1392380442431; - Fri, 14 Feb 2014 04:20:42 -0800 (PST) -Original-Received: from tlielax.poochiereds.net ([2001:470:8:d63:3a60:77ff:fe93:a95d]) - by mx.google.com with ESMTPSA id r40sm7432383qga.23.2014.02.14.04.20.41 - for <multiple recipients> - (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); - Fri, 14 Feb 2014 04:20:41 -0800 (PST) -X-Mailer: git-send-email 1.8.5.3 -Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org -Precedence: bulk -List-ID: <linux-cifs.vger.kernel.org> -X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org -Xref: news.gmane.org gmane.linux.kernel.cifs:9401 -Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/9401> - -It's possible for userland to pass down an iovec via writev() that has a -bogus user pointer in it. If that happens and we're doing an uncached -write, then we can end up getting less bytes than we expect from the -call to iov_iter_copy_from_user. - -cifs_iovec_write isn't set up to handle that situation however. It'll -blindly keep chugging through the page array and not filling those pages -with anything useful. Worse yet, we'll later end up with a negative -number in wdata->tailsz, which will confuse the sending routines and -cause an oops at the very least. - -Fix this by having the copy phase of cifs_iovec_write stop copying data -in this situation and send the last write as a short one. At the same -time, we want to avoid sending a zero-length write to the server, so -break out of the loop and set rc to -EFAULT if that happens. This also -allows us to handle the case where no address in the iovec is valid. - -[Note: Marking this for stable on v3.4+ kernels, but kernels as old as - v2.6.38 may have a similar problem and may need similar fix] - -Cc: <stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> # v3.4+ -Reviewed-by: Pavel Shilovsky <piastry-7qunaywFIewox3rIn2DAYQ@public.gmane.org> -Reported-by: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> -Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> ---- - fs/cifs/file.c | 37 ++++++++++++++++++++++++++++++++++--- - 1 file changed, 34 insertions(+), 3 deletions(-) - -diff --git a/fs/cifs/file.c b/fs/cifs/file.c -index 03d1f454c713..ae1a4d58e672 100644 ---- a/fs/cifs/file.c -+++ b/fs/cifs/file.c -@@ -2387,7 +2387,7 @@ cifs_iovec_write(struct file *file, const struct iovec *iov, - unsigned long nr_segs, loff_t *poffset) - { - unsigned long nr_pages, i; -- size_t copied, len, cur_len; -+ size_t bytes, copied, len, cur_len; - ssize_t total_written = 0; - loff_t offset; - struct iov_iter it; -@@ -2442,14 +2442,45 @@ cifs_iovec_write(struct file *file, const struct iovec *iov, - - save_len = cur_len; - for (i = 0; i < nr_pages; i++) { -- copied = min_t(const size_t, cur_len, PAGE_SIZE); -+ bytes = min_t(const size_t, cur_len, PAGE_SIZE); - copied = iov_iter_copy_from_user(wdata->pages[i], &it, -- 0, copied); -+ 0, bytes); - cur_len -= copied; - iov_iter_advance(&it, copied); -+ /* -+ * If we didn't copy as much as we expected, then that -+ * may mean we trod into an unmapped area. Stop copying -+ * at that point. On the next pass through the big -+ * loop, we'll likely end up getting a zero-length -+ * write and bailing out of it. -+ */ -+ if (copied < bytes) -+ break; - } - cur_len = save_len - cur_len; - -+ /* -+ * If we have no data to send, then that probably means that -+ * the copy above failed altogether. That's most likely because -+ * the address in the iovec was bogus. Set the rc to -EFAULT, -+ * free anything we allocated and bail out. -+ */ -+ if (!cur_len) { -+ for (i = 0; i < nr_pages; i++) -+ put_page(wdata->pages[i]); -+ kfree(wdata); -+ rc = -EFAULT; -+ break; -+ } -+ -+ /* -+ * i + 1 now represents the number of pages we actually used in -+ * the copy phase above. Bring nr_pages down to that, and free -+ * any pages that we didn't use. -+ */ -+ for ( ; nr_pages > i + 1; nr_pages--) -+ put_page(wdata->pages[nr_pages - 1]); -+ - wdata->sync_mode = WB_SYNC_ALL; - wdata->nr_pages = nr_pages; - wdata->offset = (__u64)offset; --- -1.8.5.3 - diff --git a/freed-ora/current/f19/cpufreq-powernow-k8-Initialize-per-cpu-data-structures-properly.patch b/freed-ora/current/f19/cpufreq-powernow-k8-Initialize-per-cpu-data-structures-properly.patch deleted file mode 100644 index 70a553d2c..000000000 --- a/freed-ora/current/f19/cpufreq-powernow-k8-Initialize-per-cpu-data-structures-properly.patch +++ /dev/null @@ -1,138 +0,0 @@ -Bugzilla: 1054408 -Upstream-status: Queued for 3.14 and CC'd to stable -Delivered-To: jwboyer@gmail.com -Received: by 10.76.82.162 with SMTP id j2csp112184oay; - Mon, 17 Feb 2014 03:01:52 -0800 (PST) -X-Received: by 10.68.164.4 with SMTP id ym4mr26078759pbb.53.1392634911720; - Mon, 17 Feb 2014 03:01:51 -0800 (PST) -Return-Path: <linux-kernel-owner@vger.kernel.org> -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id xf4si14383267pab.191.2014.02.17.03.01.15 - for <multiple recipients>; - Mon, 17 Feb 2014 03:01:51 -0800 (PST) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1752151AbaBQKyA (ORCPT <rfc822;gardner.ben.linux@gmail.com> - + 99 others); Mon, 17 Feb 2014 05:54:00 -0500 -Received: from e28smtp06.in.ibm.com ([122.248.162.6]:51044 "EHLO - e28smtp06.in.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752134AbaBQKx6 (ORCPT - <rfc822;linux-kernel@vger.kernel.org>); - Mon, 17 Feb 2014 05:53:58 -0500 -Received: from /spool/local - by e28smtp06.in.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted - for <linux-kernel@vger.kernel.org> from <srivatsa.bhat@linux.vnet.ibm.com>; - Mon, 17 Feb 2014 16:23:53 +0530 -Received: from d28dlp03.in.ibm.com (9.184.220.128) - by e28smtp06.in.ibm.com (192.168.1.136) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; - Mon, 17 Feb 2014 16:23:50 +0530 -Received: from d28relay01.in.ibm.com (d28relay01.in.ibm.com [9.184.220.58]) - by d28dlp03.in.ibm.com (Postfix) with ESMTP id 80C82125805C; - Mon, 17 Feb 2014 16:25:47 +0530 (IST) -Received: from d28av03.in.ibm.com (d28av03.in.ibm.com [9.184.220.65]) - by d28relay01.in.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id s1HArhEA64749632; - Mon, 17 Feb 2014 16:23:44 +0530 -Received: from d28av03.in.ibm.com (localhost [127.0.0.1]) - by d28av03.in.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id s1HArkHs009945; - Mon, 17 Feb 2014 16:23:47 +0530 -Received: from srivatsabhat.in.ibm.com ([9.79.254.57]) - by d28av03.in.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id s1HAriQk009844; - Mon, 17 Feb 2014 16:23:45 +0530 -From: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com> -Subject: [PATCH] cpufreq, - powernow-k8: Initialize per-cpu data-structures properly -To: pierre-list@ossman.eu, rjw@rjwysocki.net -Cc: viresh.kumar@linaro.org, linux-pm@vger.kernel.org, - linux-kernel@vger.kernel.org, - "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com> -Date: Mon, 17 Feb 2014 16:18:21 +0530 -Message-ID: <20140217104821.21147.71463.stgit@srivatsabhat.in.ibm.com> -User-Agent: StGIT/0.14.3 -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 7bit -X-TM-AS-MML: disable -X-Content-Scanned: Fidelis XPS MAILER -x-cbid: 14021710-9574-0000-0000-00000BFDA307 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: <linux-kernel.vger.kernel.org> -X-Mailing-List: linux-kernel@vger.kernel.org - -The powernow-k8 driver maintains a per-cpu data-structure called powernow_data -that is used to perform the frequency transitions. It initializes this data- -structure only for the policy->cpu. So, accesses to this data-structure by -other CPUs results in various problems because they would have been -uninitialized. - -Specifically, if a cpu (!= policy->cpu) invokes the drivers' ->get() function, -it returns 0 as the KHz value, since its per-cpu memory doesn't point to -anything valid. This causes problems during suspend/resume since -cpufreq_update_policy() tries to enforce this (0 KHz) as the current frequency -of the CPU, and this madness gets propagated to adjust_jiffies() as well. -Eventually, lots of things start breaking down, including the r8169 ethernet -card, in one particularly interesting case reported by Pierre Ossman. - -https://bugzilla.kernel.org/show_bug.cgi?id=70311 - -Fix this by initializing the per-cpu data-structures of _all_ the CPUs -in the policy appropriately. - -Cc: stable@vger.kernel.org -Reported-by: Pierre Ossman <pierre@ossman.eu> -Signed-off-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com> ---- - - drivers/cpufreq/powernow-k8.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/drivers/cpufreq/powernow-k8.c b/drivers/cpufreq/powernow-k8.c -index e10b646..6684e03 100644 ---- a/drivers/cpufreq/powernow-k8.c -+++ b/drivers/cpufreq/powernow-k8.c -@@ -1076,7 +1076,7 @@ static int powernowk8_cpu_init(struct cpufreq_policy *pol) - { - struct powernow_k8_data *data; - struct init_on_cpu init_on_cpu; -- int rc; -+ int rc, cpu; - - smp_call_function_single(pol->cpu, check_supported_cpu, &rc, 1); - if (rc) -@@ -1140,7 +1140,9 @@ static int powernowk8_cpu_init(struct cpufreq_policy *pol) - pr_debug("cpu_init done, current fid 0x%x, vid 0x%x\n", - data->currfid, data->currvid); - -- per_cpu(powernow_data, pol->cpu) = data; -+ /* Point all the CPUs in this policy to the same data */ -+ for_each_cpu(cpu, pol->cpus) -+ per_cpu(powernow_data, cpu) = data; - - return 0; - -@@ -1155,6 +1157,7 @@ err_out: - static int powernowk8_cpu_exit(struct cpufreq_policy *pol) - { - struct powernow_k8_data *data = per_cpu(powernow_data, pol->cpu); -+ int cpu; - - if (!data) - return -EINVAL; -@@ -1165,7 +1168,8 @@ static int powernowk8_cpu_exit(struct cpufreq_policy *pol) - - kfree(data->powernow_table); - kfree(data); -- per_cpu(powernow_data, pol->cpu) = NULL; -+ for_each_cpu(cpu, pol->cpus) -+ per_cpu(powernow_data, cpu) = NULL; - - return 0; - } - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/freed-ora/current/f19/iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch b/freed-ora/current/f19/iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch new file mode 100644 index 000000000..6db25b3d8 --- /dev/null +++ b/freed-ora/current/f19/iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch @@ -0,0 +1,39 @@ +Bugzilla: 1065663 +Upstream-status: 3.14 + +From ec6f678c74dbdb06a6a775bbb00f1d26c17c404b Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach <emmanuel.grumbach@intel.com> +Date: Tue, 18 Feb 2014 10:30:18 +0200 +Subject: [PATCH] iwlwifi: dvm: clear IWL_STA_UCODE_INPROGRESS when assoc fails + +We set IWL_STA_UCODE_INPROGRESS flag when we add a station +and clear it when we send the LQ command for it. But the LQ +command is sent only when the association succeeds. +If the association doesn't succeed, we would leave this flag +set and that wouldn't indicate the station entry as vacant. + +This probably fixes: +https://bugzilla.redhat.com/show_bug.cgi?id=1065663 + +Cc: <stable@vger.kernel.org> +Reviewed-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> +--- + drivers/net/wireless/iwlwifi/dvm/sta.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/iwlwifi/dvm/sta.c b/drivers/net/wireless/iwlwifi/dvm/sta.c +index c0d070c..9cdd91c 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/sta.c ++++ b/drivers/net/wireless/iwlwifi/dvm/sta.c +@@ -590,6 +590,7 @@ void iwl_deactivate_station(struct iwl_priv *priv, const u8 sta_id, + sizeof(priv->tid_data[sta_id][tid])); + + priv->stations[sta_id].used &= ~IWL_STA_DRIVER_ACTIVE; ++ priv->stations[sta_id].used &= ~IWL_STA_UCODE_INPROGRESS; + + priv->num_stations--; + +-- +1.8.5.3 + diff --git a/freed-ora/current/f19/kernel.spec b/freed-ora/current/f19/kernel.spec index 5e90ec0cd..18d44be97 100644 --- a/freed-ora/current/f19/kernel.spec +++ b/freed-ora/current/f19/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 103 +%global baserelease 100 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -112,7 +112,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -818,27 +818,17 @@ Patch25196: ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.pa Patch25197: ipv6-addrconf-revert-if_inet6ifa_flag-format.patch #CVE-2014-0069 rhbz 1064253 1062584 -Patch25200: cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch Patch25201: cifs-sanity-check-length-of-data-to-send-before-sending.patch #rhbz 1068862 Patch25002: cifs-mask-off-top-byte-in-get_rfc1002_length.patch -#rhbz 1054408 -Patch25203: cpufreq-powernow-k8-Initialize-per-cpu-data-structures-properly.patch - #rhbz 994438 Patch25024: e100-Fix-disabling-already-disabled-device-warning.patch -#rhbz 1056170 -Patch25025: usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch - #CVE-2014-0102 rhbz 1071396 Patch25026: keyring-fix.patch -#CVE-2014-0049 rhbz 1062368 1071837 -Patch25027: kvm-x86-fix-emulator-buffer-overflow.patch - #rhbz 1065087 Patch25028: tty-Fix-low_latency-BUG.patch @@ -851,6 +841,28 @@ Patch25030: net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-cap #CVE-2014-0100 rhbz 1072026 1070618 Patch25031: net-fix-for-a-race-condition-in-the-inet-frag-code.patch +#rhbz 1027465 +Patch25032: HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch + +#rhbz 1013466 +Patch25033: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch + +#rhbz 1071998 +Patch25034: bug-1071998.patch + +#rhbz 1051748 +Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch + +#rhbz 1003602 +Patch25037: ACPI-EC-Clear-stale-EC-events-on-Samsung-systems.patch + +#rhbz 1073180 +Patch25038: Revert-USBNET-ax88179_178a-enable-tso-if-usb-host-supports-sg-dma.patch +Patch25039: Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch + +#rhbz 1065663 +Patch25040: iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch + # END OF PATCH DEFINITIONS %endif @@ -1615,27 +1627,17 @@ ApplyPatch ipv6-introduce-IFA_F_NOPREFIXROUTE-and-IFA_F_MANAGETEMPADDR-flags.pat ApplyPatch ipv6-addrconf-revert-if_inet6ifa_flag-format.patch #CVE-2014-0069 rhbz 1064253 1062584 -ApplyPatch cifs-ensure-that-uncached-writes-handle-unmapped-areas-correctly.patch ApplyPatch cifs-sanity-check-length-of-data-to-send-before-sending.patch #rhbz 1068862 ApplyPatch cifs-mask-off-top-byte-in-get_rfc1002_length.patch -#rhbz 1054408 -ApplyPatch cpufreq-powernow-k8-Initialize-per-cpu-data-structures-properly.patch - #rhbz 994438 ApplyPatch e100-Fix-disabling-already-disabled-device-warning.patch -#rhbz 1056170 -ApplyPatch usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch - #CVE-2014-0102 rhbz 1071396 ApplyPatch keyring-fix.patch -#CVE-2014-0049 rhbz 1062368 1071837 -ApplyPatch kvm-x86-fix-emulator-buffer-overflow.patch - #rhbz 1065087 ApplyPatch tty-Fix-low_latency-BUG.patch @@ -1648,6 +1650,28 @@ ApplyPatch net-net-sctp-fix-sctp_sf_do_5_1D_ce-to-verify-if-we-peer-is-AUTH-capa #CVE-2014-0100 rhbz 1072026 1070618 ApplyPatch net-fix-for-a-race-condition-in-the-inet-frag-code.patch +#rhbz 1027465 +ApplyPatch HID-Bluetooth-hidp-make-sure-input-buffers-are-big-e.patch + +#rhbz 1013466 +ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch + +#rhbz 1071998 +ApplyPatch bug-1071998.patch + +#rhbz 1051748 +ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch + +#rhbz 1003602 +ApplyPatch ACPI-EC-Clear-stale-EC-events-on-Samsung-systems.patch + +#rhbz 1073180 +ApplyPatch Revert-USBNET-ax88179_178a-enable-tso-if-usb-host-supports-sg-dma.patch +ApplyPatch Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch + +#rhbz 1065663 +ApplyPatch iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch + # END OF PATCH APPLICATIONS %endif @@ -2471,6 +2495,25 @@ fi # and build. %changelog +* Fri Mar 7 2014 Alexandre Oliva <lxoliva@fsfla.org> -libre +- GNU Linux-libre 3.13.6-gnu. + +* Fri Mar 07 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.13.6-100 +- Linux v3.13.6 + +* Fri Mar 07 2014 Josh Boyer <jwboyer@fedoraproject.org> +- Add patch to fix iwldvm WARN (rhbz 1065663) +- Revert two xhci fixes that break USB mass storage (rhbz 1073180) + +* Thu Mar 06 2014 Josh Boyer <jwboyer@fedoraproject.org> +- Fix stale EC events on Samsung systems (rhbz 1003602) +- Fix depmod error message from hci_vhci module (rhbz 1051748) +- Fix bogus WARN in iwlwifi (rhbz 1071998) + +* Tue Mar 04 2014 Josh Boyer <jwboyer@fedoraproject.org> +- Fix MAC-before-DAC check for mmap_zero (rhbz 1013466) +- Fix hidp crash with apple bluetooth trackpads (rhbz 1027465) + * Mon Mar 03 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.5-103 - CVE-2014-0100 net: inet frag race condition use-after-free (rhbz 1072026 1070618) - CVE-2014-0101 sctp: null ptr deref when processing auth cookie_echo chunk (rhbz 1070209 1070705) diff --git a/freed-ora/current/f19/kvm-x86-fix-emulator-buffer-overflow.patch b/freed-ora/current/f19/kvm-x86-fix-emulator-buffer-overflow.patch deleted file mode 100644 index c159abe66..000000000 --- a/freed-ora/current/f19/kvm-x86-fix-emulator-buffer-overflow.patch +++ /dev/null @@ -1,49 +0,0 @@ -Bugzilla: 1071837 -Upstream-status: 3.14 - -From a08d3b3b99efd509133946056531cdf8f3a0c09b Mon Sep 17 00:00:00 2001 -From: Andrew Honig <ahonig@google.com> -Date: Thu, 27 Feb 2014 18:35:14 +0000 -Subject: kvm: x86: fix emulator buffer overflow (CVE-2014-0049) - -The problem occurs when the guest performs a pusha with the stack -address pointing to an mmio address (or an invalid guest physical -address) to start with, but then extending into an ordinary guest -physical address. When doing repeated emulated pushes -emulator_read_write sets mmio_needed to 1 on the first one. On a -later push when the stack points to regular memory, -mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0. - -As a result, KVM exits to userspace, and then returns to -complete_emulated_mmio. In complete_emulated_mmio -vcpu->mmio_cur_fragment is incremented. The termination condition of -vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved. -The code bounces back and fourth to userspace incrementing -mmio_cur_fragment past it's buffer. If the guest does nothing else it -eventually leads to a a crash on a memcpy from invalid memory address. - -However if a guest code can cause the vm to be destroyed in another -vcpu with excellent timing, then kvm_clear_async_pf_completion_queue -can be used by the guest to control the data that's pointed to by the -call to cancel_work_item, which can be used to gain execution. - -Fixes: f78146b0f9230765c6315b2e14f56112513389ad -Signed-off-by: Andrew Honig <ahonig@google.com> -Cc: stable@vger.kernel.org (3.5+) -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 39c28f09..2b85784 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -6186,7 +6186,7 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu) - frag->len -= len; - } - -- if (vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments) { -+ if (vcpu->mmio_cur_fragment >= vcpu->mmio_nr_fragments) { - vcpu->mmio_needed = 0; - - /* FIXME: return into emulator if single-stepping. */ --- -cgit v0.9.2 diff --git a/freed-ora/current/f19/patch-3.13-gnu-3.13.5-gnu.xz.sign b/freed-ora/current/f19/patch-3.13-gnu-3.13.5-gnu.xz.sign deleted file mode 100644 index df917e734..000000000 --- a/freed-ora/current/f19/patch-3.13-gnu-3.13.5-gnu.xz.sign +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.22 (GNU/Linux) - -iEYEABECAAYFAlMJYOsACgkQvLfPh359R6c1/ACcDxmGAn0m87xQ2q+1nI/qeHcB -gyAAn0owgpOFpJN2IZaqCTcS01Yb35cb -=BUAJ ------END PGP SIGNATURE----- diff --git a/freed-ora/current/f19/patch-3.13-gnu-3.13.6-gnu.xz.sign b/freed-ora/current/f19/patch-3.13-gnu-3.13.6-gnu.xz.sign new file mode 100644 index 000000000..0122ec751 --- /dev/null +++ b/freed-ora/current/f19/patch-3.13-gnu-3.13.6-gnu.xz.sign @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iEYEABECAAYFAlMZhocACgkQvLfPh359R6dwRgCghgaiWfXK7Ow5dqNzXx/7pOk2 +KNUAoKgNN/e/v4gorwcvDGBBVhzIIzr2 +=4ROg +-----END PGP SIGNATURE----- diff --git a/freed-ora/current/f19/selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch b/freed-ora/current/f19/selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch new file mode 100644 index 000000000..31e454884 --- /dev/null +++ b/freed-ora/current/f19/selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch @@ -0,0 +1,94 @@ +Bugzilla: 1013466 +Upstream-status: queued for 3.14/3.15? http://marc.info/?l=selinux&m=139351174702148&w=2 + +It turns out that doing the SELinux MAC checks for mmap() before the +DAC checks was causing users and the SELinux policy folks headaches +as users were seeing a lot of SELinux AVC denials for the +memprotect:mmap_zero permission that would have also been denied by +the normal DAC capability checks (CAP_SYS_RAWIO). + +Example: + + # cat mmap_test.c + #include <stdlib.h> + #include <stdio.h> + #include <errno.h> + #include <sys/mman.h> + + int main(int argc, char *argv[]) + { + int rc; + void *mem; + + mem = mmap(0x0, 4096, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); + if (mem == MAP_FAILED) + return errno; + printf("mem = %p\n", mem); + munmap(mem, 4096); + + return 0; + } + # gcc -g -O0 -o mmap_test mmap_test.c + # ./mmap_test + mem = (nil) + # ausearch -m AVC | grep mmap_zero + type=AVC msg=audit(...): avc: denied { mmap_zero } + for pid=1025 comm="mmap_test" + scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 + tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 + tclass=memprotect + +This patch corrects things so that when the above example is run by a +user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as +the DAC capability check fails before the SELinux permission check. + +Signed-off-by: Paul Moore <pmoore@redhat.com> +--- + security/selinux/hooks.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 57b0b49..e3664ae 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3205,24 +3205,20 @@ error: + + static int selinux_mmap_addr(unsigned long addr) + { +- int rc = 0; +- u32 sid = current_sid(); ++ int rc; ++ ++ /* do DAC check on address space usage */ ++ rc = cap_mmap_addr(addr); ++ if (rc) ++ return rc; + +- /* +- * notice that we are intentionally putting the SELinux check before +- * the secondary cap_file_mmap check. This is such a likely attempt +- * at bad behaviour/exploit that we always want to get the AVC, even +- * if DAC would have also denied the operation. +- */ + if (addr < CONFIG_LSM_MMAP_MIN_ADDR) { ++ u32 sid = current_sid(); + rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT, + MEMPROTECT__MMAP_ZERO, NULL); +- if (rc) +- return rc; + } + +- /* do DAC check on address space usage */ +- return cap_mmap_addr(addr); ++ return rc; + } + + static int selinux_mmap_file(struct file *file, unsigned long reqprot, + +_______________________________________________ +Selinux mailing list +Selinux@tycho.nsa.gov +To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. +To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. diff --git a/freed-ora/current/f19/sources b/freed-ora/current/f19/sources index 5a650e51e..4ff58f840 100644 --- a/freed-ora/current/f19/sources +++ b/freed-ora/current/f19/sources @@ -1,2 +1,2 @@ 98a8e803e0ed08557f3cdd4d56b0ddc1 linux-libre-3.13-gnu.tar.xz -6e59a1e4b891ca5fa8b03d488fa64e04 patch-3.13-gnu-3.13.5-gnu.xz +bd937981937fd3c7a553fc770236e640 patch-3.13-gnu-3.13.6-gnu.xz diff --git a/freed-ora/current/f19/usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch b/freed-ora/current/f19/usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch deleted file mode 100644 index 9593c14e2..000000000 --- a/freed-ora/current/f19/usb-ehci-fix-deadlock-when-threadirqs-option-is-used.patch +++ /dev/null @@ -1,57 +0,0 @@ -ehci_irq() and ehci_hrtimer_func() can deadlock on ehci->lock when -threadirqs option is used. To prevent the deadlock use -spin_lock_irqsave() in ehci_irq(). - -This change can be reverted when hrtimer callbacks become threaded. - -Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> ---- - drivers/usb/host/ehci-hcd.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c -index 4711427..0bc6410 100644 ---- a/drivers/usb/host/ehci-hcd.c -+++ b/drivers/usb/host/ehci-hcd.c -@@ -685,8 +685,15 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd) - struct ehci_hcd *ehci = hcd_to_ehci (hcd); - u32 status, masked_status, pcd_status = 0, cmd; - int bh; -+ unsigned long flags; - -- spin_lock (&ehci->lock); -+ /* -+ * For threadirqs option we use spin_lock_irqsave() variant to prevent -+ * deadlock with ehci hrtimer callback, because hrtimer callbacks run -+ * in interrupt context even when threadirqs is specified. We can go -+ * back to spin_lock() variant when hrtimer callbacks become threaded. -+ */ -+ spin_lock_irqsave(&ehci->lock, flags); - - status = ehci_readl(ehci, &ehci->regs->status); - -@@ -704,7 +711,7 @@ static irqreturn_t ehci_irq (struct usb_hcd *hcd) - - /* Shared IRQ? */ - if (!masked_status || unlikely(ehci->rh_state == EHCI_RH_HALTED)) { -- spin_unlock(&ehci->lock); -+ spin_unlock_irqrestore(&ehci->lock, flags); - return IRQ_NONE; - } - -@@ -815,7 +822,7 @@ dead: - - if (bh) - ehci_work (ehci); -- spin_unlock (&ehci->lock); -+ spin_unlock_irqrestore(&ehci->lock, flags); - if (pcd_status) - usb_hcd_poll_rh_status(hcd); - return IRQ_HANDLED; --- -1.7.11.7 - --- -To unsubscribe from this list: send the line "unsubscribe linux-usb" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html
\ No newline at end of file |
