diff --git a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch b/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch deleted file mode 100644 index 03527a5..0000000 --- a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch +++ /dev/null @@ -1,33 +0,0 @@ -From d1b9785eda70e7638927d294139c6d4796cb7ea6 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Tue, 22 Apr 2014 11:08:16 +0200 -Subject: [PATCH v3] synaptics: Add min/max quirk for ThinkPad Edge E431 - -Cc: stable@vger.kernel.org -Signed-off-by: Hans de Goede ---- - drivers/input/mouse/synaptics.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c -index 7c9f509..93cc8fd 100644 ---- a/drivers/input/mouse/synaptics.c -+++ b/drivers/input/mouse/synaptics.c -@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = { - .driver_data = (int []){1232, 5710, 1156, 4696}, - }, - { -+ /* Lenovo ThinkPad Edge E431 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Edge E431"), -+ }, -+ .driver_data = (int []){1024, 5022, 2508, 4832}, -+ }, -+ { - /* Lenovo ThinkPad T431s */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), --- -1.9.0 - diff --git a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch b/0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch deleted file mode 100644 index e722999..0000000 --- a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 46a2986ebbe18757c2d8c352f8fb6e0f4f0754e3 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Sat, 19 Apr 2014 22:31:18 -0700 -Subject: [PATCH] Input: synaptics - add min/max quirk for ThinkPad T431s, - L440, L540, S1 Yoga and X1 - -We expect that all the Haswell series will need such quirks, sigh. - -The T431s seems to be T430 hardware in a T440s case, using the T440s touchpad, -with the same min/max issue. - -The X1 Carbon 3rd generation name says 2nd while it is a 3rd generation. - -The X1 and T431s share a PnPID with the T540p, but the reported ranges are -closer to those of the T440s. - -HdG: Squashed 5 quirk patches into one. T431s + L440 + L540 are written by me, -S1 Yoga and X1 are written by Benjamin Tissoires. - -Hdg: Standardized S1 Yoga and X1 values, Yoga uses the same touchpad as the -X240, X1 uses the same touchpad as the T440. - -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires -Signed-off-by: Hans de Goede -Signed-off-by: Dmitry Torokhov ---- - drivers/input/mouse/synaptics.c | 42 +++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 42 insertions(+) - -diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c -index 9d75410..ef9f491 100644 ---- a/drivers/input/mouse/synaptics.c -+++ b/drivers/input/mouse/synaptics.c -@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = { - .driver_data = (int []){1232, 5710, 1156, 4696}, - }, - { -+ /* Lenovo ThinkPad T431s */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T431"), -+ }, -+ .driver_data = (int []){1024, 5112, 2024, 4832}, -+ }, -+ { - /* Lenovo ThinkPad T440s */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -@@ -1574,6 +1582,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = { - .driver_data = (int []){1024, 5112, 2024, 4832}, - }, - { -+ /* Lenovo ThinkPad L440 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L440"), -+ }, -+ .driver_data = (int []){1024, 5112, 2024, 4832}, -+ }, -+ { - /* Lenovo ThinkPad T540p */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -@@ -1581,6 +1597,32 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = { - }, - .driver_data = (int []){1024, 5056, 2058, 4832}, - }, -+ { -+ /* Lenovo ThinkPad L540 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L540"), -+ }, -+ .driver_data = (int []){1024, 5112, 2024, 4832}, -+ }, -+ { -+ /* Lenovo Yoga S1 */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, -+ "ThinkPad S1 Yoga"), -+ }, -+ .driver_data = (int []){1232, 5710, 1156, 4696}, -+ }, -+ { -+ /* Lenovo ThinkPad X1 Carbon Haswell (3rd generation) */ -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), -+ DMI_MATCH(DMI_PRODUCT_VERSION, -+ "ThinkPad X1 Carbon 2nd"), -+ }, -+ .driver_data = (int []){1024, 5112, 2024, 4832}, -+ }, - #endif - { } - }; --- -1.9.0 - diff --git a/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch b/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch deleted file mode 100644 index 170911e..0000000 --- a/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch +++ /dev/null @@ -1,38 +0,0 @@ -Bugzilla: 1085016 -Upstream-status: Queued for 3.15 - -From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Fri, 28 Mar 2014 20:41:50 +0100 -Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi - (CVE-2014-0155) - -QE reported that they got the BUG_ON in ioapic_service to trigger. -I cannot reproduce it, but there are two reasons why this could happen. - -The less likely but also easiest one, is when kvm_irq_delivery_to_apic -does not deliver to any APIC and returns -1. - -Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that -function is never reached. However, you can target the similar loop in -kvm_irq_delivery_to_apic_fast; just program a zero logical destination -address into the IOAPIC, or an out-of-range physical destination address. - -Signed-off-by: Paolo Bonzini - -diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c -index d4b6015..d98d107 100644 ---- a/virt/kvm/ioapic.c -+++ b/virt/kvm/ioapic.c -@@ -356,7 +356,7 @@ static int ioapic_service(struct kvm_ioapic *ioapic, int irq, bool line_status) - BUG_ON(ioapic->rtc_status.pending_eoi != 0); - ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, - ioapic->rtc_status.dest_map); -- ioapic->rtc_status.pending_eoi = ret; -+ ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret); - } else - ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL); - --- -cgit v0.10.1 - diff --git a/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch deleted file mode 100644 index 93fce3d..0000000 --- a/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch +++ /dev/null @@ -1,38 +0,0 @@ -Bugzilla: 1096195 -Upstream-status: 3.15 and queued for stable - -From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001 -From: Matthew Daley -Date: Mon, 28 Apr 2014 19:05:21 +1200 -Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output - -From: Matthew Daley - -commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream. - -Do not leak kernel-only floppy_raw_cmd structure members to userspace. -This includes the linked-list pointer and the pointer to the allocated -DMA space. - -Signed-off-by: Matthew Daley -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/block/floppy.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void - int ret; - - while (ptr) { -- ret = copy_to_user(param, ptr, sizeof(*ptr)); -+ struct floppy_raw_cmd cmd = *ptr; -+ cmd.next = NULL; -+ cmd.kernel_data = NULL; -+ ret = copy_to_user(param, &cmd, sizeof(cmd)); - if (ret) - return -EFAULT; - param += sizeof(struct floppy_raw_cmd); diff --git a/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch deleted file mode 100644 index 712a9e0..0000000 --- a/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch +++ /dev/null @@ -1,48 +0,0 @@ -Bugzilla: 1096195 -Upstream-status: 3.15 and queued for stable - -From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001 -From: Matthew Daley -Date: Mon, 28 Apr 2014 19:05:20 +1200 -Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input - -From: Matthew Daley - -commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream. - -Always clear out these floppy_raw_cmd struct members after copying the -entire structure from userspace so that the in-kernel version is always -valid and never left in an interdeterminate state. - -Signed-off-by: Matthew Daley -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/block/floppy.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/drivers/block/floppy.c -+++ b/drivers/block/floppy.c -@@ -3107,10 +3107,11 @@ loop: - return -ENOMEM; - *rcmd = ptr; - ret = copy_from_user(ptr, param, sizeof(*ptr)); -- if (ret) -- return -EFAULT; - ptr->next = NULL; - ptr->buffer_length = 0; -+ ptr->kernel_data = NULL; -+ if (ret) -+ return -EFAULT; - param += sizeof(struct floppy_raw_cmd); - if (ptr->cmd_count > 33) - /* the command may now also take up the space -@@ -3126,7 +3127,6 @@ loop: - for (i = 0; i < 16; i++) - ptr->reply[i] = 0; - ptr->resultcode = 0; -- ptr->kernel_data = NULL; - - if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { - if (ptr->length <= 0) diff --git a/iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch b/iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch deleted file mode 100644 index ee06d9f..0000000 --- a/iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch +++ /dev/null @@ -1,48 +0,0 @@ -Bugzilla: 1046495 -Upstream-status: Sent for 3.14 http://marc.info/?l=linux-wireless&m=139453882510796&w=2 - -From: Emmanuel Grumbach - -There is a flow in which we send the host command in SYNC -mode, but we don't take priv->mutex. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1046495 - -Cc: -Reviewed-by: Johannes Berg -Signed-off-by: Emmanuel Grumbach ---- - drivers/net/wireless/iwlwifi/dvm/main.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c -index ba1b1ea..ea7e70c 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/main.c -+++ b/drivers/net/wireless/iwlwifi/dvm/main.c -@@ -252,13 +252,17 @@ static void iwl_bg_bt_runtime_config(struct work_struct *work) - struct iwl_priv *priv = - container_of(work, struct iwl_priv, bt_runtime_config); - -+ mutex_lock(&priv->mutex); - if (test_bit(STATUS_EXIT_PENDING, &priv->status)) -- return; -+ goto out; - - /* dont send host command if rf-kill is on */ - if (!iwl_is_ready_rf(priv)) -- return; -+ goto out; -+ - iwlagn_send_advance_bt_config(priv); -+out: -+ mutex_unlock(&priv->mutex); - } - - static void iwl_bg_bt_full_concurrency(struct work_struct *work) --- -1.8.3.2 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index bc76043..d4df484 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -709,21 +709,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 1051748 Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch -#rhbz 1046495 -Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch - -#CVE-2014-0155 rhbz 1081589 1085016 -Patch25036: KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch - -#rhbz 1074235 -Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch - #CVE-2014-2851 rhbz 1086730 1087420 Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch -#rhbz 1085582 1085697 1088588 -Patch25060: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch - #rhbz 1074710 Patch25061: mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch @@ -742,9 +730,6 @@ Patch25072: HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch #rhbz 1013466 Patch25065: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch -#rhbz 1089689 -Patch25066: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch - #rhbz 1090746 Patch25067: ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch @@ -763,12 +748,6 @@ Patch25073: net-Start-with-correct-mac_len-in-skb_network_protoc.patch #rhbz 1089545 Patch25074: 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch -#rhbz 1082586 -Patch25075: locks-allow-__break_lease-to-sleep-even-when-break_t.patch - -#CVE-2014-0196 rhbz 1094232 1094240 -Patch25076: n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch - #misc input fixes Patch25077: 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch Patch25078: 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch @@ -790,10 +769,6 @@ Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-m #rhbz 1082266 Patch25087: jme-fix-dma-unmap-error.patch -#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195 -Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch -Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch - # CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784 Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch @@ -1461,12 +1436,6 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 1051748 ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch -#rhbz 1046495 -ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch - -#CVE-2014-0155 rhbz 1081589 1085016 -ApplyPatch KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch - #rhbz 1048314 ApplyPatch 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch #rhbz 1089583 @@ -1474,15 +1443,9 @@ ApplyPatch 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch #rhbz 1090161 ApplyPatch HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch -#rhbz 1074235 -ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch - #CVE-2014-2851 rhbz 1086730 1087420 ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch -#rhbz 1085582 1085697 -ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch - #rhbz 1074710 ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch @@ -1492,9 +1455,6 @@ ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch #rhbz 1013466 ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch -#rhbz 1089689 -ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch - #rhbz 1090746 ApplyPatch ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch @@ -1513,12 +1473,6 @@ ApplyPatch net-Start-with-correct-mac_len-in-skb_network_protoc.patch #rhbz 1089545 ApplyPatch 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch -#rhbz 1082586 -ApplyPatch locks-allow-__break_lease-to-sleep-even-when-break_t.patch - -#CVE-2014-0196 rhbz 1094232 1094240 -ApplyPatch n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch - #misc input fixes ApplyPatch 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch ApplyPatch 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch @@ -1540,10 +1494,6 @@ ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-me #rhbz 1082266 ApplyPatch jme-fix-dma-unmap-error.patch -#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195 -ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch -ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch - # CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784 ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch @@ -2358,6 +2308,9 @@ fi # ||----w | # || || %changelog +* Tue May 13 2014 Justin M. Forbes +- Linux v3.14.4 + * Mon May 12 2014 Josh Boyer - CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784) diff --git a/lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch b/lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch deleted file mode 100644 index 7cc9d9e..0000000 --- a/lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch +++ /dev/null @@ -1,63 +0,0 @@ -Bugzilla: 1074235 -Upstream-status: 3.15 and CC'd to stable - -From e39435ce68bb4685288f78b1a7e24311f7ef939f Mon Sep 17 00:00:00 2001 -From: Jens Axboe -Date: Tue, 8 Apr 2014 16:04:12 -0700 -Subject: [PATCH] lib/percpu_counter.c: fix bad percpu counter state during - suspend - -I got a bug report yesterday from Laszlo Ersek in which he states that -his kvm instance fails to suspend. Laszlo bisected it down to this -commit 1cf7e9c68fe8 ("virtio_blk: blk-mq support") where virtio-blk is -converted to use the blk-mq infrastructure. - -After digging a bit, it became clear that the issue was with the queue -drain. blk-mq tracks queue usage in a percpu counter, which is -incremented on request alloc and decremented when the request is freed. -The initial hunt was for an inconsistency in blk-mq, but everything -seemed fine. In fact, the counter only returned crazy values when -suspend was in progress. - -When a CPU is unplugged, the percpu counters merges that CPU state with -the general state. blk-mq takes care to register a hotcpu notifier with -the appropriate priority, so we know it runs after the percpu counter -notifier. However, the percpu counter notifier only merges the state -when the CPU is fully gone. This leaves a state transition where the -CPU going away is no longer in the online mask, yet it still holds -private values. This means that in this state, percpu_counter_sum() -returns invalid results, and the suspend then hangs waiting for -abs(dead-cpu-value) requests to complete which of course will never -happen. - -Fix this by clearing the state earlier, so we never have a case where -the CPU isn't in online mask but still holds private state. This bug -has been there since forever, I guess we don't have a lot of users where -percpu counters needs to be reliable during the suspend cycle. - -Signed-off-by: Jens Axboe -Reported-by: Laszlo Ersek -Tested-by: Laszlo Ersek -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds ---- - lib/percpu_counter.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/percpu_counter.c b/lib/percpu_counter.c -index 8280a5dd1727..7dd33577b905 100644 ---- a/lib/percpu_counter.c -+++ b/lib/percpu_counter.c -@@ -169,7 +169,7 @@ static int percpu_counter_hotcpu_callback(struct notifier_block *nb, - struct percpu_counter *fbc; - - compute_batch_value(); -- if (action != CPU_DEAD) -+ if (action != CPU_DEAD && action != CPU_DEAD_FROZEN) - return NOTIFY_OK; - - cpu = (unsigned long)hcpu; --- -1.8.5.3 - diff --git a/locks-allow-__break_lease-to-sleep-even-when-break_t.patch b/locks-allow-__break_lease-to-sleep-even-when-break_t.patch deleted file mode 100644 index ee893f0..0000000 --- a/locks-allow-__break_lease-to-sleep-even-when-break_t.patch +++ /dev/null @@ -1,50 +0,0 @@ -Bugzilla: 1082586 -Upstream-status: 3.15 and sent for stable - -From f1c6bb2cb8b81013e8979806f8e15e3d53efb96d Mon Sep 17 00:00:00 2001 -From: Jeff Layton -Date: Tue, 15 Apr 2014 06:17:49 -0400 -Subject: [PATCH] locks: allow __break_lease to sleep even when break_time is 0 - -A fl->fl_break_time of 0 has a special meaning to the lease break code -that basically means "never break the lease". knfsd uses this to ensure -that leases don't disappear out from under it. - -Unfortunately, the code in __break_lease can end up passing this value -to wait_event_interruptible as a timeout, which prevents it from going -to sleep at all. This makes __break_lease to spin in a tight loop and -causes soft lockups. - -Fix this by ensuring that we pass a minimum value of 1 as a timeout -instead. - -Cc: -Cc: J. Bruce Fields -Reported-by: Terry Barnaby -Signed-off-by: Jeff Layton ---- - fs/locks.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/fs/locks.c b/fs/locks.c -index 13fc7a6d380a..b380f5543614 100644 ---- a/fs/locks.c -+++ b/fs/locks.c -@@ -1391,11 +1391,10 @@ int __break_lease(struct inode *inode, unsigned int mode, unsigned int type) - - restart: - break_time = flock->fl_break_time; -- if (break_time != 0) { -+ if (break_time != 0) - break_time -= jiffies; -- if (break_time == 0) -- break_time++; -- } -+ if (break_time == 0) -+ break_time++; - locks_insert_block(flock, new_fl); - spin_unlock(&inode->i_lock); - error = wait_event_interruptible_timeout(new_fl->fl_wait, --- -1.9.0 - diff --git a/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch b/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch deleted file mode 100644 index d5f980c..0000000 --- a/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch +++ /dev/null @@ -1,86 +0,0 @@ -Bugzilla: 1094240 -Upstream-status: 3.15 and CC'd to stable - -From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001 -From: Peter Hurley -Date: Sat, 3 May 2014 14:04:59 +0200 -Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode - -The tty atomic_write_lock does not provide an exclusion guarantee for -the tty driver if the termios settings are LECHO & !OPOST. And since -it is unexpected and not allowed to call TTY buffer helpers like -tty_insert_flip_string concurrently, this may lead to crashes when -concurrect writers call pty_write. In that case the following two -writers: -* the ECHOing from a workqueue and -* pty_write from the process -race and can overflow the corresponding TTY buffer like follows. - -If we look into tty_insert_flip_string_fixed_flag, there is: - int space = __tty_buffer_request_room(port, goal, flags); - struct tty_buffer *tb = port->buf.tail; - ... - memcpy(char_buf_ptr(tb, tb->used), chars, space); - ... - tb->used += space; - -so the race of the two can result in something like this: - A B -__tty_buffer_request_room - __tty_buffer_request_room -memcpy(buf(tb->used), ...) -tb->used += space; - memcpy(buf(tb->used), ...) ->BOOM - -B's memcpy is past the tty_buffer due to the previous A's tb->used -increment. - -Since the N_TTY line discipline input processing can output -concurrently with a tty write, obtain the N_TTY ldisc output_lock to -serialize echo output with normal tty writes. This ensures the tty -buffer helper tty_insert_flip_string is not called concurrently and -everything is fine. - -Note that this is nicely reproducible by an ordinary user using -forkpty and some setup around that (raw termios + ECHO). And it is -present in kernels at least after commit -d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to -use the normal buffering logic) in 2.6.31-rc3. - -js: add more info to the commit log -js: switch to bool -js: lock unconditionally -js: lock only the tty->ops->write call - -References: CVE-2014-0196 -Reported-and-tested-by: Jiri Slaby -Signed-off-by: Peter Hurley -Signed-off-by: Jiri Slaby -Cc: Linus Torvalds -Cc: Alan Cox -Cc: -Signed-off-by: Greg Kroah-Hartman ---- - drivers/tty/n_tty.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c -index 41fe8a047d37..fe9d129c8735 100644 ---- a/drivers/tty/n_tty.c -+++ b/drivers/tty/n_tty.c -@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, - if (tty->ops->flush_chars) - tty->ops->flush_chars(tty); - } else { -+ struct n_tty_data *ldata = tty->disc_data; -+ - while (nr > 0) { -+ mutex_lock(&ldata->output_lock); - c = tty->ops->write(tty, b, nr); -+ mutex_unlock(&ldata->output_lock); - if (c < 0) { - retval = c; - goto break_out; --- -1.9.0 - diff --git a/sources b/sources index 7665091..acf61ae 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz -92a784cdb150c798e122ac080dc0f455 patch-3.14.3.xz +116f27cf17c3522716b6678b17516067 patch-3.14.4.xz