Linux v3.14.4

11 files changed, 5 insertions, 556 deletions

diff --git a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch b/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
deleted file mode 100644
index 03527a56..00000000
--- a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d1b9785eda70e7638927d294139c6d4796cb7ea6 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Tue, 22 Apr 2014 11:08:16 +0200
-Subject: [PATCH v3] synaptics: Add min/max quirk for ThinkPad Edge E431
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
----
- drivers/input/mouse/synaptics.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index 7c9f509..93cc8fd 100644
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
- 		.driver_data = (int []){1232, 5710, 1156, 4696},
- 	},
- 	{
-+		/* Lenovo ThinkPad Edge E431 */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Edge E431"),
-+		},
-+		.driver_data = (int []){1024, 5022, 2508, 4832},
-+	},
-+	{
- 		/* Lenovo ThinkPad T431s */
- 		.matches = {
- 			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
--- 
-1.9.0
-
diff --git a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch b/0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
deleted file mode 100644
index e722999a..00000000
--- a/0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 46a2986ebbe18757c2d8c352f8fb6e0f4f0754e3 Mon Sep 17 00:00:00 2001
-From: Hans de Goede <hdegoede@redhat.com>
-Date: Sat, 19 Apr 2014 22:31:18 -0700
-Subject: [PATCH] Input: synaptics - add min/max quirk for ThinkPad T431s,
- L440, L540, S1 Yoga and X1
-
-We expect that all the Haswell series will need such quirks, sigh.
-
-The T431s seems to be T430 hardware in a T440s case, using the T440s touchpad,
-with the same min/max issue.
-
-The X1 Carbon 3rd generation name says 2nd while it is a 3rd generation.
-
-The X1 and T431s share a PnPID with the T540p, but the reported ranges are
-closer to those of the T440s.
-
-HdG: Squashed 5 quirk patches into one. T431s + L440 + L540 are written by me,
-S1 Yoga and X1 are written by Benjamin Tissoires.
-
-Hdg: Standardized S1 Yoga and X1 values, Yoga uses the same touchpad as the
-X240, X1 uses the same touchpad as the T440.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Hans de Goede <hdegoede@redhat.com>
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
----
- drivers/input/mouse/synaptics.c | 42 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 42 insertions(+)
-
-diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index 9d75410..ef9f491 100644
---- a/drivers/input/mouse/synaptics.c
-+++ b/drivers/input/mouse/synaptics.c
-@@ -1566,6 +1566,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
- 		.driver_data = (int []){1232, 5710, 1156, 4696},
- 	},
- 	{
-+		/* Lenovo ThinkPad T431s */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T431"),
-+		},
-+		.driver_data = (int []){1024, 5112, 2024, 4832},
-+	},
-+	{
- 		/* Lenovo ThinkPad T440s */
- 		.matches = {
- 			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-@@ -1574,6 +1582,14 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
- 		.driver_data = (int []){1024, 5112, 2024, 4832},
- 	},
- 	{
-+		/* Lenovo ThinkPad L440 */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L440"),
-+		},
-+		.driver_data = (int []){1024, 5112, 2024, 4832},
-+	},
-+	{
- 		/* Lenovo ThinkPad T540p */
- 		.matches = {
- 			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-@@ -1581,6 +1597,32 @@ static const struct dmi_system_id min_max_dmi_table[] __initconst = {
- 		},
- 		.driver_data = (int []){1024, 5056, 2058, 4832},
- 	},
-+	{
-+		/* Lenovo ThinkPad L540 */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L540"),
-+		},
-+		.driver_data = (int []){1024, 5112, 2024, 4832},
-+	},
-+	{
-+		/* Lenovo Yoga S1 */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_EXACT_MATCH(DMI_PRODUCT_VERSION,
-+					"ThinkPad S1 Yoga"),
-+		},
-+		.driver_data = (int []){1232, 5710, 1156, 4696},
-+	},
-+	{
-+		/* Lenovo ThinkPad X1 Carbon Haswell (3rd generation) */
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION,
-+					"ThinkPad X1 Carbon 2nd"),
-+		},
-+		.driver_data = (int []){1024, 5112, 2024, 4832},
-+	},
- #endif
- 	{ }
- };
--- 
-1.9.0
-
diff --git a/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch b/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
deleted file mode 100644
index 170911e1..00000000
--- a/KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Bugzilla: 1085016
-Upstream-status: Queued for 3.15
-
-From 5678de3f15010b9022ee45673f33bcfc71d47b60 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 28 Mar 2014 20:41:50 +0100
-Subject: KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi
- (CVE-2014-0155)
-
-QE reported that they got the BUG_ON in ioapic_service to trigger.
-I cannot reproduce it, but there are two reasons why this could happen.
-
-The less likely but also easiest one, is when kvm_irq_delivery_to_apic
-does not deliver to any APIC and returns -1.
-
-Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that
-function is never reached.  However, you can target the similar loop in
-kvm_irq_delivery_to_apic_fast; just program a zero logical destination
-address into the IOAPIC, or an out-of-range physical destination address.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-diff --git a/virt/kvm/ioapic.c b/virt/kvm/ioapic.c
-index d4b6015..d98d107 100644
---- a/virt/kvm/ioapic.c
-+++ b/virt/kvm/ioapic.c
-@@ -356,7 +356,7 @@ static int ioapic_service(struct kvm_ioapic *ioapic, int irq, bool line_status)
- 		BUG_ON(ioapic->rtc_status.pending_eoi != 0);
- 		ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe,
- 				ioapic->rtc_status.dest_map);
--		ioapic->rtc_status.pending_eoi = ret;
-+		ioapic->rtc_status.pending_eoi = (ret < 0 ? 0 : ret);
- 	} else
- 		ret = kvm_irq_delivery_to_apic(ioapic->kvm, NULL, &irqe, NULL);
- 
--- 
-cgit v0.10.1
-
diff --git a/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
deleted file mode 100644
index 93fce3d4..00000000
--- a/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Bugzilla: 1096195
-Upstream-status: 3.15 and queued for stable
-
-From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattd@bugfuzz.com>
-Date: Mon, 28 Apr 2014 19:05:21 +1200
-Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
-
-From: Matthew Daley <mattd@bugfuzz.com>
-
-commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
-
-Do not leak kernel-only floppy_raw_cmd structure members to userspace.
-This includes the linked-list pointer and the pointer to the allocated
-DMA space.
-
-Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/block/floppy.c |    5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/block/floppy.c
-+++ b/drivers/block/floppy.c
-@@ -3053,7 +3053,10 @@ static int raw_cmd_copyout(int cmd, void
- 	int ret;
- 
- 	while (ptr) {
--		ret = copy_to_user(param, ptr, sizeof(*ptr));
-+		struct floppy_raw_cmd cmd = *ptr;
-+		cmd.next = NULL;
-+		cmd.kernel_data = NULL;
-+		ret = copy_to_user(param, &cmd, sizeof(cmd));
- 		if (ret)
- 			return -EFAULT;
- 		param += sizeof(struct floppy_raw_cmd);
diff --git a/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
deleted file mode 100644
index 712a9e06..00000000
--- a/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Bugzilla: 1096195
-Upstream-status: 3.15 and queued for stable
-
-From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
-From: Matthew Daley <mattd@bugfuzz.com>
-Date: Mon, 28 Apr 2014 19:05:20 +1200
-Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
-
-From: Matthew Daley <mattd@bugfuzz.com>
-
-commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
-
-Always clear out these floppy_raw_cmd struct members after copying the
-entire structure from userspace so that the in-kernel version is always
-valid and never left in an interdeterminate state.
-
-Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/block/floppy.c |    6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/drivers/block/floppy.c
-+++ b/drivers/block/floppy.c
-@@ -3107,10 +3107,11 @@ loop:
- 		return -ENOMEM;
- 	*rcmd = ptr;
- 	ret = copy_from_user(ptr, param, sizeof(*ptr));
--	if (ret)
--		return -EFAULT;
- 	ptr->next = NULL;
- 	ptr->buffer_length = 0;
-+	ptr->kernel_data = NULL;
-+	if (ret)
-+		return -EFAULT;
- 	param += sizeof(struct floppy_raw_cmd);
- 	if (ptr->cmd_count > 33)
- 			/* the command may now also take up the space
-@@ -3126,7 +3127,6 @@ loop:
- 	for (i = 0; i < 16; i++)
- 		ptr->reply[i] = 0;
- 	ptr->resultcode = 0;
--	ptr->kernel_data = NULL;
- 
- 	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
- 		if (ptr->length <= 0)
diff --git a/iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch b/iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
deleted file mode 100644
index ee06d9f0..00000000
--- a/iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Bugzilla: 1046495
-Upstream-status: Sent for 3.14 http://marc.info/?l=linux-wireless&m=139453882510796&w=2
-
-From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
-
-There is a flow in which we send the host command in SYNC
-mode, but we don't take priv->mutex.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1046495
-
-Cc: <stable@vger.kernel.org>
-Reviewed-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
----
- drivers/net/wireless/iwlwifi/dvm/main.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c
-index ba1b1ea..ea7e70c 100644
---- a/drivers/net/wireless/iwlwifi/dvm/main.c
-+++ b/drivers/net/wireless/iwlwifi/dvm/main.c
-@@ -252,13 +252,17 @@ static void iwl_bg_bt_runtime_config(struct work_struct *work)
- 	struct iwl_priv *priv =
- 		container_of(work, struct iwl_priv, bt_runtime_config);
- 
-+	mutex_lock(&priv->mutex);
- 	if (test_bit(STATUS_EXIT_PENDING, &priv->status))
--		return;
-+		goto out;
- 
- 	/* dont send host command if rf-kill is on */
- 	if (!iwl_is_ready_rf(priv))
--		return;
-+		goto out;
-+
- 	iwlagn_send_advance_bt_config(priv);
-+out:
-+	mutex_unlock(&priv->mutex);
- }
- 
- static void iwl_bg_bt_full_concurrency(struct work_struct *work)
--- 
-1.8.3.2
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff --git a/kernel.spec b/kernel.spec
index bc76043a..d4df4844 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -74,7 +74,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 3
+%define stable_update 4
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -709,21 +709,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
 #rhbz 1051748
 Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch
 
-#rhbz 1046495
-Patch25044: iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
-
-#CVE-2014-0155 rhbz 1081589 1085016
-Patch25036: KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
-
-#rhbz 1074235
-Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
-
 #CVE-2014-2851 rhbz 1086730 1087420
 Patch25059: net-ipv4-current-group_info-should-be-put-after-using.patch
 
-#rhbz 1085582 1085697 1088588
-Patch25060: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
-
 #rhbz 1074710
 Patch25061: mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
 
@@ -742,9 +730,6 @@ Patch25072: HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
 #rhbz 1013466
 Patch25065: selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
 
-#rhbz 1089689
-Patch25066: 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
-
 #rhbz 1090746
 Patch25067: ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
 
@@ -763,12 +748,6 @@ Patch25073: net-Start-with-correct-mac_len-in-skb_network_protoc.patch
 #rhbz 1089545
 Patch25074: 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
 
-#rhbz 1082586
-Patch25075: locks-allow-__break_lease-to-sleep-even-when-break_t.patch
-
-#CVE-2014-0196 rhbz 1094232 1094240
-Patch25076: n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
-
 #misc input fixes
 Patch25077: 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
 Patch25078: 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
@@ -790,10 +769,6 @@ Patch25086: 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-m
 #rhbz 1082266
 Patch25087: jme-fix-dma-unmap-error.patch
 
-#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
-Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
-Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
-
 # CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
 Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
 
@@ -1461,12 +1436,6 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
 #rhbz 1051748
 ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch
 
-#rhbz 1046495
-ApplyPatch iwlwifi-dvm-take-mutex-when-sending-SYNC-BT-config-command.patch
-
-#CVE-2014-0155 rhbz 1081589 1085016
-ApplyPatch KVM-ioapic-fix-assignment-of-ioapic-rtc_status-pending_eoi.patch
-
 #rhbz 1048314
 ApplyPatch 0001-HID-rmi-introduce-RMI-driver-for-Synaptics-touchpads.patch
 #rhbz 1089583
@@ -1474,15 +1443,9 @@ ApplyPatch 0001-HID-rmi-do-not-handle-touchscreens-through-hid-rmi.patch
 #rhbz 1090161
 ApplyPatch HID-rmi-do-not-fetch-more-than-16-bytes-in-a-query.patch
 
-#rhbz 1074235
-ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
-
 #CVE-2014-2851 rhbz 1086730 1087420
 ApplyPatch net-ipv4-current-group_info-should-be-put-after-using.patch
 
-#rhbz 1085582 1085697
-ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-T431s-L440-.patch
-
 #rhbz 1074710
 ApplyPatch mm-page_alloc.c-change-mm-debug-routines-back-to-EXP.patch
 
@@ -1492,9 +1455,6 @@ ApplyPatch USB-serial-ftdi_sio-add-id-for-Brainboxes-serial-car.patch
 #rhbz 1013466
 ApplyPatch selinux-put-the-mmap-DAC-controls-before-the-MAC-controls.patch
 
-#rhbz 1089689
-ApplyPatch 0001-synaptics-Add-min-max-quirk-for-ThinkPad-Edge-E431.patch
-
 #rhbz 1090746
 ApplyPatch ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
 
@@ -1513,12 +1473,6 @@ ApplyPatch net-Start-with-correct-mac_len-in-skb_network_protoc.patch
 #rhbz 1089545
 ApplyPatch 0001-acpi-video-Add-use_native_backlight-quirks-for-Think.patch
 
-#rhbz 1082586
-ApplyPatch locks-allow-__break_lease-to-sleep-even-when-break_t.patch
-
-#CVE-2014-0196 rhbz 1094232 1094240
-ApplyPatch n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
-
 #misc input fixes
 ApplyPatch 0001-hid-quirks-Add-NO_INIT_REPORTS-quirk-for-Synaptics-T.patch
 ApplyPatch 0002-elantech-Fix-elantech-on-Gigabyte-U2442.patch
@@ -1540,10 +1494,6 @@ ApplyPatch 5-5-net-Use-netlink_ns_capable-to-verify-the-permisions-of-netlink-me
 #rhbz 1082266
 ApplyPatch jme-fix-dma-unmap-error.patch
 
-#CVE-2014-1738 CVE-2014-1737 rhbz 1094299 1096195
-ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
-ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
-
 # CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
 ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
 
@@ -2358,6 +2308,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue May 13 2014 Justin M. Forbes <jforbes@fedoraproject.org>
+- Linux v3.14.4
+
 * Mon May 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
 
diff --git a/lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch b/lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
deleted file mode 100644
index 7cc9d9ee..00000000
--- a/lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-Bugzilla: 1074235
-Upstream-status: 3.15 and CC'd to stable
-
-From e39435ce68bb4685288f78b1a7e24311f7ef939f Mon Sep 17 00:00:00 2001
-From: Jens Axboe <axboe@fb.com>
-Date: Tue, 8 Apr 2014 16:04:12 -0700
-Subject: [PATCH] lib/percpu_counter.c: fix bad percpu counter state during
- suspend
-
-I got a bug report yesterday from Laszlo Ersek in which he states that
-his kvm instance fails to suspend.  Laszlo bisected it down to this
-commit 1cf7e9c68fe8 ("virtio_blk: blk-mq support") where virtio-blk is
-converted to use the blk-mq infrastructure.
-
-After digging a bit, it became clear that the issue was with the queue
-drain.  blk-mq tracks queue usage in a percpu counter, which is
-incremented on request alloc and decremented when the request is freed.
-The initial hunt was for an inconsistency in blk-mq, but everything
-seemed fine.  In fact, the counter only returned crazy values when
-suspend was in progress.
-
-When a CPU is unplugged, the percpu counters merges that CPU state with
-the general state.  blk-mq takes care to register a hotcpu notifier with
-the appropriate priority, so we know it runs after the percpu counter
-notifier.  However, the percpu counter notifier only merges the state
-when the CPU is fully gone.  This leaves a state transition where the
-CPU going away is no longer in the online mask, yet it still holds
-private values.  This means that in this state, percpu_counter_sum()
-returns invalid results, and the suspend then hangs waiting for
-abs(dead-cpu-value) requests to complete which of course will never
-happen.
-
-Fix this by clearing the state earlier, so we never have a case where
-the CPU isn't in online mask but still holds private state.  This bug
-has been there since forever, I guess we don't have a lot of users where
-percpu counters needs to be reliable during the suspend cycle.
-
-Signed-off-by: Jens Axboe <axboe@fb.com>
-Reported-by: Laszlo Ersek <lersek@redhat.com>
-Tested-by: Laszlo Ersek <lersek@redhat.com>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- lib/percpu_counter.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/percpu_counter.c b/lib/percpu_counter.c
-index 8280a5dd1727..7dd33577b905 100644
---- a/lib/percpu_counter.c
-+++ b/lib/percpu_counter.c
-@@ -169,7 +169,7 @@ static int percpu_counter_hotcpu_callback(struct notifier_block *nb,
- 	struct percpu_counter *fbc;
- 
- 	compute_batch_value();
--	if (action != CPU_DEAD)
-+	if (action != CPU_DEAD && action != CPU_DEAD_FROZEN)
- 		return NOTIFY_OK;
- 
- 	cpu = (unsigned long)hcpu;
--- 
-1.8.5.3
-
diff --git a/locks-allow-__break_lease-to-sleep-even-when-break_t.patch b/locks-allow-__break_lease-to-sleep-even-when-break_t.patch
deleted file mode 100644
index ee893f09..00000000
--- a/locks-allow-__break_lease-to-sleep-even-when-break_t.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Bugzilla: 1082586
-Upstream-status: 3.15 and sent for stable
-
-From f1c6bb2cb8b81013e8979806f8e15e3d53efb96d Mon Sep 17 00:00:00 2001
-From: Jeff Layton <jlayton@redhat.com>
-Date: Tue, 15 Apr 2014 06:17:49 -0400
-Subject: [PATCH] locks: allow __break_lease to sleep even when break_time is 0
-
-A fl->fl_break_time of 0 has a special meaning to the lease break code
-that basically means "never break the lease". knfsd uses this to ensure
-that leases don't disappear out from under it.
-
-Unfortunately, the code in __break_lease can end up passing this value
-to wait_event_interruptible as a timeout, which prevents it from going
-to sleep at all. This makes __break_lease to spin in a tight loop and
-causes soft lockups.
-
-Fix this by ensuring that we pass a minimum value of 1 as a timeout
-instead.
-
-Cc: <stable@vger.kernel.org>
-Cc: J. Bruce Fields <bfields@fieldses.org>
-Reported-by: Terry Barnaby <terry1@beam.ltd.uk>
-Signed-off-by: Jeff Layton <jlayton@redhat.com>
----
- fs/locks.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/fs/locks.c b/fs/locks.c
-index 13fc7a6d380a..b380f5543614 100644
---- a/fs/locks.c
-+++ b/fs/locks.c
-@@ -1391,11 +1391,10 @@ int __break_lease(struct inode *inode, unsigned int mode, unsigned int type)
- 
- restart:
- 	break_time = flock->fl_break_time;
--	if (break_time != 0) {
-+	if (break_time != 0)
- 		break_time -= jiffies;
--		if (break_time == 0)
--			break_time++;
--	}
-+	if (break_time == 0)
-+		break_time++;
- 	locks_insert_block(flock, new_fl);
- 	spin_unlock(&inode->i_lock);
- 	error = wait_event_interruptible_timeout(new_fl->fl_wait,
--- 
-1.9.0
-
diff --git a/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch b/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
deleted file mode 100644
index d5f980c9..00000000
--- a/n_tty-Fix-n_tty_write-crash-when-echoing-in-raw-mode.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-Bugzilla: 1094240
-Upstream-status: 3.15 and CC'd to stable
-
-From 4291086b1f081b869c6d79e5b7441633dc3ace00 Mon Sep 17 00:00:00 2001
-From: Peter Hurley <peter@hurleysoftware.com>
-Date: Sat, 3 May 2014 14:04:59 +0200
-Subject: [PATCH] n_tty: Fix n_tty_write crash when echoing in raw mode
-
-The tty atomic_write_lock does not provide an exclusion guarantee for
-the tty driver if the termios settings are LECHO & !OPOST.  And since
-it is unexpected and not allowed to call TTY buffer helpers like
-tty_insert_flip_string concurrently, this may lead to crashes when
-concurrect writers call pty_write. In that case the following two
-writers:
-* the ECHOing from a workqueue and
-* pty_write from the process
-race and can overflow the corresponding TTY buffer like follows.
-
-If we look into tty_insert_flip_string_fixed_flag, there is:
-  int space = __tty_buffer_request_room(port, goal, flags);
-  struct tty_buffer *tb = port->buf.tail;
-  ...
-  memcpy(char_buf_ptr(tb, tb->used), chars, space);
-  ...
-  tb->used += space;
-
-so the race of the two can result in something like this:
-              A                                B
-__tty_buffer_request_room
-                                  __tty_buffer_request_room
-memcpy(buf(tb->used), ...)
-tb->used += space;
-                                  memcpy(buf(tb->used), ...) ->BOOM
-
-B's memcpy is past the tty_buffer due to the previous A's tb->used
-increment.
-
-Since the N_TTY line discipline input processing can output
-concurrently with a tty write, obtain the N_TTY ldisc output_lock to
-serialize echo output with normal tty writes.  This ensures the tty
-buffer helper tty_insert_flip_string is not called concurrently and
-everything is fine.
-
-Note that this is nicely reproducible by an ordinary user using
-forkpty and some setup around that (raw termios + ECHO). And it is
-present in kernels at least after commit
-d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to
-use the normal buffering logic) in 2.6.31-rc3.
-
-js: add more info to the commit log
-js: switch to bool
-js: lock unconditionally
-js: lock only the tty->ops->write call
-
-References: CVE-2014-0196
-Reported-and-tested-by: Jiri Slaby <jslaby@suse.cz>
-Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/tty/n_tty.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
-index 41fe8a047d37..fe9d129c8735 100644
---- a/drivers/tty/n_tty.c
-+++ b/drivers/tty/n_tty.c
-@@ -2353,8 +2353,12 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file,
- 			if (tty->ops->flush_chars)
- 				tty->ops->flush_chars(tty);
- 		} else {
-+			struct n_tty_data *ldata = tty->disc_data;
-+
- 			while (nr > 0) {
-+				mutex_lock(&ldata->output_lock);
- 				c = tty->ops->write(tty, b, nr);
-+				mutex_unlock(&ldata->output_lock);
- 				if (c < 0) {
- 					retval = c;
- 					goto break_out;
--- 
-1.9.0
-
diff --git a/sources b/sources
index 76650914..acf61ae2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 b621207b3f6ecbb67db18b13258f8ea8  linux-3.14.tar.xz
-92a784cdb150c798e122ac080dc0f455  patch-3.14.3.xz
+116f27cf17c3522716b6678b17516067  patch-3.14.4.xz