merge originkernel-4.9.14-200.vanilla.knurd.1.fc25

11 files changed, 474 insertions, 486 deletions

diff --git a/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch b/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
new file mode 100644
index 000000000..b6cd8b211
--- /dev/null
+++ b/0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
@@ -0,0 +1,311 @@
+From 1dea7a8061ad9212f4464464a80d0dcd477eceab Mon Sep 17 00:00:00 2001
+From: Alexander Popov <alex.popov@linux.com>
+Date: Tue, 28 Feb 2017 19:28:54 +0300
+Subject: [PATCH 1/1] tty: n_hdlc: get rid of racy n_hdlc.tbuf
+
+Currently N_HDLC line discipline uses a self-made singly linked list for
+data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
+an error.
+
+The commit be10eb7589337e5defbe214dae038a53dd21add8
+("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
+After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
+one data buffer to tx_free_buf_list twice. That causes double free in
+n_hdlc_release().
+
+Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
+in case of tx error put current data buffer after the head of tx_buf_list.
+
+Signed-off-by: Alexander Popov <alex.popov@linux.com>
+---
+ drivers/tty/n_hdlc.c | 132 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 69 insertions(+), 63 deletions(-)
+
+diff --git a/drivers/tty/n_hdlc.c b/drivers/tty/n_hdlc.c
+index eb27883..728c824 100644
+--- a/drivers/tty/n_hdlc.c
++++ b/drivers/tty/n_hdlc.c
+@@ -114,7 +114,7 @@
+ #define DEFAULT_TX_BUF_COUNT 3
+ 
+ struct n_hdlc_buf {
+-	struct n_hdlc_buf *link;
++	struct list_head  list_item;
+ 	int		  count;
+ 	char		  buf[1];
+ };
+@@ -122,8 +122,7 @@ struct n_hdlc_buf {
+ #define	N_HDLC_BUF_SIZE	(sizeof(struct n_hdlc_buf) + maxframe)
+ 
+ struct n_hdlc_buf_list {
+-	struct n_hdlc_buf *head;
+-	struct n_hdlc_buf *tail;
++	struct list_head  list;
+ 	int		  count;
+ 	spinlock_t	  spinlock;
+ };
+@@ -136,7 +135,6 @@ struct n_hdlc_buf_list {
+  * @backup_tty - TTY to use if tty gets closed
+  * @tbusy - reentrancy flag for tx wakeup code
+  * @woke_up - FIXME: describe this field
+- * @tbuf - currently transmitting tx buffer
+  * @tx_buf_list - list of pending transmit frame buffers
+  * @rx_buf_list - list of received frame buffers
+  * @tx_free_buf_list - list unused transmit frame buffers
+@@ -149,7 +147,6 @@ struct n_hdlc {
+ 	struct tty_struct	*backup_tty;
+ 	int			tbusy;
+ 	int			woke_up;
+-	struct n_hdlc_buf	*tbuf;
+ 	struct n_hdlc_buf_list	tx_buf_list;
+ 	struct n_hdlc_buf_list	rx_buf_list;
+ 	struct n_hdlc_buf_list	tx_free_buf_list;
+@@ -159,6 +156,8 @@ struct n_hdlc {
+ /*
+  * HDLC buffer list manipulation functions
+  */
++static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
++						struct n_hdlc_buf *buf);
+ static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
+ 			   struct n_hdlc_buf *buf);
+ static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *list);
+@@ -208,16 +207,9 @@ static void flush_tx_queue(struct tty_struct *tty)
+ {
+ 	struct n_hdlc *n_hdlc = tty2n_hdlc(tty);
+ 	struct n_hdlc_buf *buf;
+-	unsigned long flags;
+ 
+ 	while ((buf = n_hdlc_buf_get(&n_hdlc->tx_buf_list)))
+ 		n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, buf);
+- 	spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock, flags);
+-	if (n_hdlc->tbuf) {
+-		n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, n_hdlc->tbuf);
+-		n_hdlc->tbuf = NULL;
+-	}
+-	spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
+ }
+ 
+ static struct tty_ldisc_ops n_hdlc_ldisc = {
+@@ -283,7 +275,6 @@ static void n_hdlc_release(struct n_hdlc *n_hdlc)
+ 		} else
+ 			break;
+ 	}
+-	kfree(n_hdlc->tbuf);
+ 	kfree(n_hdlc);
+ 	
+ }	/* end of n_hdlc_release() */
+@@ -402,13 +393,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
+ 	n_hdlc->woke_up = 0;
+ 	spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock, flags);
+ 
+-	/* get current transmit buffer or get new transmit */
+-	/* buffer from list of pending transmit buffers */
+-		
+-	tbuf = n_hdlc->tbuf;
+-	if (!tbuf)
+-		tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
+-		
++	tbuf = n_hdlc_buf_get(&n_hdlc->tx_buf_list);
+ 	while (tbuf) {
+ 		if (debuglevel >= DEBUG_LEVEL_INFO)	
+ 			printk("%s(%d)sending frame %p, count=%d\n",
+@@ -420,7 +405,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
+ 
+ 		/* rollback was possible and has been done */
+ 		if (actual == -ERESTARTSYS) {
+-			n_hdlc->tbuf = tbuf;
++			n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
+ 			break;
+ 		}
+ 		/* if transmit error, throw frame away by */
+@@ -435,10 +420,7 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
+ 					
+ 			/* free current transmit buffer */
+ 			n_hdlc_buf_put(&n_hdlc->tx_free_buf_list, tbuf);
+-			
+-			/* this tx buffer is done */
+-			n_hdlc->tbuf = NULL;
+-			
++
+ 			/* wait up sleeping writers */
+ 			wake_up_interruptible(&tty->write_wait);
+ 	
+@@ -448,10 +430,12 @@ static void n_hdlc_send_frames(struct n_hdlc *n_hdlc, struct tty_struct *tty)
+ 			if (debuglevel >= DEBUG_LEVEL_INFO)	
+ 				printk("%s(%d)frame %p pending\n",
+ 					__FILE__,__LINE__,tbuf);
+-					
+-			/* buffer not accepted by driver */
+-			/* set this buffer as pending buffer */
+-			n_hdlc->tbuf = tbuf;
++
++			/*
++			 * the buffer was not accepted by driver,
++			 * return it back into tx queue
++			 */
++			n_hdlc_buf_return(&n_hdlc->tx_buf_list, tbuf);
+ 			break;
+ 		}
+ 	}
+@@ -749,7 +733,8 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
+ 	int error = 0;
+ 	int count;
+ 	unsigned long flags;
+-	
++	struct n_hdlc_buf *buf = NULL;
++
+ 	if (debuglevel >= DEBUG_LEVEL_INFO)	
+ 		printk("%s(%d)n_hdlc_tty_ioctl() called %d\n",
+ 			__FILE__,__LINE__,cmd);
+@@ -763,8 +748,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
+ 		/* report count of read data available */
+ 		/* in next available frame (if any) */
+ 		spin_lock_irqsave(&n_hdlc->rx_buf_list.spinlock,flags);
+-		if (n_hdlc->rx_buf_list.head)
+-			count = n_hdlc->rx_buf_list.head->count;
++		buf = list_first_entry_or_null(&n_hdlc->rx_buf_list.list,
++						struct n_hdlc_buf, list_item);
++		if (buf)
++			count = buf->count;
+ 		else
+ 			count = 0;
+ 		spin_unlock_irqrestore(&n_hdlc->rx_buf_list.spinlock,flags);
+@@ -776,8 +763,10 @@ static int n_hdlc_tty_ioctl(struct tty_struct *tty, struct file *file,
+ 		count = tty_chars_in_buffer(tty);
+ 		/* add size of next output frame in queue */
+ 		spin_lock_irqsave(&n_hdlc->tx_buf_list.spinlock,flags);
+-		if (n_hdlc->tx_buf_list.head)
+-			count += n_hdlc->tx_buf_list.head->count;
++		buf = list_first_entry_or_null(&n_hdlc->tx_buf_list.list,
++						struct n_hdlc_buf, list_item);
++		if (buf)
++			count += buf->count;
+ 		spin_unlock_irqrestore(&n_hdlc->tx_buf_list.spinlock,flags);
+ 		error = put_user(count, (int __user *)arg);
+ 		break;
+@@ -825,14 +814,14 @@ static unsigned int n_hdlc_tty_poll(struct tty_struct *tty, struct file *filp,
+ 		poll_wait(filp, &tty->write_wait, wait);
+ 
+ 		/* set bits for operations that won't block */
+-		if (n_hdlc->rx_buf_list.head)
++		if (!list_empty(&n_hdlc->rx_buf_list.list))
+ 			mask |= POLLIN | POLLRDNORM;	/* readable */
+ 		if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
+ 			mask |= POLLHUP;
+ 		if (tty_hung_up_p(filp))
+ 			mask |= POLLHUP;
+ 		if (!tty_is_writelocked(tty) &&
+-				n_hdlc->tx_free_buf_list.head)
++				!list_empty(&n_hdlc->tx_free_buf_list.list))
+ 			mask |= POLLOUT | POLLWRNORM;	/* writable */
+ 	}
+ 	return mask;
+@@ -856,7 +845,12 @@ static struct n_hdlc *n_hdlc_alloc(void)
+ 	spin_lock_init(&n_hdlc->tx_free_buf_list.spinlock);
+ 	spin_lock_init(&n_hdlc->rx_buf_list.spinlock);
+ 	spin_lock_init(&n_hdlc->tx_buf_list.spinlock);
+-	
++
++	INIT_LIST_HEAD(&n_hdlc->rx_free_buf_list.list);
++	INIT_LIST_HEAD(&n_hdlc->tx_free_buf_list.list);
++	INIT_LIST_HEAD(&n_hdlc->rx_buf_list.list);
++	INIT_LIST_HEAD(&n_hdlc->tx_buf_list.list);
++
+ 	/* allocate free rx buffer list */
+ 	for(i=0;i<DEFAULT_RX_BUF_COUNT;i++) {
+ 		buf = kmalloc(N_HDLC_BUF_SIZE, GFP_KERNEL);
+@@ -884,53 +878,65 @@ static struct n_hdlc *n_hdlc_alloc(void)
+ }	/* end of n_hdlc_alloc() */
+ 
+ /**
++ * n_hdlc_buf_return - put the HDLC buffer after the head of the specified list
++ * @buf_list - pointer to the buffer list
++ * @buf - pointer to the buffer
++ */
++static void n_hdlc_buf_return(struct n_hdlc_buf_list *buf_list,
++						struct n_hdlc_buf *buf)
++{
++	unsigned long flags;
++
++	spin_lock_irqsave(&buf_list->spinlock, flags);
++
++	list_add(&buf->list_item, &buf_list->list);
++	buf_list->count++;
++
++	spin_unlock_irqrestore(&buf_list->spinlock, flags);
++}
++
++/**
+  * n_hdlc_buf_put - add specified HDLC buffer to tail of specified list
+- * @list - pointer to buffer list
++ * @buf_list - pointer to buffer list
+  * @buf	- pointer to buffer
+  */
+-static void n_hdlc_buf_put(struct n_hdlc_buf_list *list,
++static void n_hdlc_buf_put(struct n_hdlc_buf_list *buf_list,
+ 			   struct n_hdlc_buf *buf)
+ {
+ 	unsigned long flags;
+-	spin_lock_irqsave(&list->spinlock,flags);
+-	
+-	buf->link=NULL;
+-	if (list->tail)
+-		list->tail->link = buf;
+-	else
+-		list->head = buf;
+-	list->tail = buf;
+-	(list->count)++;
+-	
+-	spin_unlock_irqrestore(&list->spinlock,flags);
+-	
++
++	spin_lock_irqsave(&buf_list->spinlock, flags);
++
++	list_add_tail(&buf->list_item, &buf_list->list);
++	buf_list->count++;
++
++	spin_unlock_irqrestore(&buf_list->spinlock, flags);
+ }	/* end of n_hdlc_buf_put() */
+ 
+ /**
+  * n_hdlc_buf_get - remove and return an HDLC buffer from list
+- * @list - pointer to HDLC buffer list
++ * @buf_list - pointer to HDLC buffer list
+  * 
+  * Remove and return an HDLC buffer from the head of the specified HDLC buffer
+  * list.
+  * Returns a pointer to HDLC buffer if available, otherwise %NULL.
+  */
+-static struct n_hdlc_buf* n_hdlc_buf_get(struct n_hdlc_buf_list *list)
++static struct n_hdlc_buf *n_hdlc_buf_get(struct n_hdlc_buf_list *buf_list)
+ {
+ 	unsigned long flags;
+ 	struct n_hdlc_buf *buf;
+-	spin_lock_irqsave(&list->spinlock,flags);
+-	
+-	buf = list->head;
++
++	spin_lock_irqsave(&buf_list->spinlock, flags);
++
++	buf = list_first_entry_or_null(&buf_list->list,
++						struct n_hdlc_buf, list_item);
+ 	if (buf) {
+-		list->head = buf->link;
+-		(list->count)--;
++		list_del(&buf->list_item);
++		buf_list->count--;
+ 	}
+-	if (!list->head)
+-		list->tail = NULL;
+-	
+-	spin_unlock_irqrestore(&list->spinlock,flags);
++
++	spin_unlock_irqrestore(&buf_list->spinlock, flags);
+ 	return buf;
+-	
+ }	/* end of n_hdlc_buf_get() */
+ 
+ static char hdlc_banner[] __initdata =
+-- 
+2.7.4
+
diff --git a/arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch b/arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch
deleted file mode 100644
index 2e7f51ec6..000000000
--- a/arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From patchwork Wed Jan 25 18:31:31 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: [v2] arm64: dma-mapping: Fix dma_mapping_error() when bypassing
- SWIOTLB
-From: Robin Murphy <robin.murphy@arm.com>
-X-Patchwork-Id: 9537723
-Message-Id: <840027acb4750542003dff17b4a8902ba8972754.1485368348.git.robin.murphy@arm.com>
-To: will.deacon@arm.com,
-	catalin.marinas@arm.com
-Cc: Jisheng Zhang <jszhang@marvell.com>, arnd@arndb.de,
- konrad.wilk@oracle.com, aaro.koskinen@iki.fi, stable@vger.kernel.org,
- linux-rpi-kernel@lists.infradead.org, linux-arm-kernel@lists.infradead.org
-Date: Wed, 25 Jan 2017 18:31:31 +0000
-
-When bypassing SWIOTLB on small-memory systems, we need to avoid calling
-into swiotlb_dma_mapping_error() in exactly the same way as we avoid
-swiotlb_dma_supported(), because the former also relies on SWIOTLB state
-being initialised.
-
-Under the assumptions for which we skip SWIOTLB, dma_map_{single,page}()
-will only ever return the DMA-offset-adjusted physical address of the
-page passed in, thus we can report success unconditionally.
-
-Fixes: b67a8b29df7e ("arm64: mm: only initialize swiotlb when necessary")
-CC: stable@vger.kernel.org
-CC: Jisheng Zhang <jszhang@marvell.com>
-Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
-Signed-off-by: Robin Murphy <robin.murphy@arm.com>
-Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
----
-
-v2: Get the return value the right way round this time... After some
-    careful reasoning it really is that simple.
-
- arch/arm64/mm/dma-mapping.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c
-index e04082700bb1..1ffb7d5d299a 100644
---- a/arch/arm64/mm/dma-mapping.c
-+++ b/arch/arm64/mm/dma-mapping.c
-@@ -352,6 +352,13 @@ static int __swiotlb_dma_supported(struct device *hwdev, u64 mask)
- 	return 1;
- }
- 
-+static int __swiotlb_dma_mapping_error(struct device *hwdev, dma_addr_t addr)
-+{
-+	if (swiotlb)
-+		return swiotlb_dma_mapping_error(hwdev, addr);
-+	return 0;
-+}
-+
- static struct dma_map_ops swiotlb_dma_ops = {
- 	.alloc = __dma_alloc,
- 	.free = __dma_free,
-@@ -366,7 +373,7 @@ static struct dma_map_ops swiotlb_dma_ops = {
- 	.sync_sg_for_cpu = __swiotlb_sync_sg_for_cpu,
- 	.sync_sg_for_device = __swiotlb_sync_sg_for_device,
- 	.dma_supported = __swiotlb_dma_supported,
--	.mapping_error = swiotlb_dma_mapping_error,
-+	.mapping_error = __swiotlb_dma_mapping_error,
- };
- 
- static int __init atomic_pool_init(void)
diff --git a/config-arm64 b/config-arm64
index 8cca6201c..ee6c77087 100644
--- a/config-arm64
+++ b/config-arm64
@@ -210,7 +210,7 @@ CONFIG_SUNXI_WATCHDOG=m
 CONFIG_MFD_SUN6I_PRCM=y
 CONFIG_IR_SUNXI=m
 CONFIG_MMC_SUNXI=m
-CONFIG_RTC_DRV_SUN6I=m
+CONFIG_RTC_DRV_SUN6I=y
 CONFIG_PWM_SUN4I=m
 # CONFIG_PHY_SUN4I_USB is not set
 # CONFIG_PHY_SUN9I_USB is not set
diff --git a/config-armv7-generic b/config-armv7-generic
index 869ee0659..65f612339 100644
--- a/config-armv7-generic
+++ b/config-armv7-generic
@@ -226,7 +226,7 @@ CONFIG_MDIO_SUN4I=m
 CONFIG_DWMAC_SUNXI=m
 CONFIG_SUN4I_EMAC=m
 CONFIG_SUN8I_EMAC=m
-CONFIG_RTC_DRV_SUN6I=m
+CONFIG_RTC_DRV_SUN6I=y
 CONFIG_MTD_NAND_SUNXI=m
 CONFIG_SERIO_SUN4I_PS2=m
 CONFIG_KEYBOARD_SUN4I_LRADC=m
diff --git a/config-generic b/config-generic
index 4da90f2b1..11c3eeb96 100644
--- a/config-generic
+++ b/config-generic
@@ -1921,7 +1921,7 @@ CONFIG_IWLWIFI=m
 CONFIG_IWLDVM=m
 CONFIG_IWLMVM=m
 # CONFIG_IWLWIFI_BCAST_FILTERING is not set
-CONFIG_IWLWIFI_PCIE_RTPM=y
+# CONFIG_IWLWIFI_PCIE_RTPM is not set
 CONFIG_IWLWIFI_DEBUG=y
 CONFIG_IWLWIFI_DEBUGFS=y
 
diff --git a/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch b/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
deleted file mode 100644
index 433fd4b2b..000000000
--- a/dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001
-From: Andrey Konovalov <andreyknvl@google.com>
-Date: Thu, 16 Feb 2017 17:22:46 +0100
-Subject: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
-
-In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
-is forcibly freed via __kfree_skb in dccp_rcv_state_process if
-dccp_v6_conn_request successfully returns.
-
-However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
-is saved to ireq->pktopts and the ref count for skb is incremented in
-dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
-in dccp_rcv_state_process.
-
-Fix by calling consume_skb instead of doing goto discard and therefore
-calling __kfree_skb.
-
-Similar fixes for TCP:
-
-fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
-0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
-simply consumed
-
-Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
-Acked-by: Eric Dumazet <edumazet@google.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/dccp/input.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/net/dccp/input.c b/net/dccp/input.c
-index ba34718..8fedc2d 100644
---- a/net/dccp/input.c
-+++ b/net/dccp/input.c
-@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
- 			if (inet_csk(sk)->icsk_af_ops->conn_request(sk,
- 								    skb) < 0)
- 				return 1;
--			goto discard;
-+			consume_skb(skb);
-+			return 0;
- 		}
- 		if (dh->dccph_type == DCCP_PKT_RESET)
- 			goto discard;
--- 
-cgit v0.12
-
diff --git a/kernel.spec b/kernel.spec
index b351a0db0..ffeb4b941 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,8 @@ Summary: The Linux kernel
 %define stable_rc 0
 
 # Do we have a -stable update to apply?
-%define stable_update 13
+%define stable_update 14
+
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -530,8 +531,6 @@ Patch426: usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch
 # Fix OMAP4 (pandaboard)
 Patch427: arm-revert-mmc-omap_hsmmc-Use-dma_request_chan-for-reque.patch
 
-Patch428: arm64-dma-mapping-Fix-dma_mapping_error-when-bypassing-SWIOTLB.patch
-
 # Not particularly happy we don't yet have a proper upstream resolution this is the right direction
 # https://www.spinics.net/lists/arm-kernel/msg535191.html
 Patch429: arm64-mm-Fix-memmap-to-be-initialized-for-the-entire-section.patch
@@ -548,6 +547,8 @@ Patch433: bcm283x-mmc-imp-speed.patch
 
 Patch434: mm-alloc_contig-re-allow-CMA-to-compact-FS-pages.patch
 
+Patch436: vc4-fix-vblank-cursor-update-issue.patch
+
 Patch440: AllWinner-net-emac.patch
 
 Patch442: ARM-Drop-fixed-200-Hz-timer-requirement-from-Samsung-platforms.patch
@@ -657,14 +658,14 @@ Patch855: kvm-fix-page-struct-leak-in-handle_vmon.patch
 Patch858: 1-2-media-cxusb-Use-a-dma-capable-buffer-also-for-reading.patch
 Patch859: 2-2-media-dvb-usb-firmware-don-t-do-DMA-on-stack.patch
 
-#rhbz 1415397
-Patch861: w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
-
 #rhbz 1422969
 Patch862: rt2800-warning.patch
 
-#CVE-2017-6074
-Patch863: dccp-fix-freeing-skb-too-early-for-IPV6_RECVPKTINFO.patch
+#CVE-2017-6353 rhbz 1428907 1428910
+Patch864: sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
+
+# CVE-2017-2636 rhbz 1430049
+Patch668: 0001-tty-n_hdlc-get-rid-of-racy-n_hdlc.tbuf.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -875,7 +876,6 @@ Summary: Development package for building kernel modules to match the %{?2:%{2}
 Group: System Environment/Kernel\
 Provides: kernel%{?1:-%{1}}-devel-%{_target_cpu} = %{version}-%{release}\
 Provides: kernel-devel-%{_target_cpu} = %{version}-%{release}%{?1:+%{1}}\
-Provides: kernel-devel = %{version}-%{release}%{?1:+%{1}}\
 Provides: kernel-devel-uname-r = %{KVERREL}%{?variant}%{?1:+%{1}}\
 Provides: installonlypkg(kernel)\
 AutoReqProv: no\
@@ -2216,6 +2216,31 @@ fi
 #
 #
 %changelog
+* Mon Mar 13 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.14-200
+- Linux v4.9.14
+
+* Tue Mar 07 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.13-201
+- Build for some CVEs
+
+* Tue Mar 07 2017 Laura Abbott <labbott@fedoraproject.org>
+- CVE-2017-2636 Race condition access to n_hdlc.tbuf causes double free in n_hdlc_release (rhbz 1430049)
+
+* Tue Mar  7 2017 Laura Abbott <labbott@redhat.com>
+- Disable CONFIG_IWLWIFI_PCIE_RTPM (rhbz 1429135)
+
+* Mon Mar  6 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2017-6353 Possible double free in stcp_sendmsg (rhbz 1428907 1428910)
+
+* Wed Mar  1 2017 Peter Robinson <pbrobinson@fedoraproject.org>
+- Add patch to fix desktop lockups on RPi (vc4) RHBZ# 1389163
+
+* Tue Feb 28 2017 Justin M. Forbes <jforbes@fedoraproject.org> 
+- CVE-2017-5669 shmat allows mmap null page protection bypass (rhbz 1427239)
+- Fix kernel-devel virtual provide
+
+* Mon Feb 27 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.13-200
+- Linux v4.9.13
+
 * Thu Feb 23 2017 Laura Abbott <labbott@fedoraproject.org> - 4.9.12-200
 - Linux v4.9.12
 
diff --git a/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch b/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
new file mode 100644
index 000000000..47f586ace
--- /dev/null
+++ b/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
@@ -0,0 +1,66 @@
+From dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Thu, 23 Feb 2017 09:31:18 -0300
+Subject: [PATCH] sctp: deny peeloff operation on asocs with threads sleeping
+ on it
+
+commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+attempted to avoid a BUG_ON call when the association being used for a
+sendmsg() is blocked waiting for more sndbuf and another thread did a
+peeloff operation on such asoc, moving it to another socket.
+
+As Ben Hutchings noticed, then in such case it would return without
+locking back the socket and would cause two unlocks in a row.
+
+Further analysis also revealed that it could allow a double free if the
+application managed to peeloff the asoc that is created during the
+sendmsg call, because then sctp_sendmsg() would try to free the asoc
+that was created only for that call.
+
+This patch takes another approach. It will deny the peeloff operation
+if there is a thread sleeping on the asoc, so this situation doesn't
+exist anymore. This avoids the issues described above and also honors
+the syscalls that are already being handled (it can be multiple sendmsg
+calls).
+
+Joint work with Xin Long.
+
+Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+Cc: Alexander Popov <alex.popov@linux.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/sctp/socket.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index b532148..465a9c8 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4862,6 +4862,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ 	if (!asoc)
+ 		return -EINVAL;
+
++	/* If there is a thread waiting on more sndbuf space for
++	 * sending on this asoc, it cannot be peeled.
++	 */
++	if (waitqueue_active(&asoc->wait))
++		return -EBUSY;
++
+ 	/* An association cannot be branched off from an already peeled-off
+ 	 * socket, nor is this supported for tcp style sockets.
+ 	 */
+@@ -7599,8 +7605,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ 		 */
+ 		release_sock(sk);
+ 		current_timeo = schedule_timeout(current_timeo);
+-		if (sk != asoc->base.sk)
+-			goto do_error;
+ 		lock_sock(sk);
+
+ 		*timeo_p = current_timeo;
+-- 
+2.9.3
+
diff --git a/sources b/sources
index 20f1904fb..765bb8c40 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (linux-4.9.tar.xz) = bf67ff812cc3cb7e5059e82cc5db0d9a7c5637f7ed9a42e4730c715bf7047c81ed3a571225f92a33ef0b6d65f35595bc32d773356646df2627da55e9bc7f1f1a
 SHA512 (perf-man-4.9.tar.gz) = d23bb3da1eadd6623fddbf4696948de7675f3dcf57c711a7427dd7ae111394f58d8f42752938bbea7cd219f1e7f6f116fc67a1c74f769711063940a065f37b99
-SHA512 (patch-4.9.12.xz) = 52314315fe960b3b4b11021a5a8a6271bd8a7e3f9f63cd983f72cf7585ac95408872ab48074d2cd578d681a64e10607ba69157a3fed14663736f20c5c2a78b0a
+SHA512 (patch-4.9.14.xz) = 0bfb0f5e27081d96760884726cc44fa0dcb1c4f3658e8131de0a4d8b90689e95e8c2f3a0c95a165ae4a2c95b227392cd9249b3018d6242af4ee81a892edfc94f
diff --git a/vc4-fix-vblank-cursor-update-issue.patch b/vc4-fix-vblank-cursor-update-issue.patch
new file mode 100644
index 000000000..8537d67ca
--- /dev/null
+++ b/vc4-fix-vblank-cursor-update-issue.patch
@@ -0,0 +1,59 @@
+From 6d24c1c5918907ab78a5729b78c0d165deb3cc2b Mon Sep 17 00:00:00 2001
+From: Michael Zoran <mzoran@crowfest.net>
+Date: Thu, 23 Feb 2017 17:54:31 -0800
+Subject: drm/vc4: Don't wait for vblank when updating the cursor
+
+Commonly used desktop environments such as xfce4 and gnome
+on debian sid can flood the graphics drivers with cursor
+updates.  Because the current implementation is waiting
+for a vblank between cursor updates, this will cause the
+display to hang for a long time since a typical refresh
+rate is only 60Hz.
+
+This is unnecessary and unexpected by user mode software,
+so simply swap out the cursor frame buffer without waiting.
+
+Signed-off-by: Michael Zoran <mzoran@crowfest.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: http://patchwork.freedesktop.org/patch/msgid/20170224015431.24583-1-mzoran@crowfest.net
+
+diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
+index f7a229d..110224c 100644
+--- a/drivers/gpu/drm/vc4/vc4_plane.c
++++ b/drivers/gpu/drm/vc4/vc4_plane.c
+@@ -20,6 +20,7 @@
+ 
+ #include "vc4_drv.h"
+ #include "vc4_regs.h"
++#include "drm_atomic.h"
+ #include "drm_atomic_helper.h"
+ #include "drm_fb_cma_helper.h"
+ #include "drm_plane_helper.h"
+@@ -769,12 +770,6 @@ vc4_update_plane(struct drm_plane *plane,
+ 	if (!plane_state)
+ 		goto out;
+ 
+-	/* If we're changing the cursor contents, do that in the
+-	 * normal vblank-synced atomic path.
+-	 */
+-	if (fb != plane_state->fb)
+-		goto out;
+-
+ 	/* No configuring new scaling in the fast path. */
+ 	if (crtc_w != plane_state->crtc_w ||
+ 	    crtc_h != plane_state->crtc_h ||
+@@ -783,6 +778,11 @@ vc4_update_plane(struct drm_plane *plane,
+ 		goto out;
+ 	}
+ 
++	if (fb != plane_state->fb) {
++		drm_atomic_set_fb_for_plane(plane->state, fb);
++		vc4_plane_async_set_fb(plane, fb);
++	}
++
+ 	/* Set the cursor's position on the screen.  This is the
+ 	 * expected change from the drm_mode_cursor_universal()
+ 	 * helper.
+-- 
+cgit v0.10.2
+
diff --git a/w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch b/w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
deleted file mode 100644
index 7e902b100..000000000
--- a/w1-ds2490-USB-transfer-buffers-need-to-be-DMAable.patch
+++ /dev/null
@@ -1,360 +0,0 @@
-From patchwork Wed Jan 18 20:31:11 2017
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: w1: ds2490: USB transfer buffers need to be DMAable
-From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
-X-Patchwork-Id: 9524693
-Message-Id: <5ba98814-d0b0-fbd4-d631-eda3472f4017@maciej.szmigiero.name>
-To: Evgeniy Polyakov <zbr@ioremap.net>
-Cc: linux-kernel <linux-kernel@vger.kernel.org>
-Date: Wed, 18 Jan 2017 21:31:11 +0100
-
-ds2490 driver was doing USB transfers from / to buffers on a stack.
-This is not permitted and made the driver non-working with vmapped stacks.
-
-Since all these transfers are done under the same bus_mutex lock we can
-simply use shared buffers in a device private structure for two most common
-of them.
-
-While we are at it, let's also fix a comparison between int and size_t in
-ds9490r_search() which made the driver spin in this function if state
-register get requests were failing.
-
-Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
-Cc: stable@vger.kernel.org
----
- drivers/w1/masters/ds2490.c | 142 ++++++++++++++++++++++++++------------------
- 1 file changed, 84 insertions(+), 58 deletions(-)
-
-diff --git a/drivers/w1/masters/ds2490.c b/drivers/w1/masters/ds2490.c
-index 049a884a756f..59d74d1b47a8 100644
---- a/drivers/w1/masters/ds2490.c
-+++ b/drivers/w1/masters/ds2490.c
-@@ -153,6 +153,9 @@ struct ds_device
- 	 */
- 	u16			spu_bit;
- 
-+	u8			st_buf[ST_SIZE];
-+	u8			byte_buf;
-+
- 	struct w1_bus_master	master;
- };
- 
-@@ -174,7 +177,6 @@ struct ds_status
- 	u8			data_in_buffer_status;
- 	u8			reserved1;
- 	u8			reserved2;
--
- };
- 
- static struct usb_device_id ds_id_table [] = {
-@@ -244,28 +246,6 @@ static int ds_send_control(struct ds_device *dev, u16 value, u16 index)
- 	return err;
- }
- 
--static int ds_recv_status_nodump(struct ds_device *dev, struct ds_status *st,
--				 unsigned char *buf, int size)
--{
--	int count, err;
--
--	memset(st, 0, sizeof(*st));
--
--	count = 0;
--	err = usb_interrupt_msg(dev->udev, usb_rcvintpipe(dev->udev,
--		dev->ep[EP_STATUS]), buf, size, &count, 1000);
--	if (err < 0) {
--		pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n",
--		       dev->ep[EP_STATUS], err);
--		return err;
--	}
--
--	if (count >= sizeof(*st))
--		memcpy(st, buf, sizeof(*st));
--
--	return count;
--}
--
- static inline void ds_print_msg(unsigned char *buf, unsigned char *str, int off)
- {
- 	pr_info("%45s: %8x\n", str, buf[off]);
-@@ -324,6 +304,35 @@ static void ds_dump_status(struct ds_device *dev, unsigned char *buf, int count)
- 	}
- }
- 
-+static int ds_recv_status(struct ds_device *dev, struct ds_status *st,
-+			  bool dump)
-+{
-+	int count, err;
-+
-+	if (st)
-+		memset(st, 0, sizeof(*st));
-+
-+	count = 0;
-+	err = usb_interrupt_msg(dev->udev,
-+				usb_rcvintpipe(dev->udev,
-+					       dev->ep[EP_STATUS]),
-+				dev->st_buf, sizeof(dev->st_buf),
-+				&count, 1000);
-+	if (err < 0) {
-+		pr_err("Failed to read 1-wire data from 0x%x: err=%d.\n",
-+		       dev->ep[EP_STATUS], err);
-+		return err;
-+	}
-+
-+	if (dump)
-+		ds_dump_status(dev, dev->st_buf, count);
-+
-+	if (st && count >= sizeof(*st))
-+		memcpy(st, dev->st_buf, sizeof(*st));
-+
-+	return count;
-+}
-+
- static void ds_reset_device(struct ds_device *dev)
- {
- 	ds_send_control_cmd(dev, CTL_RESET_DEVICE, 0);
-@@ -344,7 +353,6 @@ static void ds_reset_device(struct ds_device *dev)
- static int ds_recv_data(struct ds_device *dev, unsigned char *buf, int size)
- {
- 	int count, err;
--	struct ds_status st;
- 
- 	/* Careful on size.  If size is less than what is available in
- 	 * the input buffer, the device fails the bulk transfer and
-@@ -359,14 +367,9 @@ static int ds_recv_data(struct ds_device *dev, unsigned char *buf, int size)
- 	err = usb_bulk_msg(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]),
- 				buf, size, &count, 1000);
- 	if (err < 0) {
--		u8 buf[ST_SIZE];
--		int count;
--
- 		pr_info("Clearing ep0x%x.\n", dev->ep[EP_DATA_IN]);
- 		usb_clear_halt(dev->udev, usb_rcvbulkpipe(dev->udev, dev->ep[EP_DATA_IN]));
--
--		count = ds_recv_status_nodump(dev, &st, buf, sizeof(buf));
--		ds_dump_status(dev, buf, count);
-+		ds_recv_status(dev, NULL, true);
- 		return err;
- 	}
- 
-@@ -404,7 +407,6 @@ int ds_stop_pulse(struct ds_device *dev, int limit)
- {
- 	struct ds_status st;
- 	int count = 0, err = 0;
--	u8 buf[ST_SIZE];
- 
- 	do {
- 		err = ds_send_control(dev, CTL_HALT_EXE_IDLE, 0);
-@@ -413,7 +415,7 @@ int ds_stop_pulse(struct ds_device *dev, int limit)
- 		err = ds_send_control(dev, CTL_RESUME_EXE, 0);
- 		if (err)
- 			break;
--		err = ds_recv_status_nodump(dev, &st, buf, sizeof(buf));
-+		err = ds_recv_status(dev, &st, false);
- 		if (err)
- 			break;
- 
-@@ -456,18 +458,17 @@ int ds_detect(struct ds_device *dev, struct ds_status *st)
- 
- static int ds_wait_status(struct ds_device *dev, struct ds_status *st)
- {
--	u8 buf[ST_SIZE];
- 	int err, count = 0;
- 
- 	do {
- 		st->status = 0;
--		err = ds_recv_status_nodump(dev, st, buf, sizeof(buf));
-+		err = ds_recv_status(dev, st, false);
- #if 0
- 		if (err >= 0) {
- 			int i;
- 			printk("0x%x: count=%d, status: ", dev->ep[EP_STATUS], err);
- 			for (i=0; i<err; ++i)
--				printk("%02x ", buf[i]);
-+				printk("%02x ", dev->st_buf[i]);
- 			printk("\n");
- 		}
- #endif
-@@ -485,7 +486,7 @@ static int ds_wait_status(struct ds_device *dev, struct ds_status *st)
- 	 * can do something with it).
- 	 */
- 	if (err > 16 || count >= 100 || err < 0)
--		ds_dump_status(dev, buf, err);
-+		ds_dump_status(dev, dev->st_buf, err);
- 
- 	/* Extended data isn't an error.  Well, a short is, but the dump
- 	 * would have already told the user that and we can't do anything
-@@ -608,7 +609,6 @@ static int ds_write_byte(struct ds_device *dev, u8 byte)
- {
- 	int err;
- 	struct ds_status st;
--	u8 rbyte;
- 
- 	err = ds_send_control(dev, COMM_BYTE_IO | COMM_IM | dev->spu_bit, byte);
- 	if (err)
-@@ -621,11 +621,11 @@ static int ds_write_byte(struct ds_device *dev, u8 byte)
- 	if (err)
- 		return err;
- 
--	err = ds_recv_data(dev, &rbyte, sizeof(rbyte));
-+	err = ds_recv_data(dev, &dev->byte_buf, 1);
- 	if (err < 0)
- 		return err;
- 
--	return !(byte == rbyte);
-+	return !(byte == dev->byte_buf);
- }
- 
- static int ds_read_byte(struct ds_device *dev, u8 *byte)
-@@ -712,7 +712,6 @@ static void ds9490r_search(void *data, struct w1_master *master,
- 	int err;
- 	u16 value, index;
- 	struct ds_status st;
--	u8 st_buf[ST_SIZE];
- 	int search_limit;
- 	int found = 0;
- 	int i;
-@@ -724,7 +723,12 @@ static void ds9490r_search(void *data, struct w1_master *master,
- 	/* FIFO 128 bytes, bulk packet size 64, read a multiple of the
- 	 * packet size.
- 	 */
--	u64 buf[2*64/8];
-+	const size_t bufsize = 2 * 64;
-+	u64 *buf;
-+
-+	buf = kmalloc(bufsize, GFP_KERNEL);
-+	if (!buf)
-+		return;
- 
- 	mutex_lock(&master->bus_mutex);
- 
-@@ -745,10 +749,9 @@ static void ds9490r_search(void *data, struct w1_master *master,
- 	do {
- 		schedule_timeout(jtime);
- 
--		if (ds_recv_status_nodump(dev, &st, st_buf, sizeof(st_buf)) <
--			sizeof(st)) {
-+		err = ds_recv_status(dev, &st, false);
-+		if (err < 0 || err < sizeof(st))
- 			break;
--		}
- 
- 		if (st.data_in_buffer_status) {
- 			/* Bulk in can receive partial ids, but when it does
-@@ -758,7 +761,7 @@ static void ds9490r_search(void *data, struct w1_master *master,
- 			 * bulk without first checking if status says there
- 			 * is data to read.
- 			 */
--			err = ds_recv_data(dev, (u8 *)buf, sizeof(buf));
-+			err = ds_recv_data(dev, (u8 *)buf, bufsize);
- 			if (err < 0)
- 				break;
- 			for (i = 0; i < err/8; ++i) {
-@@ -794,9 +797,14 @@ static void ds9490r_search(void *data, struct w1_master *master,
- 	}
- search_out:
- 	mutex_unlock(&master->bus_mutex);
-+	kfree(buf);
- }
- 
- #if 0
-+/*
-+ * FIXME: if this disabled code is ever used in the future all ds_send_data()
-+ * calls must be changed to use a DMAable buffer.
-+ */
- static int ds_match_access(struct ds_device *dev, u64 init)
- {
- 	int err;
-@@ -845,13 +853,12 @@ static int ds_set_path(struct ds_device *dev, u64 init)
- 
- static u8 ds9490r_touch_bit(void *data, u8 bit)
- {
--	u8 ret;
- 	struct ds_device *dev = data;
- 
--	if (ds_touch_bit(dev, bit, &ret))
-+	if (ds_touch_bit(dev, bit, &dev->byte_buf))
- 		return 0;
- 
--	return ret;
-+	return dev->byte_buf;
- }
- 
- #if 0
-@@ -866,13 +873,12 @@ static u8 ds9490r_read_bit(void *data)
- {
- 	struct ds_device *dev = data;
- 	int err;
--	u8 bit = 0;
- 
--	err = ds_touch_bit(dev, 1, &bit);
-+	err = ds_touch_bit(dev, 1, &dev->byte_buf);
- 	if (err)
- 		return 0;
- 
--	return bit & 1;
-+	return dev->byte_buf & 1;
- }
- #endif
- 
-@@ -887,32 +893,52 @@ static u8 ds9490r_read_byte(void *data)
- {
- 	struct ds_device *dev = data;
- 	int err;
--	u8 byte = 0;
- 
--	err = ds_read_byte(dev, &byte);
-+	err = ds_read_byte(dev, &dev->byte_buf);
- 	if (err)
- 		return 0;
- 
--	return byte;
-+	return dev->byte_buf;
- }
- 
- static void ds9490r_write_block(void *data, const u8 *buf, int len)
- {
- 	struct ds_device *dev = data;
-+	u8 *tbuf;
-+
-+	if (len <= 0)
-+		return;
-+
-+	tbuf = kmalloc(len, GFP_KERNEL);
-+	if (!tbuf)
-+		return;
- 
--	ds_write_block(dev, (u8 *)buf, len);
-+	memcpy(tbuf, buf, len);
-+	ds_write_block(dev, tbuf, len);
-+
-+	kfree(tbuf);
- }
- 
- static u8 ds9490r_read_block(void *data, u8 *buf, int len)
- {
- 	struct ds_device *dev = data;
- 	int err;
-+	u8 *tbuf;
- 
--	err = ds_read_block(dev, buf, len);
--	if (err < 0)
-+	if (len <= 0)
-+		return 0;
-+
-+	tbuf = kmalloc(len, GFP_KERNEL);
-+	if (!tbuf)
- 		return 0;
- 
--	return len;
-+	err = ds_read_block(dev, tbuf, len);
-+	if (err >= 0)
-+		memcpy(buf, tbuf, len);
-+
-+	kfree(tbuf);
-+
-+	return err >= 0 ? len : 0;
- }
- 
- static u8 ds9490r_reset(void *data)