authorThorsten Leemhuis <fedora@leemhuis.info>2016-02-01 08:08:55 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2016-02-01 08:08:55 +0100
commitd26910b25b830ef05a560b8700623aa0bb0226cc (patch)
treef4e0859068e3196e835bcce92971583e409d7b56
parentf33f41b35ed2c882fe772c25725cb4c7394baa74 (diff)
parentd7e32c1692ce6c7b0235ef027a81020722f97534 (diff)
downloadkernel-4.3.5-300.vanilla.knurd.1.fc23.tar.gz
kernel-4.3.5-300.vanilla.knurd.1.fc23.tar.xz
kernel-4.3.5-300.vanilla.knurd.1.fc23.zip
Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.3.5-300.vanilla.knurd.1.fc23
-rw-r--r--HID-multitouch-fix-input-mode-switching-on-some-Elan.patch94
-rw-r--r--HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch49
-rw-r--r--KVM-svm-unconditionally-intercept-DB.patch80
-rw-r--r--cfg80211-wext-fix-message-ordering.patch83
-rw-r--r--config-arm641
-rw-r--r--isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch40
-rw-r--r--kernel.spec39
-rw-r--r--media-Revert-media-ivtv-avoid-going-past-input-audio.patch38
-rw-r--r--media-ivtv-avoid-going-past-input-audio-array.patch29
-rw-r--r--ppp-slip-Validate-VJ-compression-slot-parameters-com.patch139
-rw-r--r--sources2
-rw-r--r--unix-properly-account-for-FDs-passed-over-unix-socke.patch140
-rw-r--r--wext-fix-message-delay-ordering.patch122
13 files changed, 444 insertions, 412 deletions
diff --git a/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch b/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
new file mode 100644
index 000000000..c469460e5
--- /dev/null
+++ b/HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
@@ -0,0 +1,94 @@
+From cd1e1e286bb3c4fa8714c1e571ae082e510efd5d Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Tue, 1 Dec 2015 12:41:38 +0100
+Subject: [PATCH] HID: multitouch: fix input mode switching on some Elan panels
+
+as reported by https://bugzilla.kernel.org/show_bug.cgi?id=108481
+
+This bug reports mentions 6d4f5440 ("HID: multitouch: Fetch feature
+reports on demand for Win8 devices") as the origin of the problem but this
+commit actually masked 2 firmware bugs that are annihilating each other:
+
+The report descriptor declares two features in reports 3 and 5:
+
+0x05, 0x0d, // Usage Page (Digitizers) 318
+0x09, 0x0e, // Usage (Device Configuration) 320
+0xa1, 0x01, // Collection (Application) 322
+0x85, 0x03, // Report ID (3) 324
+0x09, 0x22, // Usage (Finger) 326
+0xa1, 0x00, // Collection (Physical) 328
+0x09, 0x52, // Usage (Inputmode) 330
+0x15, 0x00, // Logical Minimum (0) 332
+0x25, 0x0a, // Logical Maximum (10) 334
+0x75, 0x08, // Report Size (8) 336
+0x95, 0x02, // Report Count (2) 338
+0xb1, 0x02, // Feature (Data,Var,Abs) 340
+0xc0, // End Collection 342
+0x09, 0x22, // Usage (Finger) 343
+0xa1, 0x00, // Collection (Physical) 345
+0x85, 0x05, // Report ID (5) 347
+0x09, 0x57, // Usage (Surface Switch) 349
+0x09, 0x58, // Usage (Button Switch) 351
+0x15, 0x00, // Logical Minimum (0) 353
+0x75, 0x01, // Report Size (1) 355
+0x95, 0x02, // Report Count (2) 357
+0x25, 0x03, // Logical Maximum (3) 359
+0xb1, 0x02, // Feature (Data,Var,Abs) 361
+0x95, 0x0e, // Report Count (14) 363
+0xb1, 0x03, // Feature (Cnst,Var,Abs) 365
+0xc0, // End Collection 367
+
+The report ID 3 presents 2 input mode features, while only the first one
+is handled by the device. Given that we did not checked if one was
+previously assigned, we were dealing with the ignored featured and we
+should never have been able to switch this panel into the multitouch mode.
+
+However, the firmware presents an other bugs which allowed 6d4f5440
+to counteract the faulty report descriptor. When we request the values
+of the feature 5, the firmware answers "03 03 00". The fields are correct
+but the report id is wrong. Before 6d4f5440, we retrieved all the features
+and injected them in the system. So when we called report 5, we injected
+in the system the report 3 with the values "03 00".
+Setting the second input mode to 03 in this report changed it to "03 03"
+and the touchpad switched to the mt mode. We could have set anything
+in the second field because the actual value (the first 03 in this report)
+was given by the query of report ID 5.
+
+To sum up: 2 bugs in the firmware were hiding that we were accessing the
+wrong feature.
+
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-multitouch.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index ba94044cb859..d866720412cd 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -357,8 +357,19 @@ static void mt_feature_mapping(struct hid_device *hdev,
+ break;
+ }
+
+- td->inputmode = field->report->id;
+- td->inputmode_index = usage->usage_index;
++ if (td->inputmode < 0) {
++ td->inputmode = field->report->id;
++ td->inputmode_index = usage->usage_index;
++ } else {
++ /*
++ * Some elan panels wrongly declare 2 input mode
++ * features, and silently ignore when we set the
++ * value in the second field. Skip the second feature
++ * and hope for the best.
++ */
++ dev_info(&hdev->dev,
++ "Ignoring the extra HID_DG_INPUTMODE\n");
++ }
+
+ break;
+ case HID_DG_CONTACTMAX:
+--
+2.5.0
+
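Review bot: The new `if (td->inputmode < 0)` test in mt_feature_mapping treats any negative value as "no input mode feature mapped yet", but neither the initial value of `td->inputmode` nor its type is visible in this hunk. The value stored is `field->report->id`, which comes from the device's report descriptor, so the field has to be wide enough that a large report ID is never stored as a negative number, otherwise a later feature would overwrite the first one again. I would state the invariant above the test, for example `/* inputmode stays negative until the first HID_DG_INPUTMODE feature is mapped */`, and confirm the sentinel is assigned before feature mapping runs. The enclosing switch case starts and ends outside the hunk.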
diff --git a/HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch b/HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
new file mode 100644
index 000000000..b1a789e84
--- /dev/null
+++ b/HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
@@ -0,0 +1,49 @@
+From 954d6154959c8c196fa4b89fc98a4fb377c6a38d Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Fri, 8 Jan 2016 17:58:49 +0100
+Subject: [PATCH] HID: sony: do not bail out when the sixaxis refuses the
+ output report
+
+When setting the operational mode, some third party (Speedlink Strike-FX)
+gamepads refuse the output report. Failing here means we refuse to
+initialize the gamepad while this should be harmless.
+
+The weird part is that the initial commit that added this: a7de9b8
+("HID: sony: Enable Gasia third-party PS3 controllers") mentions this
+very same controller as one requiring this output report.
+Anyway, it's broken for one user at least, so let's change it.
+We will report an error, but at least the controller should work.
+
+And no, these devices present themselves as legacy Sony controllers
+(VID:PID of 054C:0268, as in the official ones) so there are no ways
+of discriminating them from the official ones.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1255325
+
+Reported-and-tested-by: Max Fedotov <thesourcehim@gmail.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ drivers/hid/hid-sony.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index 661f94f8ab8b..11f91c0c2458 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -1411,8 +1411,10 @@ static int sixaxis_set_operational_usb(struct hid_device *hdev)
+ }
+
+ ret = hid_hw_output_report(hdev, buf, 1);
+- if (ret < 0)
+- hid_err(hdev, "can't set operational mode: step 3\n");
++ if (ret < 0) {
++ hid_info(hdev, "can't set operational mode: step 3, ignoring\n");
++ ret = 0;
++ }
+
+ out:
+ kfree(buf);
+--
+2.5.0
+
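Review bot: The added block in sixaxis_set_operational_usb clears `ret` for every negative return from `hid_hw_output_report()`, so a genuine transport failure is reported as success in the same way as the refused report the commit message describes. The commit message also says an error will still be reported, yet the log call is downgraded from `hid_err` to `hid_info`; `hid_warn(hdev, "can't set operational mode: step 3, ignoring\n");` would keep the failure distinguishable from routine informational output. If the refusal comes back with one specific error code, ignoring only that code would be tighter, but that cannot be determined from this hunk. The function body begins outside the hunk.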
diff --git a/KVM-svm-unconditionally-intercept-DB.patch b/KVM-svm-unconditionally-intercept-DB.patch
deleted file mode 100644
index 021af4ccb..000000000
--- a/KVM-svm-unconditionally-intercept-DB.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 48bb9bb210c6c2f185d891e3e7a401d849409f84 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 10 Nov 2015 13:22:53 +0100
-Subject: [PATCH 2/2] KVM: svm: unconditionally intercept #DB
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich@suse.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- arch/x86/kvm/svm.c | 14 +++-----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 7203b3cc71b5..184e50b3c35a 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1111,6 +1111,7 @@ static void init_vmcb(struct vcpu_svm *svm)
- set_exception_intercept(svm, UD_VECTOR);
- set_exception_intercept(svm, MC_VECTOR);
- set_exception_intercept(svm, AC_VECTOR);
-+ set_exception_intercept(svm, DB_VECTOR);
-
- set_intercept(svm, INTERCEPT_INTR);
- set_intercept(svm, INTERCEPT_NMI);
-@@ -1645,20 +1646,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- mark_dirty(svm->vmcb, VMCB_SEG);
- }
-
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-
-- clr_exception_intercept(svm, DB_VECTOR);
- clr_exception_intercept(svm, BP_VECTOR);
-
-- if (svm->nmi_singlestep)
-- set_exception_intercept(svm, DB_VECTOR);
--
- if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
-- if (vcpu->guest_debug &
-- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-- set_exception_intercept(svm, DB_VECTOR);
- if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- set_exception_intercept(svm, BP_VECTOR);
- } else
-@@ -1764,7 +1758,6 @@ static int db_interception(struct vcpu_svm *svm)
- if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- svm->vmcb->save.rflags &=
- ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(&svm->vcpu);
- }
-
- if (svm->vcpu.guest_debug &
-@@ -3753,7 +3746,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
- */
- svm->nmi_singlestep = true;
- svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(vcpu);
- }
-
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -4379,7 +4371,7 @@ static struct kvm_x86_ops svm_x86_ops = {
- .vcpu_load = svm_vcpu_load,
- .vcpu_put = svm_vcpu_put,
-
-- .update_db_bp_intercept = update_db_bp_intercept,
-+ .update_db_bp_intercept = update_bp_intercept,
- .get_msr = svm_get_msr,
- .set_msr = svm_set_msr,
- .get_segment_base = svm_get_segment_base,
---
-2.4.3
-
diff --git a/cfg80211-wext-fix-message-ordering.patch b/cfg80211-wext-fix-message-ordering.patch
new file mode 100644
index 000000000..8d3cdfdda
--- /dev/null
+++ b/cfg80211-wext-fix-message-ordering.patch
@@ -0,0 +1,83 @@
+From cb150b9d23be6ee7f3a0fff29784f1c5b5ac514d Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 27 Jan 2016 13:29:34 +0100
+Subject: cfg80211/wext: fix message ordering
+
+Since cfg80211 frequently takes actions from its netdev notifier
+call, wireless extensions messages could still be ordered badly
+since the wext netdev notifier, since wext is built into the
+kernel, runs before the cfg80211 netdev notifier. For example,
+the following can happen:
+
+5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+5: wlan1: <BROADCAST,MULTICAST,UP>
+ link/ether
+
+when setting the interface down causes the wext message.
+
+To also fix this, export the wireless_nlevent_flush() function
+and also call it from the cfg80211 notifier.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ include/net/iw_handler.h | 6 ++++++
+ net/wireless/core.c | 2 ++
+ net/wireless/wext-core.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/iw_handler.h b/include/net/iw_handler.h
+index 8f81bbb..e0f4109 100644
+--- a/include/net/iw_handler.h
++++ b/include/net/iw_handler.h
+@@ -439,6 +439,12 @@ int dev_get_wireless_info(char *buffer, char **start, off_t offset, int length);
+ /* Send a single event to user space */
+ void wireless_send_event(struct net_device *dev, unsigned int cmd,
+ union iwreq_data *wrqu, const char *extra);
++#ifdef CONFIG_WEXT_CORE
++/* flush all previous wext events - if work is done from netdev notifiers */
++void wireless_nlevent_flush(void);
++#else
++static inline void wireless_nlevent_flush(void) {}
++#endif
+
+ /* We may need a function to send a stream of events to user space.
+ * More on that later... */
+diff --git a/net/wireless/core.c b/net/wireless/core.c
+index b091551..8f0bac7 100644
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1147,6 +1147,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
+ return NOTIFY_DONE;
+ }
+
++ wireless_nlevent_flush();
++
+ return NOTIFY_OK;
+ }
+
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index 87dd619..b50ee5d 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -342,7 +342,7 @@ static const int compat_event_type_size[] = {
+
+ /* IW event code */
+
+-static void wireless_nlevent_flush(void)
++void wireless_nlevent_flush(void)
+ {
+ struct sk_buff *skb;
+ struct net *net;
+@@ -355,6 +355,7 @@ static void wireless_nlevent_flush(void)
+ GFP_KERNEL);
+ }
+ }
++EXPORT_SYMBOL_GPL(wireless_nlevent_flush);
+
+ static int wext_netdev_notifier_call(struct notifier_block *nb,
+ unsigned long state, void *ptr)
+--
+cgit v0.12
+
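Review bot: The comment added above the new `wireless_nlevent_flush()` declaration in include/net/iw_handler.h does not state the locking requirement, although the function is now exported with `EXPORT_SYMBOL_GPL` and callable from other modules. The definition shown in wext-fix-message-delay-ordering.patch in this same commit begins with `ASSERT_RTNL()`, so callers must hold the RTNL lock. I would extend the comment to `/* flush all previous wext events - if work is done from netdev notifiers; caller must hold the RTNL lock */`. The call added to cfg80211_netdev_notifier_call is also skipped on the earlier `return NOTIFY_DONE` path, which looks intended but is worth confirming because the rest of that function is outside the hunk.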
diff --git a/config-arm64 b/config-arm64
index 2c2139bd6..31f4d51c6 100644
--- a/config-arm64
+++ b/config-arm64
@@ -29,6 +29,7 @@ CONFIG_ARM64_ERRATUM_827319=y
CONFIG_ARM64_ERRATUM_824069=y
CONFIG_ARM64_ERRATUM_819472=y
CONFIG_ARM64_ERRATUM_832075=y
+CONFIG_ARM64_ERRATUM_834220=y
CONFIG_ARM64_ERRATUM_843419=y
# AMBA / VExpress
diff --git a/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch b/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
deleted file mode 100644
index cf8b5a829..000000000
--- a/isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 59f271755df42fce6d38ebdf5b7502666b1e0c36 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:21:24 +0000
-Subject: [PATCH 1/2] isdn_ppp: Add checks for allocation failure in
- isdn_ppp_open()
-
-Compile-tested only.
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/isdn/i4l/isdn_ppp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index c4198fa490bf..86f9abebcb72 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file)
- is->compflags = 0;
-
- is->reset = isdn_ppp_ccp_reset_alloc(is);
-+ if (!is->reset)
-+ return -ENOMEM;
-
- is->lp = NULL;
- is->mp_seqno = 0; /* MP sequence number */
-@@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file)
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-+ if (!is->slcomp) {
-+ isdn_ppp_ccp_reset_free(is);
-+ return -ENOMEM;
-+ }
- #endif
- #ifdef CONFIG_IPPP_FILTER
- is->pass_filter = NULL;
---
-2.4.3
-
diff --git a/kernel.spec b/kernel.spec
index 8b668ac8f..b41396f82 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
-%define stable_update 4
+%define stable_update 5
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev %{stable_update}
@@ -611,13 +611,6 @@ Patch503: drm-i915-turn-off-wc-mmaps.patch
Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
-#CVE-2015-7799 rhbz 1271134 1271135
-Patch512: isdn_ppp-Add-checks-for-allocation-failure-in-isdn_p.patch
-Patch513: ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
-
-#CVE-2015-8104 rhbz 1278496 1279691
-Patch551: KVM-svm-unconditionally-intercept-DB.patch
-
#rhbz 1269300
Patch552: megaraid_sas-Do-not-use-PAGE_SIZE-for-max_sectors.patch
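Review bot: This hunk drops the patches tagged CVE-2015-7799 and CVE-2015-8104, and the hunk at `@@ -695,9 +689,6 @@` drops the one tagged CVE-2013-4312, but neither the commit message nor the new %changelog entries say why. Presumably the fixes are carried by the stable update that `%define stable_update 5` pulls in; that cannot be confirmed from this page and should be checked against the new patch-4.3.5.xz before the build is published. Once verified, I would record it in the changelog, for example `- Drop CVE-2015-7799, CVE-2015-8104 and CVE-2013-4312 patches (now in the stable update)`.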
@@ -660,6 +653,7 @@ Patch605: KVM-x86-Reload-pit-counters-for-all-channels-when-re.patch
#rhbz 1296677
Patch606: HID-multitouch-Fetch-feature-reports-on-demand-for-W.patch
+Patch641: HID-multitouch-fix-input-mode-switching-on-some-Elan.patch
#rhbz 1281368
Patch607: drm-nouveau-Fix-pre-nv50-pageflip-events-v4.patch
@@ -695,9 +689,6 @@ Patch630: SCSI-fix-bug-in-scsi_dev_info_list-matching.patch
Patch631: btrfs-handle-invalid-num_stripes-in-sys_array.patch
Patch632: Btrfs-fix-fitrim-discarding-device-area-reserved-for.patch
-#CVE-2013-4312 rhbz 1297813 1300216
-Patch636: unix-properly-account-for-FDs-passed-over-unix-socke.patch
-
#CVE-2016-0723 rhbz 1296253 1300224
Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
@@ -710,6 +701,17 @@ Patch639: netfilter-nf_nat_redirect-add-missing-NULL-pointer-c.patch
#rhbz 1300955
Patch640: PNP-Add-Haswell-ULT-to-Intel-MCH-size-workaround.patch
+#rhbz 1278942
+Patch642: media-Revert-media-ivtv-avoid-going-past-input-audio.patch
+Patch643: media-ivtv-avoid-going-past-input-audio-array.patch
+
+#rhbz 1302037
+Patch644: wext-fix-message-delay-ordering.patch
+Patch645: cfg80211-wext-fix-message-ordering.patch
+
+#rhbz 1255325
+Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
+
# END OF PATCH DEFINITIONS
%endif
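Review bot: The bug reference for the sony patch is inconsistent within this file: the comment added here reads `#rhbz 1255325`, which matches the bugzilla URL inside HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch, while the new %changelog entry in the hunk at `@@ -2156,7 +2158,20 @@` says `(rhbz 1255235)`. The changelog line should read `- Backport HID sony patch to fix some gamepads (rhbz 1255325)` so that the fix can be traced from the changelog to the right report. The same changelog hunk also spells `suprious` where `spurious` is meant.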
@@ -2156,7 +2158,20 @@ fi
#
#
%changelog
-* Sat Jan 23 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.4-300
+* Sun Jan 31 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.5-300
+- Linux v4.3.5
+
+* Fri Jan 29 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Backport HID sony patch to fix some gamepads (rhbz 1255235)
+
+* Thu Jan 28 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix issues with ivtv driver on PVR350 devices (rhbz 1278942)
+- Add patches to fix suprious NEWLINK netlink messages (rhbz 1302037)
+
+* Mon Jan 25 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.3.4-300
+- Add patch to fix some Elan touchpads (rhbz 1296677)
+
+* Sat Jan 23 2016 Josh Boyer <jwboyer@fedoraproject.org>
- Linux v4.3.4
* Fri Jan 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
diff --git a/media-Revert-media-ivtv-avoid-going-past-input-audio.patch b/media-Revert-media-ivtv-avoid-going-past-input-audio.patch
new file mode 100644
index 000000000..7c00071c6
--- /dev/null
+++ b/media-Revert-media-ivtv-avoid-going-past-input-audio.patch
@@ -0,0 +1,38 @@
+From 823873481b2a17ce5900899f8ef85118f8407b67 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Wed, 11 Nov 2015 09:22:36 -0200
+Subject: [PATCH] [media] Revert "[media] ivtv: avoid going past input/audio
+ array"
+
+This patch broke ivtv logic, as reported at
+ https://bugzilla.redhat.com/show_bug.cgi?id=1278942
+
+This reverts commit 09290cc885937cab3b2d60a6d48fe3d2d3e04061.
+
+Cc: stable@vger.kernel.org # for v4.1 and upper
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/pci/ivtv/ivtv-driver.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
+index 8616fa8193bc..c2e60b4f292d 100644
+--- a/drivers/media/pci/ivtv/ivtv-driver.c
++++ b/drivers/media/pci/ivtv/ivtv-driver.c
+@@ -805,11 +805,11 @@ static void ivtv_init_struct2(struct ivtv *itv)
+ {
+ int i;
+
+- for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS - 1; i++)
++ for (i = 0; i < IVTV_CARD_MAX_VIDEO_INPUTS; i++)
+ if (itv->card->video_inputs[i].video_type == 0)
+ break;
+ itv->nof_inputs = i;
+- for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS - 1; i++)
++ for (i = 0; i < IVTV_CARD_MAX_AUDIO_INPUTS; i++)
+ if (itv->card->audio_inputs[i].audio_type == 0)
+ break;
+ itv->nof_audio_inputs = i;
+--
+2.5.0
+
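Review bot: The restored loop bounds `i < IVTV_CARD_MAX_VIDEO_INPUTS` and `i < IVTV_CARD_MAX_AUDIO_INPUTS` in ivtv_init_struct2 carry no comment explaining why the `- 1` form was wrong, and the commit message only says the earlier patch broke ivtv logic. With the full bound, `nof_inputs` can equal the array size when no entry has `video_type == 0`, so every later index has to stay below `nof_inputs`; media-ivtv-avoid-going-past-input-audio-array.patch in this same commit handles the index that smatch flagged. A short comment such as `/* a fully populated table has no terminating zero entry, so scan the whole array */` would keep the bound from being narrowed again; that reading of the breakage is inferred from the code, not stated on the page.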
diff --git a/media-ivtv-avoid-going-past-input-audio-array.patch b/media-ivtv-avoid-going-past-input-audio-array.patch
new file mode 100644
index 000000000..42009eb71
--- /dev/null
+++ b/media-ivtv-avoid-going-past-input-audio-array.patch
@@ -0,0 +1,29 @@
+From d55ebd07b6c21a1c7e3e74f1b73b3b033cece2b5 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Date: Wed, 11 Nov 2015 09:27:42 -0200
+Subject: [PATCH] [media] ivtv: avoid going past input/audio array
+
+As reported by smatch:
+ drivers/media/pci/ivtv/ivtv-driver.c:832 ivtv_init_struct2() error: buffer overflow 'itv->card->video_inputs' 6 <= 6
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/pci/ivtv/ivtv-driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
+index c2e60b4f292d..2bb10cd9ecfd 100644
+--- a/drivers/media/pci/ivtv/ivtv-driver.c
++++ b/drivers/media/pci/ivtv/ivtv-driver.c
+@@ -826,7 +826,7 @@ static void ivtv_init_struct2(struct ivtv *itv)
+ IVTV_CARD_INPUT_VID_TUNER)
+ break;
+ }
+- if (i == itv->nof_inputs)
++ if (i >= itv->nof_inputs)
+ i = 0;
+ itv->active_input = i;
+ itv->audio_input = itv->card->video_inputs[i].audio_index;
+--
+2.5.0
+
diff --git a/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch b/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
deleted file mode 100644
index eac5aa7de..000000000
--- a/ppp-slip-Validate-VJ-compression-slot-parameters-com.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From a8bc90052f18348718412cebf7b569da95bad264 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Sun, 1 Nov 2015 16:22:53 +0000
-Subject: [PATCH 2/2] ppp, slip: Validate VJ compression slot parameters
- completely
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently slhc_init() treats out-of-range values of rslots and tslots
-as equivalent to 0, except that if tslots is too large it will
-dereference a null pointer (CVE-2015-7799).
-
-Add a range-check at the top of the function and make it return an
-ERR_PTR() on error instead of NULL. Change the callers accordingly.
-
-Compile-tested only.
-
-Reported-by: 郭永刚 <guoyonggang@360.cn>
-References: http://article.gmane.org/gmane.comp.security.oss.general/17908
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/isdn/i4l/isdn_ppp.c | 10 ++++------
- drivers/net/ppp/ppp_generic.c | 6 ++----
- drivers/net/slip/slhc.c | 12 ++++++++----
- drivers/net/slip/slip.c | 2 +-
- 4 files changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
-index 86f9abebcb72..9c1e8adaf4fc 100644
---- a/drivers/isdn/i4l/isdn_ppp.c
-+++ b/drivers/isdn/i4l/isdn_ppp.c
-@@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file)
- * VJ header compression init
- */
- is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */
-- if (!is->slcomp) {
-+ if (IS_ERR(is->slcomp)) {
- isdn_ppp_ccp_reset_free(is);
-- return -ENOMEM;
-+ return PTR_ERR(is->slcomp);
- }
- #endif
- #ifdef CONFIG_IPPP_FILTER
-@@ -573,10 +573,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg)
- is->maxcid = val;
- #ifdef CONFIG_ISDN_PPP_VJ
- sltmp = slhc_init(16, val);
-- if (!sltmp) {
-- printk(KERN_ERR "ippp, can't realloc slhc struct\n");
-- return -ENOMEM;
-- }
-+ if (IS_ERR(sltmp))
-+ return PTR_ERR(sltmp);
- if (is->slcomp)
- slhc_free(is->slcomp);
- is->slcomp = sltmp;
-diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
-index ed00446759b2..9a863c6a6a33 100644
---- a/drivers/net/ppp/ppp_generic.c
-+++ b/drivers/net/ppp/ppp_generic.c
-@@ -721,10 +721,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- val &= 0xffff;
- }
- vj = slhc_init(val2+1, val+1);
-- if (!vj) {
-- netdev_err(ppp->dev,
-- "PPP: no memory (VJ compressor)\n");
-- err = -ENOMEM;
-+ if (IS_ERR(vj)) {
-+ err = PTR_ERR(vj);
- break;
- }
- ppp_lock(ppp);
-diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
-index 079f7adfcde5..27ed25252aac 100644
---- a/drivers/net/slip/slhc.c
-+++ b/drivers/net/slip/slhc.c
-@@ -84,8 +84,9 @@ static long decode(unsigned char **cpp);
- static unsigned char * put16(unsigned char *cp, unsigned short x);
- static unsigned short pull16(unsigned char **cpp);
-
--/* Initialize compression data structure
-+/* Allocate compression data structure
- * slots must be in range 0 to 255 (zero meaning no compression)
-+ * Returns pointer to structure or ERR_PTR() on error.
- */
- struct slcompress *
- slhc_init(int rslots, int tslots)
-@@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots)
- register struct cstate *ts;
- struct slcompress *comp;
-
-+ if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255)
-+ return ERR_PTR(-EINVAL);
-+
- comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
- if (! comp)
- goto out_fail;
-
-- if ( rslots > 0 && rslots < 256 ) {
-+ if (rslots > 0) {
- size_t rsize = rslots * sizeof(struct cstate);
- comp->rstate = kzalloc(rsize, GFP_KERNEL);
- if (! comp->rstate)
-@@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots)
- comp->rslot_limit = rslots - 1;
- }
-
-- if ( tslots > 0 && tslots < 256 ) {
-+ if (tslots > 0) {
- size_t tsize = tslots * sizeof(struct cstate);
- comp->tstate = kzalloc(tsize, GFP_KERNEL);
- if (! comp->tstate)
-@@ -141,7 +145,7 @@ out_free2:
- out_free:
- kfree(comp);
- out_fail:
-- return NULL;
-+ return ERR_PTR(-ENOMEM);
- }
-
-
-diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
-index 05387b1e2e95..a17d86a57734 100644
---- a/drivers/net/slip/slip.c
-+++ b/drivers/net/slip/slip.c
-@@ -164,7 +164,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu)
- if (cbuff == NULL)
- goto err_exit;
- slcomp = slhc_init(16, 16);
-- if (slcomp == NULL)
-+ if (IS_ERR(slcomp))
- goto err_exit;
- #endif
- spin_lock_bh(&sl->lock);
---
-2.4.3
-
diff --git a/sources b/sources
index e80ccf89f..7a5dea205 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
58b35794eee3b6d52ce7be39357801e7 linux-4.3.tar.xz
7c516c9528b9f9aac0136944b0200b7e perf-man-4.3.tar.gz
-5bbeeb57b8cff23e5c27430e60810d1b patch-4.3.4.xz
+4786a4b42da54527d6ca0d1fc1f0fade patch-4.3.5.xz
diff --git a/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/unix-properly-account-for-FDs-passed-over-unix-socke.patch
deleted file mode 100644
index c263abf2b..000000000
--- a/unix-properly-account-for-FDs-passed-over-unix-socke.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 0cd038d23b86853d68993c94f3c713e4375fd61f Mon Sep 17 00:00:00 2001
-From: willy tarreau <w@1wt.eu>
-Date: Sun, 10 Jan 2016 07:54:56 +0100
-Subject: [PATCH] unix: properly account for FDs passed over unix sockets
-
-It is possible for a process to allocate and accumulate far more FDs than
-the process' limit by sending them over a unix socket then closing them
-to keep the process' fd count low.
-
-This change addresses this problem by keeping track of the number of FDs
-in flight per user and preventing non-privileged processes from having
-more FDs in flight than their configured FD limit.
-
-Reported-by: socketpair@gmail.com
-Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Mitigates: CVE-2013-4312 (Linux 2.0+)
-Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
-Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- include/linux/sched.h | 1 +
- net/unix/af_unix.c | 24 ++++++++++++++++++++----
- net/unix/garbage.c | 13 ++++++++-----
- 3 files changed, 29 insertions(+), 9 deletions(-)
-
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index b7b9501b41af..f477e87ca46f 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -830,6 +830,7 @@ struct user_struct {
- unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
- #endif
- unsigned long locked_shm; /* How many pages of mlocked shm ? */
-+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
-
- #ifdef CONFIG_KEYS
- struct key *uid_keyring; /* UID specific keyring */
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index 128b0982c96b..9085de63bb81 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -1498,6 +1498,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
- sock_wfree(skb);
- }
-
-+/*
-+ * The "user->unix_inflight" variable is protected by the garbage
-+ * collection lock, and we just read it locklessly here. If you go
-+ * over the limit, there might be a tiny race in actually noticing
-+ * it across threads. Tough.
-+ */
-+static inline bool too_many_unix_fds(struct task_struct *p)
-+{
-+ struct user_struct *user = current_user();
-+
-+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
-+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
-+ return false;
-+}
-+
- #define MAX_RECURSION_LEVEL 4
-
- static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
-@@ -1506,6 +1521,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- unsigned char max_level = 0;
- int unix_sock_count = 0;
-
-+ if (too_many_unix_fds(current))
-+ return -ETOOMANYREFS;
-+
- for (i = scm->fp->count - 1; i >= 0; i--) {
- struct sock *sk = unix_get_socket(scm->fp->fp[i]);
-
-@@ -1527,10 +1545,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
- if (!UNIXCB(skb).fp)
- return -ENOMEM;
-
-- if (unix_sock_count) {
-- for (i = scm->fp->count - 1; i >= 0; i--)
-- unix_inflight(scm->fp->fp[i]);
-- }
-+ for (i = scm->fp->count - 1; i >= 0; i--)
-+ unix_inflight(scm->fp->fp[i]);
- return max_level;
- }
-
-diff --git a/net/unix/garbage.c b/net/unix/garbage.c
-index a73a226f2d33..8fcdc2283af5 100644
---- a/net/unix/garbage.c
-+++ b/net/unix/garbage.c
-@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
--
- if (atomic_long_inc_return(&u->inflight) == 1) {
- BUG_ON(!list_empty(&u->link));
- list_add_tail(&u->link, &gc_inflight_list);
-@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
- BUG_ON(list_empty(&u->link));
- }
- unix_tot_inflight++;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight++;
-+ spin_unlock(&unix_gc_lock);
- }
-
- void unix_notinflight(struct file *fp)
- {
- struct sock *s = unix_get_socket(fp);
-
-+ spin_lock(&unix_gc_lock);
-+
- if (s) {
- struct unix_sock *u = unix_sk(s);
-
-- spin_lock(&unix_gc_lock);
- BUG_ON(list_empty(&u->link));
-
- if (atomic_long_dec_and_test(&u->inflight))
- list_del_init(&u->link);
- unix_tot_inflight--;
-- spin_unlock(&unix_gc_lock);
- }
-+ fp->f_cred->user->unix_inflight--;
-+ spin_unlock(&unix_gc_lock);
- }
-
- static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
---
-2.5.0
-
diff --git a/wext-fix-message-delay-ordering.patch b/wext-fix-message-delay-ordering.patch
new file mode 100644
index 000000000..109b68da3
--- /dev/null
+++ b/wext-fix-message-delay-ordering.patch
@@ -0,0 +1,122 @@
+From 8bf862739a7786ae72409220914df960a0aa80d8 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 27 Jan 2016 12:37:52 +0100
+Subject: wext: fix message delay/ordering
+
+Beniamino reported that he was getting an RTM_NEWLINK message for a
+given interface, after the RTM_DELLINK for it. It turns out that the
+message is a wireless extensions message, which was sent because the
+interface had been connected and disconnection while it was deleted
+caused a wext message.
+
+For its netlink messages, wext uses RTM_NEWLINK, but the message is
+without all the regular rtnetlink attributes, so "ip monitor link"
+prints just rudimentary information:
+
+5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+Deleted 5: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
+ link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
+5: wlan1: <BROADCAST,MULTICAST,UP>
+ link/ether
+(from my hwsim reproduction)
+
+This can cause userspace to get confused since it doesn't expect an
+RTM_NEWLINK message after RTM_DELLINK.
+
+The reason for this is that wext schedules a worker to send out the
+messages, and the scheduling delay can cause the messages to get out
+to userspace in different order.
+
+To fix this, have wext register a netdevice notifier and flush out
+any pending messages when netdevice state changes. This fixes any
+ordering whenever the original message wasn't sent by a notifier
+itself.
+
+Cc: stable@vger.kernel.org
+Reported-by: Beniamino Galvani <bgalvani@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ net/wireless/wext-core.c | 51 +++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 11 deletions(-)
+
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index c8717c1..87dd619 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -342,6 +342,39 @@ static const int compat_event_type_size[] = {
+
+ /* IW event code */
+
++static void wireless_nlevent_flush(void)
++{
++ struct sk_buff *skb;
++ struct net *net;
++
++ ASSERT_RTNL();
++
++ for_each_net(net) {
++ while ((skb = skb_dequeue(&net->wext_nlevents)))
++ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
++ GFP_KERNEL);
++ }
++}
++
++static int wext_netdev_notifier_call(struct notifier_block *nb,
++ unsigned long state, void *ptr)
++{
++ /*
++ * When a netdev changes state in any way, flush all pending messages
++ * to avoid them going out in a strange order, e.g. RTM_NEWLINK after
++ * RTM_DELLINK, or with IFF_UP after without IFF_UP during dev_close()
++ * or similar - all of which could otherwise happen due to delays from
++ * schedule_work().
++ */
++ wireless_nlevent_flush();
++
++ return NOTIFY_OK;
++}
++
++static struct notifier_block wext_netdev_notifier = {
++ .notifier_call = wext_netdev_notifier_call,
++};
++
+ static int __net_init wext_pernet_init(struct net *net)
+ {
+ skb_queue_head_init(&net->wext_nlevents);
+@@ -360,7 +393,12 @@ static struct pernet_operations wext_pernet_ops = {
+
+ static int __init wireless_nlevent_init(void)
+ {
+- return register_pernet_subsys(&wext_pernet_ops);
++ int err = register_pernet_subsys(&wext_pernet_ops);
++
++ if (err)
++ return err;
++
++ return register_netdevice_notifier(&wext_netdev_notifier);
+ }
+
+ subsys_initcall(wireless_nlevent_init);
+@@ -368,17 +406,8 @@ subsys_initcall(wireless_nlevent_init);
+ /* Process events generated by the wireless layer or the driver. */
+ static void wireless_nlevent_process(struct work_struct *work)
+ {
+- struct sk_buff *skb;
+- struct net *net;
+-
+ rtnl_lock();
+-
+- for_each_net(net) {
+- while ((skb = skb_dequeue(&net->wext_nlevents)))
+- rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL,
+- GFP_KERNEL);
+- }
+-
++ wireless_nlevent_flush();
+ rtnl_unlock();
+ }
+
+--
+cgit v0.12
+
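Review bot: In wireless_nlevent_init, a failure of `register_netdevice_notifier()` is returned to the caller while the pernet subsystem registered just above it stays registered. The error path should undo the first registration: `err = register_netdevice_notifier(&wext_netdev_notifier);`, `if (err) unregister_pernet_subsys(&wext_pernet_ops);`, `return err;`. Separately, wext_netdev_notifier_call flushes the queues of every network namespace on each netdev event regardless of which device changed, which is simple but deserves a sentence in its comment about the expected cost.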