Merge remote-tracking branch 'origin/f22' into f22-user-thl-vanilla-fedorakernel-4.4.10-200.vanilla.knurd.1.fc22

11 files changed, 433 insertions, 368 deletions

diff --git a/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch b/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch
deleted file mode 100644
index a76603900..000000000
--- a/0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-From a21211672c9a1d730a39aa65d4a5b3414700adfb Mon Sep 17 00:00:00 2001
-From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
-Date: Wed, 23 Mar 2016 21:07:39 -0700
-Subject: [PATCH] ACPI / processor: Request native thermal interrupt handling
- via _OSC
-
-There are several reports of freeze on enabling HWP (Hardware PStates)
-feature on Skylake-based systems by the Intel P-states driver. The root
-cause is identified as the HWP interrupts causing BIOS code to freeze.
-
-HWP interrupts use the thermal LVT which can be handled by Linux
-natively, but on the affected Skylake-based systems SMM will respond
-to it by default.  This is a problem for several reasons:
- - On the affected systems the SMM thermal LVT handler is broken (it
-   will crash when invoked) and a BIOS update is necessary to fix it.
- - With thermal interrupt handled in SMM we lose all of the reporting
-   features of the arch/x86/kernel/cpu/mcheck/therm_throt driver.
- - Some thermal drivers like x86-package-temp depend on the thermal
-   threshold interrupts signaled via the thermal LVT.
- - The HWP interrupts are useful for debugging and tuning
-   performance (if the kernel can handle them).
-The native handling of thermal interrupts needs to be enabled
-because of that.
-
-This requires some way to tell SMM that the OS can handle thermal
-interrupts.  That can be done by using _OSC/_PDC in processor
-scope very early during ACPI initialization.
-
-The meaning of _OSC/_PDC bit 12 in processor scope is whether or
-not the OS supports native handling of interrupts for Collaborative
-Processor Performance Control (CPPC) notifications.  Since on
-HWP-capable systems CPPC is a firmware interface to HWP, setting
-this bit effectively tells the firmware that the OS will handle
-thermal interrupts natively going forward.
-
-For details on _OSC/_PDC refer to:
-http://www.intel.com/content/www/us/en/standards/processor-vendor-specific-acpi-specification.html
-
-To implement the _OSC/_PDC handshake as described, introduce a new
-function, acpi_early_processor_osc(), that walks the ACPI
-namespace looking for ACPI processor objects and invokes _OSC for
-them with bit 12 in the capabilities buffer set and terminates the
-namespace walk on the first success.
-
-Also modify intel_thermal_interrupt() to clear HWP status bits in
-the HWP_STATUS MSR to acknowledge HWP interrupts (which prevents
-them from firing continuously).
-
-Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
-[ rjw: Subject & changelog, function rename ]
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
----
- arch/x86/kernel/cpu/mcheck/therm_throt.c |  3 ++
- drivers/acpi/acpi_processor.c            | 52 ++++++++++++++++++++++++++++++++
- drivers/acpi/bus.c                       |  3 ++
- drivers/acpi/internal.h                  |  6 ++++
- 4 files changed, 64 insertions(+)
-
-diff --git a/arch/x86/kernel/cpu/mcheck/therm_throt.c b/arch/x86/kernel/cpu/mcheck/therm_throt.c
-index 2c5aaf8..0553858 100644
---- a/arch/x86/kernel/cpu/mcheck/therm_throt.c
-+++ b/arch/x86/kernel/cpu/mcheck/therm_throt.c
-@@ -385,6 +385,9 @@ static void intel_thermal_interrupt(void)
- {
- 	__u64 msr_val;
- 
-+	if (static_cpu_has(X86_FEATURE_HWP))
-+		wrmsrl_safe(MSR_HWP_STATUS, 0);
-+
- 	rdmsrl(MSR_IA32_THERM_STATUS, msr_val);
- 
- 	/* Check for violation of core thermal thresholds*/
-diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
-index b5e54f2..0d92d0f 100644
---- a/drivers/acpi/acpi_processor.c
-+++ b/drivers/acpi/acpi_processor.c
-@@ -491,6 +491,58 @@ static void acpi_processor_remove(struct acpi_device *device)
- }
- #endif /* CONFIG_ACPI_HOTPLUG_CPU */
- 
-+#ifdef CONFIG_X86
-+static bool acpi_hwp_native_thermal_lvt_set;
-+static acpi_status __init acpi_hwp_native_thermal_lvt_osc(acpi_handle handle,
-+							  u32 lvl,
-+							  void *context,
-+							  void **rv)
-+{
-+	u8 sb_uuid_str[] = "4077A616-290C-47BE-9EBD-D87058713953";
-+	u32 capbuf[2];
-+	struct acpi_osc_context osc_context = {
-+		.uuid_str = sb_uuid_str,
-+		.rev = 1,
-+		.cap.length = 8,
-+		.cap.pointer = capbuf,
-+	};
-+
-+	if (acpi_hwp_native_thermal_lvt_set)
-+		return AE_CTRL_TERMINATE;
-+
-+	capbuf[0] = 0x0000;
-+	capbuf[1] = 0x1000; /* set bit 12 */
-+
-+	if (ACPI_SUCCESS(acpi_run_osc(handle, &osc_context))) {
-+		if (osc_context.ret.pointer && osc_context.ret.length > 1) {
-+			u32 *capbuf_ret = osc_context.ret.pointer;
-+
-+			if (capbuf_ret[1] & 0x1000) {
-+				acpi_handle_info(handle,
-+					"_OSC native thermal LVT Acked\n");
-+				acpi_hwp_native_thermal_lvt_set = true;
-+			}
-+		}
-+		kfree(osc_context.ret.pointer);
-+	}
-+
-+	return AE_OK;
-+}
-+
-+void __init acpi_early_processor_osc(void)
-+{
-+	if (boot_cpu_has(X86_FEATURE_HWP)) {
-+		acpi_walk_namespace(ACPI_TYPE_PROCESSOR, ACPI_ROOT_OBJECT,
-+				    ACPI_UINT32_MAX,
-+				    acpi_hwp_native_thermal_lvt_osc,
-+				    NULL, NULL, NULL);
-+		acpi_get_devices(ACPI_PROCESSOR_DEVICE_HID,
-+				 acpi_hwp_native_thermal_lvt_osc,
-+				 NULL, NULL);
-+	}
-+}
-+#endif
-+
- /*
-  * The following ACPI IDs are known to be suitable for representing as
-  * processor devices.
-diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
-index 891c42d..f9081b7 100644
---- a/drivers/acpi/bus.c
-+++ b/drivers/acpi/bus.c
-@@ -1005,6 +1005,9 @@ static int __init acpi_bus_init(void)
- 		goto error1;
- 	}
- 
-+	/* Set capability bits for _OSC under processor scope */
-+	acpi_early_processor_osc();
-+
- 	/*
- 	 * _OSC method may exist in module level code,
- 	 * so it must be run after ACPI_FULL_INITIALIZATION
-diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h
-index 1e6833a..6f41c73 100644
---- a/drivers/acpi/internal.h
-+++ b/drivers/acpi/internal.h
-@@ -138,6 +138,12 @@ void acpi_early_processor_set_pdc(void);
- static inline void acpi_early_processor_set_pdc(void) {}
- #endif
- 
-+#ifdef CONFIG_X86
-+void acpi_early_processor_osc(void);
-+#else
-+static inline void acpi_early_processor_osc(void) {}
-+#endif
-+
- /* --------------------------------------------------------------------------
-                                   Embedded Controller
-    -------------------------------------------------------------------------- */
--- 
-2.5.5
-
diff --git a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch b/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
deleted file mode 100644
index d26c5d52d..000000000
--- a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 88fd0f33c3cc5aa6a26f56902241941ac717e9f8 Mon Sep 17 00:00:00 2001
-From: Peter Robinson <pbrobinson@gmail.com>
-Date: Wed, 27 Apr 2016 13:44:05 +0100
-Subject: [PATCH] gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading
-
----
- drivers/gpu/ipu-v3/ipu-common.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
-index e00db3f..abb98c7 100644
---- a/drivers/gpu/ipu-v3/ipu-common.c
-+++ b/drivers/gpu/ipu-v3/ipu-common.c
-@@ -1068,7 +1068,6 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base)
- 			goto err_register;
- 		}
- 
--		pdev->dev.of_node = of_node;
- 		pdev->dev.parent = dev;
- 
- 		ret = platform_device_add_data(pdev, &reg->pdata,
-@@ -1079,6 +1078,12 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base)
- 			platform_device_put(pdev);
- 			goto err_register;
- 		}
-+
-+		/*
-+		 * Set of_node only after calling platform_device_add. Otherwise
-+		 * the platform:imx-ipuv3-crtc modalias won't be used.
-+		 */
-+		pdev->dev.of_node = of_node;
- 	}
- 
- 	return 0;
--- 
-2.7.4
-
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
new file mode 100644
index 000000000..3eb8bf183
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
@@ -0,0 +1,33 @@
+From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 6469bedda2f3..964f5ebf495e 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
+ 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ 		if (tu->tread) {
+ 			struct snd_timer_tread tread;
++			memset(&tread, 0, sizeof(tread));
+ 			tread.event = SNDRV_TIMER_EVENT_EARLY;
+ 			tread.tstamp.tv_sec = 0;
+ 			tread.tstamp.tv_nsec = 0;
+-- 
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 000000000..e6f46f8a8
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -0,0 +1,34 @@
+From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 964f5ebf495e..e98fa5feb731 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
+ 		tu->tstamp = *tstamp;
+ 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ 		return;
++	memset(&r1, 0, sizeof(r1));
+ 	r1.event = event;
+ 	r1.tstamp = *tstamp;
+ 	r1.val = resolution;
+-- 
+2.5.5
+
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 000000000..7851c55a2
--- /dev/null
+++ b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,34 @@
+From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
+ snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index e98fa5feb731..c69a27155433 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
+ 	}
+ 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ 	    tu->last_resolution != resolution) {
++		memset(&r1, 0, sizeof(r1));
+ 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ 		r1.tstamp = tstamp;
+ 		r1.val = resolution;
+-- 
+2.5.5
+
diff --git a/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
new file mode 100644
index 000000000..957de0977
--- /dev/null
+++ b/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
@@ -0,0 +1,91 @@
+From 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 23 Feb 2016 11:03:12 +0000
+Subject: [PATCH] KEYS: Fix ASN.1 indefinite length object parsing
+
+This fixes CVE-2016-0758.
+
+In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
+it isn't validated against the remaining amount of data before being added
+to the cursor.  With a sufficiently large size indicated, the check:
+
+	datalen - dp < 2
+
+may then fail due to integer overflow.
+
+Fix this by checking the length indicated against the amount of remaining
+data in both places a definite length is determined.
+
+Whilst we're at it, make the following changes:
+
+ (1) Check the maximum size of extended length does not exceed the capacity
+     of the variable it's being stored in (len) rather than the type that
+     variable is assumed to be (size_t).
+
+ (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
+     integer 0.
+
+ (3) To reduce confusion, move the initialisation of len outside of:
+
+	for (len = 0; n > 0; n--) {
+
+     since it doesn't have anything to do with the loop counter n.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Acked-by: David Woodhouse <David.Woodhouse@intel.com>
+Acked-by: Peter Jones <pjones@redhat.com>
+---
+ lib/asn1_decoder.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
+index 2b3f46c049d4..554522934c44 100644
+--- a/lib/asn1_decoder.c
++++ b/lib/asn1_decoder.c
+@@ -74,7 +74,7 @@ next_tag:
+ 
+ 	/* Extract a tag from the data */
+ 	tag = data[dp++];
+-	if (tag == 0) {
++	if (tag == ASN1_EOC) {
+ 		/* It appears to be an EOC. */
+ 		if (data[dp++] != 0)
+ 			goto invalid_eoc;
+@@ -96,10 +96,8 @@ next_tag:
+ 
+ 	/* Extract the length */
+ 	len = data[dp++];
+-	if (len <= 0x7f) {
+-		dp += len;
+-		goto next_tag;
+-	}
++	if (len <= 0x7f)
++		goto check_length;
+ 
+ 	if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ 		/* Indefinite length */
+@@ -110,14 +108,18 @@ next_tag:
+ 	}
+ 
+ 	n = len - 0x80;
+-	if (unlikely(n > sizeof(size_t) - 1))
++	if (unlikely(n > sizeof(len) - 1))
+ 		goto length_too_long;
+ 	if (unlikely(n > datalen - dp))
+ 		goto data_overrun_error;
+-	for (len = 0; n > 0; n--) {
++	len = 0;
++	for (; n > 0; n--) {
+ 		len <<= 8;
+ 		len |= data[dp++];
+ 	}
++check_length:
++	if (len > datalen - dp)
++		goto data_overrun_error;
+ 	dp += len;
+ 	goto next_tag;
+ 
+-- 
+2.5.5
+
diff --git a/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
new file mode 100644
index 000000000..3ba32bae7
--- /dev/null
+++ b/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
@@ -0,0 +1,46 @@
+From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 26 Apr 2016 22:26:26 +0200
+Subject: [PATCH] bpf: fix double-fdput in replace_map_fd_with_map_ptr()
+
+When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
+references a non-map file descriptor as a map file descriptor, the error
+handling code called fdput() twice instead of once (in __bpf_map_get() and
+in replace_map_fd_with_map_ptr()). If the file descriptor table of the
+current task is shared, this causes f_count to be decremented too much,
+allowing the struct file to be freed while it is still in use
+(use-after-free). This can be exploited to gain root privileges by an
+unprivileged user.
+
+This bug was introduced in
+commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
+exploitable since
+commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
+previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
+
+(posted publicly according to request by maintainer)
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ kernel/bpf/verifier.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 618ef77c302a..db2574e7b8b0 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ 			if (IS_ERR(map)) {
+ 				verbose("fd %d is not pointing to valid bpf_map\n",
+ 					insn->imm);
+-				fdput(f);
+ 				return PTR_ERR(map);
+ 			}
+ 
+-- 
+2.5.5
+
diff --git a/bpf-fix-refcnt-overflow.patch b/bpf-fix-refcnt-overflow.patch
new file mode 100644
index 000000000..1143c8286
--- /dev/null
+++ b/bpf-fix-refcnt-overflow.patch
@@ -0,0 +1,158 @@
+From 86db8dac9286f8397434184a6b442b6419e54ec0 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@fb.com>
+Date: Wed, 27 Apr 2016 18:56:20 -0700
+Subject: [PATCH] bpf: fix refcnt overflow
+
+On a system with >32Gbyte of phyiscal memory and infinite RLIMIT_MEMLOCK,
+the malicious application may overflow 32-bit bpf program refcnt.
+It's also possible to overflow map refcnt on 1Tb system.
+Impose 32k hard limit which means that the same bpf program or
+map cannot be shared by more than 32k processes.
+
+Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/bpf.h   |  3 ++-
+ kernel/bpf/inode.c    |  7 ++++---
+ kernel/bpf/syscall.c  | 24 ++++++++++++++++++++----
+ kernel/bpf/verifier.c | 11 +++++++----
+ 4 files changed, 33 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 83d1926c61e4..67bc2da5d233 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -165,12 +165,13 @@ void bpf_register_prog_type(struct bpf_prog_type_list *tl);
+ void bpf_register_map_type(struct bpf_map_type_list *tl);
+ 
+ struct bpf_prog *bpf_prog_get(u32 ufd);
++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog);
+ void bpf_prog_put(struct bpf_prog *prog);
+ void bpf_prog_put_rcu(struct bpf_prog *prog);
+ 
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd);
+ struct bpf_map *__bpf_map_get(struct fd f);
+-void bpf_map_inc(struct bpf_map *map, bool uref);
++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref);
+ void bpf_map_put_with_uref(struct bpf_map *map);
+ void bpf_map_put(struct bpf_map *map);
+ 
+diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
+index 5a8a797d50b7..d1a7646f79c5 100644
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -31,10 +31,10 @@ static void *bpf_any_get(void *raw, enum bpf_type type)
+ {
+ 	switch (type) {
+ 	case BPF_TYPE_PROG:
+-		atomic_inc(&((struct bpf_prog *)raw)->aux->refcnt);
++		raw = bpf_prog_inc(raw);
+ 		break;
+ 	case BPF_TYPE_MAP:
+-		bpf_map_inc(raw, true);
++		raw = bpf_map_inc(raw, true);
+ 		break;
+ 	default:
+ 		WARN_ON_ONCE(1);
+@@ -277,7 +277,8 @@ static void *bpf_obj_do_get(const struct filename *pathname,
+ 		goto out;
+ 
+ 	raw = bpf_any_get(inode->i_private, *type);
+-	touch_atime(&path);
++	if (!IS_ERR(raw))
++		touch_atime(&path);
+ 
+ 	path_put(&path);
+ 	return raw;
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 3b39550d8485..4e32cc94edd9 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -181,11 +181,18 @@ struct bpf_map *__bpf_map_get(struct fd f)
+ 	return f.file->private_data;
+ }
+ 
+-void bpf_map_inc(struct bpf_map *map, bool uref)
++/* prog's and map's refcnt limit */
++#define BPF_MAX_REFCNT 32768
++
++struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
+ {
+-	atomic_inc(&map->refcnt);
++	if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
++		atomic_dec(&map->refcnt);
++		return ERR_PTR(-EBUSY);
++	}
+ 	if (uref)
+ 		atomic_inc(&map->usercnt);
++	return map;
+ }
+ 
+ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
+@@ -197,7 +204,7 @@ struct bpf_map *bpf_map_get_with_uref(u32 ufd)
+ 	if (IS_ERR(map))
+ 		return map;
+ 
+-	bpf_map_inc(map, true);
++	map = bpf_map_inc(map, true);
+ 	fdput(f);
+ 
+ 	return map;
+@@ -580,6 +587,15 @@ static struct bpf_prog *__bpf_prog_get(struct fd f)
+ 	return f.file->private_data;
+ }
+ 
++struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
++{
++	if (atomic_inc_return(&prog->aux->refcnt) > BPF_MAX_REFCNT) {
++		atomic_dec(&prog->aux->refcnt);
++		return ERR_PTR(-EBUSY);
++	}
++	return prog;
++}
++
+ /* called by sockets/tracing/seccomp before attaching program to an event
+  * pairs with bpf_prog_put()
+  */
+@@ -592,7 +608,7 @@ struct bpf_prog *bpf_prog_get(u32 ufd)
+ 	if (IS_ERR(prog))
+ 		return prog;
+ 
+-	atomic_inc(&prog->aux->refcnt);
++	prog = bpf_prog_inc(prog);
+ 	fdput(f);
+ 
+ 	return prog;
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 2e7f7ab739e4..060e4c4c37ea 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2023,15 +2023,18 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ 				return -E2BIG;
+ 			}
+ 
+-			/* remember this map */
+-			env->used_maps[env->used_map_cnt++] = map;
+-
+ 			/* hold the map. If the program is rejected by verifier,
+ 			 * the map will be released by release_maps() or it
+ 			 * will be used by the valid program until it's unloaded
+ 			 * and all maps are released in free_bpf_prog_info()
+ 			 */
+-			bpf_map_inc(map, false);
++			map = bpf_map_inc(map, false);
++			if (IS_ERR(map)) {
++				fdput(f);
++				return PTR_ERR(map);
++			}
++			env->used_maps[env->used_map_cnt++] = map;
++
+ 			fdput(f);
+ next_insn:
+ 			insn++;
+-- 
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 4134f18c9..683f3187d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 %define stable_rc 0
 
 # Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -521,8 +521,6 @@ Patch05: kbuild-AFTER_LINK.patch
 
 Patch451: lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch
 
-Patch452: 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
-
 Patch454: arm64-avoid-needing-console-to-enable-serial-console.patch
 
 Patch456: arm64-acpi-drop-expert-patch.patch
@@ -651,9 +649,6 @@ Patch690: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch
 #CVE-2016-3951 rhbz 1324782 1324815
 Patch695: cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
 
-#rhbz 1309980
-Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch
-
 #rhbz 1309487
 Patch701: antenna_select.patch
 
@@ -670,8 +665,17 @@ Patch705: USB-usbfs-fix-potential-infoleak-in-devio.patch
 Patch706: net-fix-infoleak-in-llc.patch
 Patch707: net-fix-infoleak-in-rtnetlink.patch
 
-#CVE-2016-xxxx rhbz 1333712 1333713
-Patch708: propogate_mnt-Handle-the-first-propogated-copy-being.patch
+#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311
+Patch711: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
+Patch712: bpf-fix-refcnt-overflow.patch
+
+#CVE-2016-4569 rhbz 1334643 1334645
+Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+
+#CVE-2016-0758 rhbz 1300257 1335386
+Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 
 # END OF PATCH DEFINITIONS
 %endif
@@ -1246,8 +1250,6 @@ ApplyPatch arm64-avoid-needing-console-to-enable-serial-console.patch
 
 ApplyPatch arm64-acpi-drop-expert-patch.patch
 
-ApplyPatch 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
-
 ApplyPatch ARM-tegra-usb-no-reset.patch
 
 ApplyPatch mfd-wm8994-Ensure-that-the-whole-MFD-is-built-into-a.patch
@@ -1372,9 +1374,6 @@ ApplyPatch x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch
 #CVE-2016-3951 rhbz 1324782 1324815
 ApplyPatch cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
 
-#rhbz 1309980
-ApplyPatch 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch
-
 #rhbz 1309487
 ApplyPatch antenna_select.patch
 
@@ -1388,8 +1387,17 @@ ApplyPatch USB-usbfs-fix-potential-infoleak-in-devio.patch
 ApplyPatch net-fix-infoleak-in-llc.patch
 ApplyPatch net-fix-infoleak-in-rtnetlink.patch
 
-#CVE-2016-xxxx rhbz 1333712 1333713
-ApplyPatch propogate_mnt-Handle-the-first-propogated-copy-being.patch
+#CVE-2016-4557 CVE-2016-4558 rhbz 1334307 1334303 1334311
+ApplyPatch bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch
+ApplyPatch bpf-fix-refcnt-overflow.patch
+
+#CVE-2016-4569 rhbz 1334643 1334645
+ApplyPatch ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+
+#CVE-2016-0758 rhbz 1300257 1335386
+ApplyPatch KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2240,6 +2248,19 @@ fi
 #
 # 
 %changelog
+* Fri May 13 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.10-200
+- Linux v4.4.10
+
+* Fri May 13 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-0758 pointer corruption in asn1 decoder (rhbz 1300257 1335386)
+
+* Tue May 10 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4569 info leak in sound module (rhbz 1334643 1334645)
+
+* Mon May 09 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4557 bpf: Use after free vulnerability via double fdput
+  CVE-2016-4558 bpf: refcnt overflow (rhbz 1334307 1334303 1334311)
+
 * Fri May 06 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.9-200
 - Linux v4.4.9
 
diff --git a/propogate_mnt-Handle-the-first-propogated-copy-being.patch b/propogate_mnt-Handle-the-first-propogated-copy-being.patch
deleted file mode 100644
index b3ae53c5a..000000000
--- a/propogate_mnt-Handle-the-first-propogated-copy-being.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 27844237d77df76c816034a78178b23c070eef88 Mon Sep 17 00:00:00 2001
-From: "Eric W. Biederman" <ebiederm@xmission.com>
-Date: Thu, 5 May 2016 09:29:29 -0500
-Subject: [PATCH] propogate_mnt: Handle the first propogated copy being a slave
-
-When the first propgated copy was a slave the following oops would result:
-> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
-> IP: [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0
-> PGD bacd4067 PUD bac66067 PMD 0
-> Oops: 0000 [#1] SMP
-> Modules linked in:
-> CPU: 1 PID: 824 Comm: mount Not tainted 4.6.0-rc5userns+ #1523
-> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
-> task: ffff8800bb0a8000 ti: ffff8800bac3c000 task.ti: ffff8800bac3c000
-> RIP: 0010:[<ffffffff811fba4e>]  [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0
-> RSP: 0018:ffff8800bac3fd38  EFLAGS: 00010283
-> RAX: 0000000000000000 RBX: ffff8800bb77ec00 RCX: 0000000000000010
-> RDX: 0000000000000000 RSI: ffff8800bb58c000 RDI: ffff8800bb58c480
-> RBP: ffff8800bac3fd48 R08: 0000000000000001 R09: 0000000000000000
-> R10: 0000000000001ca1 R11: 0000000000001c9d R12: 0000000000000000
-> R13: ffff8800ba713800 R14: ffff8800bac3fda0 R15: ffff8800bb77ec00
-> FS:  00007f3c0cd9b7e0(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000
-> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-> CR2: 0000000000000010 CR3: 00000000bb79d000 CR4: 00000000000006e0
-> Stack:
->  ffff8800bb77ec00 0000000000000000 ffff8800bac3fd88 ffffffff811fbf85
->  ffff8800bac3fd98 ffff8800bb77f080 ffff8800ba713800 ffff8800bb262b40
->  0000000000000000 0000000000000000 ffff8800bac3fdd8 ffffffff811f1da0
-> Call Trace:
->  [<ffffffff811fbf85>] propagate_mnt+0x105/0x140
->  [<ffffffff811f1da0>] attach_recursive_mnt+0x120/0x1e0
->  [<ffffffff811f1ec3>] graft_tree+0x63/0x70
->  [<ffffffff811f1f6b>] do_add_mount+0x9b/0x100
->  [<ffffffff811f2c1a>] do_mount+0x2aa/0xdf0
->  [<ffffffff8117efbe>] ? strndup_user+0x4e/0x70
->  [<ffffffff811f3a45>] SyS_mount+0x75/0xc0
->  [<ffffffff8100242b>] do_syscall_64+0x4b/0xa0
->  [<ffffffff81988f3c>] entry_SYSCALL64_slow_path+0x25/0x25
-> Code: 00 00 75 ec 48 89 0d 02 22 22 01 8b 89 10 01 00 00 48 89 05 fd 21 22 01 39 8e 10 01 00 00 0f 84 e0 00 00 00 48 8b 80 d8 00 00 00 <48> 8b 50 10 48 89 05 df 21 22 01 48 89 15 d0 21 22 01 8b 53 30
-> RIP  [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0
->  RSP <ffff8800bac3fd38>
-> CR2: 0000000000000010
-> ---[ end trace 2725ecd95164f217 ]---
-
-This oops happens with the namespace_sem held and can be triggered by
-non-root users.  An all around not pleasant experience.
-
-To avoid this scenario when finding the appropriate source mount to
-copy stop the walk up the mnt_master chain when the first source mount
-is encountered.
-
-Further rewrite the walk up the last_source mnt_master chain so that
-it is clear what is going on.
-
-The reason why the first source mount is special is that it it's
-mnt_parent is not a mount in the dest_mnt propagation tree, and as
-such termination conditions based up on the dest_mnt mount propgation
-tree do not make sense.
-
-To avoid other kinds of confusion last_dest is not changed when
-computing last_source.  last_dest is only used once in propagate_one
-and that is above the point of the code being modified, so changing
-the global variable is meaningless and confusing.
-
-Cc: stable@vger.kernel.org
-fixes: f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 ("smarter propagate_mnt()")
-Reported-by: Tycho Andersen <tycho.andersen@canonical.com>
-Reviewed-by: Seth Forshee <seth.forshee@canonical.com>
-Tested-by: Seth Forshee <seth.forshee@canonical.com>
-Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
-
-Backported-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- fs/pnode.c | 32 ++++++++++++++++++++------------
- 1 file changed, 20 insertions(+), 12 deletions(-)
-
-diff --git a/fs/pnode.c b/fs/pnode.c
-index 6367e1e435c6..e7705149d430 100644
---- a/fs/pnode.c
-+++ b/fs/pnode.c
-@@ -198,10 +198,15 @@ static struct mount *next_group(struct mount *m, struct mount *origin)
- 
- /* all accesses are serialized by namespace_sem */
- static struct user_namespace *user_ns;
--static struct mount *last_dest, *last_source, *dest_master;
-+static struct mount *last_dest, *first_source, *last_source, *dest_master;
- static struct mountpoint *mp;
- static struct hlist_head *list;
- 
-+static inline bool peers(struct mount *m1, struct mount *m2)
-+{
-+       return m1->mnt_group_id == m2->mnt_group_id && m1->mnt_group_id;
-+}
-+
- static int propagate_one(struct mount *m)
- {
- 	struct mount *child;
-@@ -212,24 +217,26 @@ static int propagate_one(struct mount *m)
- 	/* skip if mountpoint isn't covered by it */
- 	if (!is_subdir(mp->m_dentry, m->mnt.mnt_root))
- 		return 0;
--	if (m->mnt_group_id == last_dest->mnt_group_id) {
-+	if (peers(m,last_dest)) {
- 		type = CL_MAKE_SHARED;
- 	} else {
- 		struct mount *n, *p;
-+		bool done;
- 		for (n = m; ; n = p) {
- 			p = n->mnt_master;
--			if (p == dest_master || IS_MNT_MARKED(p)) {
--				while (last_dest->mnt_master != p) {
--					last_source = last_source->mnt_master;
--					last_dest = last_source->mnt_parent;
--				}
--				if (n->mnt_group_id != last_dest->mnt_group_id) {
--					last_source = last_source->mnt_master;
--					last_dest = last_source->mnt_parent;
--				}
-+			if (p == dest_master || IS_MNT_MARKED(p))
- 				break;
--			}
- 		}
-+		do {
-+			struct mount *parent = last_source->mnt_parent;
-+			if (last_source == first_source)
-+				break;
-+			done = parent->mnt_master == p;
-+			if (done && peers(n, parent))
-+				break;
-+			last_source = last_source->mnt_master;
-+		} while (!done);
-+
- 		type = CL_SLAVE;
- 		/* beginning of peer group among the slaves? */
- 		if (IS_MNT_SHARED(m))
-@@ -281,6 +288,7 @@ int propagate_mnt(struct mount *dest_mnt, struct mountpoint *dest_mp,
- 	 */
- 	user_ns = current->nsproxy->mnt_ns->user_ns;
- 	last_dest = dest_mnt;
-+	first_source = source_mnt;
- 	last_source = source_mnt;
- 	mp = dest_mp;
- 	list = tree_list;
--- 
-2.5.5
-
diff --git a/sources b/sources
index baa462bfc..2739720a7 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9a78fa2eb6c68ca5a40ed5af08142599  linux-4.4.tar.xz
 dcbc8fe378a676d5d0dd208cf524e144  perf-man-4.4.tar.gz
-b0c445b438e7563f2e33dba9edc926eb  patch-4.4.9.xz
+1b9a296c0d0b778e8173299618f2d84f  patch-4.4.10.xz