Merge remote-tracking branch 'origin/master'kernel-4.5.0-0.rc0.git8.1.vanilla.knurd.1.fc24

12 files changed, 156 insertions, 125 deletions

diff --git a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
deleted file mode 100644
index 5eec95c62..000000000
--- a/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 05fd13592b60c3e9873f56705f80ff934e98b046 Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 18 Jan 2016 10:53:31 +0000
-Subject: [PATCH] KEYS: Fix keyring ref leak in join_session_keyring()
-
-This fixes CVE-2016-0728.
-
-If a thread is asked to join as a session keyring the keyring that's already
-set as its session, we leak a keyring reference.
-
-This can be tested with the following program:
-
-	#include <stddef.h>
-	#include <stdio.h>
-	#include <sys/types.h>
-	#include <keyutils.h>
-
-	int main(int argc, const char *argv[])
-	{
-		int i = 0;
-		key_serial_t serial;
-
-		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-				"leaked-keyring");
-		if (serial < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		if (keyctl(KEYCTL_SETPERM, serial,
-			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
-			perror("keyctl");
-			return -1;
-		}
-
-		for (i = 0; i < 100; i++) {
-			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
-					"leaked-keyring");
-			if (serial < 0) {
-				perror("keyctl");
-				return -1;
-			}
-		}
-
-		return 0;
-	}
-
-If, after the program has run, there something like the following line in
-/proc/keys:
-
-3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
-
-with a usage count of 100 * the number of times the program has been run,
-then the kernel is malfunctioning.  If leaked-keyring has zero usages or
-has been garbage collected, then the problem is fixed.
-
-Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
-Signed-off-by: David Howells <dhowells@redhat.com>
-RH-bugzilla: 1298036
----
- security/keys/process_keys.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 43b4cddbf2b3..7877e5cd4e23 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
- 		ret = PTR_ERR(keyring);
- 		goto error2;
- 	} else if (keyring == new->session_keyring) {
-+		key_put(keyring);
- 		ret = 0;
- 		goto error2;
- 	}
--- 
-2.5.0
-
diff --git a/config-arm-generic b/config-arm-generic
index 12cb852cb..987695636 100644
--- a/config-arm-generic
+++ b/config-arm-generic
@@ -209,6 +209,7 @@ CONFIG_USB_CONFIGFS_ACM=y
 CONFIG_USB_CONFIGFS_ECM=y
 CONFIG_USB_CONFIGFS_ECM_SUBSET=y
 CONFIG_USB_CONFIGFS_EEM=y
+CONFIG_USB_CONFIGFS_F_TCM=y
 CONFIG_USB_CONFIGFS_MASS_STORAGE=y
 CONFIG_USB_CONFIGFS_NCM=y
 CONFIG_USB_CONFIGFS_OBEX=y
diff --git a/config-arm64 b/config-arm64
index c6bcff93a..b6698c506 100644
--- a/config-arm64
+++ b/config-arm64
@@ -17,11 +17,13 @@ CONFIG_ARCH_XGENE=y
 # CONFIG_ARCH_LAYERSCAPE is not set
 # CONFIG_ARCH_MEDIATEK is not set
 # CONFIG_ARCH_QCOM is not set
+# CONFIG_ARCH_RENESAS is not set
 # CONFIG_ARCH_SPRD is not set
 # CONFIG_ARCH_STRATIX10 is not set
 # CONFIG_ARCH_TEGRA is not set
 # CONFIG_ARCH_THUNDER is not set
 # CONFIG_ARCH_ZYNQMP is not set
+# CONFIG_ARCH_UNIPHIER is not set
 
 # Erratum
 CONFIG_ARM64_ERRATUM_826319=y
@@ -151,6 +153,7 @@ CONFIG_POWER_RESET_HISI=y
 CONFIG_HISI_THERMAL=m
 CONFIG_STUB_CLK_HI6220=y
 CONFIG_PHY_HI6220_USB=m
+CONFIG_COMMON_RESET_HI6220=m
 
 # ThunderX
 # CONFIG_MDIO_OCTEON is not set
diff --git a/config-armv7 b/config-armv7
index 0cc0fa55a..271751071 100644
--- a/config-armv7
+++ b/config-armv7
@@ -348,6 +348,9 @@ CONFIG_QCOM_SMEM=m
 CONFIG_REGULATOR_QCOM_SMD_RPM=m
 CONFIG_QCOM_SMEM=m
 CONFIG_QCOM_QFPROM=m
+CONFIG_QCOM_WCNSS_CTRL=m
+CONFIG_QCOM_SMSM=y
+CONFIG_QCOM_SMP2P=m
 
 # i.MX
 # CONFIG_MXC_DEBUG_BOARD is not set
diff --git a/config-armv7-generic b/config-armv7-generic
index 4ea4da8dd..48941c0f6 100644
--- a/config-armv7-generic
+++ b/config-armv7-generic
@@ -61,13 +61,17 @@ CONFIG_ARCH_VIRT=y
 # CONFIG_ARCH_HISI is not set
 # CONFIG_ARCH_MEDIATEK is not set
 # CONFIG_ARCH_MESON is not set
+# CONFIG_ARCH_MMP is not set
 # CONFIG_ARCH_QCOM is not set
+# CONFIG_ARCH_REALVIEW is not set
+# CONFIG_ARCH_RENESAS is not set
 # CONFIG_ARCH_S5PV210 is not set
 # CONFIG_ARCH_SHMOBILE_MULTI is not set
 # CONFIG_ARCH_SIRF is not set
 # CONFIG_ARCH_SOCFPGA is not set
 # CONFIG_PLAT_SPEAR is not set
 # CONFIG_ARCH_STI is not set
+# CONFIG_ARCH_TANGO is not set
 # CONFIG_ARCH_U8500 is not set
 # CONFIG_ARCH_VEXPRESS_SPC is not set
 # CONFIG_ARCH_WM8850 is not set
diff --git a/config-x86-generic b/config-x86-generic
index 5648f7a8f..2d41bfbb1 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -226,6 +226,7 @@ CONFIG_X86_PLATFORM_DEVICES=y
 
 CONFIG_AMILO_RFKILL=m
 CONFIG_ASUS_LAPTOP=m
+CONFIG_ASUS_WIRELESS=m
 CONFIG_COMPAL_LAPTOP=m
 CONFIG_DELL_LAPTOP=m
 CONFIG_DELL_RBTN=m
@@ -236,6 +237,7 @@ CONFIG_FUJITSU_TABLET=m
 CONFIG_FUJITSU_LAPTOP=m
 # CONFIG_FUJITSU_LAPTOP_DEBUG is not set
 CONFIG_IDEAPAD_LAPTOP=m
+CONFIG_INTEL_HID_EVENT=m
 CONFIG_MSI_LAPTOP=m
 CONFIG_PANASONIC_LAPTOP=m
 CONFIG_SAMSUNG_LAPTOP=m
@@ -480,6 +482,7 @@ CONFIG_CRYPTO_CRC32_PCLMUL=m
 CONFIG_HP_ACCEL=m
 
 CONFIG_SURFACE_PRO3_BUTTON=m
+CONFIG_INTEL_PUNIT_IPC=m
 
 # CONFIG_RAPIDIO is not set
 
diff --git a/cpupower-Fix-build-error-in-cpufreq-info.patch b/cpupower-Fix-build-error-in-cpufreq-info.patch
deleted file mode 100644
index 618e3edf2..000000000
--- a/cpupower-Fix-build-error-in-cpufreq-info.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From patchwork Mon Jan 18 15:14:43 2016
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Subject: cpupower: Fix build error in cpufreq-info
-From: "Shreyas B. Prabhu" <shreyas@linux.vnet.ibm.com>
-X-Patchwork-Id: 8055301
-Message-Id: <1453130083-16055-1-git-send-email-shreyas@linux.vnet.ibm.com>
-To: trenn@suse.com
-Cc: linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org,
-	rafael.j.wysocki@intel.com, jtanenba@redhat.com,
-	"Shreyas B. Prabhu" <shreyas@linux.vnet.ibm.com>
-Date: Mon, 18 Jan 2016 20:44:43 +0530
-
-Fix the following build error by including limits.h -
-
-utils/cpufreq-info.c: In function ‘get_latency’:
-utils/cpufreq-info.c:437:29: error: ‘UINT_MAX’ undeclared (first use in
-this function)
-  if (!latency || latency == UINT_MAX) {
-                             ^
-Signed-off-by: Shreyas B. Prabhu <shreyas@linux.vnet.ibm.com>
-Fixes: e98f033f94f3 (cpupower: fix how "cpupower frequency-info" interprets latency)
-
----
-tools/power/cpupower/utils/cpufreq-info.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/power/cpupower/utils/cpufreq-info.c b/tools/power/cpupower/utils/cpufreq-info.c
-index 8f3f5bb9c74e..590d12a25f6e 100644
---- a/tools/power/cpupower/utils/cpufreq-info.c
-+++ b/tools/power/cpupower/utils/cpufreq-info.c
-@@ -10,6 +10,7 @@
- #include <errno.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- 
- #include <getopt.h>
- 
diff --git a/gitrev b/gitrev
index d5f87db06..7020928d6 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-a200dcb34693084e56496960d855afdeaaf9578f
+30f05309bde49295e02e45c7e615f73aa4e0ccc2
diff --git a/kernel.spec b/kernel.spec
index 5bbfe10d7..0bddc8c2e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -75,7 +75,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 6
+%define gitrev 8
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -613,11 +613,11 @@ Patch621: drm-udl-Use-unlocked-gem-unreferencing.patch
 #CVE-2015-7566 rhbz 1296466 1297517
 Patch623: usb-serial-visor-fix-crash-on-detecting-device-witho.patch
 
-# https://patchwork.kernel.org/patch/8055301/
-Patch625: cpupower-Fix-build-error-in-cpufreq-info.patch
+#CVE-2016-0723 rhbz 1296253 1300224
+Patch637: tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
 
-#CVE-2016-0728 rhbz 1296623
-Patch626: KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
+#rhbz 1279653
+Patch638: rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -2067,6 +2067,18 @@ fi
 #
 # 
 %changelog
+* Thu Jan 21 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git8.1
+- Linux v4.4-10062-g30f0530
+
+* Thu Jan 21 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Fix incorrect country code issue on RTL8812AE devices (rhbz 1279653)
+
+* Wed Jan 20 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git7.1
+- Linux v4.4-8950-g2b4015e
+
+* Wed Jan 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-0723 memory disclosure and crash in tty layer (rhbz 1296253 1300224)
+
 * Tue Jan 19 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.0-0.rc0.git6.1
 - Linux v4.4-8855-ga200dcb
 - CVE-2016-0728 Keys: reference leak in join_session_keyring (rhbz 1296623)
diff --git a/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch b/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
new file mode 100644
index 000000000..eb44e1e08
--- /dev/null
+++ b/rtlwifi-rtl8821ae-Fix-5G-failure-when-EEPROM-is-inco.patch
@@ -0,0 +1,55 @@
+From 933885ecca1a2b8fa03b5756ba1cbb9f094a5861 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 20 Jan 2016 21:26:18 -0600
+Subject: [PATCH] rtlwifi: rtl8821ae: Fix 5G failure when EEPROM is incorrectly
+ encoded
+
+Recently, it has been reported that D-Link DWA-582 cards, which use an
+RTL8812AE chip are not able to scan for 5G networks. The problems started
+with kernel 4.2, which is the first version that had commit d10101a60372
+("rtlwifi: rtl8821ae: Fix problem with regulatory information"). With this
+patch, the driver went from setting a default channel plan to using
+the value derived from EEPROM.
+
+Bug reports at https://bugzilla.kernel.org/show_bug.cgi?id=111031 and
+https://bugzilla.redhat.com/show_bug.cgi?id=1279653 are examples of this
+problem.
+
+The problem was solved once I learned that the internal country code was
+resulting in a regulatory set with only 2.4 GHz channels. With the RTL8821AE
+chips available to me, the country code was such that both 2.4 and 5 GHz
+channels are allowed. The fix is to allow both bands even when the EEPROM
+is incorrectly encoded.
+
+Fixes: d10101a60372 ("rtlwifi: rtl8821ae: Fix problem with regulatory information")
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: littlesmartguy@gmail.com
+Cc: gabe@codehaus.org
+Cc: Stable <stable@vger.kernel.org> [v4.2+]
+---
+ drivers/net/wireless/realtek/rtlwifi/regd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/regd.c b/drivers/net/wireless/realtek/rtlwifi/regd.c
+index a62bf0a65c32..5be34118e0af 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/regd.c
++++ b/drivers/net/wireless/realtek/rtlwifi/regd.c
+@@ -351,7 +351,6 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
+ 	case COUNTRY_CODE_SPAIN:
+ 	case COUNTRY_CODE_FRANCE:
+ 	case COUNTRY_CODE_ISRAEL:
+-	case COUNTRY_CODE_WORLD_WIDE_13:
+ 		return &rtl_regdom_12_13;
+ 	case COUNTRY_CODE_MKK:
+ 	case COUNTRY_CODE_MKK1:
+@@ -360,6 +359,7 @@ static const struct ieee80211_regdomain *_rtl_regdomain_select(
+ 		return &rtl_regdom_14_60_64;
+ 	case COUNTRY_CODE_GLOBAL_DOMAIN:
+ 		return &rtl_regdom_14;
++	case COUNTRY_CODE_WORLD_WIDE_13:
+ 	case COUNTRY_CODE_WORLD_WIDE_13_5G_ALL:
+ 		return &rtl_regdom_12_13_5g_all;
+ 	default:
+-- 
+2.5.0
+
diff --git a/sources b/sources
index 0055051a8..c3d3504fe 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9a78fa2eb6c68ca5a40ed5af08142599  linux-4.4.tar.xz
 dcbc8fe378a676d5d0dd208cf524e144  perf-man-4.4.tar.gz
-64ceedc19f6080bedbafdc1321d9ac95  patch-4.4-git6.xz
+07568b33575bf864c7a4bb94eb0d29bb  patch-4.4-git8.xz
diff --git a/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
new file mode 100644
index 000000000..d169105db
--- /dev/null
+++ b/tty-Fix-unsafe-ldisc-reference-via-ioctl-TIOCGETD.patch
@@ -0,0 +1,68 @@
+From 938f50fc744cb49892bd42c8f56bdfa63e82a27d Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Sun, 10 Jan 2016 22:40:55 -0800
+Subject: [PATCH] tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
+
+ioctl(TIOCGETD) retrieves the line discipline id directly from the
+ldisc because the line discipline id (c_line) in termios is untrustworthy;
+userspace may have set termios via ioctl(TCSETS*) without actually
+changing the line discipline via ioctl(TIOCSETD).
+
+However, directly accessing the current ldisc via tty->ldisc is
+unsafe; the ldisc ptr dereferenced may be stale if the line discipline
+is changing via ioctl(TIOCSETD) or hangup.
+
+Wait for the line discipline reference (just like read() or write())
+to retrieve the "current" line discipline id.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+---
+ drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index f435977de740..bd4027e36910 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *tty, int __user *p)
+ }
+ 
+ /**
++ *	tiocgetd	-	get line discipline
++ *	@tty: tty device
++ *	@p: pointer to user data
++ *
++ *	Retrieves the line discipline id directly from the ldisc.
++ *
++ *	Locking: waits for ldisc reference (in case the line discipline
++ *		is changing or the tty is being hungup)
++ */
++
++static int tiocgetd(struct tty_struct *tty, int __user *p)
++{
++	struct tty_ldisc *ld;
++	int ret;
++
++	ld = tty_ldisc_ref_wait(tty);
++	ret = put_user(ld->ops->num, p);
++	tty_ldisc_deref(ld);
++	return ret;
++}
++
++/**
+  *	send_break	-	performed time break
+  *	@tty: device to break on
+  *	@duration: timeout in mS
+@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ 	case TIOCGSID:
+ 		return tiocgsid(tty, real_tty, p);
+ 	case TIOCGETD:
+-		return put_user(tty->ldisc->ops->num, (int __user *)p);
++		return tiocgetd(tty, p);
+ 	case TIOCSETD:
+ 		return tiocsetd(tty, p);
+ 	case TIOCVHANGUP:
+-- 
+2.5.0
+