Merge remote-tracking branch 'origin/f23' into f23-user-thl-vanilla-fedorakernel-4.6.6-200.vanilla.knurd.1.fc23

9 files changed, 9 insertions, 308 deletions

diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
deleted file mode 100644
index 3eb8bf183..000000000
--- a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 6469bedda2f3..964f5ebf495e 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
- 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- 		if (tu->tread) {
- 			struct snd_timer_tread tread;
-+			memset(&tread, 0, sizeof(tread));
- 			tread.event = SNDRV_TIMER_EVENT_EARLY;
- 			tread.tstamp.tv_sec = 0;
- 			tread.tstamp.tv_nsec = 0;
--- 
-2.5.5
-
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
deleted file mode 100644
index e6f46f8a8..000000000
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:20 -0400
-Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
- snd_timer_user_ccallback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 964f5ebf495e..e98fa5feb731 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
- 		tu->tstamp = *tstamp;
- 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
- 		return;
-+	memset(&r1, 0, sizeof(r1));
- 	r1.event = event;
- 	r1.tstamp = *tstamp;
- 	r1.val = resolution;
--- 
-2.5.5
-
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
deleted file mode 100644
index 7851c55a2..000000000
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
- snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index e98fa5feb731..c69a27155433 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
- 	}
- 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- 	    tu->last_resolution != resolution) {
-+		memset(&r1, 0, sizeof(r1));
- 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- 		r1.tstamp = tstamp;
- 		r1.val = resolution;
--- 
-2.5.5
-
diff --git a/airspy-fix-error-logic-during-device-register.patch b/airspy-fix-error-logic-during-device-register.patch
deleted file mode 100644
index 575090d9d..000000000
--- a/airspy-fix-error-logic-during-device-register.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 785ef73dba6e9fefd2e5dd24546e0efa8698e5cd Mon Sep 17 00:00:00 2001
-From: James Patrick-Evans <james@jmp-e.com>
-Date: Fri, 15 Jul 2016 12:40:45 -0300
-Subject: [media] airspy: fix error logic during device register
-
-This patch addresses CVE-2016-5400, a local DOS vulnerability caused by
-a memory leak in the airspy usb device driver.
-
-The vulnerability is triggered when more than 64 usb devices register
-with v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.A badusb device can
-emulate 64 of these devices then through continual emulated
-connect/disconnect of the 65th device, cause the kernel to run out of
-RAM and crash the kernel.
-
-The vulnerability exists in kernel versions from 3.17 to current 4.7.
-
-The memory leak is caused by the probe function of the airspy driver
-mishandeling errors and not freeing the corresponding control structures
-when an error occours registering the device to v4l2 core.
-
-Signed-off-by: James Patrick-Evans <james@jmp-e.com>
-Cc: stable@vger.kernel.org # Up to Kernel 3.17
-Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
-diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
-index d807d58..19cd64c 100644
---- a/drivers/media/usb/airspy/airspy.c
-+++ b/drivers/media/usb/airspy/airspy.c
-@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_interface *intf,
- 	if (ret) {
- 		dev_err(s->dev, "Failed to register as video device (%d)\n",
- 				ret);
--		goto err_unregister_v4l2_dev;
-+		goto err_free_controls;
- 	}
- 	dev_info(s->dev, "Registered as %s\n",
- 			video_device_node_name(&s->vdev));
--- 
-cgit v0.10.2
-
diff --git a/config-powerpc64-generic b/config-powerpc64-generic
index de387d570..ca5fea962 100644
--- a/config-powerpc64-generic
+++ b/config-powerpc64-generic
@@ -113,7 +113,7 @@ CONFIG_I2C_OPAL=m
 CONFIG_RTC_DRV_OPAL=m
 CONFIG_SENSORS_IBMPOWERNV=y
 CONFIG_HW_RANDOM_POWERNV=m
-CONFIG_POWERNV_CPUFREQ=m
+CONFIG_POWERNV_CPUFREQ=y
 CONFIG_IPMI_POWERNV=m
 CONFIG_RTAS_FLASH=y
 CONFIG_OPAL_PRD=m
diff --git a/kernel.spec b/kernel.spec
index f07deea5d..f9d7782d7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -60,7 +60,7 @@ Summary: The Linux kernel
 
 
 # Do we have a -stable update to apply?
-%define stable_update 5
+%define stable_update 6
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -624,11 +624,6 @@ Patch641: disable-CONFIG_EXPERT-for-ZONE_DMA.patch
 #CVE-2016-4482 rhbz 1332931 1332932
 Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
 
-#CVE-2016-4569 rhbz 1334643 1334645
-Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
-Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
-Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
-
 #CVE-2016-4440 rhbz 1337806 1337807
 Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
 
@@ -660,12 +655,6 @@ Patch815: 0015-drm-i915-gen9-Calculate-watermarks-during-atomic-che.patch
 Patch816: 0016-drm-i915-gen9-Reject-display-updates-that-exceed-wm-.patch
 Patch817: 0017-drm-i915-Remove-wm_config-from-dev_priv-intel_atomic.patch
 
-#CVE-2016-6156 rhbz 1353490 1353491
-Patch832: platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
-
-#rhbz 1346753
-Patch834: qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch
-
 #CVE-2016-5389 CVE-2016-5969 rhbz 1354708 1355615
 Patch835: tcp-make-challenge-acks-less-predictable.patch
 Patch839: tcp-enable-per-socket-rate-limiting-of-all-challenge.patch
@@ -675,9 +664,6 @@ Patch836: drm-amdgpu-Disable-RPM-helpers-while-reprobing.patch
 Patch837: drm-i915-skl-Add-support-for-the-SAGV-fix-underrun-hangs.patch
 Patch838: Revert-ALSA-hda-remove-controller-dependency-on-i915.patch
 
-#CVE-2016-5400 rhbz 1358184 1358186
-Patch840: airspy-fix-error-logic-during-device-register.patch
-
 #CVE-2016-6136 rhbz 1353533 1353534
 Patch841: audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch
 
@@ -2208,6 +2194,12 @@ fi
 #
 # 
 %changelog
+* Wed Aug 10 2016 Laura Abbott <labbott@fedoraproject.org> - 4.6.6-200
+- Linux v4.6.6
+
+* Mon Aug 08 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Build CONFIG_POWERNV_CPUFREQ in on ppc64* (rhbz 1351346)
+
 * Thu Jul 28 2016 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2016-5412 powerpc: kvm: Infinite loop in HV mode (rhbz 1349916 1361040)
 
diff --git a/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch b/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
deleted file mode 100644
index a685ff697..000000000
--- a/platform-chrome-cros_ec_dev-double-fetch-bug-in-ioct.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 096cdc6f52225835ff503f987a0d68ef770bb78e Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Tue, 21 Jun 2016 16:58:46 +0300
-Subject: [PATCH] platform/chrome: cros_ec_dev - double fetch bug in ioctl
-
-We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
-that those values have not changed between the two copy_from_user()
-calls.  Otherwise it could lead to a buffer overflow.
-
-Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
-We should use the new smaller value so we don't copy too much data to
-the user.
-
-Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
-Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data')
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Tested-by: Gwendal Grignou <gwendal@chromium.org>
-Cc: <stable@vger.kernel.org> # v4.2+
-Signed-off-by: Olof Johansson <olof@lixom.net>
----
- drivers/platform/chrome/cros_ec_dev.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/platform/chrome/cros_ec_dev.c b/drivers/platform/chrome/cros_ec_dev.c
-index 6d8ee3b15872..8abd80dbcbed 100644
---- a/drivers/platform/chrome/cros_ec_dev.c
-+++ b/drivers/platform/chrome/cros_ec_dev.c
-@@ -151,13 +151,19 @@ static long ec_device_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
- 		goto exit;
- 	}
- 
-+	if (u_cmd.outsize != s_cmd->outsize ||
-+	    u_cmd.insize != s_cmd->insize) {
-+		ret = -EINVAL;
-+		goto exit;
-+	}
-+
- 	s_cmd->command += ec->cmd_offset;
- 	ret = cros_ec_cmd_xfer(ec->ec_dev, s_cmd);
- 	/* Only copy data to userland if data was received. */
- 	if (ret < 0)
- 		goto exit;
- 
--	if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + u_cmd.insize))
-+	if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + s_cmd->insize))
- 		ret = -EFAULT;
- exit:
- 	kfree(s_cmd);
--- 
-2.5.5
-
diff --git a/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch b/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch
deleted file mode 100644
index 4e50a65e2..000000000
--- a/qla2xxx-Fix-NULL-pointer-deref-in-QLA-interrupt.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 36d17a40c174c8b77386520ab2a430fea760dcc3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bruno=20Pr=C3=83=C2=A9mont?= <bonbons@linux-vserver.org>
-Date: Thu, 30 Jun 2016 17:00:32 +0200
-Subject: [PATCH] qla2xxx: Fix NULL pointer deref in QLA interrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
-pointer dereference when rsp->msix is NULL:
-
-[    5.622457] NULL pointer dereference at 0000000000000050
-[    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
-[    5.622457] PGD 0
-[    5.622457] Oops: 0000 [#1] SMP
-[    5.622457] Modules linked in:
-[    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
-[    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
-[    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
-[    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
-[    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
-[    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
-[    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
-[    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
-[    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
-[    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
-[    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
-[    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
-[    5.622457] Stack:
-[    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
-[    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
-[    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
-[    5.622457] Call Trace:
-[    5.622457]  <IRQ>
-[    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
-[    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
-[    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
-[    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
-[    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
-[    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
-[    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
-[    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
-[    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
-[    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
-[    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
-[    5.622457]  <EOI>
-[    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
-[    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
-[    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
-[    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
-[    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
-[    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
-[    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
-[    5.622457]  RSP <ffff8801afb03de8>
-[    5.622457] CR2: 0000000000000050
-[    5.622457] ---[ end trace fa2b19c25106d42b ]---
-[    5.622457] Kernel panic - not syncing: Fatal exception in interrupt
-
-The affected code was introduced by commit cdb898c52d1dfad4b4800b83a58b3fe5d352edde
-(qla2xxx: Add irq affinity notification).
-
-Only dereference rsp->msix when it has been set so the machine can boot
-fine. Possibly rsp->msix is unset because:
-[    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
-[    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
-[    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
-[    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
-[    3.890145] scsi host0: qla2xxx
-[    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
-[    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
-[    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
-
-Signed-off-by: Bruno Prémont <bonbons@linux-vserver.org>
-Acked-by: Quinn Tran <quinn.tran@qlogic.com>
-CC: <stable@vger.kernel.org>  # 4.5+
-Fixes: cdb898c52d1dfad4b4800b83a58b3fe5d352edde
-Signed-off-by: James Bottomley <jejb@linux.vnet.ibm.com>
----
- drivers/scsi/qla2xxx/qla_isr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
-index 5649c200d37c..a92a62dea793 100644
---- a/drivers/scsi/qla2xxx/qla_isr.c
-+++ b/drivers/scsi/qla2xxx/qla_isr.c
-@@ -2548,7 +2548,7 @@ void qla24xx_process_response_queue(struct scsi_qla_host *vha,
- 	if (!vha->flags.online)
- 		return;
- 
--	if (rsp->msix->cpuid != smp_processor_id()) {
-+	if (rsp->msix && rsp->msix->cpuid != smp_processor_id()) {
- 		/* if kernel does not notify qla of IRQ's CPU change,
- 		 * then set it here.
- 		 */
--- 
-2.5.5
-
diff --git a/sources b/sources
index ee5257660..dbcebdf2e 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 d2927020e24a76da4ab482a8bc3e9ef3  linux-4.6.tar.xz
 fd23b14b9d474c3dfacb6e8ee82d3a51  perf-man-4.6.tar.gz
-ad32c9ec1c69a99811d160d6014f9b2d  patch-4.6.5.xz
+84f23eb772635b1348d3ea7c5bd67930  patch-4.6.6.xz