Linux v3.11-rc6-139-g89b53e5

4 files changed, 5 insertions, 132 deletions

diff --git a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
deleted file mode 100644
index 3c0153be9..000000000
--- a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 Mon Sep 17 00:00:00 2001
-From: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Date: Fri, 16 Aug 2013 11:02:27 +0000
-Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
-
-Because of the max_addresses check attackers were able to disable privacy
-extensions on an interface by creating enough autoconfigured addresses:
-
-<http://seclists.org/oss-sec/2012/q4/292>
-
-But the check is not actually needed: max_addresses protects the
-kernel to install too many ipv6 addresses on an interface and guards
-addrconf_prefix_rcv to install further addresses as soon as this limit
-is reached. We only generate temporary addresses in direct response of
-a new address showing up. As soon as we filled up the maximum number of
-addresses of an interface, we stop installing more addresses and thus
-also stop generating more temp addresses.
-
-Even if the attacker tries to generate a lot of temporary addresses
-by announcing a prefix and removing it again (lifetime == 0) we won't
-install more temp addresses, because the temporary addresses do count
-to the maximum number of addresses, thus we would stop installing new
-autoconfigured addresses when the limit is reached.
-
-This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
-possible).
-
-Thanks to Ding Tianhong to bring this topic up again.
-
-Cc: Ding Tianhong <dingtianhong@huawei.com>
-Cc: George Kargiotakis <kargig@void.gr>
-Cc: P J P <ppandit@redhat.com>
-Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
-Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Acked-by: Ding Tianhong <dingtianhong@huawei.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
-diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
-index da4241c..498ea99 100644
---- a/net/ipv6/addrconf.c
-+++ b/net/ipv6/addrconf.c
-@@ -1126,12 +1126,10 @@ retry:
- 	if (ifp->flags & IFA_F_OPTIMISTIC)
- 		addr_flags |= IFA_F_OPTIMISTIC;
- 
--	ift = !max_addresses ||
--	      ipv6_count_addresses(idev) < max_addresses ?
--		ipv6_add_addr(idev, &addr, NULL, tmp_plen,
--			      ipv6_addr_scope(&addr), addr_flags,
--			      tmp_valid_lft, tmp_prefered_lft) : NULL;
--	if (IS_ERR_OR_NULL(ift)) {
-+	ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen,
-+			    ipv6_addr_scope(&addr), addr_flags,
-+			    tmp_valid_lft, tmp_prefered_lft);
-+	if (IS_ERR(ift)) {
- 		in6_ifa_put(ifp);
- 		in6_dev_put(idev);
- 		pr_info("%s: retry temporary address regeneration\n", __func__);
---
-cgit v0.9.2
diff --git a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
deleted file mode 100644
index 84d6aa06d..000000000
--- a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-If channel switch is pending and we remove interface we can
-crash like showed below due to passing NULL vif to mac80211:
-
-BUG: unable to handle kernel paging request at fffffffffffff8cc
-IP: [<ffffffff8130924d>] strnlen+0xd/0x40
-Call Trace:
- [<ffffffff8130ad2e>] string.isra.3+0x3e/0xd0
- [<ffffffff8130bf99>] vsnprintf+0x219/0x640
- [<ffffffff8130c481>] vscnprintf+0x11/0x30
- [<ffffffff81061585>] vprintk_emit+0x115/0x4f0
- [<ffffffff81657bd5>] printk+0x61/0x63
- [<ffffffffa048987f>] ieee80211_chswitch_done+0xaf/0xd0 [mac80211]
- [<ffffffffa04e7b34>] iwl_chswitch_done+0x34/0x40 [iwldvm]
- [<ffffffffa04f83c3>] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm]
- [<ffffffffa04ebc50>] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm]
- [<ffffffffa04e5e76>] iwl_set_mode+0x36/0x40 [iwldvm]
- [<ffffffffa04e5f0d>] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm]
- [<ffffffffa0459b3d>] ieee80211_do_stop+0x29d/0x7f0 [mac80211]
-
-This is because we nulify ctx->vif in iwlagn_mac_remove_interface()
-before calling some other functions that teardown interface. To fix
-just check ctx->vif on iwl_chswitch_done(). We should not call
-ieee80211_chswitch_done() as channel switch works were already canceled
-by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop().
-
-Resolve:
-https://bugzilla.redhat.com/show_bug.cgi?id=979581
-
-Cc: stable@vger.kernel.org
-Reported-by: Lukasz Jagiello <jagiello.lukasz@gmail.com>
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
----
- drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
-index 323e4a3..9a817df 100644
---- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
-+++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
-@@ -1046,7 +1046,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success)
- 	if (test_bit(STATUS_EXIT_PENDING, &priv->status))
- 		return;
- 
--	if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
-+	if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
-+		return;
-+
-+	if (ctx->vif)
- 		ieee80211_chswitch_done(ctx->vif, is_success);
- }
- 
--- 
-1.7.11.7
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
\ No newline at end of file
diff --git a/kernel.spec b/kernel.spec
index 2be3f69ba..7e0ed1c7f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -95,7 +95,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 6
 # The git snapshot level
-%define gitrev 3
+%define gitrev 4
 # Set rpm version accordingly
 %define rpmversion 3.%{upstream_sublevel}.0
 %endif
@@ -740,15 +740,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
 Patch25056: iwl3945-better-skb-management-in-rx-path.patch
 Patch25057: iwl4965-better-skb-management-in-rx-path.patch
 
-#rhbz 979581
-Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
-
 #rhbz 963715
 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
 
-#CVE-2013-0343 rhbz 914664 999380
-Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
-
 #rhbz 989269
 Patch25079: mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
 
@@ -1445,15 +1439,9 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
 ApplyPatch iwl3945-better-skb-management-in-rx-path.patch
 ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
 
-#rhbz 979581
-ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
-
 #rhbz 963715
 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
 
-#CVE-2013-0343 rhbz 914664 999380
-ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
-
 #rhbz 989269
 ApplyPatch mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
 
@@ -2251,6 +2239,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git4.1
+- Linux v3.11-rc6-139-g89b53e5
+
 * Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git3.1
 - Linux v3.11-rc6-76-g6a7492a
 
diff --git a/sources b/sources
index ba3bfe826..63172be34 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 4f25cd5bec5f8d5a7d935b3f2ccb8481  linux-3.10.tar.xz
 7b8db47226ac7df01065212048233157  patch-3.11-rc6.xz
-c3a0c08f093dd96e708db255f753242e  patch-3.11-rc6-git3.xz
+b58364711465b8307fd412c9b3dd054c  patch-3.11-rc6-git4.xz