authorJosh Boyer <jwboyer@fedoraproject.org>2013-11-29 15:25:55 -0500
committerJosh Boyer <jwboyer@fedoraproject.org>2013-11-29 15:26:00 -0500
commit2daa349ccc9f18091ea134a2a589cb2f6fff14f9 (patch)
tree7c4a908c4e2e1a1d45ee530c406857e040bfa8e1
parentd791273b5d4ff1e8c64fe4537a6b64725ee6b6c1 (diff)
Linux v3.12.2
-rw-r--r--KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch53
-rw-r--r--aacraid-prevent-invalid-pointer-dereference.patch42
-rw-r--r--ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch40
-rw-r--r--btrfs-relocate-csums-properly-with-prealloc-ext.patch60
-rw-r--r--kernel.spec39
-rw-r--r--libertas-potential-oops-in-debugfs.patch50
-rw-r--r--rt2800usb-slow-down-TX-status-polling.patch53
-rw-r--r--sources2
8 files changed, 3 insertions, 336 deletions
diff --git a/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch b/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
deleted file mode 100644
index 65a48c349..000000000
--- a/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Bugzilla: 967652
-Upstream-status: 3.13 (should hit stable)
-
-From daf727225b8abfdfe424716abac3d15a3ac5626a Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 31 Oct 2013 23:05:24 +0100
-Subject: [PATCH] KVM: x86: fix emulation of "movzbl %bpl, %eax"
-
-When I was looking at RHEL5.9's failure to start with
-unrestricted_guest=0/emulate_invalid_guest_state=1, I got it working with a
-slightly older tree than kvm.git. I now debugged the remaining failure,
-which was introduced by commit 660696d1 (KVM: X86 emulator: fix
-source operand decoding for 8bit mov[zs]x instructions, 2013-04-24)
-introduced a similar mis-emulation to the one in commit 8acb4207 (KVM:
-fix sil/dil/bpl/spl in the mod/rm fields, 2013-05-30). The incorrect
-decoding occurs in 8-bit movzx/movsx instructions whose 8-bit operand
-is sil/dil/bpl/spl.
-
-Needless to say, "movzbl %bpl, %eax" does occur in RHEL5.9's decompression
-prolog, just a handful of instructions before finally giving control to
-the decompressed vmlinux and getting out of the invalid guest state.
-
-Because OpMem8 bypasses decode_modrm, the same handling of the REX prefix
-must be applied to OpMem8.
-
-Reported-by: Michele Baldessari <michele@redhat.com>
-Cc: stable@vger.kernel.org
-Cc: Gleb Natapov <gleb@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Gleb Natapov <gleb@redhat.com>
----
- arch/x86/kvm/emulate.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
-index 16c037e..282d28c 100644
---- a/arch/x86/kvm/emulate.c
-+++ b/arch/x86/kvm/emulate.c
-@@ -4117,7 +4117,10 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op,
- case OpMem8:
- ctxt->memop.bytes = 1;
- if (ctxt->memop.type == OP_REG) {
-- ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1);
-+ int highbyte_regs = ctxt->rex_prefix == 0;
-+
-+ ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm,
-+ highbyte_regs);
- fetch_register_operand(&ctxt->memop);
- }
- goto mem_common;
---
-1.8.3.1
-
diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch
deleted file mode 100644
index f5517aba9..000000000
--- a/aacraid-prevent-invalid-pointer-dereference.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Bugzilla: 1033593
-Upstream-status: 3.13
-
-From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
-From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
-Date: Thu, 31 Oct 2013 14:01:02 +0530
-Subject: [PATCH] aacraid: prevent invalid pointer dereference
-
-It appears that driver runs into a problem here if fibsize is too small
-because we allocate user_srbcmd with fibsize size only but later we
-access it until user_srbcmd->sg.count to copy it over to srbcmd.
-
-It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
-structure already includes one sg element and this is not needed for
-commands without data. So, we would recommend to add the following
-(instead of test for fibsize == 0).
-
-Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
-Reported-by: Nico Golde <nico@ngolde.de>
-Reported-by: Fabian Yamaguchi <fabs@goesec.de>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
- drivers/scsi/aacraid/commctrl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
-index d85ac1a..fbcd48d 100644
---- a/drivers/scsi/aacraid/commctrl.c
-+++ b/drivers/scsi/aacraid/commctrl.c
-@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
- goto cleanup;
- }
-
-- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
-+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
-+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
- rcode = -EINVAL;
- goto cleanup;
- }
---
-1.8.3.1
-
diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
deleted file mode 100644
index c8d015491..000000000
--- a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Stephan Mueller reported to me recently a error in random number generation in
-the ansi cprng. If several small requests are made that are less than the
-instances block size, the remainder for loop code doesn't increment
-rand_data_valid in the last iteration, meaning that the last bytes in the
-rand_data buffer gets reused on the subsequent smaller-than-a-block request for
-random data.
-
-The fix is pretty easy, just re-code the for loop to make sure that
-rand_data_valid gets incremented appropriately
-
-Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
-Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
-CC: Stephan Mueller <stephan.mueller@atsec.com>
-CC: Petr Matousek <pmatouse@redhat.com>
-CC: Herbert Xu <herbert@gondor.apana.org.au>
-CC: "David S. Miller" <davem@davemloft.net>
----
- crypto/ansi_cprng.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
-index c0bb377..666f196 100644
---- a/crypto/ansi_cprng.c
-+++ b/crypto/ansi_cprng.c
-@@ -230,11 +230,11 @@ remainder:
- */
- if (byte_count < DEFAULT_BLK_SZ) {
- empty_rbuf:
-- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
-- ctx->rand_data_valid++) {
-+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
- *ptr = ctx->rand_data[ctx->rand_data_valid];
- ptr++;
- byte_count--;
-+ ctx->rand_data_valid++;
- if (byte_count == 0)
- goto done;
- }
---
-1.8.3.1
diff --git a/btrfs-relocate-csums-properly-with-prealloc-ext.patch b/btrfs-relocate-csums-properly-with-prealloc-ext.patch
deleted file mode 100644
index e103f703a..000000000
--- a/btrfs-relocate-csums-properly-with-prealloc-ext.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-A user reported a problem where they were getting csum errors when running a
-balance and running systemd's journal. This is because systemd is awesome and
-fallocate()'s its log space and writes into it. Unfortunately we assume that
-when we read in all the csums for an extent that they are sequential starting at
-the bytenr we care about. This obviously isn't the case for prealloc extents,
-where we could have written to the middle of the prealloc extent only, which
-means the csum would be for the bytenr in the middle of our range and not the
-front of our range. Fix this by offsetting the new bytenr we are logging to
-based on the original bytenr the csum was for. With this patch I no longer see
-the csum errors I was seeing. Thanks,
-
-Cc: stable@xxxxxxxxxxxxxxx
-Reported-by: Chris Murphy <lists@xxxxxxxxxxxxxxxxx>
-Signed-off-by: Josef Bacik <jbacik@xxxxxxxxxxxx>
----
- fs/btrfs/relocation.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
-index 5ca7ea9..b7afeaa 100644
---- a/fs/btrfs/relocation.c
-+++ b/fs/btrfs/relocation.c
-@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
- struct btrfs_root *root = BTRFS_I(inode)->root;
- int ret;
- u64 disk_bytenr;
-+ u64 new_bytenr;
- LIST_HEAD(list);
-
- ordered = btrfs_lookup_ordered_extent(inode, file_pos);
-@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len)
- if (ret)
- goto out;
-
-- disk_bytenr = ordered->start;
- while (!list_empty(&list)) {
- sums = list_entry(list.next, struct btrfs_ordered_sum, list);
- list_del_init(&sums->list);
-
-- sums->bytenr = disk_bytenr;
-- disk_bytenr += sums->len;
-+ /*
-+ * We need to offset the new_bytenr based on where the csum is.
-+ * We need to do this because we will read in entire prealloc
-+ * extents but we may have written to say the middle of the
-+ * prealloc extent, so we need to make sure the csum goes with
-+ * the right disk offset.
-+ *
-+ * We can do this because the data reloc inode refers strictly
-+ * to the on disk bytes, so we don't have to worry about
-+ * disk_len vs real len like with real inodes since it's all
-+ * disk length.
-+ */
-+ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr);
-+ sums->bytenr = new_bytenr;
-
- btrfs_add_ordered_sum(inode, ordered, sums);
- }
---
-1.8.3.1
diff --git a/kernel.spec b/kernel.spec
index 36d2d3b9e..80cbe67bf 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -74,7 +74,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
-%define stable_update 1
+%define stable_update 2
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@@ -701,9 +701,6 @@ Patch22000: weird-root-dentry-name-debug.patch
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
-#CVE-2013-4345 rhbz 1007690 1009136
-Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
-
#rhbz 985522
Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch
@@ -729,12 +726,6 @@ Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch
#rhbz 1000439
Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
-#rhbz 1011714
-Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch
-
-#rhbz 984696
-Patch25132: rt2800usb-slow-down-TX-status-polling.patch
-
Patch25140: drm-qxl-backport-fixes-for-Fedora.patch
Patch25160: drm-qxl-fix-memory-leak-in-release-list-handling.patch
@@ -753,20 +744,11 @@ Patch25148: alx-Reset-phy-speed-after-resume.patch
#rhbz 1010679
Patch25149: drm-radeon-24hz-audio-fixes.patch
-#rhbz 967652
-Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
-
# Fix 15sec NFS mount delay
Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch
Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch
-#CVE-2013-6378 rhbz 1033578 1034183
-Patch25155: libertas-potential-oops-in-debugfs.patch
-
-#CVE-2013-6380 rhbz 1033593 1034304
-Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
-
#CVE-2013-6382 rhbz 1033603 1034670
Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@@ -1445,9 +1427,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
-#CVE-2013-4345 rhbz 1007690 1009136
-ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch
-
#rhbz 985522
ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch
@@ -1473,12 +1452,6 @@ ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch
#rhbz 1000439
ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
-#rhbz 1011714
-ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch
-
-#rhbz 984696
-ApplyPatch rt2800usb-slow-down-TX-status-polling.patch
-
ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch
ApplyPatch drm-qxl-fix-memory-leak-in-release-list-handling.patch
@@ -1497,20 +1470,11 @@ ApplyPatch alx-Reset-phy-speed-after-resume.patch
#rhbz 1010679
ApplyPatch drm-radeon-24hz-audio-fixes.patch
-#rhbz 967652
-ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch
-
# Fix 15sec NFS mount delay
ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch
ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch
ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch
-#CVE-2013-6378 rhbz 1033578 1034183
-ApplyPatch libertas-potential-oops-in-debugfs.patch
-
-#CVE-2013-6380 rhbz 1033593 1034304
-ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
-
#CVE-2013-6382 rhbz 1033603 1034670
ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@@ -2324,6 +2288,7 @@ fi
# || ||
%changelog
* Fri Nov 29 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- Linux v3.12.2
- Fix memory leak in qxl (from Dave Airlie)
* Tue Nov 26 2013 Josh Boyer <jwboyer@fedoraproject.org>
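Review bot: The added changelog line `- Linux v3.12.2` does not record that this rebase also stops applying the locally carried fixes for CVE-2013-4345, CVE-2013-6378 and CVE-2013-6380 (Patch25104, Patch25155 and Patch25156, removed in the earlier hunks of kernel.spec). Presumably those fixes are now delivered by patch-3.12.2.xz, but nothing visible in this commit confirms that. Anyone auditing the package for those CVEs loses the trail at this build. Consider naming them in the entry, for example `- Linux v3.12.2 (ansi_cprng, libertas and aacraid CVE fixes now come from stable)`, after checking each dropped patch against the stable changelog. The same check applies to the non-CVE patches dropped here (KVM movzbl emulation, btrfs csum relocation, rt2800usb polling).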
diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch
deleted file mode 100644
index 02e72d8f9..000000000
--- a/libertas-potential-oops-in-debugfs.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Bugzilla: 1034183
-Upstream-status: 3.13
-
-From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Wed, 30 Oct 2013 20:12:51 +0300
-Subject: [PATCH] libertas: potential oops in debugfs
-
-If we do a zero size allocation then it will oops. Also we can't be
-sure the user passes us a NUL terminated string so I've added a
-terminator.
-
-This code can only be triggered by root.
-
-Reported-by: Nico Golde <nico@ngolde.de>
-Reported-by: Fabian Yamaguchi <fabs@goesec.de>
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Acked-by: Dan Williams <dcbw@redhat.com>
-Signed-off-by: John W. Linville <linville@tuxdriver.com>
----
- drivers/net/wireless/libertas/debugfs.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
-index 668dd27..cc6a0a5 100644
---- a/drivers/net/wireless/libertas/debugfs.c
-+++ b/drivers/net/wireless/libertas/debugfs.c
-@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
- char *p2;
- struct debug_data *d = f->private_data;
-
-- pdata = kmalloc(cnt, GFP_KERNEL);
-+ if (cnt == 0)
-+ return 0;
-+
-+ pdata = kmalloc(cnt + 1, GFP_KERNEL);
- if (pdata == NULL)
- return 0;
-
-@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
- kfree(pdata);
- return 0;
- }
-+ pdata[cnt] = '\0';
-
- p0 = pdata;
- for (i = 0; i < num_of_items; i++) {
---
-1.8.3.1
-
diff --git a/rt2800usb-slow-down-TX-status-polling.patch b/rt2800usb-slow-down-TX-status-polling.patch
deleted file mode 100644
index a76f9b847..000000000
--- a/rt2800usb-slow-down-TX-status-polling.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Polling TX statuses too frequently has two negative effects. First is
-randomly peek CPU usage, causing overall system functioning delays.
-Second bad effect is that device is not able to fill TX statuses in
-H/W register on some workloads and we get lot of timeouts like below:
-
-ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2
-ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2
-ieee80211 phy4: rt2800usb_txdone: Warning - Got TX status for an empty queue 2, dropping
-
-This not only cause flood of messages in dmesg, but also bad throughput,
-since rate scaling algorithm can not work optimally.
-
-In the future, we should probably make polling interval be adjusted
-automatically, but for now just increase values, this make mentioned
-problems gone.
-
-Resolve:
-https://bugzilla.kernel.org/show_bug.cgi?id=62781
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
----
- drivers/net/wireless/rt2x00/rt2800usb.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
-index 96677ce5..e095e61 100644
---- a/drivers/net/wireless/rt2x00/rt2800usb.c
-+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
-@@ -176,8 +176,8 @@ static bool rt2800usb_tx_sta_fifo_read_completed(struct rt2x00_dev *rt2x00dev,
- queue_work(rt2x00dev->workqueue, &rt2x00dev->txdone_work);
-
- if (rt2800usb_txstatus_pending(rt2x00dev)) {
-- /* Read register after 250 us */
-- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 250000),
-+ /* Read register after 1 ms */
-+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 1000000),
- HRTIMER_MODE_REL);
- return false;
- }
-@@ -202,8 +202,8 @@ static void rt2800usb_async_read_tx_status(struct rt2x00_dev *rt2x00dev)
- if (test_and_set_bit(TX_STATUS_READING, &rt2x00dev->flags))
- return;
-
-- /* Read TX_STA_FIFO register after 500 us */
-- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 500000),
-+ /* Read TX_STA_FIFO register after 2 ms */
-+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 2000000),
- HRTIMER_MODE_REL);
- }
-
---
-1.8.3.1
diff --git a/sources b/sources
index effa65788..89882616a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz
-5a8cb5a659baeeb6df3fe22de8d32df6 patch-3.12.1.xz
+97453b56d6a999b5a4b0899b4e28fabe patch-3.12.2.xz