7 files changed, 131 insertions, 115 deletions
diff --git a/KEYS-potential-uninitialized-variable.patch b/KEYS-potential-uninitialized-variable.patch
new file mode 100644
index 000000000..23cabbb2e
--- /dev/null
+++ b/KEYS-potential-uninitialized-variable.patch
@@ -0,0 +1,30 @@
+From 82a50018782f84e733e718d4b24e1653d19333be Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 15 Jun 2016 09:31:45 -0400
+Subject: [PATCH] KEYS: potential uninitialized variable
+
+If __key_link_begin() failed then "edit" would be uninitialized.  I've
+added a check to fix that.
+
+Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+---
+ security/keys/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index bd5a272f28a6..346fbf201c22 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -597,7 +597,7 @@ int key_reject_and_link(struct key *key,
+ 
+ 	mutex_unlock(&key_construction_mutex);
+ 
+-	if (keyring)
++	if (keyring && link_ret == 0)
+ 		__key_link_end(keyring, &key->index_key, edit);
+ 
+ 	/* wake up anyone waiting for a key to be constructed */
+-- 
+2.5.5
+
diff --git a/hp-wmi-fix-wifi-cannot-be-hard-unblock.patch b/hp-wmi-fix-wifi-cannot-be-hard-unblock.patch
new file mode 100644
index 000000000..27744a0c3
--- /dev/null
+++ b/hp-wmi-fix-wifi-cannot-be-hard-unblock.patch
@@ -0,0 +1,48 @@
+From patchwork Mon Jun 13 11:44:00 2016
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: hp-wmi: fix wifi cannot be hard-unblock
+From: Alex Hung <alex.hung@canonical.com>
+X-Patchwork-Id: 9172765
+Message-Id: <1465818240-11994-1-git-send-email-alex.hung@canonical.com>
+To: dvhart@infradead.org, platform-driver-x86@vger.kernel.org,
+ alex.hung@canonical.com, david.ward@ll.mit.edu
+Date: Mon, 13 Jun 2016 19:44:00 +0800
+
+Several users reported wifi cannot be unblocked as discussed in [1].
+This patch removes the useof 2009 flag by BIOS but uses the actual WMI
+function calls - it will be skipped if WMI reports unsupported
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=69131
+
+Signed-off-by: Alex Hung <alex.hung@canonical.com>
+---
+ drivers/platform/x86/hp-wmi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
+index 6f145f2..96ffda4 100644
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -718,6 +718,11 @@ static int __init hp_wmi_rfkill_setup(struct platform_device *device)
+ 	if (err)
+ 		return err;
+ 
++	err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
++				   sizeof(wireless), 0);
++	if (err)
++		return err;
++
+ 	if (wireless & 0x1) {
+ 		wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
+ 					   RFKILL_TYPE_WLAN,
+@@ -882,7 +887,7 @@ static int __init hp_wmi_bios_setup(struct platform_device *device)
+ 	wwan_rfkill = NULL;
+ 	rfkill2_count = 0;
+ 
+-	if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device))
++	if (hp_wmi_rfkill_setup(device))
+ 		hp_wmi_rfkill2_setup(device);
+ 
+ 	err = device_create_file(&device->dev, &dev_attr_display);
diff --git a/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch b/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
deleted file mode 100644
index 16788f756..000000000
--- a/ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 14b627c610f93c2700f9a3825ac10c35d51acfe4 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Mon, 7 Dec 2015 13:50:38 -0500
-Subject: [PATCH] ideapad-laptop: Add Lenovo ideapad Y700-17ISK to no_hw_rfkill
- dmi list
-
-One of the newest ideapad models also lacks a physical hw rfkill switch,
-and trying to read the hw rfkill switch through the ideapad module
-causes it to always reported blocking breaking wifi.
-
-Fix it by adding this model to the DMI list.
-
-BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1286293
-Cc: stable@vger.kernel.org
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- drivers/platform/x86/ideapad-laptop.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c
-index a313dfc0245f..d28db0e793df 100644
---- a/drivers/platform/x86/ideapad-laptop.c
-+++ b/drivers/platform/x86/ideapad-laptop.c
-@@ -865,6 +865,13 @@ static const struct dmi_system_id no_hw_rfkill_list[] = {
- 		},
- 	},
- 	{
-+		.ident = "Lenovo ideapad Y700-17ISK",
-+		.matches = {
-+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
-+			DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad Y700-17ISK"),
-+		},
-+	},
-+	{
- 		.ident = "Lenovo Yoga 2 11 / 13 / Pro",
- 		.matches = {
- 			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
--- 
-2.5.0
-
diff --git a/kernel.spec b/kernel.spec
index 70d9d8ec3..c055f5995 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -58,7 +58,7 @@ Summary: The Linux kernel
 %define stable_rc 0
 
 # Do we have a -stable update to apply?
-%define stable_update 13
+%define stable_update 14
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -610,9 +610,6 @@ Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
 #rhbz 1287819
 Patch570: HID-multitouch-enable-palm-rejection-if-device-imple.patch
 
-#rhbz 1286293
-Patch571: ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
-
 #rhbz 1288687
 Patch572: alua_fix.patch
 
@@ -660,15 +657,18 @@ Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
 #CVE-2016-0758 rhbz 1300257 1335386
 Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 
-#CVE-2016-4951 rhbz 1338625 1338626
-Patch720: tipc-check-nl-sock-before-parsing-nested-attributes.patch
-
 #CVE-2016-5243 rhbz 1343338 1343335
 Patch721: tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 
 #CVE-2016-5244 rhbz 1343338 1343337
 Patch722: rds-fix-an-infoleak-in-rds_inc_info_copy.txt
 
+#CVE-2016-4470 rhbz 1341716 1346626
+Patch727: KEYS-potential-uninitialized-variable.patch
+
+#rhbz 1338025
+Patch728: hp-wmi-fix-wifi-cannot-be-hard-unblock.patch
+
 # END OF PATCH DEFINITIONS
 %endif
 
@@ -1327,9 +1327,6 @@ ApplyPatch kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
 #rhbz 1287819
 ApplyPatch HID-multitouch-enable-palm-rejection-if-device-imple.patch
 
-#rhbz 1286293
-ApplyPatch ideapad-laptop-Add-Lenovo-ideapad-Y700-17ISK-to-no_h.patch
-
 #rhbz 1288687
 ApplyPatch alua_fix.patch
 
@@ -1374,15 +1371,18 @@ ApplyPatch ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
 #CVE-2016-0758 rhbz 1300257 1335386
 ApplyPatch KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 
-#CVE-2016-4951 rhbz 1338625 1338626
-ApplyPatch tipc-check-nl-sock-before-parsing-nested-attributes.patch
-
 #CVE-2016-5243 rhbz 1343338 1343335
 ApplyPatch tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch
 
 #CVE-2016-5244 rhbz 1343338 1343337
 ApplyPatch rds-fix-an-infoleak-in-rds_inc_info_copy.txt
 
+#CVE-2016-4470 rhbz 1341716 1346626
+ApplyPatch KEYS-potential-uninitialized-variable.patch
+
+#rhbz 1338025
+ApplyPatch hp-wmi-fix-wifi-cannot-be-hard-unblock.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2232,6 +2232,18 @@ fi
 #
 # 
 %changelog
+* Fri Jun 24 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.14-200
+- Linux v4.4.14
+
+* Wed Jun 15 2016 Laura Abbott <labbott@fedoraproject.org>
+- hp-wmi: fix wifi cannot be hard-unblock (rhbz 1338025)
+
+* Wed Jun 15 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4470 keys: uninitialized variable crash (rhbz 1341716 1346626)
+
+* Mon Jun 13 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-1583 stack overflow via ecryptfs and /proc (rhbz 1344721 1344722)
+
 * Wed Jun 08 2016 Laura Abbott <labbott@fedoraproject.org> - 4.4.13-200
 - Linux v4.4.13
 
diff --git a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
index ebfe1716f..0a45f1e1f 100644
--- a/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
+++ b/netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
@@ -1,6 +1,7 @@
-Subject:    [PATCH nf] netfilter: x_tables: deal with bogus nextoffset values
-From:       Florian Westphal <fw () strlen ! de>
-Date:       2016-03-10 0:56:02
+From 36d815b56409ca2fb562bb7aec5b17d08db25d8e Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw () strlen ! de>
+Date: Thu, 10 Mar 2016 00:56:02 -0800
+Subject: [PATCH] netfilter: x_tables: deal with bogus nextoffset values
 
 Ben Hawkes says:
 
@@ -28,10 +29,10 @@ Signed-off-by: Florian Westphal <fw@strlen.de>
  3 files changed, 22 insertions(+), 22 deletions(-)
 
 diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
-index b488cac..5a0b591 100644
+index 6e3e0e8..42b87c7 100644
 --- a/net/ipv4/netfilter/arp_tables.c
 +++ b/net/ipv4/netfilter/arp_tables.c
-@@ -437,6 +437,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+@@ -449,6 +449,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
  
  				/* Move along one */
  				size = e->next_offset;
@@ -41,8 +42,8 @@ index b488cac..5a0b591 100644
 +
  				e = (struct arpt_entry *)
  					(entry0 + pos + size);
- 				e->counters.pcnt = pos;
-@@ -447,14 +451,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ 				if (pos + size >= newinfo->size)
+@@ -461,14 +465,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
  				if (strcmp(t->target.u.user.name,
  					   XT_STANDARD_TARGET) == 0 &&
  				    newpos >= 0) {
@@ -57,9 +58,9 @@ index b488cac..5a0b591 100644
  					/* This a jump; chase it. */
  					duprintf("Jump rule %u -> %u\n",
  						 pos, newpos);
-@@ -462,6 +458,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
- 					/* ... this is a fallthru */
- 					newpos = pos + e->next_offset;
+@@ -482,6 +478,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
+ 					if (newpos >= newinfo->size)
+ 						return 0;
  				}
 +
 +				if (newpos > newinfo->size - sizeof(*e))
@@ -69,10 +70,10 @@ index b488cac..5a0b591 100644
  					(entry0 + newpos);
  				e->counters.pcnt = pos;
 diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
-index b99affa..ceb995f 100644
+index a399c54..b08e186 100644
 --- a/net/ipv4/netfilter/ip_tables.c
 +++ b/net/ipv4/netfilter/ip_tables.c
-@@ -519,6 +519,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+@@ -530,6 +530,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
  
  				/* Move along one */
  				size = e->next_offset;
@@ -82,8 +83,8 @@ index b99affa..ceb995f 100644
 +
  				e = (struct ipt_entry *)
  					(entry0 + pos + size);
- 				e->counters.pcnt = pos;
-@@ -529,13 +533,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 				if (pos + size >= newinfo->size)
+@@ -542,13 +546,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
  				if (strcmp(t->target.u.user.name,
  					   XT_STANDARD_TARGET) == 0 &&
  				    newpos >= 0) {
@@ -97,9 +98,9 @@ index b99affa..ceb995f 100644
  					/* This a jump; chase it. */
  					duprintf("Jump rule %u -> %u\n",
  						 pos, newpos);
-@@ -543,6 +540,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
- 					/* ... this is a fallthru */
- 					newpos = pos + e->next_offset;
+@@ -562,6 +559,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 					if (newpos >= newinfo->size)
+ 						return 0;
  				}
 +
 +				if (newpos > newinfo->size - sizeof(*e))
@@ -109,10 +110,10 @@ index b99affa..ceb995f 100644
  					(entry0 + newpos);
  				e->counters.pcnt = pos;
 diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
-index 99425cf..d88a794 100644
+index 22f39e0..1b6d4e7 100644
 --- a/net/ipv6/netfilter/ip6_tables.c
 +++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -531,6 +531,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
+@@ -542,6 +542,8 @@ mark_source_chains(const struct xt_table_info *newinfo,
  
  				/* Move along one */
  				size = e->next_offset;
@@ -120,8 +121,8 @@ index 99425cf..d88a794 100644
 +					return 0;
  				e = (struct ip6t_entry *)
  					(entry0 + pos + size);
- 				e->counters.pcnt = pos;
-@@ -541,13 +543,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 				if (pos + size >= newinfo->size)
+@@ -554,13 +556,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
  				if (strcmp(t->target.u.user.name,
  					   XT_STANDARD_TARGET) == 0 &&
  				    newpos >= 0) {
@@ -135,9 +136,9 @@ index 99425cf..d88a794 100644
  					/* This a jump; chase it. */
  					duprintf("Jump rule %u -> %u\n",
  						 pos, newpos);
-@@ -555,6 +550,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
- 					/* ... this is a fallthru */
- 					newpos = pos + e->next_offset;
+@@ -574,6 +569,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
+ 					if (newpos >= newinfo->size)
+ 						return 0;
  				}
 +
 +				if (newpos > newinfo->size - sizeof(*e))
@@ -147,4 +148,5 @@ index 99425cf..d88a794 100644
  					(entry0 + newpos);
  				e->counters.pcnt = pos;
 -- 
-2.4.10
+2.5.5
+
diff --git a/sources b/sources
index 9340eaf24..820e00d9d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 9a78fa2eb6c68ca5a40ed5af08142599  linux-4.4.tar.xz
 dcbc8fe378a676d5d0dd208cf524e144  perf-man-4.4.tar.gz
-0985afde06951614f594120d7c8ffad7  patch-4.4.13.xz
+24bdcde8502d841d58f1e45fc2de217f  patch-4.4.14.xz
diff --git a/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/tipc-check-nl-sock-before-parsing-nested-attributes.patch
deleted file mode 100644
index 09bfe1485..000000000
--- a/tipc-check-nl-sock-before-parsing-nested-attributes.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 45e093ae2830cd1264677d47ff9a95a71f5d9f9c Mon Sep 17 00:00:00 2001
-From: Richard Alpe <richard.alpe@ericsson.com>
-Date: Mon, 16 May 2016 11:14:54 +0200
-Subject: [PATCH] tipc: check nl sock before parsing nested attributes
-
-Make sure the socket for which the user is listing publication exists
-before parsing the socket netlink attributes.
-
-Prior to this patch a call without any socket caused a NULL pointer
-dereference in tipc_nl_publ_dump().
-
-Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
-Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
-Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- net/tipc/socket.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/net/tipc/socket.c b/net/tipc/socket.c
-index 12628890c219..3b7a79991d55 100644
---- a/net/tipc/socket.c
-+++ b/net/tipc/socket.c
-@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
- 		if (err)
- 			return err;
- 
-+		if (!attrs[TIPC_NLA_SOCK])
-+			return -EINVAL;
-+
- 		err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
- 				       attrs[TIPC_NLA_SOCK],
- 				       tipc_nl_sock_policy);
--- 
-2.5.5
-