--- /dev/null
+From 64fbff9ae0a0a843365d922e0057fc785f23f0e3 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:04:24 +0200
+Subject: audit: fix info leak in AUDIT_GET requests
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 64fbff9ae0a0a843365d922e0057fc785f23f0e3 upstream.
+
+We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
+we miss to initialize the mask member of status_set. Fix that.
+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric Paris <eparis@redhat.com>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -684,6 +684,7 @@ static int audit_receive_msg(struct sk_b
+
+ switch (msg_type) {
+ case AUDIT_GET:
++ status_set.mask = 0;
+ status_set.enabled = audit_enabled;
+ status_set.failure = audit_failure;
+ status_set.pid = audit_pid;
--- /dev/null
+From 0868a5e150bc4c47e7a003367cd755811eb41e0b Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 25 Jul 2013 18:02:55 -0700
+Subject: audit: printk USER_AVC messages when audit isn't enabled
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream.
+
+When the audit=1 kernel parameter is absent and auditd is not running,
+AUDIT_USER_AVC messages are being silently discarded.
+
+AUDIT_USER_AVC messages should be sent to userspace using printk(), as
+mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
+audit-disabled case for discarding user messages").
+
+When audit_enabled is 0, audit_receive_msg() discards all user messages
+except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
+refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
+special case AUDIT_USER_AVC messages in both functions.
+
+It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
+introduced this bug.
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric Paris <eparis@redhat.com>
+Cc: linux-audit@redhat.com
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -625,7 +625,7 @@ static int audit_log_common_recv_msg(str
+ char *ctx = NULL;
+ u32 len;
+
+- if (!audit_enabled) {
++ if (!audit_enabled && msg_type != AUDIT_USER_AVC) {
+ *ab = NULL;
+ return rc;
+ }
--- /dev/null
+From 4d8fe7376a12bf4524783dd95cbc00f1fece6232 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Mon, 30 Sep 2013 22:04:25 +0200
+Subject: audit: use nlmsg_len() to get message payload length
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 4d8fe7376a12bf4524783dd95cbc00f1fece6232 upstream.
+
+Using the nlmsg_len member of the netlink header to test if the message
+is valid is wrong as it includes the size of the netlink header itself.
+Thereby allowing to send short netlink messages that pass those checks.
+
+Use nlmsg_len() instead to test for the right message length. The result
+of nlmsg_len() is guaranteed to be non-negative as the netlink message
+already passed the checks of nlmsg_ok().
+
+Also switch to min_t() to please checkpatch.pl.
+
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Eric Paris <eparis@redhat.com>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -695,7 +695,7 @@ static int audit_receive_msg(struct sk_b
+ &status_set, sizeof(status_set));
+ break;
+ case AUDIT_SET:
+- if (nlh->nlmsg_len < sizeof(struct audit_status))
++ if (nlmsg_len(nlh) < sizeof(struct audit_status))
+ return -EINVAL;
+ status_get = (struct audit_status *)data;
+ if (status_get->mask & AUDIT_STATUS_ENABLED) {
--- /dev/null
+From d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 Mon Sep 17 00:00:00 2001
+From: Andreas Bießmann <andreas@biessmann.de>
+Date: Thu, 24 Oct 2013 12:31:04 +0200
+Subject: avr32: fix out-of-range jump in large kernels
+
+From: Andreas Bießmann <andreas@biessmann.de>
+
+commit d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 upstream.
+
+This patch fixes following error (for big kernels):
+
+---8<---
+arch/avr32/boot/u-boot/head.o: In function `no_tag_table':
+(.init.text+0x44): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
+arch/avr32/kernel/built-in.o: In function `bad_return':
+(.ex.text+0x236): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
+--->8---
+
+It comes up when the kernel increases and 'panic()' is too far away to fit in
+the +/- 2MiB range. Which in turn issues from the 21-bit displacement in
+'br{cond4}' mnemonic which is one of the two ways to do jumps (rjmp has just
+10-bit displacement and therefore a way smaller range). This fact was stated
+before in 8d29b7b9f81d6b83d869ff054e6c189d6da73f1f.
+One solution to solve this is to add a local storage for the symbol address
+and just load the $pc with that value.
+
+Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
+Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
+Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/avr32/boot/u-boot/head.S | 5 ++++-
+ arch/avr32/kernel/entry-avr32b.S | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/avr32/boot/u-boot/head.S
++++ b/arch/avr32/boot/u-boot/head.S
+@@ -73,8 +73,11 @@ init_sr:
+ .long 0x007f0000 /* Supervisor mode, everything masked */
+ stack_addr:
+ .long init_thread_union
++panic_addr:
++ .long panic
+
+ no_tag_table:
+ sub r12, pc, (. - 2f)
+- bral panic
++ /* branch to panic() which can be far away with that construct */
++ lddpc pc, panic_addr
+ 2: .asciz "Boot loader didn't provide correct magic number\n"
+--- a/arch/avr32/kernel/entry-avr32b.S
++++ b/arch/avr32/kernel/entry-avr32b.S
+@@ -399,9 +399,10 @@ handle_critical:
+ /* We should never get here... */
+ bad_return:
+ sub r12, pc, (. - 1f)
+- bral panic
++ lddpc pc, 2f
+ .align 2
+ 1: .asciz "Return from critical exception!"
++2: .long panic
+
+ .align 1
+ do_bus_error_write:
--- /dev/null
+From 7a2a74f4b856993218aa7cdeeb6c3103101340db Mon Sep 17 00:00:00 2001
+From: Andreas Bießmann <andreas@biessmann.de>
+Date: Thu, 24 Oct 2013 12:31:03 +0200
+Subject: avr32: setup crt for early panic()
+
+From: Andreas Bießmann <andreas@biessmann.de>
+
+commit 7a2a74f4b856993218aa7cdeeb6c3103101340db upstream.
+
+Before the CRT was (fully) set up in kernel_entry (bss cleared before in
+_start, but also not before jump to panic() in no_tag_table case).
+
+This patch fixes this up to have a fully working CRT when branching to panic()
+in no_tag_table.
+
+Signed-off-by: Andreas Bießmann <andreas@biessmann.de>
+Acked-by: Hans-Christian Egtvedt <egtvedt@samfundet.no>
+Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/avr32/boot/u-boot/head.S | 30 +++++++++++++++++++++++++-----
+ arch/avr32/kernel/head.S | 20 --------------------
+ 2 files changed, 25 insertions(+), 25 deletions(-)
+
+--- a/arch/avr32/boot/u-boot/head.S
++++ b/arch/avr32/boot/u-boot/head.S
+@@ -8,6 +8,8 @@
+ * published by the Free Software Foundation.
+ */
+ #include <asm/setup.h>
++#include <asm/thread_info.h>
++#include <asm/sysreg.h>
+
+ /*
+ * The kernel is loaded where we want it to be and all caches
+@@ -20,11 +22,6 @@
+ .section .init.text,"ax"
+ .global _start
+ _start:
+- /* Check if the boot loader actually provided a tag table */
+- lddpc r0, magic_number
+- cp.w r12, r0
+- brne no_tag_table
+-
+ /* Initialize .bss */
+ lddpc r2, bss_start_addr
+ lddpc r3, end_addr
+@@ -34,6 +31,25 @@ _start:
+ cp r2, r3
+ brlo 1b
+
++ /* Initialize status register */
++ lddpc r0, init_sr
++ mtsr SYSREG_SR, r0
++
++ /* Set initial stack pointer */
++ lddpc sp, stack_addr
++ sub sp, -THREAD_SIZE
++
++#ifdef CONFIG_FRAME_POINTER
++ /* Mark last stack frame */
++ mov lr, 0
++ mov r7, 0
++#endif
++
++ /* Check if the boot loader actually provided a tag table */
++ lddpc r0, magic_number
++ cp.w r12, r0
++ brne no_tag_table
++
+ /*
+ * Save the tag table address for later use. This must be done
+ * _after_ .bss has been initialized...
+@@ -53,6 +69,10 @@ bss_start_addr:
+ .long __bss_start
+ end_addr:
+ .long _end
++init_sr:
++ .long 0x007f0000 /* Supervisor mode, everything masked */
++stack_addr:
++ .long init_thread_union
+
+ no_tag_table:
+ sub r12, pc, (. - 2f)
+--- a/arch/avr32/kernel/head.S
++++ b/arch/avr32/kernel/head.S
+@@ -10,33 +10,13 @@
+ #include <linux/linkage.h>
+
+ #include <asm/page.h>
+-#include <asm/thread_info.h>
+-#include <asm/sysreg.h>
+
+ .section .init.text,"ax"
+ .global kernel_entry
+ kernel_entry:
+- /* Initialize status register */
+- lddpc r0, init_sr
+- mtsr SYSREG_SR, r0
+-
+- /* Set initial stack pointer */
+- lddpc sp, stack_addr
+- sub sp, -THREAD_SIZE
+-
+-#ifdef CONFIG_FRAME_POINTER
+- /* Mark last stack frame */
+- mov lr, 0
+- mov r7, 0
+-#endif
+-
+ /* Start the show */
+ lddpc pc, kernel_start_addr
+
+ .align 2
+-init_sr:
+- .long 0x007f0000 /* Supervisor mode, everything masked */
+-stack_addr:
+- .long init_thread_union
+ kernel_start_addr:
+ .long start_kernel
--- /dev/null
+From 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Mon, 25 Nov 2013 20:59:46 -0500
+Subject: ftrace: Fix function graph with loading of modules
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 upstream.
+
+Commit 8c4f3c3fa9681 "ftrace: Check module functions being traced on reload"
+fixed module loading and unloading with respect to function tracing, but
+it missed the function graph tracer. If you perform the following
+
+ # cd /sys/kernel/debug/tracing
+ # echo function_graph > current_tracer
+ # modprobe nfsd
+ # echo nop > current_tracer
+
+You'll get the following oops message:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 2910 at /linux.git/kernel/trace/ftrace.c:1640 __ftrace_hash_rec_update.part.35+0x168/0x1b9()
+ Modules linked in: nfsd exportfs nfs_acl lockd ipt_MASQUERADE sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables uinput snd_hda_codec_idt
+ CPU: 2 PID: 2910 Comm: bash Not tainted 3.13.0-rc1-test #7
+ Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007
+ 0000000000000668 ffff8800787efcf8 ffffffff814fe193 ffff88007d500000
+ 0000000000000000 ffff8800787efd38 ffffffff8103b80a 0000000000000668
+ ffffffff810b2b9a ffffffff81a48370 0000000000000001 ffff880037aea000
+ Call Trace:
+ [<ffffffff814fe193>] dump_stack+0x4f/0x7c
+ [<ffffffff8103b80a>] warn_slowpath_common+0x81/0x9b
+ [<ffffffff810b2b9a>] ? __ftrace_hash_rec_update.part.35+0x168/0x1b9
+ [<ffffffff8103b83e>] warn_slowpath_null+0x1a/0x1c
+ [<ffffffff810b2b9a>] __ftrace_hash_rec_update.part.35+0x168/0x1b9
+ [<ffffffff81502f89>] ? __mutex_lock_slowpath+0x364/0x364
+ [<ffffffff810b2cc2>] ftrace_shutdown+0xd7/0x12b
+ [<ffffffff810b47f0>] unregister_ftrace_graph+0x49/0x78
+ [<ffffffff810c4b30>] graph_trace_reset+0xe/0x10
+ [<ffffffff810bf393>] tracing_set_tracer+0xa7/0x26a
+ [<ffffffff810bf5e1>] tracing_set_trace_write+0x8b/0xbd
+ [<ffffffff810c501c>] ? ftrace_return_to_handler+0xb2/0xde
+ [<ffffffff811240a8>] ? __sb_end_write+0x5e/0x5e
+ [<ffffffff81122aed>] vfs_write+0xab/0xf6
+ [<ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
+ [<ffffffff81122dbd>] SyS_write+0x59/0x82
+ [<ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
+ [<ffffffff8150a2d2>] system_call_fastpath+0x16/0x1b
+ ---[ end trace 940358030751eafb ]---
+
+The above mentioned commit didn't go far enough. Well, it covered the
+function tracer by adding checks in __register_ftrace_function(). The
+problem is that the function graph tracer circumvents that (for a slight
+efficiency gain when function graph trace is running with a function
+tracer. The gain was not worth this).
+
+The problem came with ftrace_startup() which should always be called after
+__register_ftrace_function(), if you want this bug to be completely fixed.
+
+Anyway, this solution moves __register_ftrace_function() inside of
+ftrace_startup() and removes the need to call them both.
+
+Reported-by: Dave Wysochanski <dwysocha@redhat.com>
+Fixes: ed926f9b35cd ("ftrace: Use counters to enable functions to trace")
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 64 +++++++++++++++++++++++++++-----------------------
+ 1 file changed, 35 insertions(+), 29 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -312,9 +312,6 @@ static int remove_ftrace_list_ops(struct
+
+ static int __register_ftrace_function(struct ftrace_ops *ops)
+ {
+- if (ftrace_disabled)
+- return -ENODEV;
+-
+ if (FTRACE_WARN_ON(ops == &global_ops))
+ return -EINVAL;
+
+@@ -348,9 +345,6 @@ static int __unregister_ftrace_function(
+ {
+ int ret;
+
+- if (ftrace_disabled)
+- return -ENODEV;
+-
+ if (WARN_ON(!(ops->flags & FTRACE_OPS_FL_ENABLED)))
+ return -EBUSY;
+
+@@ -1940,10 +1934,15 @@ static void ftrace_startup_enable(int co
+ static int ftrace_startup(struct ftrace_ops *ops, int command)
+ {
+ bool hash_enable = true;
++ int ret;
+
+ if (unlikely(ftrace_disabled))
+ return -ENODEV;
+
++ ret = __register_ftrace_function(ops);
++ if (ret)
++ return ret;
++
+ ftrace_start_up++;
+ command |= FTRACE_UPDATE_CALLS;
+
+@@ -1965,12 +1964,17 @@ static int ftrace_startup(struct ftrace_
+ return 0;
+ }
+
+-static void ftrace_shutdown(struct ftrace_ops *ops, int command)
++static int ftrace_shutdown(struct ftrace_ops *ops, int command)
+ {
+ bool hash_disable = true;
++ int ret;
+
+ if (unlikely(ftrace_disabled))
+- return;
++ return -ENODEV;
++
++ ret = __unregister_ftrace_function(ops);
++ if (ret)
++ return ret;
+
+ ftrace_start_up--;
+ /*
+@@ -2005,9 +2009,10 @@ static void ftrace_shutdown(struct ftrac
+ }
+
+ if (!command || !ftrace_enabled)
+- return;
++ return 0;
+
+ ftrace_run_update_code(command);
++ return 0;
+ }
+
+ static void ftrace_startup_sysctl(void)
+@@ -2873,16 +2878,13 @@ static void __enable_ftrace_function_pro
+ if (i == FTRACE_FUNC_HASHSIZE)
+ return;
+
+- ret = __register_ftrace_function(&trace_probe_ops);
+- if (!ret)
+- ret = ftrace_startup(&trace_probe_ops, 0);
++ ret = ftrace_startup(&trace_probe_ops, 0);
+
+ ftrace_probe_registered = 1;
+ }
+
+ static void __disable_ftrace_function_probe(void)
+ {
+- int ret;
+ int i;
+
+ if (!ftrace_probe_registered)
+@@ -2895,9 +2897,7 @@ static void __disable_ftrace_function_pr
+ }
+
+ /* no more funcs left */
+- ret = __unregister_ftrace_function(&trace_probe_ops);
+- if (!ret)
+- ftrace_shutdown(&trace_probe_ops, 0);
++ ftrace_shutdown(&trace_probe_ops, 0);
+
+ ftrace_probe_registered = 0;
+ }
+@@ -3948,12 +3948,15 @@ device_initcall(ftrace_nodyn_init);
+ static inline int ftrace_init_dyn_debugfs(struct dentry *d_tracer) { return 0; }
+ static inline void ftrace_startup_enable(int command) { }
+ /* Keep as macros so we do not need to define the commands */
+-# define ftrace_startup(ops, command) \
+- ({ \
+- (ops)->flags |= FTRACE_OPS_FL_ENABLED; \
+- 0; \
++# define ftrace_startup(ops, command) \
++ ({ \
++ int ___ret = __register_ftrace_function(ops); \
++ if (!___ret) \
++ (ops)->flags |= FTRACE_OPS_FL_ENABLED; \
++ ___ret; \
+ })
+-# define ftrace_shutdown(ops, command) do { } while (0)
++# define ftrace_shutdown(ops, command) __unregister_ftrace_function(ops)
++
+ # define ftrace_startup_sysctl() do { } while (0)
+ # define ftrace_shutdown_sysctl() do { } while (0)
+
+@@ -4326,9 +4329,7 @@ int register_ftrace_function(struct ftra
+ if (unlikely(ftrace_disabled))
+ goto out_unlock;
+
+- ret = __register_ftrace_function(ops);
+- if (!ret)
+- ret = ftrace_startup(ops, 0);
++ ret = ftrace_startup(ops, 0);
+
+
+ out_unlock:
+@@ -4348,9 +4349,7 @@ int unregister_ftrace_function(struct ft
+ int ret;
+
+ mutex_lock(&ftrace_lock);
+- ret = __unregister_ftrace_function(ops);
+- if (!ret)
+- ftrace_shutdown(ops, 0);
++ ret = ftrace_shutdown(ops, 0);
+ mutex_unlock(&ftrace_lock);
+
+ return ret;
+@@ -4544,6 +4543,13 @@ ftrace_suspend_notifier_call(struct noti
+ return NOTIFY_DONE;
+ }
+
++/* Just a place holder for function graph */
++static struct ftrace_ops fgraph_ops __read_mostly = {
++ .func = ftrace_stub,
++ .flags = FTRACE_OPS_FL_STUB | FTRACE_OPS_FL_GLOBAL |
++ FTRACE_OPS_FL_RECURSION_SAFE,
++};
++
+ int register_ftrace_graph(trace_func_graph_ret_t retfunc,
+ trace_func_graph_ent_t entryfunc)
+ {
+@@ -4570,7 +4576,7 @@ int register_ftrace_graph(trace_func_gra
+ ftrace_graph_return = retfunc;
+ ftrace_graph_entry = entryfunc;
+
+- ret = ftrace_startup(&global_ops, FTRACE_START_FUNC_RET);
++ ret = ftrace_startup(&fgraph_ops, FTRACE_START_FUNC_RET);
+
+ out:
+ mutex_unlock(&ftrace_lock);
+@@ -4587,7 +4593,7 @@ void unregister_ftrace_graph(void)
+ ftrace_graph_active--;
+ ftrace_graph_return = (trace_func_graph_ret_t)ftrace_stub;
+ ftrace_graph_entry = ftrace_graph_entry_stub;
+- ftrace_shutdown(&global_ops, FTRACE_STOP_FUNC_RET);
++ ftrace_shutdown(&fgraph_ops, FTRACE_STOP_FUNC_RET);
+ unregister_pm_notifier(&ftrace_suspend_notifier);
+ unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL);
+
--- /dev/null
+From d03b4aa77e1187b77dfe37d14a923547f00baa66 Mon Sep 17 00:00:00 2001
+From: Avinash Patil <patila@marvell.com>
+Date: Tue, 5 Nov 2013 15:01:44 -0800
+Subject: mwifiex: correct packet length for packets from SDIO interface
+
+From: Avinash Patil <patila@marvell.com>
+
+commit d03b4aa77e1187b77dfe37d14a923547f00baa66 upstream.
+
+While receiving a packet on SDIO interface, we allocate skb with
+size multiple of SDIO block size. We need to resize this skb
+after RX using packet length from RX header.
+
+Signed-off-by: Avinash Patil <patila@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/sdio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mwifiex/sdio.c
++++ b/drivers/net/wireless/mwifiex/sdio.c
+@@ -938,7 +938,10 @@ static int mwifiex_decode_rx_packet(stru
+ struct sk_buff *skb, u32 upld_typ)
+ {
+ u8 *cmd_buf;
++ __le16 *curr_ptr = (__le16 *)skb->data;
++ u16 pkt_len = le16_to_cpu(*curr_ptr);
+
++ skb_trim(skb, pkt_len);
+ skb_pull(skb, INTF_HEADER_LEN);
+
+ switch (upld_typ) {
--- /dev/null
+From e7cc5cf74544d97d7b69e2701595037474db1f96 Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Mon, 18 Nov 2013 17:02:45 -0700
+Subject: PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove()
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit e7cc5cf74544d97d7b69e2701595037474db1f96 upstream.
+
+The pcie_portdrv .probe() method calls pci_enable_device() once, in
+pcie_port_device_register(), but the .remove() method calls
+pci_disable_device() twice, in pcie_port_device_remove() and in
+pcie_portdrv_remove().
+
+That causes a "disabling already-disabled device" warning when removing a
+PCIe port device. This happens all the time when removing Thunderbolt
+devices, but is also easy to reproduce with, e.g.,
+"echo 0000:00:1c.3 > /sys/bus/pci/drivers/pcieport/unbind"
+
+This patch removes the disable from pcie_portdrv_remove().
+
+[bhelgaas: changelog, tag for stable]
+Reported-by: David Bulkow <David.Bulkow@stratus.com>
+Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/pcie/portdrv_pci.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/pcie/portdrv_pci.c
++++ b/drivers/pci/pcie/portdrv_pci.c
+@@ -151,7 +151,6 @@ static int __devinit pcie_portdrv_probe(
+ static void pcie_portdrv_remove(struct pci_dev *dev)
+ {
+ pcie_port_device_remove(dev);
+- pci_disable_device(dev);
+ }
+
+ static int error_detected_iter(struct device *device, void *data)
--- /dev/null
+From 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dcbw@redhat.com>
+Date: Fri, 8 Nov 2013 13:39:44 -0600
+Subject: prism54: set netdev type to "wlan"
+
+From: Dan Williams <dcbw@redhat.com>
+
+commit 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 upstream.
+
+Userspace uses the netdev devtype for stuff like device naming and type
+detection. Be nice and set it. Remove the pointless #if/#endif around
+SET_NETDEV_DEV too.
+
+Signed-off-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/prism54/islpci_dev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/prism54/islpci_dev.c
++++ b/drivers/net/wireless/prism54/islpci_dev.c
+@@ -811,6 +811,10 @@ static const struct net_device_ops islpc
+ .ndo_validate_addr = eth_validate_addr,
+ };
+
++static struct device_type wlan_type = {
++ .name = "wlan",
++};
++
+ struct net_device *
+ islpci_setup(struct pci_dev *pdev)
+ {
+@@ -821,9 +825,8 @@ islpci_setup(struct pci_dev *pdev)
+ return ndev;
+
+ pci_set_drvdata(pdev, ndev);
+-#if defined(SET_NETDEV_DEV)
+ SET_NETDEV_DEV(ndev, &pdev->dev);
+-#endif
++ SET_NETDEV_DEVTYPE(ndev, &wlan_type);
+
+ /* setup the structure members */
+ ndev->base_addr = pci_resource_start(pdev, 0);
--- /dev/null
+From 42d64e1add3a1ce8a787116036163b8724362145 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Thu, 26 Sep 2013 17:00:46 -0400
+Subject: selinux: correct locking in selinux_netlbl_socket_connect)
+
+From: Paul Moore <pmoore@redhat.com>
+
+commit 42d64e1add3a1ce8a787116036163b8724362145 upstream.
+
+The SELinux/NetLabel glue code has a locking bug that affects systems
+with NetLabel enabled, see the kernel error message below. This patch
+corrects this problem by converting the bottom half socket lock to a
+more conventional, and correct for this call-path, lock_sock() call.
+
+ ===============================
+ [ INFO: suspicious RCU usage. ]
+ 3.11.0-rc3+ #19 Not tainted
+ -------------------------------
+ net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 1, debug_locks = 0
+ 2 locks held by ping/731:
+ #0: (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect
+ #1: (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr
+
+ stack backtrace:
+ CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19
+ Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ 0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500
+ ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000
+ 000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7
+ Call Trace:
+ [<ffffffff81726b6a>] dump_stack+0x54/0x74
+ [<ffffffff810e4457>] lockdep_rcu_suspicious+0xe7/0x120
+ [<ffffffff8169bec7>] cipso_v4_sock_setattr+0x187/0x1a0
+ [<ffffffff8170f317>] netlbl_conn_setattr+0x187/0x190
+ [<ffffffff8170f195>] ? netlbl_conn_setattr+0x5/0x190
+ [<ffffffff8131ac9e>] selinux_netlbl_socket_connect+0xae/0xc0
+ [<ffffffff81303025>] selinux_socket_connect+0x135/0x170
+ [<ffffffff8119d127>] ? might_fault+0x57/0xb0
+ [<ffffffff812fb146>] security_socket_connect+0x16/0x20
+ [<ffffffff815d3ad3>] SYSC_connect+0x73/0x130
+ [<ffffffff81739a85>] ? sysret_check+0x22/0x5d
+ [<ffffffff810e5e2d>] ? trace_hardirqs_on_caller+0xfd/0x1c0
+ [<ffffffff81373d4e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff815d52be>] SyS_connect+0xe/0x10
+ [<ffffffff81739a59>] system_call_fastpath+0x16/0x1b
+
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/netlabel.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/security/selinux/netlabel.c
++++ b/security/selinux/netlabel.c
+@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct
+ sksec->nlbl_state != NLBL_CONNLABELED)
+ return 0;
+
+- local_bh_disable();
+- bh_lock_sock_nested(sk);
++ lock_sock(sk);
+
+ /* connected sockets are allowed to disconnect when the address family
+ * is set to AF_UNSPEC, if that is what is happening we want to reset
+@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct
+ sksec->nlbl_state = NLBL_CONNLABELED;
+
+ socket_connect_return:
+- bh_unlock_sock(sk);
+- local_bh_enable();
++ release_sock(sk);
+ return rc;
+ }
rt2400pci-fix-rssi-read.patch
dm-allocate-buffer-for-messages-with-small-number-of-arguments-using-gfp_noio.patch
pm-hibernate-avoid-overflow-in-hibernate_preallocate_memory.patch
+mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch
+audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch
+audit-use-nlmsg_len-to-get-message-payload-length.patch
+audit-fix-info-leak-in-audit_get-requests.patch
+pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch
+selinux-correct-locking-in-selinux_netlbl_socket_connect.patch
+avr32-setup-crt-for-early-panic.patch
+avr32-fix-out-of-range-jump-in-large-kernels.patch
+prism54-set-netdev-type-to-wlan.patch
+ftrace-fix-function-graph-with-loading-of-modules.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
