post rebase fixups

ceph-fix.patch

@@ -1,24 +0,0 @@
-diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c
-index 925ca58..0ef2458 100644
---- a/net/ceph/auth_none.c
-+++ b/net/ceph/auth_none.c
-@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac)
- 	return xi->starting;
- }
- 
-+static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
-+{
-+       return 0;
-+}
-+
- /*
-  * the generic auth code decode the global_id, and we carry no actual
-  * authenticate state, so nothing happens here.
-@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = {
- 	.destroy = destroy,
- 	.is_authenticated = is_authenticated,
- 	.should_authenticate = should_authenticate,
-+	.build_request = build_request,
- 	.handle_reply = handle_reply,
- 	.create_authorizer = ceph_auth_none_create_authorizer,
- 	.destroy_authorizer = ceph_auth_none_destroy_authorizer,

cfg80211-mac80211-disconnect-on-suspend.patch

@@ -1,219 +0,0 @@
-From 8125696991194aacb1173b6e8196d19098b44e17 Mon Sep 17 00:00:00 2001
-From: Stanislaw Gruszka <sgruszka@redhat.com>
-Date: Thu, 28 Feb 2013 09:55:25 +0000
-Subject: cfg80211/mac80211: disconnect on suspend
-
-If possible that after suspend, cfg80211 will receive request to
-disconnect what require action on interface that was removed during
-suspend.
-
-Problem can manifest itself by various warnings similar to below one:
-
-WARNING: at net/mac80211/driver-ops.h:12 ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211]()
-wlan0:  Failed check-sdata-in-driver check, flags: 0x4
-Call Trace:
- [<c043e0b3>] warn_slowpath_fmt+0x33/0x40
- [<f83707c9>] ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211]
- [<f83a660a>] ieee80211_recalc_ps_vif+0x2a/0x30 [mac80211]
- [<f83a6706>] ieee80211_set_disassoc+0xf6/0x500 [mac80211]
- [<f83a9441>] ieee80211_mgd_deauth+0x1f1/0x280 [mac80211]
- [<f8381b36>] ieee80211_deauth+0x16/0x20 [mac80211]
- [<f8261e70>] cfg80211_mlme_down+0x70/0xc0 [cfg80211]
- [<f8264de1>] __cfg80211_disconnect+0x1b1/0x1d0 [cfg80211]
-
-To fix the problem disconnect from any associated network before
-suspend. User space is responsible to establish connection again
-after resume. This basically need to be done by user space anyway,
-because associated stations can go away during suspend (for example
-NetworkManager disconnects on suspend and connect on resume by default).
-
-Patch also handle situation when driver refuse to suspend with wowlan
-configured and try to suspend again without it.
-
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
-index d0275f3..4d105c7 100644
---- a/net/mac80211/pm.c
-+++ b/net/mac80211/pm.c
-@@ -93,7 +93,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
- 			return err;
- 		} else if (err > 0) {
- 			WARN_ON(err != 1);
--			local->wowlan = false;
-+			return err;
- 		} else {
- 			list_for_each_entry(sdata, &local->interfaces, list)
- 				if (ieee80211_sdata_running(sdata))
-diff --git a/net/wireless/core.c b/net/wireless/core.c
-index ea4155f..f382cae 100644
---- a/net/wireless/core.c
-+++ b/net/wireless/core.c
-@@ -814,6 +814,46 @@ void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev,
- 		rdev->num_running_monitor_ifaces += num;
- }
- 
-+void cfg80211_leave(struct cfg80211_registered_device *rdev,
-+		   struct wireless_dev *wdev)
-+{
-+	struct net_device *dev = wdev->netdev;
-+
-+	switch (wdev->iftype) {
-+	case NL80211_IFTYPE_ADHOC:
-+		cfg80211_leave_ibss(rdev, dev, true);
-+		break;
-+	case NL80211_IFTYPE_P2P_CLIENT:
-+	case NL80211_IFTYPE_STATION:
-+		mutex_lock(&rdev->sched_scan_mtx);
-+		__cfg80211_stop_sched_scan(rdev, false);
-+		mutex_unlock(&rdev->sched_scan_mtx);
-+
-+		wdev_lock(wdev);
-+#ifdef CONFIG_CFG80211_WEXT
-+		kfree(wdev->wext.ie);
-+		wdev->wext.ie = NULL;
-+		wdev->wext.ie_len = 0;
-+		wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
-+#endif
-+		__cfg80211_disconnect(rdev, dev,
-+				      WLAN_REASON_DEAUTH_LEAVING, true);
-+		cfg80211_mlme_down(rdev, dev);
-+		wdev_unlock(wdev);
-+		break;
-+	case NL80211_IFTYPE_MESH_POINT:
-+		cfg80211_leave_mesh(rdev, dev);
-+		break;
-+	case NL80211_IFTYPE_AP:
-+		cfg80211_stop_ap(rdev, dev);
-+		break;
-+	default:
-+		break;
-+	}
-+
-+	wdev->beacon_interval = 0;
-+}
-+
- static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
- 					 unsigned long state,
- 					 void *ndev)
-@@ -882,38 +922,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
- 			dev->priv_flags |= IFF_DONT_BRIDGE;
- 		break;
- 	case NETDEV_GOING_DOWN:
--		switch (wdev->iftype) {
--		case NL80211_IFTYPE_ADHOC:
--			cfg80211_leave_ibss(rdev, dev, true);
--			break;
--		case NL80211_IFTYPE_P2P_CLIENT:
--		case NL80211_IFTYPE_STATION:
--			mutex_lock(&rdev->sched_scan_mtx);
--			__cfg80211_stop_sched_scan(rdev, false);
--			mutex_unlock(&rdev->sched_scan_mtx);
--
--			wdev_lock(wdev);
--#ifdef CONFIG_CFG80211_WEXT
--			kfree(wdev->wext.ie);
--			wdev->wext.ie = NULL;
--			wdev->wext.ie_len = 0;
--			wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
--#endif
--			__cfg80211_disconnect(rdev, dev,
--					      WLAN_REASON_DEAUTH_LEAVING, true);
--			cfg80211_mlme_down(rdev, dev);
--			wdev_unlock(wdev);
--			break;
--		case NL80211_IFTYPE_MESH_POINT:
--			cfg80211_leave_mesh(rdev, dev);
--			break;
--		case NL80211_IFTYPE_AP:
--			cfg80211_stop_ap(rdev, dev);
--			break;
--		default:
--			break;
--		}
--		wdev->beacon_interval = 0;
-+		cfg80211_leave(rdev, wdev);
- 		break;
- 	case NETDEV_DOWN:
- 		cfg80211_update_iface_num(rdev, wdev->iftype, -1);
-diff --git a/net/wireless/core.h b/net/wireless/core.h
-index 9a2be8d..d5d06fd 100644
---- a/net/wireless/core.h
-+++ b/net/wireless/core.h
-@@ -503,6 +503,9 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,
- void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev,
- 			       enum nl80211_iftype iftype, int num);
- 
-+void cfg80211_leave(struct cfg80211_registered_device *rdev,
-+		    struct wireless_dev *wdev);
-+
- void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev,
- 			      struct wireless_dev *wdev);
- 
-diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h
-index 8c8b26f..d77e1c1 100644
---- a/net/wireless/rdev-ops.h
-+++ b/net/wireless/rdev-ops.h
-@@ -6,11 +6,12 @@
- #include "core.h"
- #include "trace.h"
- 
--static inline int rdev_suspend(struct cfg80211_registered_device *rdev)
-+static inline int rdev_suspend(struct cfg80211_registered_device *rdev,
-+			       struct cfg80211_wowlan *wowlan)
- {
- 	int ret;
--	trace_rdev_suspend(&rdev->wiphy, rdev->wowlan);
--	ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
-+	trace_rdev_suspend(&rdev->wiphy, wowlan);
-+	ret = rdev->ops->suspend(&rdev->wiphy, wowlan);
- 	trace_rdev_return_int(&rdev->wiphy, ret);
- 	return ret;
- }
-diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c
-index 238ee49..8f28b9f 100644
---- a/net/wireless/sysfs.c
-+++ b/net/wireless/sysfs.c
-@@ -83,6 +83,14 @@ static int wiphy_uevent(struct device *dev, struct kobj_uevent_env *env)
- 	return 0;
- }
- 
-+static void cfg80211_leave_all(struct cfg80211_registered_device *rdev)
-+{
-+	struct wireless_dev *wdev;
-+
-+	list_for_each_entry(wdev, &rdev->wdev_list, list)
-+		cfg80211_leave(rdev, wdev);
-+}
-+
- static int wiphy_suspend(struct device *dev, pm_message_t state)
- {
- 	struct cfg80211_registered_device *rdev = dev_to_rdev(dev);
-@@ -90,12 +98,19 @@ static int wiphy_suspend(struct device *dev, pm_message_t state)
- 
- 	rdev->suspend_at = get_seconds();
- 
--	if (rdev->ops->suspend) {
--		rtnl_lock();
--		if (rdev->wiphy.registered)
--			ret = rdev_suspend(rdev);
--		rtnl_unlock();
-+	rtnl_lock();
-+	if (rdev->wiphy.registered) {
-+		if (!rdev->wowlan)
-+			cfg80211_leave_all(rdev);
-+		if (rdev->ops->suspend)
-+			ret = rdev_suspend(rdev, rdev->wowlan);
-+		if (ret == 1) {
-+			/* Driver refuse to configure wowlan */
-+			cfg80211_leave_all(rdev);
-+			ret = rdev_suspend(rdev, NULL);
-+		}
- 	}
-+	rtnl_unlock();
- 
- 	return ret;
- }
---
-cgit v0.9.1

kernel.spec

@@ -718,10 +718,6 @@ Patch21242: criu-no-expert.patch
 #rhbz 892811
 Patch21247: ath9k_rx_dma_stop_check.patch
 
-#rhbz 856863 892599
-Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch
-Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
-
 Patch22000: weird-root-dentry-name-debug.patch
 Patch22010: debug-idle-sched-warn-once.patch
 
@@ -734,9 +730,6 @@ Patch23006: fix-child-thread-introspection.patch
 #rhbz 948262
 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
 
-# Needed for F19 gssproxy feature
-Patch25030: gssproxy-backport.patch
-
 #CVE-2013-2140 rhbz 971146 971148
 Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch
 
@@ -773,9 +766,6 @@ Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch
 Patch25056: iwl3945-better-skb-management-in-rx-path.patch
 Patch25057: iwl4965-better-skb-management-in-rx-path.patch
 
-#CVE-2013-1059 rhbz 977356 980341
-Patch25059: ceph-fix.patch
-
 #rhbz 976789 980643
 Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch
 
@@ -1460,19 +1450,12 @@ ApplyPatch criu-no-expert.patch
 #rhbz 892811
 ApplyPatch ath9k_rx_dma_stop_check.patch
 
-#rhbz 856863 892599
-#ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch
-#ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
-
 #rhbz 927469
 ApplyPatch fix-child-thread-introspection.patch
 
 #rhbz 948262
 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch
 
-# Needed for F19 gssproxy feature
-#ApplyPatch gssproxy-backport.patch
-
 #CVE-2013-2140 rhbz 971146 971148
 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch
 
@@ -1508,11 +1491,8 @@ ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch
 ApplyPatch iwl3945-better-skb-management-in-rx-path.patch
 ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
 
-#CVE-2013-1059 rhbz 977356 980341
-#ApplyPatch ceph-fix.patch
-
 #rhbz 976789 980643
-#ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch
+ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch
 
 #rhbz 959721
 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch
@@ -2357,14 +2337,11 @@ fi
    tulip-dma-debug-error.patch
    af_key-fix-info-leaks-in-notify-messages.patch
    ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
-  needs fixing:
    arm-tegra-fixclk.patch
    cfg80211-mac80211-disconnect-on-suspend.patch
    mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
    gssproxy-backport.patch
    ceph-fix.patch
-   vhost-net-fix-use-after-free-in-vhost_net_flush.patch
-  ARM currently disabled, requires config changes. (See line 1558)
 
 * Fri Jul 12 2013 Dave Jones <davej@redhat.com> - 3.9.9-304
 - Disable LATENCYTOP/SCHEDSTATS in non-debug builds.

mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch

@@ -1,73 +0,0 @@
-diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index baaa860..7a3d675 100644
---- a/net/mac80211/iface.c
-+++ b/net/mac80211/iface.c
-@@ -748,8 +748,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
- 				 sdata->dev->addr_len);
- 		spin_unlock_bh(&local->filter_lock);
- 		netif_addr_unlock_bh(sdata->dev);
--
--		ieee80211_configure_filter(local);
-+		/* configure filter latter (if not suspended) */
- 	}
- 
- 	del_timer_sync(&local->dynamic_ps_timer);
-@@ -814,10 +813,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
- 		}
- 
- 		ieee80211_adjust_monitor_flags(sdata, -1);
--		ieee80211_configure_filter(local);
--		mutex_lock(&local->mtx);
--		ieee80211_recalc_idle(local);
--		mutex_unlock(&local->mtx);
-+		/* tell driver latter (if not suspended) */
- 		break;
- 	case NL80211_IFTYPE_P2P_DEVICE:
- 		/* relies on synchronize_rcu() below */
-@@ -848,28 +844,31 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
- 
- 		drv_remove_interface_debugfs(local, sdata);
- 
--		if (going_down)
-+		if (going_down && !local->suspended)
- 			drv_remove_interface(local, sdata);
- 	}
- 
- 	sdata->bss = NULL;
- 
--	ieee80211_recalc_ps(local, -1);
--
--	if (local->open_count == 0) {
--		if (local->ops->napi_poll)
--			napi_disable(&local->napi);
--		ieee80211_clear_tx_pending(local);
--		ieee80211_stop_device(local);
--
--		/* no reconfiguring after stop! */
--		hw_reconf_flags = 0;
-+	if (!local->suspended) {
-+		if (local->open_count == 0) {
-+			if (local->ops->napi_poll)
-+				napi_disable(&local->napi);
-+			ieee80211_clear_tx_pending(local);
-+			ieee80211_stop_device(local);
-+		} else {
-+			ieee80211_configure_filter(local);
-+			ieee80211_recalc_ps(local, -1);
-+ 
-+			mutex_lock(&local->mtx);
-+			ieee80211_recalc_idle(local);
-+			mutex_unlock(&local->mtx);
-+
-+			if (hw_reconf_flags)
-+				ieee80211_hw_config(local, hw_reconf_flags);
-+		}
- 	}
- 
--	/* do after stop to avoid reconfiguring when we stop anyway */
--	if (hw_reconf_flags)
--		ieee80211_hw_config(local, hw_reconf_flags);
--
- 	spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
- 	for (i = 0; i < IEEE80211_MAX_QUEUES; i++) {
- 		skb_queue_walk_safe(&local->pending[i], skb, tmp) {

vhost-net-fix-use-after-free-in-vhost_net_flush.patch

@@ -1,76 +1,54 @@
-From 0c9d7f6ea817d5328a09a78e901b16e1836ca4d7 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Tue, 25 Jun 2013 17:29:46 +0300
-Subject: [PATCH] vhost-net: fix use-after-free in vhost_net_flush
+commit c38e39c378f46f00ce922dd40a91043a9925c28d
+Author: Michael S. Tsirkin <mst@redhat.com>
+Date:   Tue Jun 25 17:29:46 2013 +0300
 
-vhost_net_ubuf_put_and_wait has a confusing name:
-it will actually also free it's argument.
-Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
-    "vhost-net: flush outstanding DMAs on memory change"
-vhost_net_flush tries to use the argument after passing it
-to vhost_net_ubuf_put_and_wait, this results
-in use after free.
-To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
-add an new API for callers that want to free ubufs.
-
-Acked-by: Asias He <asias@redhat.com>
-Acked-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
----
- drivers/vhost/net.c   | 4 ++--
- drivers/vhost/vhost.c | 5 +++++
- drivers/vhost/vhost.h | 1 +
- 3 files changed, 8 insertions(+), 2 deletions(-)
+    vhost-net: fix use-after-free in vhost_net_flush
+    
+    vhost_net_ubuf_put_and_wait has a confusing name:
+    it will actually also free it's argument.
+    Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01
+        "vhost-net: flush outstanding DMAs on memory change"
+    vhost_net_flush tries to use the argument after passing it
+    to vhost_net_ubuf_put_and_wait, this results
+    in use after free.
+    To fix, don't free the argument in vhost_net_ubuf_put_and_wait,
+    add an new API for callers that want to free ubufs.
+    
+    Acked-by: Asias He <asias@redhat.com>
+    Acked-by: Jason Wang <jasowang@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 
 diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
-index dfff647..d8d4f57 100644
+index f80d3dd..8ca5ac7 100644
 --- a/drivers/vhost/net.c
 +++ b/drivers/vhost/net.c
-@@ -857,7 +857,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
- 	mutex_unlock(&vq->mutex);
- 
- 	if (oldubufs) {
--		vhost_ubuf_put_and_wait(oldubufs);
-+		vhost_ubuf_put_wait_and_free(oldubufs);
- 		mutex_lock(&vq->mutex);
- 		vhost_zerocopy_signal_used(n, vq);
- 		mutex_unlock(&vq->mutex);
-@@ -875,7 +875,7 @@ err_used:
- 	rcu_assign_pointer(vq->private_data, oldsock);
- 	vhost_net_enable_vq(n, vq);
- 	if (ubufs)
--		vhost_ubuf_put_and_wait(ubufs);
-+		vhost_ubuf_put_wait_and_free(ubufs);
- err_ubufs:
- 	fput(sock->file);
- err_vq:
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 9759249..ff53c9e 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -1581,5 +1581,10 @@ void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *ubufs)
+@@ -150,6 +150,11 @@ static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs)
  {
- 	kref_put(&ubufs->kref, vhost_zerocopy_done_signal);
+ 	kref_put(&ubufs->kref, vhost_net_zerocopy_done_signal);
  	wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount));
 +}
 +
-+void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *ubufs)
++static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs)
 +{
-+	vhost_ubuf_put_and_wait(ubufs);
++	vhost_net_ubuf_put_and_wait(ubufs);
  	kfree(ubufs);
  }
-diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
-index 17261e2..dd63b35 100644
---- a/drivers/vhost/vhost.h
-+++ b/drivers/vhost/vhost.h
-@@ -63,6 +63,7 @@ struct vhost_ubuf_ref {
- struct vhost_ubuf_ref *vhost_ubuf_alloc(struct vhost_virtqueue *, bool zcopy);
- void vhost_ubuf_put(struct vhost_ubuf_ref *);
- void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *);
-+void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *);
  
- struct ubuf_info;
+@@ -948,7 +953,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
+ 	mutex_unlock(&vq->mutex);
  
--- 
-1.8.2.1
-
+ 	if (oldubufs) {
+-		vhost_net_ubuf_put_and_wait(oldubufs);
++		vhost_net_ubuf_put_wait_and_free(oldubufs);
+ 		mutex_lock(&vq->mutex);
+ 		vhost_zerocopy_signal_used(n, vq);
+ 		mutex_unlock(&vq->mutex);
+@@ -966,7 +971,7 @@ err_used:
+ 	rcu_assign_pointer(vq->private_data, oldsock);
+ 	vhost_net_enable_vq(n, vq);
+ 	if (ubufs)
+-		vhost_net_ubuf_put_and_wait(ubufs);
++		vhost_net_ubuf_put_wait_and_free(ubufs);
+ err_ubufs:
+ 	fput(sock->file);
+ err_vq: