CVE-2014-8133 x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS (rhbz 1172797 1174374)

ACPI-Limit-access-to-custom_method.patch

@@ -26,5 +26,5 @@ index c68e72414a67..4277938af700 100644
  		/* parse the table header to get the table length */
  		if (count <= sizeof(struct acpi_table_header))
 -- 
-1.9.3
+2.1.0
 

ARM-tegra-usb-no-reset.patch

@@ -27,5 +27,5 @@ index 674c262907d9..d3e4c73d56a2 100644
  		 * disconnected while waiting for the lock to succeed. */
  		usb_lock_device(hdev);
 -- 
-1.9.3
+2.1.0
 

Add-EFI-signature-data-types.patch

@@ -52,5 +52,5 @@ index ebe6a24cc1e1..5ce40e215f15 100644
   * All runtime access to EFI goes through this structure:
   */
 -- 
-1.9.3
+2.1.0
 

Add-an-EFI-signature-blob-parser-and-key-loader.patch

@@ -174,5 +174,5 @@ index 5ce40e215f15..41359e548bcb 100644
   * efi_range_is_wc - check the WC bit on an address range
   * @start: starting kvirt address
 -- 
-1.9.3
+2.1.0
 

Add-option-to-automatically-enforce-module-signature.patch

@@ -181,5 +181,5 @@ index f1d78afbe29f..ec12c156ea61 100644
  {
  #ifdef CONFIG_MODULE_SIG
 -- 
-1.9.3
+2.1.0
 

Add-secure_modules-call.patch

@@ -59,5 +59,5 @@ index 1c47139d161c..f1d78afbe29f 100644
 +}
 +EXPORT_SYMBOL(secure_modules);
 -- 
-1.9.3
+2.1.0
 

Add-sysrq-option-to-disable-secure-boot-mode.patch

@@ -244,5 +244,5 @@ index ec12c156ea61..1db033284ad3 100644
  static int param_set_bool_enable_only(const char *val,
  				      const struct kernel_param *kp)
 -- 
-1.9.3
+2.1.0
 

HID-add-support-for-MS-Surface-Pro-3-Type-Cover.patch

@@ -80,5 +80,5 @@ index 5014bb567b29..cebfaf288bd3 100644
  	{ USB_VENDOR_ID_NEXIO, USB_DEVICE_ID_NEXIO_MULTITOUCH_PTI0750, HID_QUIRK_NO_INIT_REPORTS },
  	{ USB_VENDOR_ID_NOVATEK, USB_DEVICE_ID_NOVATEK_MOUSE, HID_QUIRK_NO_INIT_REPORTS },
 -- 
-1.9.3
+2.1.0
 

HID-wacom-Add-support-for-the-Cintiq-Companion.patch

@@ -42,5 +42,5 @@ index aa6a08eb7ad6..c3cbbfb5811f 100644
  	{ USB_DEVICE_WACOM(0x314) },
  	{ USB_DEVICE_WACOM(0x315) },
 -- 
-1.9.3
+2.1.0
 

KEYS-Add-a-system-blacklist-keyring.patch

@@ -107,5 +107,5 @@ index 875f64e8935b..c15e93f5a418 100644
  }
  
 -- 
-1.9.3
+2.1.0
 

MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch

@@ -181,5 +181,5 @@ index 000000000000..94b0eb38a284
 +}
 +late_initcall(load_uefi_certs);
 -- 
-1.9.3
+2.1.0
 

MODSIGN-Support-not-importing-certs-from-db.patch

@@ -79,5 +79,5 @@ index 94b0eb38a284..ae28b974d49a 100644
  
  	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
 -- 
-1.9.3
+2.1.0
 

PCI-Lock-down-BAR-access-when-module-security-is-ena.patch

@@ -112,5 +112,5 @@ index b91c4da68365..98f5637304d1 100644
  
  	dev = pci_get_bus_and_slot(bus, dfn);
 -- 
-1.9.3
+2.1.0
 

Restrict-dev-mem-and-dev-kmem-when-module-loading-is.patch

@@ -37,5 +37,5 @@ index cdf839f9defe..c63cf93b00eb 100644
  		unsigned long to_write = min_t(unsigned long, count,
  					       (unsigned long)high_memory - p);
 -- 
-1.9.3
+2.1.0
 

Revert-Revert-ACPI-video-change-acpi-video-brightnes.patch

@@ -41,5 +41,5 @@ index 8e7e18567ae6..a3d293806f96 100644
  
  /*
 -- 
-1.9.3
+2.1.0
 

acpi-Ignore-acpi_rsdp-kernel-parameter-when-module-l.patch

@@ -34,5 +34,5 @@ index 3abe9b223ba7..ee8f11cf65da 100644
  #endif
  
 -- 
-1.9.3
+2.1.0
 

ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch

@@ -1,4 +1,3 @@
-From 905ef98a83d3782207c0bda8d093e8f654884a94 Mon Sep 17 00:00:00 2001
 From: Tejun Heo <tj@kernel.org>
 Date: Thu, 4 Dec 2014 13:13:28 -0500
 Subject: [PATCH] ahci: disable MSI on SAMSUNG 0xa800 SSD

arm-dts-am335x-bone-common-add-uart2_pins-uart4_pins.patch

@@ -41,5 +41,5 @@ index 86cdb52dbf8a..db4518ef755d 100644
  		pinctrl-single,pins = <
  			0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3)	/* xdma_event_intr1.clkout2 */
 -- 
-1.9.3
+2.1.0
 

arm-dts-am335x-bone-common-enable-and-use-i2c2.patch

@@ -65,5 +65,5 @@ index bde1777b62be..c7357bcc7d5c 100644
  
  /include/ "tps65217.dtsi"
 -- 
-1.9.3
+2.1.0
 

arm-dts-am335x-bone-common-setup-default-pinmux-http.patch

@@ -175,5 +175,5 @@ index c7357bcc7d5c..86cdb52dbf8a 100644
 +	};
 +};
 -- 
-1.9.3
+2.1.0
 

arm-dts-am335x-boneblack-add-cpu0-opp-points.patch

@@ -37,5 +37,5 @@ index bf5349165542..acfff3befff5 100644
  		compatible = "ti,tilcdc,slave";
  		i2c = <&i2c0>;
 -- 
-1.9.3
+2.1.0
 

arm-dts-am335x-boneblack-lcdc-add-panel-info.patch

@@ -34,5 +34,5 @@ index 305975d3f531..bf5349165542 100644
  	};
  };
 -- 
-1.9.3
+2.1.0
 

arm-dts-sun7i-bananapi.patch

@@ -209,5 +209,5 @@ index 000000000000..7214475a3c36
 +	};
 +};
 -- 
-1.9.3
+2.1.0
 

arm-highbank-l2-reverts.patch

@@ -56,5 +56,5 @@ index 8c35ae4ff176..38e1dc3b4c6e 100644
  	.init_machine	= highbank_init,
  	.dt_compat	= highbank_match,
 -- 
-1.9.3
+2.1.0
 

arm-i.MX6-Utilite-device-dtb.patch

@@ -61,5 +61,5 @@ index 99b46f8030ad..8b6ddd16dcc5 100644
 +	status = "okay";
 +};
 -- 
-1.9.3
+2.1.0
 

asus-wmi-Restrict-debugfs-interface-when-module-load.patch

@@ -49,5 +49,5 @@ index 21fc932da3a1..c6d42ad95c08 100644
  				     1, asus->debug.method_id,
  				     &input, &output);
 -- 
-1.9.3
+2.1.0
 

ath9k-rx-dma-stop-check.patch

@@ -37,5 +37,5 @@ index 275205ab5f15..bb842623bdf6 100644
  			"DMA failed to stop in %d ms AR_CR=0x%08x AR_DIAG_SW=0x%08x DMADBG_7=0x%08x\n",
  			AH_RX_STOP_DMA_TIMEOUT / 1000,
 -- 
-1.9.3
+2.1.0
 

cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch

@@ -1,4 +1,3 @@
-From e95a7085483366d52dd93b9fe8258ea77b99b89a Mon Sep 17 00:00:00 2001
 From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
 Date: Tue, 2 Dec 2014 09:53:25 +0200
 Subject: [PATCH] cfg80211: don't WARN about two consecutive Country IE hint
@@ -20,10 +19,10 @@ Acked-by: Luis R. Rodriguez <mcgrof@suse.com>
  1 file changed, 2 insertions(+), 5 deletions(-)
 
 diff --git a/net/wireless/reg.c b/net/wireless/reg.c
-index b725a31a4751..695f12b2c176 100644
+index 1afdf45db38f..e676723e29e2 100644
 --- a/net/wireless/reg.c
 +++ b/net/wireless/reg.c
-@@ -1839,11 +1839,8 @@ __reg_process_hint_country_ie(struct wiphy *wiphy,
+@@ -1799,11 +1799,8 @@ __reg_process_hint_country_ie(struct wiphy *wiphy,
  			return REG_REQ_IGNORE;
  		return REG_REQ_ALREADY_SET;
  	}

crash-driver.patch

@@ -505,5 +505,5 @@ index 000000000000..25ab9869d566
 +
 +#endif /* __CRASH_H__ */
 -- 
-1.9.3
+2.1.0
 

criu-no-expert.patch

@@ -31,5 +31,5 @@ index 3c866db603a7..bfb3c54d5286 100644
  	help
  	  Provides the way to make tasks work with different objects using
 -- 
-1.9.3
+2.1.0
 

die-floppy-die.patch

@@ -28,5 +28,5 @@ index 56d46ffb08e1..1c8db250df88 100644
  #else
  
 -- 
-1.9.3
+2.1.0
 

disable-i8042-check-on-apple-mac.patch

@@ -57,5 +57,5 @@ index 9bb95eab6926..4b5015f27f9e 100644
  	if (err)
  		return err;
 -- 
-1.9.3
+2.1.0
 

disable-libdw-unwind-on-non-x86.patch

@@ -24,5 +24,5 @@ index 1f67aa02d240..86c21a24da46 100644
    NO_LIBUNWIND := 1
  else
 -- 
-1.9.3
+2.1.0
 

drm-i915-Don-t-WARN-in-edp_panel_vdd_off.patch

@@ -12,7 +12,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 2 deletions(-)
 
 diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c
-index 4b3c09636990..cff7f2e04de2 100644
+index 1b7375efc670..a6fb06cc6cf0 100644
 --- a/drivers/gpu/drm/i915/intel_dp.c
 +++ b/drivers/gpu/drm/i915/intel_dp.c
 @@ -1303,8 +1303,6 @@ static void edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync)
@@ -25,5 +25,5 @@ index 4b3c09636990..cff7f2e04de2 100644
  
  	if (sync)
 -- 
-1.9.3
+2.1.0
 

drm-i915-hush-check-crtc-state.patch

@@ -14,10 +14,10 @@ Upstream-status: http://lists.freedesktop.org/archives/intel-gfx/2013-November/0
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
-index b71a02663bae..c27b94be0a95 100644
+index 7bd17b3ee95c..15d8e8d97e46 100644
 --- a/drivers/gpu/drm/i915/intel_display.c
 +++ b/drivers/gpu/drm/i915/intel_display.c
-@@ -10656,7 +10656,7 @@ check_crtc_state(struct drm_device *dev)
+@@ -10660,7 +10660,7 @@ check_crtc_state(struct drm_device *dev)
  
  		if (active &&
  		    !intel_pipe_config_compare(dev, &crtc->config, &pipe_config)) {
@@ -27,5 +27,5 @@ index b71a02663bae..c27b94be0a95 100644
  					       "[hw state]");
  			intel_dump_pipe_config(crtc, &crtc->config,
 -- 
-1.9.3
+2.1.0
 

efi-Add-EFI_SECURE_BOOT-bit.patch

@@ -38,5 +38,5 @@ index 45cb4ffdea62..ebe6a24cc1e1 100644
  #ifdef CONFIG_EFI
  /*
 -- 
-1.9.3
+2.1.0
 

efi-Disable-secure-boot-if-shim-is-in-insecure-mode.patch

@@ -53,5 +53,5 @@ index 975d11bfaf5b..94bf7819857a 100644
  }
  
 -- 
-1.9.3
+2.1.0
 

efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch

@@ -25,5 +25,5 @@ index 61542c282e70..e5ee669e87b6 100644
  	---help---
  	  UEFI Secure Boot provides a mechanism for ensuring that the
 -- 
-1.9.3
+2.1.0
 

hibernate-Disable-in-a-signed-modules-environment.patch

@@ -34,5 +34,5 @@ index 1f35a3478f3c..5e2472fc3dda 100644
  
  /**
 -- 
-1.9.3
+2.1.0
 

input-kill-stupid-messages.patch

@@ -29,5 +29,5 @@ index 6f5d79569136..95469f6ecfa5 100644
  	case ATKBD_RET_ERR:
  		atkbd->err_count++;
 -- 
-1.9.3
+2.1.0
 

input-silence-i8042-noise.patch

@@ -61,5 +61,5 @@ index ce82337521f6..a3fee4becc93 100644
  		cp = can_get_proto(protocol);
  	}
 -- 
-1.9.3
+2.1.0
 

kbuild-AFTER_LINK.patch

@@ -121,5 +121,5 @@ index 86a4fe75f453..161637ed5611 100644
  
  
 -- 
-1.9.3
+2.1.0
 

kernel.spec

@@ -635,6 +635,9 @@ Patch26095: ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch
 #rhbz 1172543
 Patch26096: cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch
 
+#CVE-2014-8133 rhbz 1172797 1174374
+Patch26100: x86-tls-Validate-TLS-entries-to-protect-espfix.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
 
@@ -1380,6 +1383,9 @@ ApplyPatch ahci-disable-MSI-on-SAMSUNG-0xa800-SSD.patch
 #rhbz 1172543
 ApplyPatch cfg80211-don-t-WARN-about-two-consecutive-Country-IE.patch
 
+#CVE-2014-8133 rhbz 1172797 1174374
+ApplyPatch x86-tls-Validate-TLS-entries-to-protect-espfix.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2254,6 +2260,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Mon Dec 15 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-8133 x86: espfix(64) bypass via set_thread_area and CLONE_SETTLS (rhbz 1172797 1174374)
+
 * Fri Dec 12 2014 Kyle McMartin <kyle@fedoraproject.org>
 - build in ahci_platform on aarch64 temporarily.
 

kexec-Disable-at-runtime-if-the-kernel-enforces-modu.patch

@@ -39,5 +39,5 @@ index 2bee072268d9..891477dbfee0 100644
  	 * This leaves us room for future extensions.
  	 */
 -- 
-1.9.3
+2.1.0
 

lib-cpumask-Make-CPUMASK_OFFSTACK-usable-without-deb.patch

@@ -33,5 +33,5 @@ index 54cf309a92a5..64f8bb4882fb 100644
  	  Use dynamic allocation for cpumask_var_t, instead of putting
  	  them on the stack.  This is a bit more expensive, but avoids
 -- 
-1.9.3
+2.1.0
 

lis3-improve-handling-of-null-rate.patch

@@ -74,5 +74,5 @@ index 3ef4627f9cb1..2b2d2e8e5eeb 100644
  		return err;
  
 -- 
-1.9.3
+2.1.0
 

no-pcspkr-modalias.patch

@@ -21,5 +21,5 @@ index 674a2cfc3c0e..9a2807227c69 100644
  static int pcspkr_event(struct input_dev *dev, unsigned int type, unsigned int code, int value)
  {
 -- 
-1.9.3
+2.1.0
 

perf-install-trace-event-plugins.patch

@@ -26,5 +26,5 @@ index 86c21a24da46..bf0fe97bd358 100644
  
  # Shell quote (do not use $(call) to accommodate ancient setups);
 -- 
-1.9.3
+2.1.0
 

pinctrl-pinctrl-single-must-be-initialized-early.patch

@@ -33,5 +33,5 @@ index 95dd9cf55cb3..800fc34d7ea9 100644
  MODULE_AUTHOR("Tony Lindgren <tony@atomide.com>");
  MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver");
 -- 
-1.9.3
+2.1.0
 

ppc64-fixtools.patch

@@ -20,5 +20,5 @@ index a7c23a4b3778..d73ef8bb08c7 100644
  /*
   * When saving the callchain on Power, the kernel conservatively saves
 -- 
-1.9.3
+2.1.0
 

psmouse-Add-psmouse_matches_pnp_id-helper-function.patch

@@ -53,10 +53,10 @@ index 2f0b39d59a9b..f4cf664c7db3 100644
  struct psmouse_attribute {
  	struct device_attribute dattr;
 diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
-index 2e8f3ba7b2bd..2a7a9174c702 100644
+index 3ebfb0386300..f9472920d986 100644
 --- a/drivers/input/mouse/synaptics.c
 +++ b/drivers/input/mouse/synaptics.c
-@@ -186,18 +186,6 @@ static const char * const topbuttonpad_pnp_ids[] = {
+@@ -190,18 +190,6 @@ static const char * const topbuttonpad_pnp_ids[] = {
  	NULL
  };
  
@@ -75,7 +75,7 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644
  /*****************************************************************************
   *	Synaptics communications functions
   ****************************************************************************/
-@@ -363,7 +351,8 @@ static int synaptics_resolution(struct psmouse *psmouse)
+@@ -367,7 +355,8 @@ static int synaptics_resolution(struct psmouse *psmouse)
  	}
  
  	for (i = 0; min_max_pnpid_table[i].pnp_ids; i++) {
@@ -85,7 +85,7 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644
  			priv->x_min = min_max_pnpid_table[i].x_min;
  			priv->x_max = min_max_pnpid_table[i].x_max;
  			priv->y_min = min_max_pnpid_table[i].y_min;
-@@ -1495,7 +1484,7 @@ static void set_input_params(struct psmouse *psmouse,
+@@ -1499,7 +1488,7 @@ static void set_input_params(struct psmouse *psmouse,
  
  	if (SYN_CAP_CLICKPAD(priv->ext_cap_0c)) {
  		__set_bit(INPUT_PROP_BUTTONPAD, dev->propbit);
@@ -95,5 +95,5 @@ index 2e8f3ba7b2bd..2a7a9174c702 100644
  		/* Clickpads report only left button */
  		__clear_bit(BTN_RIGHT, dev->keybit);
 -- 
-1.9.3
+2.1.0
 

psmouse-Add-support-for-detecting-FocalTech-PS-2-tou.patch

@@ -153,5 +153,5 @@ index 02e68c3008a3..2c8c8e2172a2 100644
   * Reset to defaults in case the device got confused by extended
   * protocol probes. Note that we follow up with full reset because
 -- 
-1.9.3
+2.1.0
 

samsung-laptop-Add-broken-acpi-video-quirk-for-NC210.patch

@@ -35,5 +35,5 @@ index ff765d8e1a09..864290243e46 100644
  };
  MODULE_DEVICE_TABLE(dmi, samsung_dmi_table);
 -- 
-1.9.3
+2.1.0
 

scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch

@@ -33,5 +33,5 @@ index 2c2041ca4b70..e10812d985af 100644
  	 * If the device is offline, don't try and read capacity or any
  	 * of the other niceties.
 -- 
-1.9.3
+2.1.0
 

silence-fbcon-logo.patch

@@ -51,5 +51,5 @@ index 57b1d44acbfe..31048a85713d 100644
  
  #ifdef MODULE
 -- 
-1.9.3
+2.1.0
 

uas-Add-US_FL_NO_ATA_1X-for-Seagate-devices-with-usb.patch

@@ -1,7 +1,6 @@
-From 37a72caa7f031da7b3e63252c1f0023b8272203c Mon Sep 17 00:00:00 2001
 From: Hans de Goede <hdegoede@redhat.com>
 Date: Fri, 5 Dec 2014 11:06:36 +0100
-Subject: [PATCH 2/3] uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id
+Subject: [PATCH] uas: Add US_FL_NO_ATA_1X for Seagate devices with usb-id
  0bc2:a013
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8

uas-Add-US_FL_NO_REPORT_OPCODES-for-JMicron-JMS566-w.patch

@@ -1,7 +1,6 @@
-From a7ea9a460f28ef9781ba8dad4a6feb5fd01202f2 Mon Sep 17 00:00:00 2001
 From: Hans de Goede <hdegoede@redhat.com>
 Date: Mon, 8 Dec 2014 09:46:36 +0100
-Subject: [PATCH 3/3] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS566 with
+Subject: [PATCH] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS566 with
  usb-id 0bc2:a013
 
 Like the JMicron JMS567 enclosures with the JMS566 choke on report-opcodes,

watchdog-Disable-watchdog-on-virtual-machines.patch

@@ -74,5 +74,5 @@ index a8d6914030fe..d0a8c308170d 100644
  
  	if (watchdog_user_enabled)
 -- 
-1.9.3
+2.1.0
 

x86-Lock-down-IO-port-access-when-module-security-is.patch

@@ -66,5 +66,5 @@ index 917403fe10da..cdf839f9defe 100644
  		return -EFAULT;
  	while (count-- > 0 && i < 65536) {
 -- 
-1.9.3
+2.1.0
 

x86-Restrict-MSR-access-when-module-loading-is-restr.patch

@@ -38,5 +38,5 @@ index c9603ac80de5..8bef43fc3f40 100644
  			err = -EFAULT;
  			break;
 -- 
-1.9.3
+2.1.0
 

x86-kvm-Clear-paravirt_enabled-on-KVM-guests-for-esp.patch

@@ -1,4 +1,3 @@
-From 0fdb006a5af7f391a6de4ce810aba4af46c427e4 Mon Sep 17 00:00:00 2001
 From: Andy Lutomirski <luto@amacapital.net>
 Date: Fri, 5 Dec 2014 19:03:28 -0800
 Subject: [PATCH] x86, kvm: Clear paravirt_enabled on KVM guests for espfix32's

x86-tls-Validate-TLS-entries-to-protect-espfix.patch

@@ -0,0 +1,77 @@
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Thu, 4 Dec 2014 16:48:16 -0800
+Subject: [PATCH] x86/tls: Validate TLS entries to protect espfix
+
+Installing a 16-bit RW data segment into the GDT defeats espfix.
+AFAICT this will not affect glibc, Wine, or dosemu at all.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Acked-by: H. Peter Anvin <hpa@zytor.com>
+Cc: stable@vger.kernel.org
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: security@kernel.org <security@kernel.org>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/kernel/tls.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
+index f7fec09e3e3a..e7650bd71109 100644
+--- a/arch/x86/kernel/tls.c
++++ b/arch/x86/kernel/tls.c
+@@ -27,6 +27,21 @@ static int get_free_idx(void)
+ 	return -ESRCH;
+ }
+ 
++static bool tls_desc_okay(const struct user_desc *info)
++{
++	if (LDT_empty(info))
++		return true;
++
++	/*
++	 * espfix is required for 16-bit data segments, but espfix
++	 * only works for LDT segments.
++	 */
++	if (!info->seg_32bit)
++		return false;
++
++	return true;
++}
++
+ static void set_tls_desc(struct task_struct *p, int idx,
+ 			 const struct user_desc *info, int n)
+ {
+@@ -66,6 +81,9 @@ int do_set_thread_area(struct task_struct *p, int idx,
+ 	if (copy_from_user(&info, u_info, sizeof(info)))
+ 		return -EFAULT;
+ 
++	if (!tls_desc_okay(&info))
++		return -EINVAL;
++
+ 	if (idx == -1)
+ 		idx = info.entry_number;
+ 
+@@ -192,6 +210,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+ {
+ 	struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES];
+ 	const struct user_desc *info;
++	int i;
+ 
+ 	if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) ||
+ 	    (pos % sizeof(struct user_desc)) != 0 ||
+@@ -205,6 +224,10 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
+ 	else
+ 		info = infobuf;
+ 
++	for (i = 0; i < count / sizeof(struct user_desc); i++)
++		if (!tls_desc_okay(info + i))
++			return -EINVAL;
++
+ 	set_tls_desc(target,
+ 		     GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)),
+ 		     info, count / sizeof(struct user_desc));
+-- 
+2.1.0
+

xhci-Add-broken-streams-quirk-for-Fresco-Logic-FL100.patch

@@ -1,8 +1,7 @@
-From e6a429eb0bfa03e3dca62e3922874d768833395f Mon Sep 17 00:00:00 2001
 From: Hans de Goede <hdegoede@redhat.com>
 Date: Fri, 5 Dec 2014 11:01:00 +0100
-Subject: [PATCH 1/3] xhci: Add broken-streams quirk for Fresco Logic FL1000G
- xhci controllers
+Subject: [PATCH] xhci: Add broken-streams quirk for Fresco Logic FL1000G xhci
+ controllers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit