diff --git a/debian/changelog b/debian/changelog index 6fc9a5440..e1241ce41 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (3.12.5-1) UNRELEASED; urgency=medium +linux (3.12.6-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.4 @@ -34,6 +34,48 @@ linux (3.12.5-1) UNRELEASED; urgency=medium - SCSI: Disable WRITE SAME for RAID and virtual host adapter drivers - tg3: avoid double-freeing of rx data memory - crypto: scatterwalk - Use sg_chain_ptr on chain entries + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.6 + - ALSA: memalloc.h - fix wrong truncation of dma_addr_t + - [arm] 7912/1: check stack pointer in get_wchan + - [arm] 7913/1: fix framepointer check in unwind_frame + - KVM: Improve create VCPU parameter (CVE-2013-4587) + - [x86] KVM: Fix potential divide by 0 in lapic (CVE-2013-6367) + - [x86] KVM: Convert vapic synchronization to _cached functions + (CVE-2013-6368) + - [x86] KVM: fix guest-initiated crash with x2apic (CVE-2013-6376) + - xfs: growfs overruns AGFL buffer on V4 filesystems + - futex: fix handling of read-only-mapped hugepages + - nfsd: when reusing an existing repcache entry, unhash it first + - [armhf] usb: musb: musb_cppi41: handle pre-mature TX complete interrupt + - powerpc: Fix PTE page address mismatch in pgtable ctor/dtor + - mm: memcg: do not allow task about to OOM kill to bypass the limit + - mm: memcg: fix race condition between memcg teardown and swapin + - cfg80211: disable 5/10 MHz support for all drivers + - Revert "mac80211: allow disable power save in mesh" + - mac80211: fix scheduled scan rtnl deadlock + - iwlwifi: mvm: check sta_id/drain values in debugfs + - Btrfs: fix access_ok() check in btrfs_ioctl_send() + - dm snapshot: avoid snapshot space leak on crash + - dm array: fix a reference counting bug in shadow_ablock + - dm space map metadata: return on failure in sm_metadata_new_block + - dm space map: disallow decrementing a reference count below zero + - dm table: fail dm_table_create on dm_round_up overflow + - dm thin: switch to read only mode if a mapping insert fails + - dm thin: switch to read-only mode if metadata space is exhausted + - dm thin: always fallback the pool mode if commit fails + - dm thin: re-establish read-only state when switching to fail mode + - dm thin: allow pool in read-only mode to transition to read-write mode + - media/cxd2820r_core: Fix regression in 3.12.3 + - sched: Avoid throttle_cfs_rq() racing with period_timer stopping + - Btrfs: do a full search everytime in btrfs_search_old_slot + - Btrfs: reset intwrite on transaction abort + - Btrfs: fix memory leak of chunks' extent map + - Btrfs: fix hole check in log_one_extent + - Btrfs: fix incorrect inode acl reset + - Btrfs: take ordered root lock when removing ordered operations inode + - Btrfs: do not run snapshot-aware defragment on error + - Btrfs: fix a crash when running balance and defrag concurrently + - Btrfs: fix lockdep error in async commit [ Ben Hutchings ] * udeb: Add ohci-pci to usb-modules (Closes: #730789) @@ -53,12 +95,6 @@ linux (3.12.5-1) UNRELEASED; urgency=medium (Closes: #732106) * linux-source: Compress with gzip -1 (Closes: #725492) * [alpha] Prevent a NULL ptr dereference in csum_partial_copy - * media/cxd2820r_core: Fix regression in 3.12.3, thanks to Frederik Himpe - * KVM: Improve create VCPU parameter (CVE-2013-4587) - * [x86] KVM: Fix potential divide by 0 in lapic (CVE-2013-6367) - * [x86] KVM: Convert vapic synchronization to _cached functions - (CVE-2013-6368) - * [x86] KVM: fix guest-initiated crash with x2apic (CVE-2013-6376) * Set ABI to 1 * [ia64] Enable PSTORE, EFI_VARS_PSTORE * [x86,ia64] udeb: Remove zlib-modules as zlib is now built-in diff --git a/debian/patches/bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch b/debian/patches/bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch deleted file mode 100644 index f378260d8..000000000 --- a/debian/patches/bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Andy Honig -Date: Mon, 18 Nov 2013 16:09:22 -0800 -Subject: KVM: Improve create VCPU parameter (CVE-2013-4587) -Origin: https://git.kernel.org/linus/338c7dbadd2671189cec7faf64c84d01071b3f96 - -In multiple functions the vcpu_id is used as an offset into a bitfield. Ag -malicious user could specify a vcpu_id greater than 255 in order to set or -clear bits in kernel memory. This could be used to elevate priveges in the -kernel. This patch verifies that the vcpu_id provided is less than 255. -The api documentation already specifies that the vcpu_id must be less than -max_vcpus, but this is currently not checked. - -Reported-by: Andrew Honig -Cc: stable@vger.kernel.org -Signed-off-by: Andrew Honig -Signed-off-by: Paolo Bonzini ---- - virt/kvm/kvm_main.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/virt/kvm/kvm_main.c -+++ b/virt/kvm/kvm_main.c -@@ -1893,6 +1893,9 @@ static int kvm_vm_ioctl_create_vcpu(stru - int r; - struct kvm_vcpu *vcpu, *v; - -+ if (id >= KVM_MAX_VCPUS) -+ return -EINVAL; -+ - vcpu = kvm_arch_vcpu_create(kvm, id); - if (IS_ERR(vcpu)) - return PTR_ERR(vcpu); diff --git a/debian/patches/bugfix/all/KVM-x86-Fix-potential-divide-by-0-in-lapic-CVE-2013-.patch b/debian/patches/bugfix/all/KVM-x86-Fix-potential-divide-by-0-in-lapic-CVE-2013-.patch deleted file mode 100644 index 0d0a54746..000000000 --- a/debian/patches/bugfix/all/KVM-x86-Fix-potential-divide-by-0-in-lapic-CVE-2013-.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Andy Honig -Date: Tue, 19 Nov 2013 14:12:18 -0800 -Subject: KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) -Origin: https://git.kernel.org/linus/b963a22e6d1a266a67e9eecc88134713fd54775c - -Under guest controllable circumstances apic_get_tmcct will execute a -divide by zero and cause a crash. If the guest cpuid support -tsc deadline timers and performs the following sequence of requests -the host will crash. -- Set the mode to periodic -- Set the TMICT to 0 -- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) -- Set the TMICT to non-zero. -Then the lapic_timer.period will be 0, but the TMICT will not be. If the -guest then reads from the TMCCT then the host will perform a divide by 0. - -This patch ensures that if the lapic_timer.period is 0, then the division -does not occur. - -Reported-by: Andrew Honig -Cc: stable@vger.kernel.org -Signed-off-by: Andrew Honig -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/lapic.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index 5439117..89b52ec 100644 ---- a/arch/x86/kvm/lapic.c -+++ b/arch/x86/kvm/lapic.c -@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) - ASSERT(apic != NULL); - - /* if initial count is 0, current count should also be 0 */ -- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0) -+ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 || -+ apic->lapic_timer.period == 0) - return 0; - - remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); diff --git a/debian/patches/bugfix/all/media-cxd2820r_core-fix-sparse-warnings.patch b/debian/patches/bugfix/all/media-cxd2820r_core-fix-sparse-warnings.patch deleted file mode 100644 index 8f7c333be..000000000 --- a/debian/patches/bugfix/all/media-cxd2820r_core-fix-sparse-warnings.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Hans Verkuil -Date: Fri, 4 Oct 2013 11:01:43 -0300 -Subject: [media] cxd2820r_core: fix sparse warnings -Origin: https://git.kernel.org/linus/0db3fa2741ad8371c21b3a6785416a4afc0cc1d4 - -drivers/media/dvb-frontends/cxd2820r_core.c:34:32: error: cannot size expression -drivers/media/dvb-frontends/cxd2820r_core.c:68:32: error: cannot size expression - -Signed-off-by: Hans Verkuil -Acked-by: Antti Palosaari -Reviewed-by: Antti Palosaari -Reviewed-by: Michael Krufky -Signed-off-by: Mauro Carvalho Chehab -[bwh: Commit 8393796dfa4c ('media: dvb-frontends: Don't use dynamic static - allocation') depends on this but was cherry-picked for 3.12.3 without this] ---- - drivers/media/dvb-frontends/cxd2820r_core.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/media/dvb-frontends/cxd2820r_core.c -+++ b/drivers/media/dvb-frontends/cxd2820r_core.c -@@ -34,7 +34,7 @@ static int cxd2820r_wr_regs_i2c(struct c - { - .addr = i2c, - .flags = 0, -- .len = sizeof(buf), -+ .len = len + 1, - .buf = buf, - } - }; -@@ -75,7 +75,7 @@ static int cxd2820r_rd_regs_i2c(struct c - }, { - .addr = i2c, - .flags = I2C_M_RD, -- .len = sizeof(buf), -+ .len = len, - .buf = buf, - } - }; diff --git a/debian/patches/bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch b/debian/patches/bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch deleted file mode 100644 index 192b87507..000000000 --- a/debian/patches/bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Dan Carpenter -Date: Sat, 23 Nov 2013 15:59:42 +1100 -Subject: xfs: underflow bug in xfs_attrlist_by_handle() -Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch - -If we allocate less than sizeof(struct attrlist) then we end up corrupting -memory or doing a ZERO_PTR_SIZE dereference. - -This can only be triggered with CAP_SYS_ADMIN. - -Signed-off-by: Dan Carpenter -Reported-by: Nico Golde -Reported-by: Fabian Yamaguchi -Acked-by: Ben Myers -Cc: Alex Elder -Reviewed-by: Dave Chinner -Signed-off-by: Andrew Morton ---- - fs/xfs/xfs_ioctl.c | 3 ++- - fs/xfs/xfs_ioctl32.c | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - ---- a/fs/xfs/xfs_ioctl.c -+++ b/fs/xfs/xfs_ioctl.c -@@ -443,7 +443,8 @@ xfs_attrlist_by_handle( - return -XFS_ERROR(EPERM); - if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* ---- a/fs/xfs/xfs_ioctl32.c -+++ b/fs/xfs/xfs_ioctl32.c -@@ -357,7 +357,8 @@ xfs_compat_attrlist_by_handle( - if (copy_from_user(&al_hreq, arg, - sizeof(compat_xfs_fsop_attrlist_handlereq_t))) - return -XFS_ERROR(EFAULT); -- if (al_hreq.buflen > XATTR_LIST_MAX) -+ if (al_hreq.buflen < sizeof(struct attrlist) || -+ al_hreq.buflen > XATTR_LIST_MAX) - return -XFS_ERROR(EINVAL); - - /* diff --git a/debian/patches/bugfix/x86/KVM-x86-Convert-vapic-synchronization-to-_cached-fun.patch b/debian/patches/bugfix/x86/KVM-x86-Convert-vapic-synchronization-to-_cached-fun.patch deleted file mode 100644 index 3119758e3..000000000 --- a/debian/patches/bugfix/x86/KVM-x86-Convert-vapic-synchronization-to-_cached-fun.patch +++ /dev/null @@ -1,183 +0,0 @@ -From: Andy Honig -Date: Wed, 20 Nov 2013 10:23:22 -0800 -Subject: KVM: x86: Convert vapic synchronization to _cached functions - (CVE-2013-6368) -Origin: https://git.kernel.org/linus/fda4e2e85589191b123d31cdc21fd33ee70f50fd - -In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the -potential to corrupt kernel memory if userspace provides an address that -is at the end of a page. This patches concerts those functions to use -kvm_write_guest_cached and kvm_read_guest_cached. It also checks the -vapic_address specified by userspace during ioctl processing and returns -an error to userspace if the address is not a valid GPA. - -This is generally not guest triggerable, because the required write is -done by firmware that runs before the guest. Also, it only affects AMD -processors and oldish Intel that do not have the FlexPriority feature -(unless you disable FlexPriority, of course; then newer processors are -also affected). - -Fixes: b93463aa59d6 ('KVM: Accelerated apic support') - -Reported-by: Andrew Honig -Cc: stable@vger.kernel.org -Signed-off-by: Andrew Honig -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/lapic.c | 27 +++++++++++++++------------ - arch/x86/kvm/lapic.h | 4 ++-- - arch/x86/kvm/x86.c | 40 +--------------------------------------- - 3 files changed, 18 insertions(+), 53 deletions(-) - ---- a/arch/x86/kvm/lapic.c -+++ b/arch/x86/kvm/lapic.c -@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest( - void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu) - { - u32 data; -- void *vapic; - - if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention)) - apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic); -@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kv - if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention)) - return; - -- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); -- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)); -- kunmap_atomic(vapic); -+ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, -+ sizeof(u32)); - - apic_set_tpr(vcpu->arch.apic, data & 0xff); - } -@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_ - u32 data, tpr; - int max_irr, max_isr; - struct kvm_lapic *apic = vcpu->arch.apic; -- void *vapic; - - apic_sync_pv_eoi_to_guest(vcpu, apic); - -@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_ - max_isr = 0; - data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24); - -- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); -- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data; -- kunmap_atomic(vapic); -+ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, -+ sizeof(u32)); - } - --void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) -+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) - { -- vcpu->arch.apic->vapic_addr = vapic_addr; -- if (vapic_addr) -+ if (vapic_addr) { -+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, -+ &vcpu->arch.apic->vapic_cache, -+ vapic_addr, sizeof(u32))) -+ return -EINVAL; - __set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); -- else -+ } else { - __clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); -+ } -+ -+ vcpu->arch.apic->vapic_addr = vapic_addr; -+ return 0; - } - - int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data) ---- a/arch/x86/kvm/lapic.h -+++ b/arch/x86/kvm/lapic.h -@@ -34,7 +34,7 @@ struct kvm_lapic { - */ - void *regs; - gpa_t vapic_addr; -- struct page *vapic_page; -+ struct gfn_to_hva_cache vapic_cache; - unsigned long pending_events; - unsigned int sipi_vector; - }; -@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struc - void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset); - void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector); - --void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); -+int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); - void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu); - void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu); - ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -3192,8 +3192,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi - r = -EFAULT; - if (copy_from_user(&va, argp, sizeof va)) - goto out; -- r = 0; -- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); -+ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); - break; - } - case KVM_X86_SETUP_MCE: { -@@ -5718,36 +5717,6 @@ static void post_kvm_run_save(struct kvm - !kvm_event_needs_reinjection(vcpu); - } - --static int vapic_enter(struct kvm_vcpu *vcpu) --{ -- struct kvm_lapic *apic = vcpu->arch.apic; -- struct page *page; -- -- if (!apic || !apic->vapic_addr) -- return 0; -- -- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); -- if (is_error_page(page)) -- return -EFAULT; -- -- vcpu->arch.apic->vapic_page = page; -- return 0; --} -- --static void vapic_exit(struct kvm_vcpu *vcpu) --{ -- struct kvm_lapic *apic = vcpu->arch.apic; -- int idx; -- -- if (!apic || !apic->vapic_addr) -- return; -- -- idx = srcu_read_lock(&vcpu->kvm->srcu); -- kvm_release_page_dirty(apic->vapic_page); -- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); -- srcu_read_unlock(&vcpu->kvm->srcu, idx); --} -- - static void update_cr8_intercept(struct kvm_vcpu *vcpu) - { - int max_irr, tpr; -@@ -6047,11 +6016,6 @@ static int __vcpu_run(struct kvm_vcpu *v - struct kvm *kvm = vcpu->kvm; - - vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); -- r = vapic_enter(vcpu); -- if (r) { -- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); -- return r; -- } - - r = 1; - while (r > 0) { -@@ -6110,8 +6074,6 @@ static int __vcpu_run(struct kvm_vcpu *v - - srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); - -- vapic_exit(vcpu); -- - return r; - } - diff --git a/debian/patches/bugfix/x86/KVM-x86-fix-guest-initiated-crash-with-x2apic-CVE-20.patch b/debian/patches/bugfix/x86/KVM-x86-fix-guest-initiated-crash-with-x2apic-CVE-20.patch deleted file mode 100644 index bbb7a6683..000000000 --- a/debian/patches/bugfix/x86/KVM-x86-fix-guest-initiated-crash-with-x2apic-CVE-20.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Gleb Natapov -Date: Thu, 12 Dec 2013 21:20:08 +0100 -Subject: KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) -Origin: https://git.kernel.org/linus/17d68b763f09a9ce824ae23eb62c9efc57b69271 - -A guest can cause a BUG_ON() leading to a host kernel crash. -When the guest writes to the ICR to request an IPI, while in x2apic -mode the following things happen, the destination is read from -ICR2, which is a register that the guest can control. - -kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the -cluster id. A BUG_ON is triggered, which is a protection against -accessing map->logical_map with an out-of-bounds access and manages -to avoid that anything really unsafe occurs. - -The logic in the code is correct from real HW point of view. The problem -is that KVM supports only one cluster with ID 0 in clustered mode, but -the code that has the bug does not take this into account. - -Reported-by: Lars Bull -Cc: stable@vger.kernel.org -Signed-off-by: Gleb Natapov -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/lapic.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c -index b8bec45..dec48bf 100644 ---- a/arch/x86/kvm/lapic.c -+++ b/arch/x86/kvm/lapic.c -@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic) - return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff; - } - -+#define KVM_X2APIC_CID_BITS 0 -+ - static void recalculate_apic_map(struct kvm *kvm) - { - struct kvm_apic_map *new, *old = NULL; -@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm) - if (apic_x2apic_mode(apic)) { - new->ldr_bits = 32; - new->cid_shift = 16; -- new->cid_mask = new->lid_mask = 0xffff; -+ new->cid_mask = (1 << KVM_X2APIC_CID_BITS) - 1; -+ new->lid_mask = 0xffff; - } else if (kvm_apic_sw_enabled(apic) && - !new->cid_mask /* flat mode */ && - kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) { diff --git a/debian/patches/series b/debian/patches/series index a69865e71..188ee2d97 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -77,13 +77,7 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch -bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch bugfix/arm/ahci-imx-Explicitly-clear-IMX6Q_GPR13_SATA_MPLL_CLK_.patch bugfix/all/disable-some-marvell-phys.patch features/all/media-az6007-support-Technisat-Cablestar-Combo-HDCI-.patch bugfix/all/alpha-Prevent-a-NULL-ptr-dereference-in-csum_partial.patch -bugfix/all/media-cxd2820r_core-fix-sparse-warnings.patch -bugfix/all/KVM-Improve-create-VCPU-parameter-CVE-2013-4587.patch -bugfix/all/KVM-x86-Fix-potential-divide-by-0-in-lapic-CVE-2013-.patch -bugfix/x86/KVM-x86-Convert-vapic-synchronization-to-_cached-fun.patch -bugfix/x86/KVM-x86-fix-guest-initiated-crash-with-x2apic-CVE-20.patch