Merge remote-tracking branch 'origin/f24' into f24-user-thl-vanilla-fedorakernel-4.5.3-300.vanilla.knurd.1.fc24

18 files changed, 611 insertions, 312 deletions

diff --git a/0001-ARM-mvebu-Correct-unit-address-for-linksys.patch b/0001-ARM-mvebu-Correct-unit-address-for-linksys.patch
deleted file mode 100644
index ba0320c8e..000000000
--- a/0001-ARM-mvebu-Correct-unit-address-for-linksys.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0eebfe3b5ae99d3a825be8e45395cea478fd83d8 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Mon, 28 Mar 2016 21:30:41 +0000
-Subject: [PATCH] ARM: mvebu: Correct unit address for linksys
-
-The USB2 port for Armada 38x is defined to be at 58000, not at
-50000.
-
-Acked-by: Imre Kaloz <kaloz@openwrt.org>
-Cc: <stable@vger.kernel.org>
-Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices")
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- arch/arm/boot/dts/armada-385-linksys.dtsi | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm/boot/dts/armada-385-linksys.dtsi b/arch/arm/boot/dts/armada-385-linksys.dtsi
-index 3710755..85d2c37 100644
---- a/arch/arm/boot/dts/armada-385-linksys.dtsi
-+++ b/arch/arm/boot/dts/armada-385-linksys.dtsi
-@@ -117,7 +117,7 @@
- 			};
- 
- 			/* USB part of the eSATA/USB 2.0 port */
--			usb@50000 {
-+			usb@58000 {
- 				status = "okay";
- 			};
- 
--- 
-2.5.0
-
diff --git a/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch b/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
new file mode 100644
index 000000000..d26c5d52d
--- /dev/null
+++ b/0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
@@ -0,0 +1,37 @@
+From 88fd0f33c3cc5aa6a26f56902241941ac717e9f8 Mon Sep 17 00:00:00 2001
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Wed, 27 Apr 2016 13:44:05 +0100
+Subject: [PATCH] gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading
+
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index e00db3f..abb98c7 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -1068,7 +1068,6 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base)
+ 			goto err_register;
+ 		}
+ 
+-		pdev->dev.of_node = of_node;
+ 		pdev->dev.parent = dev;
+ 
+ 		ret = platform_device_add_data(pdev, &reg->pdata,
+@@ -1079,6 +1078,12 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base)
+ 			platform_device_put(pdev);
+ 			goto err_register;
+ 		}
++
++		/*
++		 * Set of_node only after calling platform_device_add. Otherwise
++		 * the platform:imx-ipuv3-crtc modalias won't be used.
++		 */
++		pdev->dev.of_node = of_node;
+ 	}
+ 
+ 	return 0;
+-- 
+2.7.4
+
diff --git a/USB-usbfs-fix-potential-infoleak-in-devio.patch b/USB-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644
index 000000000..48360c930
--- /dev/null
+++ b/USB-usbfs-fix-potential-infoleak-in-devio.patch
@@ -0,0 +1,41 @@
+From 7adc5cbc25dcc47dc3856108d9823d08da75da9d Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: [PATCH] USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 52c4461dfccd..9b7f1f75e887 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg)
+ 
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+-	struct usbdevfs_connectinfo ci = {
+-		.devnum = ps->dev->devnum,
+-		.slow = ps->dev->speed == USB_SPEED_LOW
+-	};
++	struct usbdevfs_connectinfo ci;
++
++	memset(&ci, 0, sizeof(ci));
++	ci.devnum = ps->dev->devnum;
++	ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ 
+ 	if (copy_to_user(arg, &ci, sizeof(ci)))
+ 		return -EFAULT;
+-- 
+2.5.5
+
diff --git a/USB-usbip-fix-potential-out-of-bounds-write.patch b/USB-usbip-fix-potential-out-of-bounds-write.patch
deleted file mode 100644
index 3d9f7c294..000000000
--- a/USB-usbip-fix-potential-out-of-bounds-write.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
-From: Ignat Korchagin <ignat.korchagin@gmail.com>
-Date: Thu, 17 Mar 2016 18:00:29 +0000
-Subject: [PATCH] USB: usbip: fix potential out-of-bounds write
-
-Fix potential out-of-bounds write to urb->transfer_buffer
-usbip handles network communication directly in the kernel. When receiving a
-packet from its peer, usbip code parses headers according to protocol. As
-part of this parsing urb->actual_length is filled. Since the input for
-urb->actual_length comes from the network, it should be treated as untrusted.
-Any entity controlling the network may put any value in the input and the
-preallocated urb->transfer_buffer may not be large enough to hold the data.
-Thus, the malicious entity is able to write arbitrary data to kernel memory.
-
-Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/usb/usbip/usbip_common.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
-index facaaf003f19..e40da7759a0e 100644
---- a/drivers/usb/usbip/usbip_common.c
-+++ b/drivers/usb/usbip/usbip_common.c
-@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
- 	if (!(size > 0))
- 		return 0;
- 
-+	if (size > urb->transfer_buffer_length) {
-+		/* should not happen, probably malicious packet */
-+		if (ud->side == USBIP_STUB) {
-+			usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
-+			return 0;
-+		} else {
-+			usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
-+			return -EPIPE;
-+		}
-+	}
-+
- 	ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
- 	if (ret != size) {
- 		dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
--- 
-2.5.5
-
diff --git a/config-armv7-generic b/config-armv7-generic
index 846667598..54f79c962 100644
--- a/config-armv7-generic
+++ b/config-armv7-generic
@@ -711,7 +711,6 @@ CONFIG_LIBERTAS_SPI=m
 CONFIG_P54_SPI=m
 CONFIG_P54_SPI_DEFAULT_EEPROM=n
 CONFIG_MICREL_KS8995MA=m
-CONFIG_IEEE802154_AT86RF230=m
 CONFIG_IEEE802154_MRF24J40=m
 
 CONFIG_ARM_KPROBES_TEST=m
diff --git a/config-generic b/config-generic
index c03972816..c2e8352ce 100644
--- a/config-generic
+++ b/config-generic
@@ -1983,11 +1983,11 @@ CONFIG_IEEE802154_DRIVERS=m
 CONFIG_IEEE802154_FAKELB=m
 CONFIG_IEEE802154_ATUSB=m
 CONFIG_IEEE802154_CC2520=m
-# CONFIG_IEEE802154_AT86RF230 is not set
+CONFIG_IEEE802154_AT86RF230=m
+# CONFIG_IEEE802154_AT86RF230_DEBUGFS is not set
 # CONFIG_IEEE802154_ADF7242 is not set
 # CONFIG_IEEE802154_MRF24J40 is not set
 # CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set
-# CONFIG_IEEE802154_AT86RF230_DEBUGFS is not set
 
 CONFIG_MAC802154=m
 CONFIG_NET_MPLS_GSO=m
@@ -2113,7 +2113,8 @@ CONFIG_NFC_ST21NFCA_I2C=m
 # CONFIG_NFC_ST21NFCB is not set
 # CONFIG_NFC_ST21NFCB_I2C is not set
 # CONFIG_NFC_ST95HF is not set
-# CONFIG_NFC_NXP_NCI is not set
+CONFIG_NFC_NXP_NCI=m
+CONFIG_NFC_NXP_NCI_I2C=m
 # CONFIG_NFC_NCI_SPI is not set
 # CONFIG_NFC_NCI_UART is not set
 # CONFIG_NFC_ST_NCI is not set
diff --git a/config-x86_64-generic b/config-x86_64-generic
index 8d8b27519..5d0f7b2b2 100644
--- a/config-x86_64-generic
+++ b/config-x86_64-generic
@@ -231,3 +231,6 @@ CONFIG_INFINIBAND_HFI1=m
 CONFIG_HFI1_VERBS_31BIT_PSN=y
 # CONFIG_SDMA_VERBOSITY is not set
 # CONFIG_PRESCAN_RXQ is not set
+
+# Temporary workaround until SND_SOC_INTEL_HASWELL_MACH no longer requires builtin
+CONFIG_DW_DMAC=y
diff --git a/efi-arm64-don-t-apply-MEMBLOCK_NOMAP-to-UEFI-memory-map-mapping.patch b/efi-arm64-don-t-apply-MEMBLOCK_NOMAP-to-UEFI-memory-map-mapping.patch
deleted file mode 100644
index 2e3ae0c9b..000000000
--- a/efi-arm64-don-t-apply-MEMBLOCK_NOMAP-to-UEFI-memory-map-mapping.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From patchwork Wed Mar 30 07:46:23 2016
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Subject: efi/arm64: don't apply MEMBLOCK_NOMAP to UEFI memory map mapping
-From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-X-Patchwork-Id: 8693271
-Message-Id: <1459323983-9120-1-git-send-email-ard.biesheuvel@linaro.org>
-To: linux-efi@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
-	matt@codeblueprint.co.uk
-Cc: mark.rutland@arm.com, mlangsdo@redhat.com,
-	Ard Biesheuvel <ard.biesheuvel@linaro.org>, leif.lindholm@linaro.org, 
-	jeremy.linton@arm.com, msalter@redhat.com
-Date: Wed, 30 Mar 2016 09:46:23 +0200
-
-Hi Matt,
-
-Could we queue this as a fix for v4.6 with a cc:stable for v4.5, please?
-(assuming no objections from any of the cc'ees)
-
-Thanks,
-Ard.
-
-----------8<--------------
-Commit 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as
-MEMBLOCK_NOMAP") updated the mapping logic of both the RuntimeServices
-regions as well as the kernel's copy of the UEFI memory map to set the
-MEMBLOCK_NOMAP flag, which causes these regions to be omitted from the
-kernel direct mapping, and from being covered by a struct page.
-For the RuntimeServices regions, this is an obvious win, since the contents
-of these regions have significance to the firmware executable code itself,
-and are mapped in the EFI page tables using attributes that are described in
-the UEFI memory map, and which may differ from the attributes we use for
-mapping system RAM. It also prevents the contents from being modified
-inadvertently, since the EFI page tables are only live during runtime
-service invocations.
-
-None of these concerns apply to the allocation that covers the UEFI memory
-map, since it is entirely owned by the kernel. Setting the MEMBLOCK_NOMAP on
-the region did allow us to use ioremap_cache() to map it both on arm64 and
-on ARM, since the latter does not allow ioremap_cache() to be used on
-regions that are covered by a struct page.
-
-The ioremap_cache() on ARM restriction will be lifted in the v4.7 timeframe,
-but in the mean time, it has been reported that commit 4dffbfc48d65 causes
-a regression on 64k granule kernels. This is due to the fact that, given
-the 64 KB page size, the region that we end up removing from the kernel
-direct mapping is rounded up to 64 KB, and this 64 KB page frame may be
-shared with the initrd when booting via GRUB (which does not align its
-EFI_LOADER_DATA allocations to 64 KB like the stub does). This will crash
-the kernel as soon as it tries to access the initrd.
-
-Since the issue is specific to arm64, revert back to memblock_reserve()'ing
-the UEFI memory map when running on arm64. This is a temporary fix for v4.5
-and v4.6, and will be superseded in the v4.7 timeframe when we will be able
-to move back to memblock_reserve() unconditionally.
-
-Fixes: 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP")
-Reported-by: Mark Salter <msalter@redhat.com>
-Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-
----
-drivers/firmware/efi/arm-init.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
-index aa1f743152a2..8714f8c271ba 100644
---- a/drivers/firmware/efi/arm-init.c
-+++ b/drivers/firmware/efi/arm-init.c
-@@ -203,7 +203,19 @@ void __init efi_init(void)
- 
- 	reserve_regions();
- 	early_memunmap(memmap.map, params.mmap_size);
--	memblock_mark_nomap(params.mmap & PAGE_MASK,
--			    PAGE_ALIGN(params.mmap_size +
--				       (params.mmap & ~PAGE_MASK)));
-+
-+	if (IS_ENABLED(CONFIG_ARM)) {
-+		/*
-+		 * ARM currently does not allow ioremap_cache() to be called on
-+		 * memory regions that are covered by struct page. So remove the
-+		 * UEFI memory map from the linear mapping.
-+		 */
-+		memblock_mark_nomap(params.mmap & PAGE_MASK,
-+				    PAGE_ALIGN(params.mmap_size +
-+					       (params.mmap & ~PAGE_MASK)));
-+	} else {
-+		memblock_reserve(params.mmap & PAGE_MASK,
-+				 PAGE_ALIGN(params.mmap_size +
-+					    (params.mmap & ~PAGE_MASK)));
-+	}
- }
diff --git a/input-gtco-fix-crash-on-detecting-device-without-end.patch b/input-gtco-fix-crash-on-detecting-device-without-end.patch
deleted file mode 100644
index 849f607a5..000000000
--- a/input-gtco-fix-crash-on-detecting-device-without-end.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Subject:    [PATCH] Input: gtco: fix crash on detecting device without endpoints
-From:       Vladis Dronov <vdronov@redhat.com>
-Date:       2016-03-18 18:35:00
-
-The gtco driver expects at least one valid endpoint. If given
-malicious descriptors that specify 0 for the number of endpoints,
-it will crash in the probe function. Ensure there is at least
-one endpoint on the interface before using it. Fix minor coding
-style issue.
-
-The full report of this issue can be found here:
-http://seclists.org/bugtraq/2016/Mar/86
-
-Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
-Signed-off-by: Vladis Dronov <vdronov@redhat.com>
----
- drivers/input/tablet/gtco.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
-index 3a7f3a4..7c18249 100644
---- a/drivers/input/tablet/gtco.c
-+++ b/drivers/input/tablet/gtco.c
-@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
- 		goto err_free_buf;
- 	}
- 
-+	/* Sanity check that a device has an endpoint */
-+	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
-+		dev_err(&usbinterface->dev,
-+			"Invalid number of endpoints\n");
-+		error = -EINVAL;
-+		goto err_free_urb;
-+	}
-+
- 	/*
- 	 * The endpoint is always altsetting 0, we know this since we know
- 	 * this device only has one interrupt endpoint
-@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
- 	 * HID report descriptor
- 	 */
- 	if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
--				     HID_DEVICE_TYPE, &hid_desc) != 0){
-+				     HID_DEVICE_TYPE, &hid_desc) != 0) {
- 		dev_err(&usbinterface->dev,
- 			"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
- 		error = -EIO;
--- 
-2.5.0
diff --git a/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
new file mode 100644
index 000000000..9e4cf4e0e
--- /dev/null
+++ b/ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
@@ -0,0 +1,40 @@
+From 9f79323a0aebccb9915ab8f4b7dcf531578b9cf9 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 21 Apr 2016 20:23:31 -0400
+Subject: [PATCH] ipv4/fib: don't warn when primary address is missing if
+ in_dev is dead
+
+After commit fbd40ea0180a ("ipv4: Don't do expensive useless work
+during inetdev destroy.") when deleting an interface,
+fib_del_ifaddr() can be executed without any primary address
+present on the dead interface.
+
+The above is safe, but triggers some "bug: prim == NULL" warnings.
+
+This commit avoids warning if the in_dev is dead
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+---
+ net/ipv4/fib_frontend.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 8a9246deccfe..63566ec54794 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -904,7 +904,11 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
+ 	if (ifa->ifa_flags & IFA_F_SECONDARY) {
+ 		prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask);
+ 		if (!prim) {
+-			pr_warn("%s: bug: prim == NULL\n", __func__);
++			/* if the device has been deleted, we don't perform
++			 * address promotion
++			 */
++			if (!in_dev->dead)
++				pr_warn("%s: bug: prim == NULL\n", __func__);
+ 			return;
+ 		}
+ 		if (iprim && iprim != prim) {
+-- 
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index b34bb1222..3f3ef903f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -59,7 +59,7 @@ Summary: The Linux kernel
 
 
 # Do we have a -stable update to apply?
-%define stable_update 2
+%define stable_update 3
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -361,7 +361,7 @@ Summary: The Linux kernel
 # Packages that need to be installed before the kernel is, because the %%post
 # scripts use them.
 #
-%define kernel_prereq  fileutils, systemd >= 203-2
+%define kernel_prereq  fileutils, systemd >= 203-2, /usr/bin/kernel-install
 %define initrd_prereq  dracut >= 027
 
 
@@ -524,8 +524,11 @@ Patch422: geekbox-v4-device-tree-support.patch
 # http://www.spinics.net/lists/arm-kernel/msg483898.html
 Patch423: Initial-AllWinner-A64-and-PINE64-support.patch
 
-# http://www.spinics.net/lists/arm-kernel/msg493431.html
-Patch424: efi-arm64-don-t-apply-MEMBLOCK_NOMAP-to-UEFI-memory-map-mapping.patch
+# rhbz 1321330  http://www.spinics.net/lists/dri-devel/msg105829.html
+Patch425: 0001-gpu-ipu-v3-Fix-imx-ipuv3-crtc-module-autoloading.patch
+
+# http://www.spinics.net/lists/linux-tegra/msg26029.html
+Patch426: usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch
 
 # http://patchwork.ozlabs.org/patch/587554/
 Patch430: ARM-tegra-usb-no-reset.patch
@@ -543,9 +546,6 @@ Patch435: stmmac-fix-MDIO-settings.patch
 
 Patch436: ARM-mvebu-change-order-of-ethernet-DT-nodes-on-Armada-38x.patch
 
-# mvebu usb fixes http://www.spinics.net/lists/arm-kernel/msg493305.html
-Patch437: 0001-ARM-mvebu-Correct-unit-address-for-linksys.patch
-
 # mvebu DSA switch fixes
 # http://www.spinics.net/lists/netdev/msg370841.html http://www.spinics.net/lists/netdev/msg370842.html
 Patch438: 0001-net-dsa-mv88e6xxx-Introduce-_mv88e6xxx_phy_page_-rea.patch
@@ -647,24 +647,30 @@ Patch664: netfilter-x_tables-check-for-size-overflow.patch
 #CVE-2016-3134 rhbz 1317383 1317384
 Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
 
-#CVE-2016-2187 rhbz 1317017 1317010
-Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
-
 # CVE-2016-3672 rhbz 1324749 1324750
 Patch689: x86-mm-32-Enable-full-randomization-on-i386-and-X86_.patch
 
 #rhbz 1309980
 Patch698: 0001-ACPI-processor-Request-native-thermal-interrupt-hand.patch
 
-# CVE-2016-3961 rhbz 1327219 1323956
-Patch699: x86-xen-suppress-hugetlbfs-in-PV-guests.patch
-
-# CVE-2016-3955 rhbz 1328478 1328479
-Patch700: USB-usbip-fix-potential-out-of-bounds-write.patch
-
 #rhbz 1309487
 Patch701: antenna_select.patch
 
+#rhbz 1302071
+Patch702: x86-build-Build-compressed-x86-kernels-as-PIE.patch
+
+# Follow on for CVE-2016-3156
+Patch703: ipv4-fib-don-t-warn-when-primary-address-is-missing-.patch
+
+# Stop splashing crap about broken firmware BGRT
+Patch704: x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch
+
+#rhbz 1331092
+Patch705: mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
+
+#CVE-2016-4482 rhbz 1332931 1332932
+Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2189,6 +2195,34 @@ fi
 #
 # 
 %changelog
+* Wed May 04 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.3-300
+- Linux v4.5.3
+
+* Wed May 04 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Enable NFC_NXP_NCI options (rhbz 1290556)
+- CVE-2016-4482 info leak in devio.c (rhbz 1332931 1332932)
+
+* Thu Apr 28 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix KVM with THP corruption (rhbz 1331092)
+
+* Thu Apr 28 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Don't splash warnings from broken BGRT firmware implementations
+- Require /usr/bin/kernel-install (rhbz 1331012)
+
+* Wed Apr 27 2016 Peter Robinson <pbrobinson@fedoraproject.org> 4.5.2-302
+- Fix i.MX6 gpu loading - rhbz 1321330
+- Fix usb loading on some tegra devices
+
+* Tue Apr 26 2016 Justin M. Forbes <jforbes@fedoraproject.org>
+- Change CONFIG_DW_DMAC to built-in to fix sound on some intel platforms
+  This needs to be revisited later.
+
+* Tue Apr 26 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- Enable IEEE802154_AT86RF230 on more arches (rhbz 1330356)
+
+* Thu Apr 21 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.5.2-301
+- Build 32bit x86 compressed kernels as PIE (rhbz 1302071)
+
 * Wed Apr 20 2016 Laura Abbott <labbott@fedoraproject.org>
 - Allow antenna selection for rtl8723be (rhbz 1309487)
 
diff --git a/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch b/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
new file mode 100644
index 000000000..cc3e2168c
--- /dev/null
+++ b/mm-thp-kvm-fix-memory-corruption-in-KVM-with-THP-ena.patch
@@ -0,0 +1,126 @@
+From 94f984ff563d1777652b822d7a282cacc1e481c2 Mon Sep 17 00:00:00 2001
+From: Andrea Arcangeli <aarcange@redhat.com>
+Date: Wed, 27 Apr 2016 12:04:46 -0500
+Subject: [PATCH] mm: thp: kvm: fix memory corruption in KVM with THP enabled
+
+After the THP refcounting change, obtaining a compound pages from
+get_user_pages() no longer allows us to assume the entire compound
+page is immediately mappable from a secondary MMU.
+
+A secondary MMU doesn't want to call get_user_pages() more than once
+for each compound page, in order to know if it can map the whole
+compound page. So a secondary MMU needs to know from a single
+get_user_pages() invocation when it can map immediately the entire
+compound page to avoid a flood of unnecessary secondary MMU faults and
+spurious atomic_inc()/atomic_dec() (pages don't have to be pinned by
+MMU notifier users).
+
+Ideally instead of the page->_mapcount < 1 check, get_user_pages()
+should return the granularity of the "page" mapping in the "mm" passed
+to get_user_pages(). However it's non trivial change to pass the "pmd"
+status belonging to the "mm" walked by get_user_pages up the stack (up
+to the caller of get_user_pages). So the fix just checks if there is
+not a single pte mapping on the page returned by get_user_pages, and
+in turn if the caller can assume that the whole compound page is
+mapped in the current "mm" (in a pmd_trans_huge()). In such case the
+entire compound page is safe to map into the secondary MMU without
+additional get_user_pages() calls on the surrounding tail/head
+pages. In addition of being faster, not having to run other
+get_user_pages() calls also reduces the memory footprint of the
+secondary MMU fault in case the pmd split happened as result of memory
+pressure.
+
+Without this fix after a MADV_DONTNEED (like invoked by QEMU during
+postcopy live migration or balloning) or after generic swapping (with
+a failure in split_huge_page() that would only result in pmd splitting
+and not a physical page split), KVM would map the whole compound page
+into the shadow pagetables, despite regular faults or userfaults (like
+UFFDIO_COPY) may map regular pages into the primary MMU as result of
+the pte faults, leading to the guest mode and userland mode going out
+of sync and not working on the same memory at all times.
+
+Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
+---
+ arch/arm/kvm/mmu.c         |  2 +-
+ arch/x86/kvm/mmu.c         |  4 ++--
+ include/linux/page-flags.h | 22 ++++++++++++++++++++++
+ 3 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
+index aba61fd..8dafe97 100644
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -997,7 +997,7 @@ static bool transparent_hugepage_adjust(kvm_pfn_t *pfnp, phys_addr_t *ipap)
+ 	kvm_pfn_t pfn = *pfnp;
+ 	gfn_t gfn = *ipap >> PAGE_SHIFT;
+
+-	if (PageTransCompound(pfn_to_page(pfn))) {
++	if (PageTransCompoundMap(pfn_to_page(pfn))) {
+ 		unsigned long mask;
+ 		/*
+ 		 * The address we faulted on is backed by a transparent huge
+diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
+index 1e7a49b..3a371f7 100644
+--- a/arch/x86/kvm/mmu.c
++++ b/arch/x86/kvm/mmu.c
+@@ -2767,7 +2767,7 @@ static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
+ 	 */
+ 	if (!is_error_noslot_pfn(pfn) && !kvm_is_reserved_pfn(pfn) &&
+ 	    level == PT_PAGE_TABLE_LEVEL &&
+-	    PageTransCompound(pfn_to_page(pfn)) &&
++	    PageTransCompoundMap(pfn_to_page(pfn)) &&
+ 	    !has_wrprotected_page(vcpu, gfn, PT_DIRECTORY_LEVEL)) {
+ 		unsigned long mask;
+ 		/*
+@@ -4621,7 +4621,7 @@ restart:
+ 		 */
+ 		if (sp->role.direct &&
+ 			!kvm_is_reserved_pfn(pfn) &&
+-			PageTransCompound(pfn_to_page(pfn))) {
++			PageTransCompoundMap(pfn_to_page(pfn))) {
+ 			drop_spte(kvm, sptep);
+ 			need_tlb_flush = 1;
+ 			goto restart;
+diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
+index 19724e6..522bd6d 100644
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -517,6 +517,27 @@ static inline int PageTransCompound(struct page *page)
+ }
+
+ /*
++ * PageTransCompoundMap is the same as PageTransCompound, but it also
++ * guarantees the primary MMU has the entire compound page mapped
++ * through pmd_trans_huge, which in turn guarantees the secondary MMUs
++ * can also map the entire compound page. This allows the secondary
++ * MMUs to call get_user_pages() only once for each compound page and
++ * to immediately map the entire compound page with a single secondary
++ * MMU fault. If there will be a pmd split later, the secondary MMUs
++ * will get an update through the MMU notifier invalidation through
++ * split_huge_pmd().
++ *
++ * Unlike PageTransCompound, this is safe to be called only while
++ * split_huge_pmd() cannot run from under us, like if protected by the
++ * MMU notifier, otherwise it may result in page->_mapcount < 0 false
++ * positives.
++ */
++static inline int PageTransCompoundMap(struct page *page)
++{
++	return PageTransCompound(page) && atomic_read(&page->_mapcount) < 0;
++}
++
++/*
+  * PageTransTail returns true for both transparent huge pages
+  * and hugetlbfs pages, so it should only be called when it's known
+  * that hugetlbfs pages aren't involved.
+@@ -559,6 +580,7 @@ static inline int TestClearPageDoubleMap(struct page *page)
+ #else
+ TESTPAGEFLAG_FALSE(TransHuge)
+ TESTPAGEFLAG_FALSE(TransCompound)
++TESTPAGEFLAG_FALSE(TransCompoundMap)
+ TESTPAGEFLAG_FALSE(TransTail)
+ TESTPAGEFLAG_FALSE(DoubleMap)
+ 	TESTSETFLAG_FALSE(DoubleMap)
+-- 
+2.7.4
+
diff --git a/rebase-notes.txt b/rebase-notes.txt
index 0d7d76f2d..1cc632157 100644
--- a/rebase-notes.txt
+++ b/rebase-notes.txt
@@ -1,8 +1,8 @@
 Linux 4.5 rebase notes:
 
-- Check on status of drm-i915-turn-off-wc-mmaps.patch
-- Check on status of disabled ZONE_DMA
-- Check on status of CONFIG_DW_DMAC_CORE
+- Check on status of drm-i915-turn-off-wc-mmaps.patch (Should be okay to remove in F24, but not F22 or F23)
+- Check on status of disabled ZONE_DMA (They can now coexist with ZONE_DEVICE)
+- Check on status of CONFIG_DW_DMAC_CORE ( Built-in DW_DMAC for now, revisit later)
 
 Linux 4.4 rebase notes:
 
diff --git a/sources b/sources
index 4a185128c..623f6493c 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 a60d48eee08ec0536d5efb17ca819aef  linux-4.5.tar.xz
 6f557fe90b800b615c85c2ca04da6154  perf-man-4.5.tar.gz
-19a835c1d16183f629d45779f62d36b6  patch-4.5.2.xz
+efc81327bd2bd0d946f057ac71cbb1a7  patch-4.5.3.xz
diff --git a/usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch b/usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch
new file mode 100644
index 000000000..2a44851d7
--- /dev/null
+++ b/usb-phy-tegra-Add-38.4MHz-clock-table-entry.patch
@@ -0,0 +1,53 @@
+From patchwork Wed Apr  6 07:54:05 2016
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: usb: phy: tegra: Add 38.4MHz clock table entry
+From: Hunter Laux <hunterlaux@gmail.com>
+X-Patchwork-Id: 606877
+Message-Id: <1459929245-23449-1-git-send-email-hunterlaux@gmail.com>
+To: Stephen Warren <swarren@wwwdotorg.org>,
+ Thierry Reding <thierry.reding@gmail.com>,
+ Alexandre Courbot <gnurou@gmail.com>, linux-tegra@vger.kernel.org
+Cc: Hunter Laux <hunterlaux@gmail.com>
+Date: Wed,  6 Apr 2016 00:54:05 -0700
+
+The Tegra210 uses a 38.4MHz OSC. This clock table entry is required to
+use the ehci phy on the Jetson TX1.
+
+The xtal_freq_count is actually a 12 bit value, so it should be a u16
+instead of u8.
+
+Signed-off-by: Hunter Laux <hunterlaux@gmail.com>
+---
+ drivers/usb/phy/phy-tegra-usb.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/phy/phy-tegra-usb.c b/drivers/usb/phy/phy-tegra-usb.c
+index 5fe4a57..f0431f0 100644
+--- a/drivers/usb/phy/phy-tegra-usb.c
++++ b/drivers/usb/phy/phy-tegra-usb.c
+@@ -164,7 +164,7 @@ struct tegra_xtal_freq {
+ 	u8 enable_delay;
+ 	u8 stable_count;
+ 	u8 active_delay;
+-	u8 xtal_freq_count;
++	u16 xtal_freq_count;
+ 	u16 debounce;
+ };
+ 
+@@ -201,6 +201,14 @@ static const struct tegra_xtal_freq tegra_freq_table[] = {
+ 		.xtal_freq_count = 0xFE,
+ 		.debounce = 0xFDE8,
+ 	},
++	{
++		.freq = 38400000,
++		.enable_delay = 0x00,
++		.stable_count = 0x00,
++		.active_delay = 0x18,
++		.xtal_freq_count = 0x177,
++		.debounce = 0xBB80,
++	},
+ };
+ 
+ static void set_pts(struct tegra_usb_phy *phy, u8 pts_val)
diff --git a/x86-build-Build-compressed-x86-kernels-as-PIE.patch b/x86-build-Build-compressed-x86-kernels-as-PIE.patch
new file mode 100644
index 000000000..064cb485b
--- /dev/null
+++ b/x86-build-Build-compressed-x86-kernels-as-PIE.patch
@@ -0,0 +1,159 @@
+From 6d92bc9d483aa1751755a66fee8fb39dffb088c0 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Wed, 16 Mar 2016 20:04:35 -0700
+Subject: [PATCH] x86/build: Build compressed x86 kernels as PIE
+
+The 32-bit x86 assembler in binutils 2.26 will generate R_386_GOT32X
+relocation to get the symbol address in PIC.  When the compressed x86
+kernel isn't built as PIC, the linker optimizes R_386_GOT32X relocations
+to their fixed symbol addresses.  However, when the compressed x86
+kernel is loaded at a different address, it leads to the following
+load failure:
+
+  Failed to allocate space for phdrs
+
+during the decompression stage.
+
+If the compressed x86 kernel is relocatable at run-time, it should be
+compiled with -fPIE, instead of -fPIC, if possible and should be built as
+Position Independent Executable (PIE) so that linker won't optimize
+R_386_GOT32X relocation to its fixed symbol address.
+
+Older linkers generate R_386_32 relocations against locally defined
+symbols, _bss, _ebss, _got and _egot, in PIE.  It isn't wrong, just less
+optimal than R_386_RELATIVE.  But the x86 kernel fails to properly handle
+R_386_32 relocations when relocating the kernel.  To generate
+R_386_RELATIVE relocations, we mark _bss, _ebss, _got and _egot as
+hidden in both 32-bit and 64-bit x86 kernels.
+
+To build a 64-bit compressed x86 kernel as PIE, we need to disable the
+relocation overflow check to avoid relocation overflow errors. We do
+this with a new linker command-line option, -z noreloc-overflow, which
+got added recently:
+
+ commit 4c10bbaa0912742322f10d9d5bb630ba4e15dfa7
+ Author: H.J. Lu <hjl.tools@gmail.com>
+ Date:   Tue Mar 15 11:07:06 2016 -0700
+
+    Add -z noreloc-overflow option to x86-64 ld
+
+    Add -z noreloc-overflow command-line option to the x86-64 ELF linker to
+    disable relocation overflow check.  This can be used to avoid relocation
+    overflow check if there will be no dynamic relocation overflow at
+    run-time.
+
+The 64-bit compressed x86 kernel is built as PIE only if the linker supports
+-z noreloc-overflow.  So far 64-bit relocatable compressed x86 kernel
+boots fine even when it is built as a normal executable.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-kernel@vger.kernel.org
+[ Edited the changelog and comments. ]
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/boot/compressed/Makefile  | 14 +++++++++++++-
+ arch/x86/boot/compressed/head_32.S | 28 ++++++++++++++++++++++++++++
+ arch/x86/boot/compressed/head_64.S |  8 ++++++++
+ 3 files changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
+index 6915ff2..8774cb2 100644
+--- a/arch/x86/boot/compressed/Makefile
++++ b/arch/x86/boot/compressed/Makefile
+@@ -26,7 +26,7 @@ targets := vmlinux vmlinux.bin vmlinux.bin.gz vmlinux.bin.bz2 vmlinux.bin.lzma \
+ 	vmlinux.bin.xz vmlinux.bin.lzo vmlinux.bin.lz4
+
+ KBUILD_CFLAGS := -m$(BITS) -D__KERNEL__ $(LINUX_INCLUDE) -O2
+-KBUILD_CFLAGS += -fno-strict-aliasing -fPIC
++KBUILD_CFLAGS += -fno-strict-aliasing $(call cc-option, -fPIE, -fPIC)
+ KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+ cflags-$(CONFIG_X86_32) := -march=i386
+ cflags-$(CONFIG_X86_64) := -mcmodel=small
+@@ -40,6 +40,18 @@ GCOV_PROFILE := n
+ UBSAN_SANITIZE :=n
+
+ LDFLAGS := -m elf_$(UTS_MACHINE)
++ifeq ($(CONFIG_RELOCATABLE),y)
++# If kernel is relocatable, build compressed kernel as PIE.
++ifeq ($(CONFIG_X86_32),y)
++LDFLAGS += $(call ld-option, -pie) $(call ld-option, --no-dynamic-linker)
++else
++# To build 64-bit compressed kernel as PIE, we disable relocation
++# overflow check to avoid relocation overflow error with a new linker
++# command-line option, -z noreloc-overflow.
++LDFLAGS += $(shell $(LD) --help 2>&1 | grep -q "\-z noreloc-overflow" \
++	&& echo "-z noreloc-overflow -pie --no-dynamic-linker")
++endif
++endif
+ LDFLAGS_vmlinux := -T
+
+ hostprogs-y	:= mkpiggy
+diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
+index 8ef964d..0256064 100644
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -31,6 +31,34 @@
+ #include <asm/asm-offsets.h>
+ #include <asm/bootparam.h>
+
++/*
++ * The 32-bit x86 assembler in binutils 2.26 will generate R_386_GOT32X
++ * relocation to get the symbol address in PIC.  When the compressed x86
++ * kernel isn't built as PIC, the linker optimizes R_386_GOT32X
++ * relocations to their fixed symbol addresses.  However, when the
++ * compressed x86 kernel is loaded at a different address, it leads
++ * to the following load failure:
++ *
++ *   Failed to allocate space for phdrs
++ *
++ * during the decompression stage.
++ *
++ * If the compressed x86 kernel is relocatable at run-time, it should be
++ * compiled with -fPIE, instead of -fPIC, if possible and should be built as
++ * Position Independent Executable (PIE) so that linker won't optimize
++ * R_386_GOT32X relocation to its fixed symbol address.  Older
++ * linkers generate R_386_32 relocations against locally defined symbols,
++ * _bss, _ebss, _got and _egot, in PIE.  It isn't wrong, just less
++ * optimal than R_386_RELATIVE.  But the x86 kernel fails to properly handle
++ * R_386_32 relocations when relocating the kernel.  To generate
++ * R_386_RELATIVE relocations, we mark _bss, _ebss, _got and _egot as
++ * hidden:
++ */
++	.hidden _bss
++	.hidden _ebss
++	.hidden _got
++	.hidden _egot
++
+ 	__HEAD
+ ENTRY(startup_32)
+ #ifdef CONFIG_EFI_STUB
+diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
+index b0c0d16..86558a1 100644
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -33,6 +33,14 @@
+ #include <asm/asm-offsets.h>
+ #include <asm/bootparam.h>
+
++/*
++ * Locally defined symbols should be marked hidden:
++ */
++	.hidden _bss
++	.hidden _ebss
++	.hidden _got
++	.hidden _egot
++
+ 	__HEAD
+ 	.code32
+ ENTRY(startup_32)
+-- 
+2.7.3
+
diff --git a/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch b/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch
new file mode 100644
index 000000000..d3d0aa2c3
--- /dev/null
+++ b/x86-efi-bgrt-Switch-all-pr_err-to-pr_debug-for-inval.patch
@@ -0,0 +1,94 @@
+From 3e4f68f273ef86e6ed8be24a86f8ef514deaecc0 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Wed, 27 Apr 2016 08:37:41 -0400
+Subject: [PATCH] x86/efi-bgrt: Switch all pr_err() to pr_debug() for invalid
+ BGRT
+
+The promise of pretty boot splashes from firmware via BGRT was at
+best only that; a promise.  The kernel diligently checks to make
+sure the BGRT data firmware gives it is valid, and dutifully warns
+the user when it isn't.  However, it does so via the pr_err log
+level which seems unnecessary.  The user cannot do anything about
+this and there really isn't an error on the part of Linux to
+correct.
+
+This lowers the log level by using pr_debug instead.  Users will
+no longer have their boot process uglified by the kernel reminding
+us that firmware can and often is broken.  Ironic, considering
+BGRT is supposed to make boot pretty to begin with.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ arch/x86/platform/efi/efi-bgrt.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/platform/efi/efi-bgrt.c b/arch/x86/platform/efi/efi-bgrt.c
+index ea48449b2e63..87da4108785b 100644
+--- a/arch/x86/platform/efi/efi-bgrt.c
++++ b/arch/x86/platform/efi/efi-bgrt.c
+@@ -41,17 +41,17 @@ void __init efi_bgrt_init(void)
+ 		return;
+ 
+ 	if (bgrt_tab->header.length < sizeof(*bgrt_tab)) {
+-		pr_err("Ignoring BGRT: invalid length %u (expected %zu)\n",
++		pr_debug("Ignoring BGRT: invalid length %u (expected %zu)\n",
+ 		       bgrt_tab->header.length, sizeof(*bgrt_tab));
+ 		return;
+ 	}
+ 	if (bgrt_tab->version != 1) {
+-		pr_err("Ignoring BGRT: invalid version %u (expected 1)\n",
++		pr_debug("Ignoring BGRT: invalid version %u (expected 1)\n",
+ 		       bgrt_tab->version);
+ 		return;
+ 	}
+ 	if (bgrt_tab->status & 0xfe) {
+-		pr_err("Ignoring BGRT: reserved status bits are non-zero %u\n",
++		pr_debug("Ignoring BGRT: reserved status bits are non-zero %u\n",
+ 		       bgrt_tab->status);
+ 		return;
+ 	}
+@@ -61,12 +61,12 @@ void __init efi_bgrt_init(void)
+ 		return;
+ 	}
+ 	if (bgrt_tab->image_type != 0) {
+-		pr_err("Ignoring BGRT: invalid image type %u (expected 0)\n",
++		pr_debug("Ignoring BGRT: invalid image type %u (expected 0)\n",
+ 		       bgrt_tab->image_type);
+ 		return;
+ 	}
+ 	if (!bgrt_tab->image_address) {
+-		pr_err("Ignoring BGRT: null image address\n");
++		pr_debug("Ignoring BGRT: null image address\n");
+ 		return;
+ 	}
+ 
+@@ -76,7 +76,7 @@ void __init efi_bgrt_init(void)
+ 				       sizeof(bmp_header));
+ 		ioremapped = true;
+ 		if (!image) {
+-			pr_err("Ignoring BGRT: failed to map image header memory\n");
++			pr_debug("Ignoring BGRT: failed to map image header memory\n");
+ 			return;
+ 		}
+ 	}
+@@ -88,7 +88,7 @@ void __init efi_bgrt_init(void)
+ 
+ 	bgrt_image = kmalloc(bgrt_image_size, GFP_KERNEL | __GFP_NOWARN);
+ 	if (!bgrt_image) {
+-		pr_err("Ignoring BGRT: failed to allocate memory for image (wanted %zu bytes)\n",
++		pr_debug("Ignoring BGRT: failed to allocate memory for image (wanted %zu bytes)\n",
+ 		       bgrt_image_size);
+ 		return;
+ 	}
+@@ -97,7 +97,7 @@ void __init efi_bgrt_init(void)
+ 		image = early_ioremap(bgrt_tab->image_address,
+ 				       bmp_header.size);
+ 		if (!image) {
+-			pr_err("Ignoring BGRT: failed to map image memory\n");
++			pr_debug("Ignoring BGRT: failed to map image memory\n");
+ 			kfree(bgrt_image);
+ 			bgrt_image = NULL;
+ 			return;
+-- 
+2.5.5
+
diff --git a/x86-xen-suppress-hugetlbfs-in-PV-guests.patch b/x86-xen-suppress-hugetlbfs-in-PV-guests.patch
deleted file mode 100644
index 1b7c8f24a..000000000
--- a/x86-xen-suppress-hugetlbfs-in-PV-guests.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 72c339e0c6d9969e664c2cf63e162753d7d859ae Mon Sep 17 00:00:00 2001
-From: Jan Beulich <jbeulich@suse.com>
-Date: Thu, 14 Apr 2016 13:03:47 +0000
-Subject: [PATCH] x86/xen: suppress hugetlbfs in PV guests
-
-Huge pages are not normally available to PV guests. Not suppressing
-hugetlbfs use results in an endless loop of page faults when user mode
-code tries to access a hugetlbfs mapped area (since the hypervisor
-denies such PTEs to be created, but error indications can't be
-propagated out of xen_set_pte_at(), just like for various of its
-siblings), and - once killed in an oops like this:
-
-kernel BUG at .../fs/hugetlbfs/inode.c:428!
-invalid opcode: 0000 [#1] SMP
-Modules linked in: ...
-Supported: Yes
-CPU: 2 PID: 6088 Comm: hugetlbfs Tainted: G        W         4.4.0-2016-01-20-pv #2
-Hardware name: ...
-task: ffff8808059205c0 ti: ffff880803c84000 task.ti: ffff880803c84000
-RIP: e030:[<ffffffff811c333b>]  [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320
-RSP: e02b:ffff880803c879a8  EFLAGS: 00010202
-RAX: 000000000077a4db RBX: ffffea001acff000 RCX: 0000000078417d38
-RDX: 0000000000000000 RSI: 000000007e154fa7 RDI: ffff880805d70960
-RBP: 0000000000000960 R08: 0000000000000000 R09: 0000000000000000
-R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
-R13: ffff880807486018 R14: 0000000000000000 R15: ffff880803c87af0
-FS:  00007f85fa8b8700(0000) GS:ffff88080b640000(0000) knlGS:0000000000000000
-CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
-CR2: 00007f85fa000000 CR3: 0000000001a0a000 CR4: 0000000000040660
-Stack:
- ffff880000000fb0 ffff880803c87a18 ffff880803c87ae8 ffff8808059205c0
- ffff880803c87af0 ffff880803c87ae8 ffff880807486018 0000000000000000
- ffffffff81bf6e60 ffff880807486168 000003ffffffffff 0000000003c87758
-Call Trace:
- [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40
- [<ffffffff81167b3d>] evict+0xbd/0x1b0
- [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0
- [<ffffffff81165b0e>] dput+0x1fe/0x220
- [<ffffffff81150535>] __fput+0x155/0x200
- [<ffffffff81079fc0>] task_work_run+0x60/0xa0
- [<ffffffff81063510>] do_exit+0x160/0x400
- [<ffffffff810637eb>] do_group_exit+0x3b/0xa0
- [<ffffffff8106e8bd>] get_signal+0x1ed/0x470
- [<ffffffff8100f854>] do_signal+0x14/0x110
- [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0
- [<ffffffff814178a5>] retint_user+0x8/0x13
-
-This is XSA-174.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Cc: stable@vger.kernel.org
----
- arch/x86/include/asm/hugetlb.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h
-index f8a29d2c97b0..e6a8613fbfb0 100644
---- a/arch/x86/include/asm/hugetlb.h
-+++ b/arch/x86/include/asm/hugetlb.h
-@@ -4,6 +4,7 @@
- #include <asm/page.h>
- #include <asm-generic/hugetlb.h>
- 
-+#define hugepages_supported() cpu_has_pse
- 
- static inline int is_hugepage_only_range(struct mm_struct *mm,
- 					 unsigned long addr,
--- 
-2.5.5
-