Merge remote-tracking branch 'origin/master'

16 files changed, 295 insertions, 179 deletions

diff --git a/ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch b/ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch
deleted file mode 100644
index 892cd5b77..000000000
--- a/ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From e36b3efcd07ab5c323e82319577d972ebddcbed1 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Fri, 18 Mar 2016 18:01:53 +0100
-Subject: [PATCH 2/3] ALSA: hda - Fix forgotten HDMI monitor_present update
-
-We forgot to copy monitor_present value when updating the ELD
-information.  This won't change the ELD retrieval and the jack
-notification behavior, but appears only in the proc output.   In that
-sense, it's no fatal error, but a bug is a bug is a bug.
-
-Cc: <stable@vger.kernel.org>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/pci/hda/patch_hdmi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index 8cdb804aa9cf..e7d9453ecd10 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -1358,6 +1358,7 @@ static void update_eld(struct hda_codec *codec,
- 			   eld->eld_size) != 0)
- 			eld_changed = true;
- 
-+	pin_eld->monitor_present = eld->monitor_present;
- 	pin_eld->eld_valid = eld->eld_valid;
- 	pin_eld->eld_size = eld->eld_size;
- 	if (eld->eld_valid)
--- 
-2.5.0
-
diff --git a/ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch b/ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch
deleted file mode 100644
index 5c9bda87c..000000000
--- a/ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 1f2109de8368f08a353d7862f462b943a5ac4b4a Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Fri, 18 Mar 2016 19:45:13 +0100
-Subject: [PATCH 3/3] ALSA: hda - Fix spurious kernel WARNING on Baytrail HDMI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-snd_hdac_sync_audio_rate() call is mandatory only for HSW and later
-models, but we call the function unconditionally blindly assuming that
-the function doesn't do anything harmful.  But since recently, the
-function checks the validity of the passed pin NID, and eventually
-spews the warning if an unexpected pin is passed.  This is seen on old
-chips like Baytrail.
-
-The fix is to limit the call of this function again only for the chips
-with the proper binding.  This can be identified by the same flag as
-the eld notifier.
-
-Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Cc: <stable@vger.kernel.org> # v4.5
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/pci/hda/patch_hdmi.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index e7d9453ecd10..56d3575ee6cc 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -1741,7 +1741,8 @@ static int generic_hdmi_playback_pcm_prepare(struct hda_pcm_stream *hinfo,
- 
- 	/* Call sync_audio_rate to set the N/CTS/M manually if necessary */
- 	/* Todo: add DP1.2 MST audio support later */
--	snd_hdac_sync_audio_rate(&codec->bus->core, pin_nid, runtime->rate);
-+	if (codec_has_acomp(codec))
-+		snd_hdac_sync_audio_rate(&codec->bus->core, pin_nid, runtime->rate);
- 
- 	non_pcm = check_non_pcm_per_cvt(codec, cvt_nid);
- 	mutex_lock(&per_pin->lock);
--- 
-2.5.0
-
diff --git a/ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch b/ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch
deleted file mode 100644
index 2224e7fd0..000000000
--- a/ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 3fb329b2c3b6c2f009aa1255d2436ec49e49877f Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Fri, 18 Mar 2016 15:10:08 +0100
-Subject: [PATCH 1/3] ALSA: hda - Really restrict i915 notifier to HSW+
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The commit [b62232d429fa: ALSA: hda - Limit i915 HDMI binding only for
-HSW and later] tried to limit the usage of i915 audio notifier to the
-recent Intel models and switch to the old method on pre-Haswell
-models.  However, it assumed that the i915 component binding hasn't
-been done on such models, and the assumption was wrong: namely,
-Baytrail had already the i915 component binding due to powerwell
-control.  Thus, the workaround wasn't applied to Baytrail.
-
-For fixing this properly, this patch introduces a new flag indicating
-the usage of audio notifier and codec_has_acomp() refers to this flag
-instead of checking the existence of audio component.
-
-Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
-Cc: <stable@vger.kernel.org> # v4.5
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/pci/hda/patch_hdmi.c | 24 +++++++++++++++++-------
- 1 file changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
-index 49ee4e55dd16..8cdb804aa9cf 100644
---- a/sound/pci/hda/patch_hdmi.c
-+++ b/sound/pci/hda/patch_hdmi.c
-@@ -152,6 +152,7 @@ struct hdmi_spec {
- 	struct hda_pcm_stream pcm_playback;
- 
- 	/* i915/powerwell (Haswell+/Valleyview+) specific */
-+	bool use_acomp_notifier; /* use i915 eld_notify callback for hotplug */
- 	struct i915_audio_component_audio_ops i915_audio_ops;
- 	bool i915_bound; /* was i915 bound in this driver? */
- 
-@@ -159,8 +160,11 @@ struct hdmi_spec {
- };
- 
- #ifdef CONFIG_SND_HDA_I915
--#define codec_has_acomp(codec) \
--	((codec)->bus->core.audio_component != NULL)
-+static inline bool codec_has_acomp(struct hda_codec *codec)
-+{
-+	struct hdmi_spec *spec = codec->spec;
-+	return spec->use_acomp_notifier;
-+}
- #else
- #define codec_has_acomp(codec)	false
- #endif
-@@ -2248,12 +2252,18 @@ static int patch_generic_hdmi(struct hda_codec *codec)
- 	codec->spec = spec;
- 	hdmi_array_init(spec, 4);
- 
-+#ifdef CONFIG_SND_HDA_I915
- 	/* Try to bind with i915 for Intel HSW+ codecs (if not done yet) */
--	if (!codec_has_acomp(codec) &&
--	    (codec->core.vendor_id >> 16) == 0x8086 &&
--	    is_haswell_plus(codec))
--		if (!snd_hdac_i915_init(&codec->bus->core))
--			spec->i915_bound = true;
-+	if ((codec->core.vendor_id >> 16) == 0x8086 &&
-+	    is_haswell_plus(codec)) {
-+		if (!codec->bus->core.audio_component)
-+			if (!snd_hdac_i915_init(&codec->bus->core))
-+				spec->i915_bound = true;
-+		/* use i915 audio component notifier for hotplug */
-+		if (codec->bus->core.audio_component)
-+			spec->use_acomp_notifier = true;
-+	}
-+#endif
- 
- 	if (is_haswell_plus(codec)) {
- 		intel_haswell_enable_all_pins(codec, true);
--- 
-2.5.0
-
diff --git a/Initial-AllWinner-A64-and-PINE64-support.patch b/Initial-AllWinner-A64-and-PINE64-support.patch
index e9b00f70e..966275a8f 100644
--- a/Initial-AllWinner-A64-and-PINE64-support.patch
+++ b/Initial-AllWinner-A64-and-PINE64-support.patch
@@ -1056,8 +1056,8 @@ index 171085a..cc89d1f 100644
 --- a/drivers/clk/sunxi/clk-factors.h
 +++ b/drivers/clk/sunxi/clk-factors.h
 @@ -26,6 +26,7 @@ struct factors_data {
- 	struct clk_factors_config *table;
- 	void (*getter) (u32 *rate, u32 parent_rate, u8 *n, u8 *k, u8 *m, u8 *p);
+ 	void (*getter)(struct factors_request *req);
+ 	void (*recalc)(struct factors_request *req);
  	const char *name;
 +	int name_idx;
  };
diff --git a/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch b/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
new file mode 100644
index 000000000..c7a461de8
--- /dev/null
+++ b/Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
@@ -0,0 +1,107 @@
+From 0f8536022831faaba3a952fa633902d9686f535f Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Wed, 23 Mar 2016 15:53:07 -0400
+Subject: [PATCH] Input: ati_remote2: fix crashes on detecting device with
+ invalid descriptor
+
+The ati_remote2 driver expects at least two interfaces with one
+endpoint each. If given malicious descriptor that specify one
+interface or no endpoints, it will crash in the probe function.
+Ensure there is at least two interfaces and one endpoint for each
+interface before using it.
+
+The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------
+ 1 file changed, 30 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
+index cfd58e87da26..cf5d1e8d92c7 100644
+--- a/drivers/input/misc/ati_remote2.c
++++ b/drivers/input/misc/ati_remote2.c
+@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	ar2->udev = udev;
+ 
++	/* Sanity check, first interface must have an endpoint */
++	if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
++		dev_err(&interface->dev,
++			"%s(): interface 0 must have an endpoint\n", __func__);
++		r = -ENODEV;
++		goto fail1;
++	}
+ 	ar2->intf[0] = interface;
+ 	ar2->ep[0] = &alt->endpoint[0].desc;
+ 
++	/* Sanity check, the device must have two interfaces */
+ 	ar2->intf[1] = usb_ifnum_to_if(udev, 1);
++	if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
++		dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
++			__func__, udev->actconfig->desc.bNumInterfaces);
++		r = -ENODEV;
++		goto fail1;
++	}
++
+ 	r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
+ 	if (r)
+ 		goto fail1;
++
++	/* Sanity check, second interface must have an endpoint */
+ 	alt = ar2->intf[1]->cur_altsetting;
++	if ((alt->desc.bNumEndpoints < 1) || !alt->endpoint) {
++		dev_err(&interface->dev,
++			"%s(): interface 1 must have an endpoint\n", __func__);
++		r = -ENODEV;
++		goto fail2;
++	}
+ 	ar2->ep[1] = &alt->endpoint[0].desc;
+ 
+ 	r = ati_remote2_urb_init(ar2);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	ar2->channel_mask = channel_mask;
+ 	ar2->mode_mask = mode_mask;
+ 
+ 	r = ati_remote2_setup(ar2, ar2->channel_mask);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
+ 	strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
+@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
+ 	if (r)
+-		goto fail2;
++		goto fail3;
+ 
+ 	r = ati_remote2_input_init(ar2);
+ 	if (r)
+-		goto fail3;
++		goto fail4;
+ 
+ 	usb_set_intfdata(interface, ar2);
+ 
+@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d
+ 
+ 	return 0;
+ 
+- fail3:
++ fail4:
+ 	sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
+- fail2:
++ fail3:
+ 	ati_remote2_urb_cleanup(ar2);
++ fail2:
+ 	usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
+  fail1:
+ 	kfree(ar2);
+-- 
+2.5.0
+
diff --git a/config-arm-generic b/config-arm-generic
index eb9af25a0..e533137e4 100644
--- a/config-arm-generic
+++ b/config-arm-generic
@@ -42,6 +42,8 @@ CONFIG_HAVE_PERF_USER_STACK_DUMP=y
 
 CONFIG_ARM_PMU=y
 
+# CONFIG_IOMMU_IO_PGTABLE_ARMV7S is not set
+
 # ARM AMBA generic HW
 CONFIG_ARM_AMBA=y
 CONFIG_KERNEL_MODE_NEON=y
@@ -170,7 +172,6 @@ CONFIG_SND_HDA_TEGRA=m
 
 # CONFIG_ARM_TEGRA20_CPUFREQ is not set
 # CONFIG_MFD_NVEC is not set
-# CONFIG_TEGRA20_APB_DMA is not set
 
 # Virt
 CONFIG_PARAVIRT=y
@@ -440,7 +441,6 @@ CONFIG_VFIO_AMBA=m
 # CONFIG_CADENCE_WATCHDOG is not set
 
 # CONFIG_DRM_ARMADA is not set
-# CONFIG_DRM_TEGRA is not set
 # CONFIG_SHMOBILE_IOMMU is not set
 
 # CONFIG_COMMON_CLK_SI570 is not set
diff --git a/config-armv7 b/config-armv7
index 1a040d692..1efb5899f 100644
--- a/config-armv7
+++ b/config-armv7
@@ -238,6 +238,7 @@ CONFIG_TI_CPSW_ALE=m
 CONFIG_TI_CPTS=y
 CONFIG_TI_EMIF=m
 CONFIG_DRM_TILCDC=m
+# CONFIG_COMMON_CLK_TI_ADPLL is not set
 # We only need this until the BBB dts is actually updated
 CONFIG_DRM_TILCDC_SLAVE_COMPAT=y
 CONFIG_SPI_DAVINCI=m
@@ -296,6 +297,7 @@ CONFIG_REGULATOR_QCOM_SPMI=m
 CONFIG_APQ_GCC_8084=m
 CONFIG_APQ_MMCC_8084=m
 CONFIG_IPQ_GCC_806X=m
+CONFIG_IPQ_GCC_4019=m
 CONFIG_MSM_GCC_8660=m
 CONFIG_MSM_GCC_8960=m
 CONFIG_MSM_MMCC_8960=m
diff --git a/config-armv7-generic b/config-armv7-generic
index b3904423c..f042deef9 100644
--- a/config-armv7-generic
+++ b/config-armv7-generic
@@ -378,6 +378,13 @@ CONFIG_AD525X_DPOT=m
 CONFIG_AD525X_DPOT_I2C=m
 CONFIG_AD525X_DPOT_SPI=m
 
+# Jetson TK1
+CONFIG_PINCTRL_AS3722=y
+CONFIG_POWER_RESET_AS3722=y
+CONFIG_MFD_AS3722=y
+CONFIG_REGULATOR_AS3722=m
+CONFIG_RTC_DRV_AS3722=y
+
 # TI Generic
 CONFIG_TI_SOC_THERMAL=m
 CONFIG_TI_THERMAL=y
diff --git a/config-armv7-lpae b/config-armv7-lpae
index 828b13a87..e500e1d58 100644
--- a/config-armv7-lpae
+++ b/config-armv7-lpae
@@ -62,6 +62,7 @@ CONFIG_KEYSTONE_IRQ=m
 CONFIG_PCI_KEYSTONE=y
 CONFIG_MTD_NAND_DAVINCI=m
 CONFIG_GPIO_SYSCON=m
+CONFIG_TI_MESSAGE_MANAGER=m
 
 # Tegra (non A15 device options)
 # CONFIG_ARCH_TEGRA_2x_SOC is not set
@@ -71,7 +72,6 @@ CONFIG_GPIO_SYSCON=m
 # CONFIG_SPI_TEGRA20_SFLASH is not set
 # CONFIG_SPI_TEGRA20_SLINK is not set
 # CONFIG_MFD_MAX8907 is not set
-# CONFIG_MFD_NVEC is not set
 # CONFIG_SND_SOC_TEGRA_ALC5632 is not set
 # CONFIG_SND_SOC_TEGRA_TRIMSLICE is not set
 # CONFIG_SND_SOC_TEGRA_WM8753 is not set
@@ -80,5 +80,4 @@ CONFIG_GPIO_SYSCON=m
 # CONFIG_SND_SOC_TEGRA20_AC97 is not set
 # CONFIG_SND_SOC_TEGRA20_DAS is not set
 # CONFIG_SND_SOC_TEGRA20_SPDIF is not set
-# CONFIG_SND_SOC_TEGRA_RT5677 is not set
 # CONFIG_DRM_OMAP is not set
diff --git a/config-generic b/config-generic
index 85d0d9733..9bccf5ec0 100644
--- a/config-generic
+++ b/config-generic
@@ -109,6 +109,7 @@ CONFIG_PCIE_ECRC=y
 CONFIG_PCIEAER_INJECT=m
 CONFIG_HOTPLUG_PCI=y
 # CONFIG_HOTPLUG_PCI_CPCI is not set
+# CONFIG_HOTPLUG_PCI_SHPC is not set
 CONFIG_HOTPLUG_PCI_PCIE=y
 # CONFIG_PCIE_DW_PLAT is not set
 
@@ -190,6 +191,7 @@ CONFIG_INFINIBAND_CXGB4=m
 CONFIG_SCSI_CXGB3_ISCSI=m
 CONFIG_SCSI_CXGB4_ISCSI=m
 # CONFIG_INFINIBAND_CXGB3_DEBUG is not set
+CONFIG_INFINIBAND_I40IW=m
 CONFIG_INFINIBAND_NES=m
 # CONFIG_INFINIBAND_NES_DEBUG is not set
 CONFIG_INFINIBAND_QIB=m
@@ -197,6 +199,8 @@ CONFIG_INFINIBAND_QIB_DCA=y
 CONFIG_INFINIBAND_OCRDMA=m
 CONFIG_INFINIBAND_USNIC=m
 
+CONFIG_INFINIBAND_RDMAVT=m
+
 #
 # Executable file formats
 #
@@ -2694,6 +2698,7 @@ CONFIG_I2C_CHARDEV=m
 # CONFIG_I2C_MUX_PCA9541 is not set
 # CONFIG_I2C_MUX_PINCTRL is not set
 # CONFIG_I2C_MUX_REG is not set
+# CONFIG_I2C_DEMUX_PINCTRL is not set
 # CONFIG_I2C_CADENCE is not set
 
 #
@@ -4593,6 +4598,7 @@ CONFIG_MSDOS_FS=m
 CONFIG_VFAT_FS=m
 CONFIG_FAT_DEFAULT_CODEPAGE=437
 CONFIG_FAT_DEFAULT_IOCHARSET="ascii"
+# CONFIG_FAT_DEFAULT_UTF8 is not set
 # CONFIG_NTFS_FS is not set
 
 #
@@ -4873,6 +4879,8 @@ CONFIG_HEADERS_CHECK=y
 # This just changes a default enable with workqueue.debug_force_rr_cpu
 # CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
 #
+# CONFIG_KCOV is not set
+#
 # These debug options are deliberatly left on (even in 'make release' kernels).
 # They aren't that much of a performance impact, and the value
 # from getting useful bug-reports makes it worth leaving them on.
diff --git a/digi_acceleport-do-sanity-checking-for-the-number-of.patch b/digi_acceleport-do-sanity-checking-for-the-number-of.patch
index 2bbae94b7..eb060eb08 100644
--- a/digi_acceleport-do-sanity-checking-for-the-number-of.patch
+++ b/digi_acceleport-do-sanity-checking-for-the-number-of.patch
@@ -1,7 +1,7 @@
 From e9c2a3972496927631a1a98fef43e9538e9fd5d5 Mon Sep 17 00:00:00 2001
 From: Oliver Neukum <oneukum@suse.com>
 Date: Mon, 14 Mar 2016 15:53:38 +0100
-Subject: [PATCH] digi_acceleport: do sanity checking for the number of ports
+Subject: [PATCH v2] digi_acceleport: do sanity checking for the number of ports
 
 The driver can be crashed with devices that expose crafted
 descriptors with too few endpoints.
@@ -9,26 +9,62 @@ See:
 http://seclists.org/bugtraq/2016/Mar/61
 
 Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+
+v1 - added sanity checks
+v2 - moved them to probe() to fix problems Johan pointed out
 ---
- drivers/usb/serial/digi_acceleport.c | 5 +++++
- 1 file changed, 5 insertions(+)
+ drivers/usb/serial/digi_acceleport.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
 
 diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c
-index 12b0e67473ba..c4d4d4547d40 100644
+index 12b0e67..dab1dcf 100644
 --- a/drivers/usb/serial/digi_acceleport.c
 +++ b/drivers/usb/serial/digi_acceleport.c
-@@ -1260,6 +1260,11 @@ static int digi_startup(struct usb_serial *serial)
+@@ -1252,7 +1252,8 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num)
+ static int digi_startup(struct usb_serial *serial)
+ {
+ 	struct digi_serial *serial_priv;
+-	int ret;
++	int ret = -ENODEV;
++	int i;
+ 
+ 	serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
+ 	if (!serial_priv)
+@@ -1260,18 +1261,31 @@ static int digi_startup(struct usb_serial *serial)
  
  	spin_lock_init(&serial_priv->ds_serial_lock);
  	serial_priv->ds_oob_port_num = serial->type->num_ports;
-+	if (!(serial_priv->ds_oob_port_num == 2 && serial->type == &digi_acceleport_2_device)
-+		&& !(serial_priv->ds_oob_port_num == 4 && serial->type == &digi_acceleport_4_device)) {
-+		kfree(serial_priv);
-+		return -EINVAL;
++
++	/* Check whether the expected number of ports matches the device */
++	if (serial->num_ports < serial_priv->ds_oob_port_num)
++		goto error;
++	/* all features must be present */
++	for (i = 0; i < serial->type->num_ports + 1 ; i++) {
++		if (!serial->port[i]->read_urb)
++			goto error;
++		if (!serial->port[i]->write_urb)
++			goto error;
 +	}
++
  	serial_priv->ds_oob_port = serial->port[serial_priv->ds_oob_port_num];
  
  	ret = digi_port_init(serial_priv->ds_oob_port,
+ 						serial_priv->ds_oob_port_num);
+-	if (ret) {
+-		kfree(serial_priv);
+-		return ret;
+-	}
++	if (ret)
++		goto error;
+ 
+ 	usb_set_serial_data(serial, serial_priv);
+ 
+ 	return 0;
++error:
++	kfree(serial_priv);
++	return ret;
+ }
+ 
+ 
 -- 
-2.5.0
-
+2.1.4
diff --git a/gitrev b/gitrev
index b2ccd1d5f..3560dc23f 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-770c4c1119dbaa0e5e4c1f2e88ca8bfeb0d66b6d
+c130423620331a104492bbbcc49f25125e26a21a
diff --git a/input-gtco-fix-crash-on-detecting-device-without-end.patch b/input-gtco-fix-crash-on-detecting-device-without-end.patch
new file mode 100644
index 000000000..849f607a5
--- /dev/null
+++ b/input-gtco-fix-crash-on-detecting-device-without-end.patch
@@ -0,0 +1,49 @@
+Subject:    [PATCH] Input: gtco: fix crash on detecting device without endpoints
+From:       Vladis Dronov <vdronov@redhat.com>
+Date:       2016-03-18 18:35:00
+
+The gtco driver expects at least one valid endpoint. If given
+malicious descriptors that specify 0 for the number of endpoints,
+it will crash in the probe function. Ensure there is at least
+one endpoint on the interface before using it. Fix minor coding
+style issue.
+
+The full report of this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/86
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/input/tablet/gtco.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
+index 3a7f3a4..7c18249 100644
+--- a/drivers/input/tablet/gtco.c
++++ b/drivers/input/tablet/gtco.c
+@@ -858,6 +858,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 		goto err_free_buf;
+ 	}
+ 
++	/* Sanity check that a device has an endpoint */
++	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
++		dev_err(&usbinterface->dev,
++			"Invalid number of endpoints\n");
++		error = -EINVAL;
++		goto err_free_urb;
++	}
++
+ 	/*
+ 	 * The endpoint is always altsetting 0, we know this since we know
+ 	 * this device only has one interrupt endpoint
+@@ -879,7 +887,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
+ 	 * HID report descriptor
+ 	 */
+ 	if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
+-				     HID_DEVICE_TYPE, &hid_desc) != 0){
++				     HID_DEVICE_TYPE, &hid_desc) != 0) {
+ 		dev_err(&usbinterface->dev,
+ 			"Can't retrieve exta USB descriptor to get hid report descriptor length\n");
+ 		error = -EIO;
+-- 
+2.5.0
diff --git a/kernel.spec b/kernel.spec
index 23683651e..96880300a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel
 # The rc snapshot level
 %define rcrev 0
 # The git snapshot level
-%define gitrev 18
+%define gitrev 22
 # Set rpm version accordingly
 %define rpmversion 4.%{upstream_sublevel}.0
 %endif
@@ -637,15 +637,14 @@ Patch668: x86-tsc-Prevent-NULL-pointer-deref-in-calibrate_dela.patch
 #CVE-2016-3137 rhbz 1317010 1316996
 Patch672: cypress_m8-add-sanity-checking.patch
 
+#CVE-2016-2185 rhbz 1317014 1317471
+Patch669: Input-ati_remote2-fix-crashes-on-detecting-device-wi.patch
+
 #CVE-2016-3140 rhbz 1317010 1316995
 Patch677: digi_acceleport-do-sanity-checking-for-the-number-of.patch
 
 Patch678: ims-pcu-sanity-check-against-missing-interfaces.patch
 
-Patch680: ALSA-hda-Really-restrict-i915-notifier-to-HSW.patch
-Patch681: ALSA-hda-Fix-forgotten-HDMI-monitor_present-update.patch
-Patch682: ALSA-hda-Fix-spurious-kernel-WARNING-on-Baytrail-HDM.patch
-
 #rhbz 1315013
 Patch683: 0001-uas-Limit-qdepth-at-the-scsi-host-level.patch
 
@@ -655,6 +654,12 @@ Patch684: thermal-fix.patch
 #rhbz 1318079
 Patch685: 0001-Input-synaptics-handle-spurious-release-of-trackstic.patch
 
+#CVE-2016-2187 rhbz 1317017 1317010
+Patch686: input-gtco-fix-crash-on-detecting-device-without-end.patch
+
+#CVE-2016-3136 rhbz 1317007 1317010
+Patch687: mct_u232-sanity-checking-in-probe.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2180,6 +2185,29 @@ fi
 #
 # 
 %changelog
+* Wed Mar 23 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git22.1
+- Linux v4.5-12013-gc13042362033
+- crypto, mailbox, clk merges
+
+* Wed Mar 23 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git21.1
+- Linux v4.5-11787-ga24e3d414e59
+- akpm, kvm, rdma
+
+* Wed Mar 23 2016 Peter Robinson <pbrobinson@fedoraproject.org>
+- Fix Tegra Jetson TK1
+
+* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git20.1
+- Linux v4.5-11312-g01cde1538e1d
+- nfs, overlayfs, fuse, xen, i2c, target, pci, sound, iommu merges
+
+* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-3136 mct_u232: oops on invalid USB descriptors (rhbz 1317007 1317010)
+- CVE-2016-2187 gtco: oops on invalid USB descriptors (rhbz 1317017 1317010)
+
+* Tue Mar 22 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git19.1
+- Linux v4.5-11118-g968f3e374faf
+- btrfs, mmc, md merges
+
 * Mon Mar 21 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git18.1
 - Linux v4.5-10883-g770c4c1119db
 - drm, arm64-perf, arc, udf, quota merges
diff --git a/mct_u232-sanity-checking-in-probe.patch b/mct_u232-sanity-checking-in-probe.patch
new file mode 100644
index 000000000..006faf15f
--- /dev/null
+++ b/mct_u232-sanity-checking-in-probe.patch
@@ -0,0 +1,35 @@
+Subject:    [PATCH v2] mct_u232: sanity checking in probe
+From:       Oliver Neukum <oneukum@suse.com>
+Date:       2016-03-21 13:14:37
+
+An attack using the lack of sanity checking in probe
+is known. This patch checks for the existance of a
+second port.
+CVE-2016-3136
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+CC: stable@vger.kernel.org
+
+v1 - add sanity check for presence of a second port
+v2 - add sanity check for an interrupt endpoint
+---
+ drivers/usb/serial/mct_u232.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
+index 4446b8d..3e64538 100644
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -378,6 +378,10 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
+ 	struct mct_u232_private *priv;
+ 
++	/* check first to simplify error handling */
++	if (!port->serial->port[1] || !port->serial->port[1]->interrupt_in_urb)
++		return -ENODEV;
++
+ 	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ 	if (!priv)
+ 		return -ENOMEM;
+-- 
+2.1.4
diff --git a/sources b/sources
index b8dd53243..3e129fe0a 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 a60d48eee08ec0536d5efb17ca819aef  linux-4.5.tar.xz
 6f557fe90b800b615c85c2ca04da6154  perf-man-4.5.tar.gz
-a3447af4912b536e6d7d170b2bf18109  patch-4.5-git18.xz
+1efd8aeadf2822f23214a5129575a8f6  patch-4.5-git22.xz