authorThorsten Leemhuis <fedora@leemhuis.info>2016-05-21 07:56:01 +0200
committerThorsten Leemhuis <fedora@leemhuis.info>2016-05-21 07:56:01 +0200
commita7a0c90031acf1cd1e7bd777bda70e1738c805c9 (patch)
tree9188e551ff78c6423cfdf95240226ed368bb482f
parent89f8c3ffa504e07b9ce529acf90c4bfd22a440a4 (diff)
parent8a052bf240d0b95d9c255ca9291a0669e5e28ac5 (diff)
downloadkernel-4.7.0-0.rc0.git5.1.vanilla.knurd.1.fc25.tar.gz
kernel-4.7.0-0.rc0.git5.1.vanilla.knurd.1.fc25.tar.xz
kernel-4.7.0-0.rc0.git5.1.vanilla.knurd.1.fc25.zip
-rw-r--r--ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch33
-rw-r--r--ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch34
-rw-r--r--ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch34
-rw-r--r--Add-an-EFI-signature-blob-parser-and-key-loader.patch29
-rw-r--r--KVM-MTRR-remove-MSR-0x2f8.patch49
-rw-r--r--config-arm-generic9
-rw-r--r--config-arm641
-rw-r--r--config-armv71
-rw-r--r--config-armv7-generic4
-rw-r--r--config-generic10
-rw-r--r--config-x86-generic1
-rw-r--r--gitrev2
-rw-r--r--kernel.spec26
-rw-r--r--kvm-vmx-more-complete-state-update-on-APICv-on-off.patch112
-rw-r--r--sources2
15 files changed, 162 insertions, 185 deletions
diff --git a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch b/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
deleted file mode 100644
index 3eb8bf183..000000000
--- a/ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 527a5767c165abd2b4dba99da992c51ca7547562 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:07 -0400
-Subject: [PATCH 1/3] ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “tread” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 6469bedda2f3..964f5ebf495e 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1739,6 +1739,7 @@ static int snd_timer_user_params(struct file *file,
- if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
- if (tu->tread) {
- struct snd_timer_tread tread;
-+ memset(&tread, 0, sizeof(tread));
- tread.event = SNDRV_TIMER_EVENT_EARLY;
- tread.tstamp.tv_sec = 0;
- tread.tstamp.tv_nsec = 0;
---
-2.5.5
-
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
deleted file mode 100644
index e6f46f8a8..000000000
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From addd6e9f0e25efb00d813d54528607c75b77c416 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:20 -0400
-Subject: [PATCH 2/3] ALSA: timer: Fix leak in events via
- snd_timer_user_ccallback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index 964f5ebf495e..e98fa5feb731 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1225,6 +1225,7 @@ static void snd_timer_user_ccallback(struct snd_timer_instance *timeri,
- tu->tstamp = *tstamp;
- if ((tu->filter & (1 << event)) == 0 || !tu->tread)
- return;
-+ memset(&r1, 0, sizeof(r1));
- r1.event = event;
- r1.tstamp = *tstamp;
- r1.val = resolution;
---
-2.5.5
-
diff --git a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch b/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
deleted file mode 100644
index 7851c55a2..000000000
--- a/ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From b06a443b5679e9a0298e2f206ddb60845569f62f Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kangjielu@gmail.com>
-Date: Tue, 3 May 2016 16:44:32 -0400
-Subject: [PATCH 3/3] ALSA: timer: Fix leak in events via
- snd_timer_user_tinterrupt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The stack object “r1” has a total size of 32 bytes. Its field
-“event” and “val” both contain 4 bytes padding. These 8 bytes
-padding bytes are sent to user without being initialized.
-
-Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- sound/core/timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/core/timer.c b/sound/core/timer.c
-index e98fa5feb731..c69a27155433 100644
---- a/sound/core/timer.c
-+++ b/sound/core/timer.c
-@@ -1268,6 +1268,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri,
- }
- if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
- tu->last_resolution != resolution) {
-+ memset(&r1, 0, sizeof(r1));
- r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
- r1.tstamp = tstamp;
- r1.val = resolution;
---
-2.5.5
-
diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
index 86a285581..78f482b39 100644
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
@@ -1,4 +1,4 @@
-From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
+From 8cd53548ce7b88b08cc6345c8fca7d28d1f3a7f2 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
@@ -6,20 +6,21 @@ Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
+[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
Signed-off-by: David Howells <dhowells@redhat.com>
---
crypto/asymmetric_keys/Kconfig | 8 +++
crypto/asymmetric_keys/Makefile | 1 +
- crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
+ crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
include/linux/efi.h | 4 ++
- 4 files changed, 122 insertions(+)
+ 4 files changed, 121 insertions(+)
create mode 100644 crypto/asymmetric_keys/efi_parser.c
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 4870f28403f5..4a1b50d73b80 100644
+index e28e912..94024e8 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
-@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
+@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
This option provides support for verifying the signature(s) on a
signed PE binary.
@@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644
+
endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index cd1406f9b14a..d9db380bbe53 100644
+index 6516855..c099fe1 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
-@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o
+@@ -10,6 +10,7 @@ asymmetric_keys-y := \
+ signature.o
obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
@@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644
# X.509 Certificate handling
diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
new file mode 100644
-index 000000000000..424896a0b169
+index 0000000..636feb1
--- /dev/null
+++ b/crypto/asymmetric_keys/efi_parser.c
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,108 @@
+/* EFI signature/key/certificate list parser
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
@@ -139,8 +141,7 @@ index 000000000000..424896a0b169
+ esize - sizeof(*elem),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW,
-+ KEY_ALLOC_NOT_IN_QUOTA |
-+ KEY_ALLOC_TRUSTED);
++ KEY_ALLOC_NOT_IN_QUOTA);
+
+ if (IS_ERR(key))
+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
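Review bot: With `KEY_ALLOC_TRUSTED` removed from the flags argument, nothing in this call marks the firmware-supplied certificate as trusted, so whether it is accepted presumably now depends on the restriction configured on the destination keyring, which this hunk does not show. The added note `[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]` records what changed but not why, or which mechanism now makes the trust decision. I would state that next to the flags, for example `/* no per-key trusted flag: acceptance is decided by the target keyring's link restriction */`, and name the keyring in the patch description. The `IS_ERR(key)` branch only logs through `pr_err`, so a rejected certificate leaves no other trace as far as the visible lines show. The call and its enclosing function start outside the hunk.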
@@ -159,10 +160,10 @@ index 000000000000..424896a0b169
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fac43c611614..414c3c3d988d 100644
+index b80227a..18443e3 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
-@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void);
+@@ -1050,6 +1050,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
char * __init efi_md_typeattr_format(char *buf, size_t size,
const efi_memory_desc_t *md);
@@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644
* efi_range_is_wc - check the WC bit on an address range
* @start: starting kvirt address
--
-2.4.3
+2.5.5
diff --git a/KVM-MTRR-remove-MSR-0x2f8.patch b/KVM-MTRR-remove-MSR-0x2f8.patch
deleted file mode 100644
index 8066b2e8f..000000000
--- a/KVM-MTRR-remove-MSR-0x2f8.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From bb0f06280beb6507226627a85076ae349a23fe22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
-Date: Mon, 16 May 2016 09:45:35 -0400
-Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
-was introduced by 9ba075a664df ("KVM: MTRR support").
-
-0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
-size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
-which made access to index 124 out of bounds. The surrounding code only
-WARNs in this situation, thus the guest gained a limited read/write
-access to struct kvm_arch_vcpu.
-
-0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
-MTRR MSRs, 0x200-0x20f. Every VR MTRR is set up using two MSRs, 0x2f8
-was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
-not implemented in KVM, therefore 0x2f8 could never do anything useful
-and getting rid of it is safe.
-
-This fixes CVE-2016-TBD.
-
-Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
-Cc: stable@vger.kernel.org
-Reported-by: David Matlack <dmatlack@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
----
- arch/x86/kvm/mtrr.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
-index 3f8c732117ec..c146f3c262c3 100644
---- a/arch/x86/kvm/mtrr.c
-+++ b/arch/x86/kvm/mtrr.c
-@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
- case MSR_MTRRdefType:
- case MSR_IA32_CR_PAT:
- return true;
-- case 0x2f8:
-- return true;
- }
- return false;
- }
---
-2.5.5
-
diff --git a/config-arm-generic b/config-arm-generic
index dfbab76cc..2b71fa092 100644
--- a/config-arm-generic
+++ b/config-arm-generic
@@ -6,8 +6,9 @@ CONFIG_EARLY_PRINTK=y
CONFIG_SERIAL_EARLYCON_ARM_SEMIHOST=y
CONFIG_FB_SSD1307=m
CONFIG_HW_PERF_EVENTS=y
-CONFIG_NFS_FS=y
CONFIG_FORCE_MAX_ZONEORDER=11
+CONFIG_XZ_DEC_ARM=y
+CONFIG_XZ_DEC_ARMTHUMB=y
CONFIG_CC_STACKPROTECTOR=y
@@ -154,6 +155,8 @@ CONFIG_RTC_DRV_TEGRA=m
CONFIG_ARM_TEGRA_DEVFREQ=m
CONFIG_ARM_TEGRA124_CPUFREQ=m
CONFIG_TEGRA_SOCTHERM=m
+CONFIG_PHY_TEGRA_XUSB=m
+CONFIG_USB_XHCI_TEGRA=m
CONFIG_TEGRA_HOST1X=m
CONFIG_TEGRA_HOST1X_FIREWALL=y
@@ -165,7 +168,6 @@ CONFIG_SND_HDA_TEGRA=m
# CONFIG_ARM_TEGRA20_CPUFREQ is not set
# CONFIG_MFD_NVEC is not set
-# CONFIG_PHY_TEGRA_XUSB is not set
# Virt
CONFIG_PARAVIRT=y
@@ -545,3 +547,6 @@ CONFIG_CHECKPOINT_RESTORE=y
# CONFIG_HW_RANDOM_HISI is not set
# CONFIG_QRTR is not set
+
+# This Xilinx option is now built for arm64 as well as ARM
+CONFIG_XILINX_VDMA=m
diff --git a/config-arm64 b/config-arm64
index 5c338d7fa..7266b7db3 100644
--- a/config-arm64
+++ b/config-arm64
@@ -162,6 +162,7 @@ CONFIG_HI6220_MBOX=m
# Tegra
CONFIG_ARCH_TEGRA_132_SOC=y
CONFIG_ARCH_TEGRA_210_SOC=y
+CONFIG_TEGRA210_ADMA=y
# AllWinner
CONFIG_MACH_SUN50I=y
diff --git a/config-armv7 b/config-armv7
index 755cefa99..d2191cee9 100644
--- a/config-armv7
+++ b/config-armv7
@@ -587,7 +587,6 @@ CONFIG_SPI_CADENCE=m
CONFIG_I2C_CADENCE=m
CONFIG_XILINX_WATCHDOG=m
CONFIG_XILINX_XADC=m
-CONFIG_XILINX_VDMA=m
CONFIG_SND_SOC_ADI=m
CONFIG_SND_SOC_ADI_AXI_I2S=m
CONFIG_SND_SOC_ADI_AXI_SPDIF=m
diff --git a/config-armv7-generic b/config-armv7-generic
index 486a445ce..0b99be151 100644
--- a/config-armv7-generic
+++ b/config-armv7-generic
@@ -30,7 +30,6 @@ CONFIG_ATAGS=y
CONFIG_ATAGS_PROC=y
CONFIG_ZBOOT_ROM_TEXT=0x0
CONFIG_ZBOOT_ROM_BSS=0x0
-CONFIG_XZ_DEC_ARMTHUMB=y
CONFIG_ARCH_HAS_TICK_BROADCAST=y
CONFIG_IRQ_CROSSBAR=y
CONFIG_IOMMU_IO_PGTABLE_LPAE=y
@@ -164,8 +163,6 @@ CONFIG_DEVFREQ_GOV_USERSPACE=y
CONFIG_DEFAULT_MMAP_MIN_ADDR=32768
CONFIG_LSM_MMAP_MIN_ADDR=32768
-CONFIG_XZ_DEC_ARM=y
-
# CONFIG_PCI_LAYERSCAPE is not set
# Do NOT enable this, it breaks stuff and makes things go slow
# CONFIG_UACCESS_WITH_MEMCPY is not set
@@ -464,6 +461,7 @@ CONFIG_RTC_DRV_ARMADA38X=m
CONFIG_LEDS_NS2=m
CONFIG_SERIAL_MVEBU_UART=y
# CONFIG_SERIAL_MVEBU_CONSOLE is not set
+# CONFIG_PCIE_ARMADA_8K is not set
# DRM panels
CONFIG_DRM_PANEL=y
diff --git a/config-generic b/config-generic
index 21ac74dae..9601b58d2 100644
--- a/config-generic
+++ b/config-generic
@@ -111,6 +111,7 @@ CONFIG_HOTPLUG_PCI=y
# CONFIG_HOTPLUG_PCI_SHPC is not set
CONFIG_HOTPLUG_PCI_PCIE=y
# CONFIG_PCIE_DW_PLAT is not set
+CONFIG_PCIE_DPC=m
# CONFIG_SGI_IOC4 is not set
@@ -4935,6 +4936,7 @@ CONFIG_SECURITY_SELINUX_AVC_STATS=y
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_LOADPIN is not set
CONFIG_SECURITY_YAMA=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
@@ -5071,6 +5073,7 @@ CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_BIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=m
+CONFIG_KEY_DH_OPERATIONS=y
CONFIG_CDROM_PKTCDVD=m
CONFIG_CDROM_PKTCDVD_BUFFERS=8
# CONFIG_CDROM_PKTCDVD_WCACHE is not set
@@ -5580,10 +5583,6 @@ CONFIG_GPIOLIB=y
CONFIG_NET_DSA=m
CONFIG_NET_DSA_HWMON=y
CONFIG_NET_DSA_MV88E6060=m
-CONFIG_NET_DSA_MV88E6131=m
-CONFIG_NET_DSA_MV88E6123=m
-CONFIG_NET_DSA_MV88E6171=m
-CONFIG_NET_DSA_MV88E6352=m
CONFIG_NET_DSA_MV88E6XXX=m
CONFIG_NET_DSA_BCM_SF2=m
@@ -5924,6 +5923,7 @@ CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS=""
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_PKCS7_MESSAGE_PARSER=y
# CONFIG_PKCS7_TEST_KEY is not set
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
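Review bot: `CONFIG_SECONDARY_TRUSTED_KEYRING=y` is enabled here without a comment, and the %changelog entries added to kernel.spec in this commit do not mention it. The option provides a keyring that accepts further keys at run time when they are vouched for by a built-in or already accepted key, which widens the set of keys that can validate signed content after boot. A change to the trust model deserves a line above the option, e.g. `# Allow run-time addition of keys that chain to an already trusted key`, and a matching changelog entry so the change can be audited later.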
@@ -5959,3 +5959,5 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y
# The kernel code has a nice comment
# WARNING: Do not even assume this interface is staying stable!
# CONFIG_MCE_AMD_INJ is not set
+
+# CONFIG_EZNPS_GIC is not set
diff --git a/config-x86-generic b/config-x86-generic
index 328f40020..5418ee7ab 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -575,6 +575,7 @@ CONFIG_SND_SOC_INTEL_CHT_BSW_MAX98090_TI_MACH=m
CONFIG_SND_SOC_INTEL_SKL_RT286_MACH=m
CONFIG_SND_SOC_INTEL_SKL_NAU88L25_SSM4567_MACH=m
CONFIG_SND_SOC_INTEL_SKL_NAU88L25_MAX98357A_MACH=m
+CONFIG_SND_SOC_INTEL_BXT_RT298_MACH=m
CONFIG_SND_SOC_AC97_CODEC=m
# CONFIG_SND_SOC_TAS571X is not set
# CONFIG_SND_SUN4I_CODEC is not set
diff --git a/gitrev b/gitrev
index 3b79c3867..3ddae4b99 100644
--- a/gitrev
+++ b/gitrev
@@ -1 +1 @@
-2600a46ee0ed57c0e0a382c2a37ebac64d374d20
+03b979dd0323ace8e29a0561cd5232f73a060c09
diff --git a/kernel.spec b/kernel.spec
index 0e508fdb5..aa273c948 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -77,7 +77,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 0
# The git snapshot level
-%define gitrev 4
+%define gitrev 5
# Set rpm version accordingly
%define rpmversion 4.%{upstream_sublevel}.0
%endif
@@ -579,7 +579,10 @@ Patch487: Add-EFI-signature-data-types.patch
Patch488: Add-an-EFI-signature-blob-parser-and-key-loader.patch
-Patch489: KEYS-Add-a-system-blacklist-keyring.patch
+# This doesn't apply. It seems like it could be replaced by
+# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c
+# which has an explicit line about blacklisting
+# Patch489: KEYS-Add-a-system-blacklist-keyring.patch
Patch490: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
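Review bot: Commenting out Patch489 drops the system blacklist keyring from this build while Patch490, the UEFI Secure Boot certificate import, stays enabled, so firmware revocation entries are presumably not enforced by this kernel. The new comment only says the referenced upstream commit "could" replace it, without confirming that it does. `CONFIG_SYSTEM_BLACKLIST_KEYRING=y` still shows up as hunk context in the config-generic diff of this commit, which suggests the option is left set without the patch that defines it. I would spell out the consequence and add a tracking reference, e.g. `# NOTE: until this is rebased, UEFI dbx entries are not enforced (rhbz <tracking-bug>)`, so the gap is not forgotten once the build succeeds.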
@@ -623,13 +626,8 @@ Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
#CVE-2016-4482 rhbz 1332931 1332932
Patch706: USB-usbfs-fix-potential-infoleak-in-devio.patch
-#CVE-2016-4569 rhbz 1334643 1334645
-Patch714: ALSA-timer-Fix-leak-in-SNDRV_TIMER_IOCTL_PARAMS.patch
-Patch715: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_cca.patch
-Patch716: ALSA-timer-Fix-leak-in-events-via-snd_timer_user_tin.patch
-
-#CVE-2016-3713 rhbz 1332139 1336410
-Patch717: KVM-MTRR-remove-MSR-0x2f8.patch
+#CVE-2016-4440 rhbz 1337806 1337807
+Patch719: kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
# END OF PATCH DEFINITIONS
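Review bot: Patch714 to Patch717, the fixes for CVE-2016-4569 and CVE-2016-3713, are removed here, but the %changelog entries added in this commit only mention the new CVE-2016-4440 patch. If they were dropped because the v4.6-6148-g03b979d snapshot already contains them, the changelog should say so, e.g. `- Drop ALSA timer (CVE-2016-4569) and KVM MTRR (CVE-2016-3713) patches, now in the upstream snapshot`. Without that line, someone auditing the package history cannot tell a merged fix from an accidentally lost one.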
@@ -2159,6 +2157,16 @@ fi
#
#
%changelog
+* Fri May 20 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git5.1
+- Linux v4.6-6148-g03b979d
+- Docs, i2c, md, iommu, sound, pci, pinctrl, dmaengine, kvm, security merges
+
+* Fri May 20 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4440 kvm: incorrect state leading to APIC register access (rhbz 1337806 1337807)
+
+* Fri May 20 2016 Peter Robinson <pbrobinson@fedoraproject.org>
+- Minor ARM cleanups, enable Tegra USB-3 controller
+
* Thu May 19 2016 Laura Abbott <labbott@redhat.com> - 4.7.0-0.rc0.git4.1
- Linux v4.6-5028-g2600a46
- trace, audit, input, media, scsi, armsoc merges
diff --git a/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
new file mode 100644
index 000000000..67043300c
--- /dev/null
+++ b/kvm-vmx-more-complete-state-update-on-APICv-on-off.patch
@@ -0,0 +1,112 @@
+From: Roman Kagan <rkagan@virtuozzo.com>
+Subject: [PATCH v3] kvm:vmx: more complete state update on APICv on/off
+Date: 2016-05-18 14:48:20 GMT (1 day, 21 hours and 23 minutes ago)
+
+The function to update APICv on/off state (in particular, to deactivate
+it when enabling Hyper-V SynIC), used to be incomplete: it didn't adjust
+APICv-related fields among secondary processor-based VM-execution
+controls.
+
+As a result, Windows 2012 guests would get stuck when SynIC-based
+auto-EOI interrupt intersected with e.g. an IPI in the guest.
+
+In addition, the MSR intercept bitmap wasn't updated to correspond to
+whether "virtualize x2APIC mode" was enabled. This path used not to be
+triggered, since Windows didn't use x2APIC but rather their own
+synthetic APIC access MSRs; however it represented a security risk
+because the guest running in a SynIC-enabled VM could switch to x2APIC
+and thus obtain direct access to host APIC MSRs (thanks to Yang Zhang
+<yang.zhang.wz@gmail.com> for spotting this).
+
+The patch fixes those omissions.
+
+Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
+Cc: Steve Rutherford <srutherford@google.com>
+Cc: Yang Zhang <yang.zhang.wz@gmail.com>
+---
+v2 -> v3:
+ - only switch to x2apic msr bitmap if virtualize x2apic mode is on in vmcs
+
+v1 -> v2:
+ - only update relevant bits in the secondary exec control
+ - update msr intercept bitmap (also make x2apic msr bitmap always
+ correspond to APICv)
+
+ arch/x86/kvm/vmx.c | 48 ++++++++++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index ee1c8a9..cef741a 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2418,7 +2418,9 @@ static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu)
+
+ if (is_guest_mode(vcpu))
+ msr_bitmap = vmx_msr_bitmap_nested;
+- else if (vcpu->arch.apic_base & X2APIC_ENABLE) {
++ else if (cpu_has_secondary_exec_ctrls() &&
++ (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) &
++ SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) {
+ if (is_long_mode(vcpu))
+ msr_bitmap = vmx_msr_bitmap_longmode_x2apic;
+ else
+@@ -4783,6 +4785,19 @@ static void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx));
++ if (cpu_has_secondary_exec_ctrls()) {
++ if (kvm_vcpu_apicv_active(vcpu))
++ vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL,
++ SECONDARY_EXEC_APIC_REGISTER_VIRT |
++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++ else
++ vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL,
++ SECONDARY_EXEC_APIC_REGISTER_VIRT |
++ SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++ }
++
++ if (cpu_has_vmx_msr_bitmap())
++ vmx_set_msr_bitmap(vcpu);
+ }
+
+ static u32 vmx_exec_control(struct vcpu_vmx *vmx)
+@@ -6329,23 +6344,20 @@ static __init int hardware_setup(void)
+
+ set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */
+
+- if (enable_apicv) {
+- for (msr = 0x800; msr <= 0x8ff; msr++)
+- vmx_disable_intercept_msr_read_x2apic(msr);
+-
+- /* According SDM, in x2apic mode, the whole id reg is used.
+- * But in KVM, it only use the highest eight bits. Need to
+- * intercept it */
+- vmx_enable_intercept_msr_read_x2apic(0x802);
+- /* TMCCT */
+- vmx_enable_intercept_msr_read_x2apic(0x839);
+- /* TPR */
+- vmx_disable_intercept_msr_write_x2apic(0x808);
+- /* EOI */
+- vmx_disable_intercept_msr_write_x2apic(0x80b);
+- /* SELF-IPI */
+- vmx_disable_intercept_msr_write_x2apic(0x83f);
+- }
++ for (msr = 0x800; msr <= 0x8ff; msr++)
++ vmx_disable_intercept_msr_read_x2apic(msr);
++
++ /* According SDM, in x2apic mode, the whole id reg is used. But in
++ * KVM, it only use the highest eight bits. Need to intercept it */
++ vmx_enable_intercept_msr_read_x2apic(0x802);
++ /* TMCCT */
++ vmx_enable_intercept_msr_read_x2apic(0x839);
++ /* TPR */
++ vmx_disable_intercept_msr_write_x2apic(0x808);
++ /* EOI */
++ vmx_disable_intercept_msr_write_x2apic(0x80b);
++ /* SELF-IPI */
++ vmx_disable_intercept_msr_write_x2apic(0x83f);
+
+ if (enable_ept) {
+ kvm_mmu_set_mask_ptes(0ull,
+--
+2.5.5
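Review bot: The `hardware_setup()` change opens the x2APIC MSR range 0x800-0x8ff in the x2APIC bitmaps unconditionally, where it was previously guarded by `enable_apicv`. The only thing that now keeps those pass-through entries away from a guest without APICv is the new `SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE` test in `vmx_set_msr_bitmap()`. That dependency is not written down in the code; I would add a comment above the loop such as `/* safe unconditionally: the x2apic bitmaps are only selected when virtualize-x2APIC mode is set in the VMCS, see vmx_set_msr_bitmap() */`. Separately, the carried file is a v3 list posting with no `From <sha>` line and a `Date:` header that still carries the archive's relative age, so it should be replaced by the upstream commit once one exists. All three functions touched continue outside their hunks.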
diff --git a/sources b/sources
index ab2baebf7..89eacce1f 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
d2927020e24a76da4ab482a8bc3e9ef3 linux-4.6.tar.xz
fd23b14b9d474c3dfacb6e8ee82d3a51 perf-man-4.6.tar.gz
-be912d5f22aba6286ac2e205e2ce1202 patch-4.6-git4.xz
+9bcfe711504d6e532084a2c2cc610b73 patch-4.6-git5.xz