Merge tag 'debian/4.5.5-1'

10 files changed, 468 insertions, 1 deletions

diff --git a/debian/changelog b/debian/changelog
index b301b49f8738..f4dd64071e4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -91,6 +91,121 @@ linux (4.6~rc3-1~exp1) experimental; urgency=medium
 
  -- Ben Hutchings <ben@decadent.org.uk>  Thu, 14 Apr 2016 23:55:15 +0100
 
+linux (4.5.5-1) unstable; urgency=medium
+
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.5
+    - decnet: Do not build routes to devices without decnet private data.
+    - route: do not cache fib route info on local routes with oif
+    - packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
+    - net: sched: do not requeue a NULL skb
+    - bpf/verifier: reject invalid LD_ABS | BPF_DW instruction
+    - cdc_mbim: apply "NDP to end" quirk to all Huawei devices
+    - soreuseport: fix ordering for mixed v4/v6 sockets
+    - net: use skb_postpush_rcsum instead of own implementations
+    - vlan: pull on __vlan_insert_tag error path and fix csum correction
+    - openvswitch: Orphan skbs before IPv6 defrag
+    - openvswitch: use flow protocol when recalculating ipv6 checksums
+    - net/mlx5_core: Fix soft lockup in steering error flow
+    - net/mlx5e: Device's mtu field is u16 and not int
+    - net/mlx5e: Fix minimum MTU
+    - net/mlx5e: Use vport MTU rather than physical port MTU
+    - ipv4/fib: don't warn when primary address is missing if in_dev is dead
+    - net/mlx4_en: fix spurious timestamping callbacks
+    - net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case
+    - gre: do not pull header in ICMP error processing
+    - net_sched: introduce qdisc_replace() helper
+    - net_sched: update hierarchical backlog too
+    - sch_htb: update backlog as well
+    - sch_dsmark: update backlog as well
+    - netem: Segment GSO packets on enqueue
+    - ipv6/ila: fix nlsize calculation for lwtunnel
+    - net/mlx4_en: Fix endianness bug in IPV6 csum calculation
+    - [x86] VSOCK: do not disconnect socket when peer has shutdown SEND only
+    - net: bridge: fix old ioctl unlocked net device walk
+    - bridge: fix igmp / mld query parsing
+    - net: fix a kernel infoleak in x25 module (CVE-2016-4580)
+    - net: thunderx: avoid exposing kernel stack
+    - tcp: refresh skb timestamp at retransmit time
+    - net/route: enforce hoplimit max value
+    - ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang
+    - ocfs2: fix posix_acl_create deadlock
+    - zsmalloc: fix zs_can_compact() integer overflow
+    - mm: thp: calculate the mapcount correctly for THP pages during WP faults
+    - [x86] crypto: qat - fix invalid pf2vf_resp_wq logic
+    - crypto: testmgr - Use kmalloc memory for RSA input
+    - ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
+    - ALSA: usb-audio: Yet another Phoneix Audio device quirk
+    - ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
+    - ALSA: hda - Fix white noise on Asus UX501VW headset
+    - ALSA: hda - Fix broken reconfig
+    - [armhf] spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is
+      overridden
+    - [armhf] spi: spi-ti-qspi: Handle truncated frames properly
+    - perf diff: Fix duplicated output column
+    - perf/core: Disable the event on a truncated AUX record
+    - vfs: rename: check backing inode being equal
+    - workqueue: fix rebind bound workers warning
+    - [armhf] regulator: s2mps11: Fix invalid selector mask and voltages
+      for buck9
+    - [armhf] regulator: axp20x: Fix axp22x ldo_io voltage ranges
+    - atomic_open(): fix the handling of create_error
+    - qla1280: Don't allocate 512kb of host tags
+    - tools lib traceevent: Do not reassign parg after collapse_tree()
+    - [x86] drm/i915: Update CDCLK_FREQ register on BDW after changing cdclk
+      frequency
+    - drm/radeon: fix PLL sharing on DCE6.1 (v2)
+    - [x86] drm/i915: Bail out of pipe config compute loop on LPT
+    - [x86] Revert "drm/i915: start adding dp mst audio"
+    - [x86] drm/i915/bdw: Add missing delay during L3 SQC credit programming
+    - drm/radeon: fix DP link training issue with second 4K monitor
+    - drm/radeon: fix DP mode validation
+    - [x86] drm/amdgpu: fix DP mode validation
+    - btrfs: reada: Fix in-segment calculation for reada
+    - Btrfs: fix truncate_space_check
+    - btrfs: remove error message from search ioctl for nonexistent tree
+    - btrfs: change max_inline default to 2048
+    - Btrfs: fix unreplayable log after snapshot delete + parent dir fsync
+    - Btrfs: fix file loss on log replay after renaming a file and fsync
+    - Btrfs: fix extent_same allowing destination offset beyond i_size
+    - Btrfs: fix deadlock between direct IO reads and buffered writes
+    - Btrfs: fix race when checking if we can skip fsync'ing an inode
+    - Btrfs: do not collect ordered extents when logging that inode exists
+    - btrfs: csum_tree_block: return proper errno value
+    - btrfs: do not write corrupted metadata blocks to disk
+    - Btrfs: fix invalid reference in replace_path
+    - btrfs: handle non-fatal errors in btrfs_qgroup_inherit()
+    - btrfs: fallback to vmalloc in btrfs_compare_tree
+    - Btrfs: don't use src fd for printk
+    - btrfs: Reset IO error counters before start of device replacing
+
+  [ Salvatore Bonaccorso ]
+  * tipc: check nl sock before parsing nested attributes (CVE-2016-4951)
+
+  [ Ben Hutchings ]
+  * aufs: Update support patches to aufs4.5-20160523
+    - mmap: Fix use-after-free in remap_file_pages(2)
+  * Revert "stmmac: Fix 'eth0: No PHY found' regression" (Closes: #823493)
+  * [x86] kvm:vmx: more complete state update on APICv on/off (CVE-2016-4440)
+  * USB: usbfs: fix potential infoleak in devio (CVE-2016-4482)
+  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (CVE-2016-4569)
+  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback or
+    snd_timer_user_tinterrupt (CVE-2016-4578)
+  * dwc3-exynos: Fix deferred probing storm (Closes: #823552; thanks to
+    Steinar H. Gunderson)
+  * Re-apply "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing",
+    reverted upstream in 4.5.5
+
+  [ Roger Shimizu ]
+  * [armhf] Enable SENSORS_PWM_FAN / PWM_SAMSUNG as module, as recommended by
+    Steinar H. Gunderson. (Closes: #824941)
+  * [armhf] For Odroid-U3 (Exynos4) support, enable ARCH_EXYNOS4 / MFD_MAX77686
+    / RTC_DRV_MAX77686 as built-in, and COMMON_CLK_MAX77686
+    / REGULATOR_MAX77686 / MMC_SDHCI_S3C as module. Thanks to
+    Vagrant Cascadian. (Closes: #825139)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 29 May 2016 22:21:11 +0100
+
 linux (4.5.4-1) unstable; urgency=medium
 
   * New upstream stable update:
diff --git a/debian/config/armhf/config b/debian/config/armhf/config
index 22129c4a59f4..bcfc316c51dc 100644
--- a/debian/config/armhf/config
+++ b/debian/config/armhf/config
@@ -47,7 +47,7 @@ CONFIG_ARCH_BCM2835=y
 ##
 CONFIG_ARCH_EXYNOS=y
 # CONFIG_ARCH_EXYNOS3 is not set
-# CONFIG_ARCH_EXYNOS4 is not set
+CONFIG_ARCH_EXYNOS4=y
 CONFIG_ARCH_EXYNOS5=y
 CONFIG_EXYNOS5420_MCPM=y
 
@@ -176,6 +176,7 @@ CONFIG_HW_RANDOM_OMAP=m
 ##
 ## file: drivers/clk/Kconfig
 ##
+CONFIG_COMMON_CLK_MAX77686=m
 CONFIG_COMMON_CLK_S2MPS11=m
 CONFIG_CLK_TWL6040=m
 
@@ -362,6 +363,7 @@ CONFIG_OMAP_SSI=m
 ##
 CONFIG_SENSORS_G762=m
 CONFIG_SENSORS_GPIO_FAN=m
+CONFIG_SENSORS_PWM_FAN=m
 
 ##
 ## file: drivers/hwspinlock/Kconfig
@@ -532,6 +534,7 @@ CONFIG_MFD_AS3722=y
 CONFIG_MFD_AXP20X_I2C=y
 CONFIG_MFD_DA9052_SPI=y
 CONFIG_MFD_DA9052_I2C=y
+CONFIG_MFD_MAX77686=y
 CONFIG_MFD_MC13XXX_SPI=m
 CONFIG_MFD_MC13XXX_I2C=m
 CONFIG_MFD_SEC_CORE=y
@@ -565,6 +568,7 @@ CONFIG_MMC_SDHCI_ESDHC_IMX=m
 CONFIG_MMC_SDHCI_TEGRA=m
 CONFIG_MMC_SDHCI_PXAV3=m
 CONFIG_MMC_SDHCI_BCM2835=m
+CONFIG_MMC_SDHCI_S3C=m
 CONFIG_MMC_OMAP=m
 CONFIG_MMC_OMAP_HS=m
 CONFIG_MMC_MVSDIO=m
@@ -854,6 +858,7 @@ CONFIG_PWM=y
 CONFIG_PWM_BCM2835=m
 CONFIG_PWM_IMX=m
 CONFIG_PWM_ROCKCHIP=m
+CONFIG_PWM_SAMSUNG=m
 CONFIG_PWM_SUN4I=m
 CONFIG_PWM_TEGRA=m
 CONFIG_PWM_TIECAP=m
@@ -873,6 +878,7 @@ CONFIG_REGULATOR_AXP20X=m
 CONFIG_REGULATOR_DA9052=m
 CONFIG_REGULATOR_FAN53555=m
 CONFIG_REGULATOR_GPIO=m
+CONFIG_REGULATOR_MAX77686=m
 CONFIG_REGULATOR_MC13783=m
 CONFIG_REGULATOR_MC13892=m
 CONFIG_REGULATOR_PALMAS=y
@@ -901,6 +907,7 @@ CONFIG_RTC_DRV_DA9052=y
 CONFIG_RTC_DRV_EFI=y
 CONFIG_RTC_DRV_IMXDI=y
 CONFIG_RTC_DRV_OMAP=y
+CONFIG_RTC_DRV_MAX77686=y
 CONFIG_RTC_DRV_PL030=y
 CONFIG_RTC_DRV_PL031=y
 CONFIG_RTC_DRV_VT8500=y
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
new file mode 100644
index 000000000000..7881d70d884e
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:20 -0400
+Subject: [1/2] ALSA: timer: Fix leak in events via snd_timer_user_ccallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1247,6 +1247,7 @@ static void snd_timer_user_ccallback(str
+ 		tu->tstamp = *tstamp;
+ 	if ((tu->filter & (1 << event)) == 0 || !tu->tread)
+ 		return;
++	memset(&r1, 0, sizeof(r1));
+ 	r1.event = event;
+ 	r1.tstamp = *tstamp;
+ 	r1.val = resolution;
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
new file mode 100644
index 000000000000..cf9da77fc6c3
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:32 -0400
+Subject: [2/2] ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/e4ec8cc8039a7063e24204299b462bd1383184a5
+
+The stack object “r1” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1290,6 +1290,7 @@ static void snd_timer_user_tinterrupt(st
+ 	}
+ 	if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) &&
+ 	    tu->last_resolution != resolution) {
++		memset(&r1, 0, sizeof(r1));
+ 		r1.event = SNDRV_TIMER_EVENT_RESOLUTION;
+ 		r1.tstamp = tstamp;
+ 		r1.val = resolution;
diff --git a/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
new file mode 100644
index 000000000000..c67d2f71c0eb
--- /dev/null
+++ b/debian/patches/bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
@@ -0,0 +1,28 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:44:07 -0400
+Subject: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/cec8f96e49d9be372fdb0c3836dcf31ec71e457e
+
+The stack object “tread” has a total size of 32 bytes. Its field
+“event” and “val” both contain 4 bytes padding. These 8 bytes
+padding bytes are sent to user without being initialized.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1755,6 +1755,7 @@ static int snd_timer_user_params(struct
+ 	if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) {
+ 		if (tu->tread) {
+ 			struct snd_timer_tread tread;
++			memset(&tread, 0, sizeof(tread));
+ 			tread.event = SNDRV_TIMER_EVENT_EARLY;
+ 			tread.tstamp.tv_sec = 0;
+ 			tread.tstamp.tv_nsec = 0;
diff --git a/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch b/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch
new file mode 100644
index 000000000000..934147dd5293
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch
@@ -0,0 +1,36 @@
+From: Richard Alpe <richard.alpe@ericsson.com>
+Date: Mon, 16 May 2016 11:14:54 +0200
+Subject: tipc: check nl sock before parsing nested attributes
+Origin: https://git.kernel.org/linus/45e093ae2830cd1264677d47ff9a95a71f5d9f9c
+
+Make sure the socket for which the user is listing publication exists
+before parsing the socket netlink attributes.
+
+Prior to this patch a call without any socket caused a NULL pointer
+dereference in tipc_nl_publ_dump().
+
+Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/tipc/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 1262889..3b7a799 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2853,6 +2853,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ 		if (err)
+ 			return err;
+ 
++		if (!attrs[TIPC_NLA_SOCK])
++			return -EINVAL;
++
+ 		err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
+ 				       attrs[TIPC_NLA_SOCK],
+ 				       tipc_nl_sock_policy);
+-- 
+2.8.1
+
diff --git a/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644
index 000000000000..dee56c6ce512
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
@@ -0,0 +1,36 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/681fef8380eb818c0b845fca5d2ab1dcbab114ee
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1186,10 +1186,11 @@ static int proc_getdriver(struct usb_dev
+ 
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+-	struct usbdevfs_connectinfo ci = {
+-		.devnum = ps->dev->devnum,
+-		.slow = ps->dev->speed == USB_SPEED_LOW
+-	};
++	struct usbdevfs_connectinfo ci;
++
++	memset(&ci, 0, sizeof(ci));
++	ci.devnum = ps->dev->devnum;
++	ci.slow = ps->dev->speed == USB_SPEED_LOW;
+ 
+ 	if (copy_to_user(arg, &ci, sizeof(ci)))
+ 		return -EFAULT;
diff --git a/debian/patches/bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch b/debian/patches/bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch
new file mode 100644
index 000000000000..08d894fc4eec
--- /dev/null
+++ b/debian/patches/bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch
@@ -0,0 +1,81 @@
+From: "Steinar H. Gunderson" <sesse@google.com>
+Date: Tue, 24 May 2016 20:13:15 +0200
+Forwarded: http://mid.gmane.org/E1b6Hj3-0001MI-AS@pannekake.samfundet.no
+Subject: dwc3-exynos: Fix deferred probing storm.
+Bug-Debian: https://bugs.debian.org/823552
+
+dwc3-exynos has two problems during init if the regulators are slow
+to come up (for instance if the I2C bus driver is not on the initramfs)
+and return probe deferral. First, every time this happens, the driver
+leaks the USB phys created; they need to be deallocated on error.
+
+Second, since the phy devices are created before the regulators fail,
+this means that there's a new device to re-trigger deferred probing,
+which causes it to essentially go into a busy loop of re-probing the
+device until the regulators come up.
+
+Move the phy creation to after the regulators have succeeded, and also
+fix cleanup on failure. On my ODROID XU4 system (with Debian's initramfs
+which doesn't contain the I2C driver), this reduces the number of probe
+attempts (for each of the two controllers) from more than 2000 to eight.
+
+Signed-off-by: Steinar H. Gunderson <sesse@google.com>
+Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Reviewed-by: Vivek Gautam <gautam.vivek@samsung.com>
+Fixes: d720f057fda4 ("usb: dwc3: exynos: add nop transceiver support")
+Cc: <stable@vger.kernel.org>
+---
+ drivers/usb/dwc3/dwc3-exynos.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-exynos.c b/drivers/usb/dwc3/dwc3-exynos.c
+index dd5cb55..2f1fb7e 100644
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -128,12 +128,6 @@ static int dwc3_exynos_probe(struct platform_device *pdev)
+ 
+ 	platform_set_drvdata(pdev, exynos);
+ 
+-	ret = dwc3_exynos_register_phys(exynos);
+-	if (ret) {
+-		dev_err(dev, "couldn't register PHYs\n");
+-		return ret;
+-	}
+-
+ 	exynos->dev	= dev;
+ 
+ 	exynos->clk = devm_clk_get(dev, "usbdrd30");
+@@ -183,20 +177,29 @@ static int dwc3_exynos_probe(struct platform_device *pdev)
+ 		goto err3;
+ 	}
+ 
++	ret = dwc3_exynos_register_phys(exynos);
++	if (ret) {
++		dev_err(dev, "couldn't register PHYs\n");
++		goto err4;
++	}
++
+ 	if (node) {
+ 		ret = of_platform_populate(node, NULL, NULL, dev);
+ 		if (ret) {
+ 			dev_err(dev, "failed to add dwc3 core\n");
+-			goto err4;
++			goto err5;
+ 		}
+ 	} else {
+ 		dev_err(dev, "no device node, failed to add dwc3 core\n");
+ 		ret = -ENODEV;
+-		goto err4;
++		goto err5;
+ 	}
+ 
+ 	return 0;
+ 
++err5:
++	platform_device_unregister(exynos->usb2_phy);
++	platform_device_unregister(exynos->usb3_phy);
+ err4:
+ 	regulator_disable(exynos->vdd10);
+ err3:
+
+
diff --git a/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch b/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
new file mode 100644
index 000000000000..ca5e6ad6e020
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
@@ -0,0 +1,101 @@
+From: Roman Kagan <rkagan@virtuozzo.com>
+Subject: kvm:vmx: more complete state update on APICv on/off
+Date: Wed, 18 May 2016 17:48:20 +0300
+Origin: http://article.gmane.org/gmane.comp.emulators.kvm.devel/152191
+
+The function to update APICv on/off state (in particular, to deactivate
+it when enabling Hyper-V SynIC), used to be incomplete: it didn't adjust
+APICv-related fields among secondary processor-based VM-execution
+controls.
+
+As a result, Windows 2012 guests would get stuck when SynIC-based
+auto-EOI interrupt intersected with e.g. an IPI in the guest.
+
+In addition, the MSR intercept bitmap wasn't updated to correspond to
+whether "virtualize x2APIC mode" was enabled.  This path used not to be
+triggered, since Windows didn't use x2APIC but rather their own
+synthetic APIC access MSRs; however it represented a security risk
+because the guest running in a SynIC-enabled VM could switch to x2APIC
+and thus obtain direct access to host APIC MSRs (thanks to Yang Zhang
+<yang.zhang.wz@gmail.com> for spotting this).
+
+The patch fixes those omissions.
+
+Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
+Cc: Steve Rutherford <srutherford@google.com>
+Cc: Yang Zhang <yang.zhang.wz@gmail.com>
+---
+ arch/x86/kvm/vmx.c | 48 ++++++++++++++++++++++++++++++------------------
+ 1 file changed, 30 insertions(+), 18 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -2397,7 +2397,9 @@ static void vmx_set_msr_bitmap(struct kv
+ 
+ 	if (is_guest_mode(vcpu))
+ 		msr_bitmap = vmx_msr_bitmap_nested;
+-	else if (vcpu->arch.apic_base & X2APIC_ENABLE) {
++	else if (cpu_has_secondary_exec_ctrls() &&
++		 (vmcs_read32(SECONDARY_VM_EXEC_CONTROL) &
++		  SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE)) {
+ 		if (is_long_mode(vcpu))
+ 			msr_bitmap = vmx_msr_bitmap_longmode_x2apic;
+ 		else
+@@ -4758,6 +4760,19 @@ static void vmx_refresh_apicv_exec_ctrl(
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+ 
+ 	vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, vmx_pin_based_exec_ctrl(vmx));
++	if (cpu_has_secondary_exec_ctrls()) {
++		if (kvm_vcpu_apicv_active(vcpu))
++			vmcs_set_bits(SECONDARY_VM_EXEC_CONTROL,
++				      SECONDARY_EXEC_APIC_REGISTER_VIRT |
++				      SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++		else
++			vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL,
++					SECONDARY_EXEC_APIC_REGISTER_VIRT |
++					SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY);
++	}
++
++	if (cpu_has_vmx_msr_bitmap())
++		vmx_set_msr_bitmap(vcpu);
+ }
+ 
+ static u32 vmx_exec_control(struct vcpu_vmx *vmx)
+@@ -6313,23 +6328,20 @@ static __init int hardware_setup(void)
+ 
+ 	set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */
+ 
+-	if (enable_apicv) {
+-		for (msr = 0x800; msr <= 0x8ff; msr++)
+-			vmx_disable_intercept_msr_read_x2apic(msr);
+-
+-		/* According SDM, in x2apic mode, the whole id reg is used.
+-		 * But in KVM, it only use the highest eight bits. Need to
+-		 * intercept it */
+-		vmx_enable_intercept_msr_read_x2apic(0x802);
+-		/* TMCCT */
+-		vmx_enable_intercept_msr_read_x2apic(0x839);
+-		/* TPR */
+-		vmx_disable_intercept_msr_write_x2apic(0x808);
+-		/* EOI */
+-		vmx_disable_intercept_msr_write_x2apic(0x80b);
+-		/* SELF-IPI */
+-		vmx_disable_intercept_msr_write_x2apic(0x83f);
+-	}
++	for (msr = 0x800; msr <= 0x8ff; msr++)
++		vmx_disable_intercept_msr_read_x2apic(msr);
++
++	/* According SDM, in x2apic mode, the whole id reg is used.  But in
++	 * KVM, it only use the highest eight bits. Need to intercept it */
++	vmx_enable_intercept_msr_read_x2apic(0x802);
++	/* TMCCT */
++	vmx_enable_intercept_msr_read_x2apic(0x839);
++	/* TPR */
++	vmx_disable_intercept_msr_write_x2apic(0x808);
++	/* EOI */
++	vmx_disable_intercept_msr_write_x2apic(0x80b);
++	/* SELF-IPI */
++	vmx_disable_intercept_msr_write_x2apic(0x83f);
+ 
+ 	if (enable_ept) {
+ 		kvm_mmu_set_mask_ptes(0ull,
diff --git a/debian/patches/series b/debian/patches/series
index f28f1eddc9a2..d64c767994c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -49,6 +49,7 @@ bugfix/mips/MIPS-Disable-preemption-during-prctl-PR_SET_FP_MODE.patch
 bugfix/mips/MIPS-Force-CPUs-to-lose-FP-context-during-mode-switc.patch
 bugfix/x86/revert-sp5100_tco-fix-the-device-check-for-SB800-and.patch
 bugfix/powerpc/powerpc-fix-sstep-compile-on-powerpcspe.patch
+bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch
 
 # Arch features
 features/mips/MIPS-increase-MAX-PHYSMEM-BITS-on-Loongson-3-only.patch
@@ -103,6 +104,12 @@ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
 bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
+bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch
+bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch
+bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
+bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
+bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
 
 # Tools bug fixes
 bugfix/all/usbip-document-tcp-wrappers.patch