Update to 4.6.1

debian/changelog

@@ -1,5 +1,9 @@
-linux (4.6-1~exp3) UNRELEASED; urgency=medium
+linux (4.6.1-1~exp1) UNRELEASED; urgency=medium
 
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.6.1
+
+  [ Ben Hutchings ]
   * [mips*r6*] Disable these architectures until dak recognises them as valid
     in the control file
   * linux-image: Rewrite maintainer scripts in shell, using the new

debian/patches/bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch

@@ -1,44 +0,0 @@
-From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
-Subject: [PATCH] KVM: MTRR: remove MSR 0x2f8
-Origin: http://article.gmane.org/gmane.comp.security.oss.general/19584
-
-MSR 0x2f8 accessed the 124th Variable Range MTRR ever since MTRR support
-was introduced by 9ba075a664df ("KVM: MTRR support").
-
-0x2f8 became harmful when 910a6aae4e2e ("KVM: MTRR: exactly define the
-size of variable MTRRs") shrinked the array of VR MTRRs from 256 to 8,
-which made access to index 124 out of bounds.  The surrounding code only
-WARNs in this situation, thus the guest gained a limited read/write
-access to struct kvm_arch_vcpu.
-
-0x2f8 is not a valid VR MTRR MSR, because KVM has/advertises only 16 VR
-MTRR MSRs, 0x200-0x20f.  Every VR MTRR is set up using two MSRs, 0x2f8
-was treated as a PHYSBASE and 0x2f9 would be its PHYSMASK, but 0x2f9 was
-not implemented in KVM, therefore 0x2f8 could never do anything useful
-and getting rid of it is safe.
-
-This fixes CVE-2016-3713.
-
-Fixes: 910a6aae4e2e ("KVM: MTRR: exactly define the size of variable MTRRs")
-Cc: stable@vger.kernel.org
-Reported-by: David Matlack <dmatlack@google.com>
-Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
----
- arch/x86/kvm/mtrr.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/arch/x86/kvm/mtrr.c b/arch/x86/kvm/mtrr.c
-index 3f8c732117ec..c146f3c262c3 100644
---- a/arch/x86/kvm/mtrr.c
-+++ b/arch/x86/kvm/mtrr.c
-@@ -44,8 +44,6 @@ static bool msr_mtrr_valid(unsigned msr)
- 	case MSR_MTRRdefType:
- 	case MSR_IA32_CR_PAT:
- 		return true;
--	case 0x2f8:
--		return true;
- 	}
- 	return false;
- }
--- 
-2.8.1

debian/patches/bugfix/x86/revert-sp5100_tco-fix-the-device-check-for-SB800-and.patch

@@ -1,74 +0,0 @@
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Mon, 2 May 2016 21:15:00 +0200
-Subject: Revert "sp5100_tco: fix the device check for SB800 and later chipsets"
-Bug: https://bugzilla.kernel.org/show_bug.cgi?id=114201
-Bug-Debian: https://bugs.debian.org/823146
-Forwarded: no
-
-This reverts commit bdecfcdb5461834aab24002bb18d3cbdd907b7fb, which
-caused log flooding and hung CPUs on some systems.
----
- drivers/watchdog/sp5100_tco.c | 28 ++++++++++++----------------
- 1 file changed, 12 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/watchdog/sp5100_tco.c b/drivers/watchdog/sp5100_tco.c
-index 6467b91f2245..0ccadb44b609 100644
---- a/drivers/watchdog/sp5100_tco.c
-+++ b/drivers/watchdog/sp5100_tco.c
-@@ -335,24 +335,21 @@ static unsigned char sp5100_tco_setupdevice(void)
- 	if (!sp5100_tco_pci)
- 		return 0;
- 
--	pr_info("PCI Vendor ID: 0x%x, Device ID: 0x%x, Revision ID: 0x%x\n",
--		sp5100_tco_pci->vendor, sp5100_tco_pci->device,
--		sp5100_tco_pci->revision);
-+	pr_info("PCI Revision ID: 0x%x\n", sp5100_tco_pci->revision);
- 
- 	/*
- 	 * Determine type of southbridge chipset.
- 	 */
--	if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
--	    sp5100_tco_pci->revision < 0x40) {
--		dev_name = SP5100_DEVNAME;
--		index_reg = SP5100_IO_PM_INDEX_REG;
--		data_reg = SP5100_IO_PM_DATA_REG;
--		base_addr = SP5100_PM_WATCHDOG_BASE;
--	} else {
-+	if (sp5100_tco_pci->revision >= 0x40) {
- 		dev_name = SB800_DEVNAME;
- 		index_reg = SB800_IO_PM_INDEX_REG;
- 		data_reg = SB800_IO_PM_DATA_REG;
- 		base_addr = SB800_PM_WATCHDOG_BASE;
-+	} else {
-+		dev_name = SP5100_DEVNAME;
-+		index_reg = SP5100_IO_PM_INDEX_REG;
-+		data_reg = SP5100_IO_PM_DATA_REG;
-+		base_addr = SP5100_PM_WATCHDOG_BASE;
- 	}
- 
- 	/* Request the IO ports used by this driver */
-@@ -388,12 +385,7 @@ static unsigned char sp5100_tco_setupdevice(void)
- 	 * Secondly, Find the watchdog timer MMIO address
- 	 * from SBResource_MMIO register.
- 	 */
--	if (sp5100_tco_pci->device == PCI_DEVICE_ID_ATI_SBX00_SMBUS &&
--	    sp5100_tco_pci->revision < 0x40) {
--		/* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */
--		pci_read_config_dword(sp5100_tco_pci,
--				      SP5100_SB_RESOURCE_MMIO_BASE, &val);
--	} else {
-+	if (sp5100_tco_pci->revision >= 0x40) {
- 		/* Read SBResource_MMIO from AcpiMmioEn(PM_Reg: 24h) */
- 		outb(SB800_PM_ACPI_MMIO_EN+3, SB800_IO_PM_INDEX_REG);
- 		val = inb(SB800_IO_PM_DATA_REG);
-@@ -403,6 +395,10 @@ static unsigned char sp5100_tco_setupdevice(void)
- 		val = val << 8 | inb(SB800_IO_PM_DATA_REG);
- 		outb(SB800_PM_ACPI_MMIO_EN+0, SB800_IO_PM_INDEX_REG);
- 		val = val << 8 | inb(SB800_IO_PM_DATA_REG);
-+	} else {
-+		/* Read SBResource_MMIO from PCI config(PCI_Reg: 9Ch) */
-+		pci_read_config_dword(sp5100_tco_pci,
-+				      SP5100_SB_RESOURCE_MMIO_BASE, &val);
- 	}
- 
- 	/* The SBResource_MMIO is enabled and mapped memory space? */

debian/patches/series

@@ -47,7 +47,6 @@ bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
 bugfix/mips/MIPS-Allow-emulation-for-unaligned-LSDXC1-instructions.patch
 bugfix/mips/MIPS-Disable-preemption-during-prctl-PR_SET_FP_MODE.patch
 bugfix/mips/MIPS-Force-CPUs-to-lose-FP-context-during-mode-switc.patch
-bugfix/x86/revert-sp5100_tco-fix-the-device-check-for-SB800-and.patch
 bugfix/powerpc/powerpc-fix-sstep-compile-on-powerpcspe.patch
 bugfix/arm/dwc3-exynos-fix-deferred-probing-storm.patch
 
@@ -103,7 +102,6 @@ features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled
 # Security fixes
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/KVM-MTRR-remove-MSR-0x2f8.patch
 bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
 bugfix/all/tipc-check-nl-sock-before-parsing-nested-attributes.patch
 bugfix/x86/kvm-vmx-more-complete-state-update-on-apicv-on-off.patch