Untitled

commit 0c468cadbbc7a65c11042113b63838b16affa5d0
Author: Sabrina Dubroca <sd@queasysnail.net>
Date:   Wed Nov 4 14:47:53 2015 +0100

    ipv6: clean up dev_snmp6 proc entry when we fail to initialize inet6_dev

    [ Upstream commit 2a189f9e57650e9f310ddf4aad75d66c1233a064 ]

    In ipv6_add_dev, when addrconf_sysctl_register fails, we do not clean up
    the dev_snmp6 entry that we have already registered for this device.
    Call snmp6_unregister_dev in this case.

    Fixes: a317a2f19da7d ("ipv6: fail early when creating netdev named all or default")
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b724151849d9b60289ff4f829a544defc5e31881
Author: Martin Habets <mhabets@solarflare.com>
Date:   Mon Nov 2 12:51:31 2015 +0000

    sfc: push partner queue for skb->xmit_more

    [ Upstream commit b2663a4f30e85ec606b806f5135413e6d5c78d1e ]

    When the IP stack passes SKBs the sfc driver puts them in 2 different TX
    queues (called partners), one for checksummed and one for not checksummed.
    If the SKB has xmit_more set the driver will delay pushing the work to the
    NIC.

    When later it does decide to push the buffers this patch ensures it also
    pushes the partner queue, if that also has any delayed work. Before this
    fix the work in the partner queue would be left for a long time and cause
    a netdev watchdog.

    Fixes: 70b33fb ("sfc: add support for skb->xmit_more")
    Reported-by: Jianlin Shi <jishi@redhat.com>
    Signed-off-by: Martin Habets <mhabets@solarflare.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5a38002ee58d2ac061b289fc4f34c4da72598583
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Nov 2 17:08:19 2015 -0800

    sit: fix sit0 percpu double allocations

    [ Upstream commit 4ece9009774596ee3df0acba65a324b7ea79387c ]

    sit0 device allocates its percpu storage twice :
    - One time in ipip6_tunnel_init()
    - One time in ipip6_fb_tunnel_init()

    Thus we leak 48 bytes per possible cpu per network namespace dismantle.

    ipip6_fb_tunnel_init() can be much simpler and does not
    return an error, and should be called after register_netdev()

    Note that ipip6_tunnel_clone_6rd() also needs to be called
    after register_netdev() (calling ipip6_tunnel_init())

    Fixes: ebe084aafb7e ("sit: Use ipip6_tunnel_init as the ndo_init function.")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c48cc8bb582a83b2c64044abb73ad43900b13ef4
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Oct 24 05:47:44 2015 -0700

    ipv6: gre: support SIT encapsulation

    [ Upstream commit 7e3b6e7423d5f994257c1de88e06b509673fdbcf ]

    gre_gso_segment() chokes if SIT frames were aggregated by GRO engine.

    Fixes: 61c1db7fae21e ("ipv6: sit: add GSO/TSO support")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a83ab982ddbf61296f323c709ba7c0a3622a16a6
Author: Bjørn Mork <bjorn@mork.no>
Date:   Thu Oct 22 14:15:58 2015 +0200

    qmi_wwan: add Sierra Wireless MC74xx/EM74xx

    [ Upstream commit 0db65fcfcded76fe4f74e3ca9f4e2baf67b683ef ]

    New device IDs shamelessly lifted from the vendor driver.

    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f20b58288d77730caa69f8767977f7fc25d10f95
Author: Jason Wang <jasowang@redhat.com>
Date:   Wed Aug 5 10:34:04 2015 +0800

    virtio-net: drop NETIF_F_FRAGLIST

    [ Upstream commit 48900cb6af4282fa0fb6ff4d72a81aa3dadb5c39 ]

    virtio declares support for NETIF_F_FRAGLIST, but assumes
    that there are at most MAX_SKB_FRAGS + 2 fragments which isn't
    always true with a fraglist.

    A longer fraglist in the skb will make the call to skb_to_sgvec overflow
    the sg array, leading to memory corruption.

    Drop NETIF_F_FRAGLIST so we only get what we can handle.

    Cc: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 65dcc613f928ec6ed8f7bfbce217720a7f6c0ebc
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Nov 9 17:51:23 2015 -0800

    net: fix a race in dst_release()

    [ Upstream commit d69bbf88c8d0b367cf3e3a052f6daadf630ee566 ]

    Only cpu seeing dst refcount going to 0 can safely
    dereference dst->flags.

    Otherwise an other cpu might already have freed the dst.

    Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
    Reported-by: Greg Thelen <gthelen@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 59c3d7e9dadeb4960db61fc97239beb5d12a5773
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Oct 2 16:54:31 2015 -0700

    net: avoid NULL deref in inet_ctl_sock_destroy()

    [ Upstream commit 8fa677d2706d325d71dab91bf6e6512c05214e37 ]

    Under low memory conditions, tcp_sk_init() and icmp_sk_init()
    can both iterate on all possible cpus and call inet_ctl_sock_destroy(),
    with eventual NULL pointer.

    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 66858ce4963d3b5ea33920f104cdd7919554ce81
Author: Bjørn Mork <bjorn@mork.no>
Date:   Thu Oct 1 16:54:31 2015 -0700

    qmi_wwan: fix entry for HP lt4112 LTE/HSPA+ Gobi 4G Module

    [ Upstream commit 70910791731b5956171e1bfcad707766b8e18fee ]

    The lt4112 is a HP branded Huawei me906e modem. Like other Huawei
    modems, it does not have a fixed interface to function mapping.
    Instead it uses a Huawei specific scheme: functions are mapped by
    subclass and protocol.

    However, the HP vendor ID is used for modems from many different
    manufacturers using different schemes, so we cannot apply a generic
    vendor rule like we do for the Huawei vendor ID.

    Replace the previous lt4112 entry pointing to an arbitrary interface
    number with a device specific subclass + protocol match.

    Reported-and-tested-by: Muri Nicanor <muri+libqmi@immerda.ch>
    Tested-by: Martin Hauke <mardnh@gmx.de>
    Fixes: bb2bdeb83fb1 ("qmi_wwan: Add support for HP lt4112 LTE/HSPA+ Gobi 4G Modem")
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ecc599de1f4b9db6f71025c8ad24b0bf682a8bfc
Author: Ani Sinha <ani@arista.com>
Date:   Fri Oct 30 16:54:31 2015 -0700

    ipmr: fix possible race resulting from improper usage of IP_INC_STATS_BH() in preemptible context.

    [ Upstream commit 44f49dd8b5a606870a1f21101522a0f9c4414784 ]

    Fixes the following kernel BUG :

    BUG: using __this_cpu_add() in preemptible [00000000] code: bash/2758
    caller is __this_cpu_preempt_check+0x13/0x15
    CPU: 0 PID: 2758 Comm: bash Tainted: P           O   3.18.19 #2
     ffffffff8170eaca ffff880110d1b788 ffffffff81482b2a 0000000000000000
     0000000000000000 ffff880110d1b7b8 ffffffff812010ae ffff880007cab800
     ffff88001a060800 ffff88013a899108 ffff880108b84240 ffff880110d1b7c8
    Call Trace:
    [<ffffffff81482b2a>] dump_stack+0x52/0x80
    [<ffffffff812010ae>] check_preemption_disabled+0xce/0xe1
    [<ffffffff812010d4>] __this_cpu_preempt_check+0x13/0x15
    [<ffffffff81419d60>] ipmr_queue_xmit+0x647/0x70c
    [<ffffffff8141a154>] ip_mr_forward+0x32f/0x34e
    [<ffffffff8141af76>] ip_mroute_setsockopt+0xe03/0x108c
    [<ffffffff810553fc>] ? get_parent_ip+0x11/0x42
    [<ffffffff810e6974>] ? pollwake+0x4d/0x51
    [<ffffffff81058ac0>] ? default_wake_function+0x0/0xf
    [<ffffffff810553fc>] ? get_parent_ip+0x11/0x42
    [<ffffffff810613d9>] ? __wake_up_common+0x45/0x77
    [<ffffffff81486ea9>] ? _raw_spin_unlock_irqrestore+0x1d/0x32
    [<ffffffff810618bc>] ? __wake_up_sync_key+0x4a/0x53
    [<ffffffff8139a519>] ? sock_def_readable+0x71/0x75
    [<ffffffff813dd226>] do_ip_setsockopt+0x9d/0xb55
    [<ffffffff81429818>] ? unix_seqpacket_sendmsg+0x3f/0x41
    [<ffffffff813963fe>] ? sock_sendmsg+0x6d/0x86
    [<ffffffff813959d4>] ? sockfd_lookup_light+0x12/0x5d
    [<ffffffff8139650a>] ? SyS_sendto+0xf3/0x11b
    [<ffffffff810d5738>] ? new_sync_read+0x82/0xaa
    [<ffffffff813ddd19>] compat_ip_setsockopt+0x3b/0x99
    [<ffffffff813fb24a>] compat_raw_setsockopt+0x11/0x32
    [<ffffffff81399052>] compat_sock_common_setsockopt+0x18/0x1f
    [<ffffffff813c4d05>] compat_SyS_setsockopt+0x1a9/0x1cf
    [<ffffffff813c4149>] compat_SyS_socketcall+0x180/0x1e3
    [<ffffffff81488ea1>] cstar_dispatch+0x7/0x1e

    Signed-off-by: Ani Sinha <ani@arista.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 468880892e5f3dfac1176c01dccdffb9551cf45e
Author: Phil Reid <preid@electromag.com.au>
Date:   Fri Oct 30 16:43:55 2015 +0800

    stmmac: Correctly report PTP capabilities.

    [ Upstream commit e6dbe1eb2db0d7a14991c06278dd3030c45fb825 ]

    priv->hwts_*_en indicate if timestamping is enabled/disabled at run
    time. But  priv->dma_cap.time_stamp  and priv->dma_cap.atime_stamp
    indicates HW is support for PTPv1/PTPv2.

    Signed-off-by: Phil Reid <preid@electromag.com.au>
    Acked-by: Richard Cochran <richardcochran@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b9eb1e61a9a96922a67c10822751ec5eeb5cc45f
Author: Carol L Soto <clsoto@linux.vnet.ibm.com>
Date:   Tue Oct 27 17:36:20 2015 +0200

    net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes

    [ Upstream commit c02b05011fadf8e409e41910217ca689f2fc9d91 ]

    When doing memcpy/memset of EQEs, we should use sizeof struct
    mlx4_eqe as the base size and not caps.eqe_size which could be bigger.

    If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt
    data in the master context.

    When using a 64 byte stride, the memcpy copied over 63 bytes to the
    slave_eq structure.  This resulted in copying over the entire eqe of
    interest, including its ownership bit -- and also 31 bytes of garbage
    into the next WQE in the slave EQ -- which did NOT include the ownership
    bit (and therefore had no impact).

    However, once the stride is increased to 128, we are overwriting the
    ownership bits of *three* eqes in the slave_eq struct.  This results
    in an incorrect ownership bit for those eqes, which causes the eq to
    seem to be full. The issue therefore surfaced only once 128-byte EQEs
    started being used in SRIOV and (overarchitectures that have 128/256
    byte cache-lines such as PPC) - e.g after commit 77507aa249ae
    "net/mlx4_core: Enable CQE/EQE stride support".

    Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support')
    Signed-off-by: Carol L Soto <clsoto@linux.vnet.ibm.com>
    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fe9583e4721327a089e841713baa63b4fa27c07d
Author: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Date:   Mon Oct 26 12:46:37 2015 -0400

    RDS-TCP: Recover correctly from pskb_pull()/pksb_trim() failure in rds_tcp_data_recv

    [ Upstream commit 8ce675ff39b9958d1c10f86cf58e357efaafc856 ]

    Either of pskb_pull() or pskb_trim() may fail under low memory conditions.
    If rds_tcp_data_recv() ignores such failures, the application will
    receive corrupted data because the skb has not been correctly
    carved to the RDS datagram size.

    Avoid this by handling pskb_pull/pskb_trim failure in the same
    manner as the skb_clone failure: bail out of rds_tcp_data_recv(), and
    retry via the deferred call to rds_send_worker() that gets set up on
    ENOMEM from rds_tcp_read_sock()

    Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b7491ba5218ead37c335f6457848c8e93c655055
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Thu Oct 22 16:57:10 2015 +0200

    ppp: fix pppoe_dev deletion condition in pppoe_release()

    [ Upstream commit 1acea4f6ce1b1c0941438aca75dd2e5c6b09db60 ]

    We can't rely on PPPOX_ZOMBIE to decide whether to clear po->pppoe_dev.
    PPPOX_ZOMBIE can be set by pppoe_disc_rcv() even when po->pppoe_dev is
    NULL. So we have no guarantee that (sk->sk_state & PPPOX_ZOMBIE) implies
    (po->pppoe_dev != NULL).
    Since we're releasing a PPPoE socket, we want to release the pppoe_dev
    if it exists and reset sk_state to PPPOX_DEAD, no matter the previous
    value of sk_state. So we can just check for po->pppoe_dev and avoid any
    assumption on sk->sk_state.

    Fixes: 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release")
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 08b66c123bd04c501b3f2299c4dd885aca9160c5
Author: Jason Wang <jasowang@redhat.com>
Date:   Fri Oct 23 00:57:05 2015 -0400

    macvtap: unbreak receiving of gro skb with frag list

    [ Upstream commit f23d538bc24a83c16127c2eb82c9cf1adc2b5149 ]

    We don't have fraglist support in TAP_FEATURES. This will lead
    software segmentation of gro skb with frag list. Fixes by having
    frag list support in TAP_FEATURES.

    With this patch single session of netperf receiving were restored from
    about 5Gb/s to about 12Gb/s on mlx4.

    Fixes a567dd6252 ("macvtap: simplify usage of tap_features")
    Cc: Vlad Yasevich <vyasevic@redhat.com>
    Cc: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7d2c8abc68d63e287fe36a9df9bc59e5a47719ba
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Oct 19 13:16:49 2015 +0300

    irda: precedence bug in irlmp_seq_hb_idx()

    [ Upstream commit 50010c20597d14667eff0fdb628309986f195230 ]

    This is decrementing the pointer, instead of the value stored in the
    pointer.  KASan detects it as an out of bounds reference.

    Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b32d475dbf53b9be47ea1092539012dad1f7932b
Author: Paul Moore <pmoore@redhat.com>
Date:   Tue Dec 30 09:26:21 2014 -0500

    audit: create private file name copies when auditing inodes

    [ Upstream commit fcf22d8267ad2601fe9b6c549d1be96401c23e0b ]

    Unfortunately, while commit 4a928436 ("audit: correctly record file
    names with different path name types") fixed a problem where we were
    not recording filenames, it created a new problem by attempting to use
    these file names after they had been freed.  This patch resolves the
    issue by creating a copy of the filename which the audit subsystem
    frees after it is done with the string.

    At some point it would be nice to resolve this issue with refcounts,
    or something similar, instead of having to allocate/copy strings, but
    that is almost surely beyond the scope of a -rcX patch so we'll defer
    that for later.  On the plus side, only audit users should be impacted
    by the string copying.

    Reported-by: Toralf Foerster <toralf.foerster@gmx.de>
    Signed-off-by: Paul Moore <pmoore@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2f1d09037eeab4f3c89465fcb876a76ff651e12a
Author: Paul Moore <pmoore@redhat.com>
Date:   Mon Dec 22 12:27:39 2014 -0500

    audit: correctly record file names with different path name types

    [ Upstream commit 4a92843601ad0f5067f441d2f0dca55bbe18c076 ]

    There is a problem with the audit system when multiple audit records
    are created for the same path, each with a different path name type.
    The root cause of the problem is in __audit_inode() when an exact
    match (both the path name and path name type) is not found for a
    path name record; the existing code creates a new path name record,
    but it never sets the path name in this record, leaving it NULL.
    This patch corrects this problem by assigning the path name to these
    newly created records.

    There are many ways to reproduce this problem, but one of the
    easiest is the following (assuming auditd is running):

      # mkdir /root/tmp/test
      # touch /root/tmp/test/567
      # auditctl -a always,exit -F dir=/root/tmp/test
      # touch /root/tmp/test/567

    Afterwards, or while the commands above are running, check the audit
    log and pay special attention to the PATH records.  A faulty kernel
    will display something like the following for the file creation:

      type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
        success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
      type=CWD msg=audit(1416957442.025:93):  cwd="/root/tmp"
      type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
        inode=401409 ... nametype=PARENT
      type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
        inode=393804 ... nametype=NORMAL
      type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
        inode=393804 ... nametype=NORMAL

    While a patched kernel will show the following:

      type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
        success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
      type=CWD msg=audit(1416955786.566:89):  cwd="/root/tmp"
      type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
        inode=401409 ... nametype=PARENT
      type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
        inode=393804 ... nametype=NORMAL

    This issue was brought up by a number of people, but special credit
    should go to hujianyang@huawei.com for reporting the problem along
    with an explanation of the problem and a patch.  While the original
    patch did have some problems (see the archive link below), it did
    demonstrate the problem and helped kickstart the fix presented here.

      * https://lkml.org/lkml/2014/9/5/66

    Reported-by: hujianyang <hujianyang@huawei.com>
    Signed-off-by: Paul Moore <pmoore@redhat.com>
    Acked-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f0146c7ff3129ad8137ade130c0a804e63d1579d
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jul 3 11:53:03 2015 +0300

    mptfusion: prevent some memory corruption

    [ Upstream commit e819cdb198319cccf4af4fc12ac4d796109d8c23 ]

    These are signed values the come from the user, we put a cap on the
    upper bounds but not on the lower bounds.

    We use "karg.dataSgeOffset" to calculate "sz".  We verify "sz" and
    proceed as if that means that "karg.dataSgeOffset" is correct but this
    fails to consider that the "sz" calculations can have integer overflows.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: James Bottomley <JBottomley@Odin.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fd9ffdd1f79f1fd442b186c6fd702b4d71459c3c
Author: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Date:   Tue Jul 7 15:28:13 2015 +0100

    mfd: wm5110: Add register patch for rev E and above

    [ Upstream commit 81207880cef207cd89db863f9aa1d65f22b4f2a2 ]

    Add a register patch for rev E and above that configures the location of
    some write sequences to assist with the headphone enables.

    Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
    Acked-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1da953c20a7eca9d2dfe9c260c3f1a61ed44969e
Author: Nicholas Mc Guire <hofrat@osadl.org>
Date:   Sun Jun 7 11:34:40 2015 -0300

    [media] gscpa_m5602: use msecs_to_jiffies for conversions

    [ Upstream commit 63f2f417526fc54191f2b813f72dc1d5322bede8 ]

    API compliance scanning with coccinelle flagged:
    ./drivers/media/usb/gspca/m5602/m5602_s5k83a.c:180:9-25:
             WARNING: timeout (100) seems HZ dependent

    Numeric constants passed to schedule_timeout() make the effective
    timeout HZ dependent which makes little sense in a polling loop for
    the cameras rotation state.
    Fixed up by converting the constant to jiffies with msecs_to_jiffies()

    Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 52d42a7c1aac255fa0699497b5adeebe921da9bf
Author: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Date:   Wed Jan 28 22:53:53 2015 -0200

    [media] v4l: vsp1: Fix VI6_WPF_SZCLIP_SIZE_MASK macro

    [ Upstream commit 03b36e4dcf422a10da8b67bce2ed00b34ec58aac ]

    Clipping size bit of VI6_WPFn _HSZCLIP and VI6_WPFn _VSZCLIP register are from
    0 bit to 11 bit. But VI6_WPF_SZCLIP_SIZE_MASK is set to 0x1FFF, this will mask
    until the reserve bits. This fixes size for VI6_WPF_SZCLIP_SIZE_MASK.

    Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 8a6f1ccc84f161442f80fc8a6dfe7eebcac18d0e
Author: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Date:   Wed Jan 28 22:53:54 2015 -0200

    [media] v4l: vsp1: Fix VI6_DPR_ROUTE_FP_MASK macro

    [ Upstream commit 1aa7890324b497f96f07c20673fae58f26fabfe7 ]

    FP bit of VI6_DPR_mod_ROUTE register is 6bit. But VI6_DPR_ROUTE_FP_MASK is set
    to 0xFF, this will mask until the reserve bit.
    This fixes size for VI6_DPR_ROUTE_FP_MASK.

    Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0d4bca31e2974e42e6df0519b8a0b8bad1d463a8
Author: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Date:   Wed Jan 28 22:53:55 2015 -0200

    [media] v4l: vsp1: Fix VI6_DPR_ROUTE_FXA_MASK macro

    [ Upstream commit 45008ee9295b3ae96d7413ab91871907a671ca82 ]

    FXA bit of VI6_DPR_mod_ROUTE register starts from 16bit. But VI6_DPR_ROUTE_FXA_MASK
    is set to become start from 8bit. This fixes shift size for VI6_DPR_ROUTE_FXA_MASK.

    Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 23e0e849bb6f3a6ea2f58c779a3876de012da152
Author: Hans Verkuil <hans.verkuil@cisco.com>
Date:   Mon Jul 20 09:59:35 2015 -0300

    [media] usbvision: fix locking error

    [ Upstream commit e2c84ccb0fbe5e524d15bb09c042a6ca634adaed ]

    If remove_pending is non-zero, then the v4l2_lock is never unlocked.

    Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ccee6c265e76bdc9f7ea4a42c0db27e28b39dcbf
Author: Andrew Morton <akpm@linux-foundation.org>
Date:   Mon Sep 28 16:38:07 2015 -0700

    Input: zhenhua - ensure we have BITREVERSE

    [ Upstream commit d3b367bc26ea2e07a83fe73f0ccbddd729cb1f9a ]

    It uses bitrev8(), so it must ensure that lib/bitrev.o gets included in
    vmlinux.

    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c9366743e025947f8ec2e0b9fb2dca60bed947db
Author: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Date:   Mon Sep 28 15:59:22 2015 -0700

    Input: omap4-keypad - fix memory leak

    [ Upstream commit d79bdc7f004404204a6ac07785f8d6717070ecdb ]

    If omap4_keypad_parse_dt() fails we returned the error code but we
    missed releasing keypad_data.

    Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e6004b4d70df3607e2c258e69d2ada8234f9c7cb
Author: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Date:   Sun Sep 27 17:13:55 2015 -0700

    Input: serio - fix blocking of parport

    [ Upstream commit 1a5e251996e1b602f2ddc9261ee9de0ca1875bfa ]

    If parkbd_allocate_serio() fails to allocate memory we are releasing the
    parport but we missed unregistering the device. As a result this device
    with exclusive access to that parport remains registered. And no other
    device will be able to use that parport even though this driver has
    failed to load.

    Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7c4e78f59a93be4b62c7eee2aa7e14b92d38270c
Author: Stefan Assmann <sassmann@kpanic.de>
Date:   Wed Aug 26 13:11:49 2015 -0700

    Input: psmouse - add small delay for IBM trackpoint pass-through mode

    [ Upstream commit 66bc2f51ef7deabc8b8f3baa98ae64b65e5e973a ]

    There are trackpoint devices that fail to respond to the PS2 command
    PSMOUSE_CMD_GETID if immediately queried after the parent device is
    deactivated. Add a small delay for the hardware to get in a sane state
    before sending any PS2 commands.

    One example of such a system is:
    Lenovo ThinkPad X120e, model 30515QG
    synaptics: Touchpad model: 1, fw: 8.0, id: 0x1e2b1, caps: 0xd001a3/0x940300/0x121c00, board id: 1811, fw id: 797391

    Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4af4b38c1078c66b4d55a55a60393c414eb03602
Author: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Date:   Fri Aug 21 10:18:08 2015 -0400

    HID: quirks: add QUIRK_NOGET for an other TPV touchscreen

    [ Upstream commit c9b57724b38d4c1555ee49418be3d76801e3327c ]

    Looks like 0x8882 needs the same quirk than 0x8883.
    Given that both devices claim they are "TPV OpticalTouchScreen" rename
    the 0x8883 to add its PID in the #define.

    Reported-by: Blaine Lee <blaine.j.lee@medtronic.com>
    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 850ab913a9af3d87c7b5e240e1004e480691fee9
Author: Henrik Rydberg <rydberg@bitmath.org>
Date:   Fri Jul 24 14:45:05 2015 -0700

    HID: apple: Add support for the 2015 Macbook Pro

    [ Upstream commit a4a2c54560f2c57b88ba0283f141b44f594c2337 ]

    This patch adds keyboard support for MacbookPro12,1 as WELLSPRING9
    (0x0272, 0x0273, 0x0274). The touchpad is handled in a separate
    bcm5974 patch, as usual.

    Tested-by: John Horan <knasher@gmail.com>
    Tested-by: Jochen Radmacher <jradmacher@gmx.de>
    Tested-by: Yang Hongyang <burnef@gmail.com>
    Tested-by: Yen-Chin, Lee <coldnew.tw@gmail.com>
    Tested-by: George Hilios <ghilios@gmail.com>
    Tested-by: Janez Urevc <janez@janezurevc.name>
    Signed-off-by: Henrik Rydberg <rydberg@bitmath.org>
    Acked-by: Jiri Kosina <jkosina@suse.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9f5c910b9c85796629adfc35fab903cb90b9b97a
Author: Bin Liu <b-liu@ti.com>
Date:   Mon Aug 24 15:28:37 2015 -0500

    usb: musb: fix cppi channel teardown for isoch transfer

    [ Upstream commit b431ba8803666e56c1d178a421b3cbc36e8d3d33 ]

    After a few iterations of start/stop UVC camera streaming, the streaming
    stops.

    This patch adds 250us delay in the cppi channel abort path to let cppi
    drain properly.

    Using 50us delay seems to be too aggressive, some webcams are still
    broken. 250us is the original value used in TI 3.2 kernel.

    Signed-off-by: Bin Liu <b-liu@ti.com>
    Signed-off-by: Felipe Balbi <balbi@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9a032d2a1f8a7453dd47cb0e3870ad02590499cd
Author: Bin Liu <b-liu@ti.com>
Date:   Mon Jan 26 16:22:07 2015 -0600

    usb: musb: cppi41: improve rx channel abort routine

    [ Upstream commit cb83df77f3ec151d68a1b6be957207e6fc7b7f50 ]

    1. set AUTOREQ to NONE at the beginning of teardown;

    2. add delay for dma pipeline to drain;

    3. Do not set USB_TDOWN bit for RX teardown.

      The CPPI hw has an issue that when tearing down a RX channel, if
      another RX channel is receiving data, the CPPI will lockup.

      To workaround the issue, do not set the CPPI TD bit. The steps before
      this point ensures the CPPI channel will be torn down properly.

    Signed-off-by: Bin Liu <b-liu@ti.com>
    Signed-off-by: Felipe Balbi <balbi@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 039a1e26d6f0fb392ae4ca82e91dc78228b024f9
Author: Philipp Hachtmann <hachti@hachti.de>
Date:   Mon Aug 17 17:31:47 2015 +0200

    USB: symbolserial: Correct transferred data size

    [ Upstream commit 8ae25a355b5969e12f3185e8cb8eb08b871c9084 ]

    The scanner (here DS3508) always returns 64 bytes per urb buffer. The first
    byte indicates the data length used in the current buffer. There even was
    a comment describing this. But the comment also said that we'll send
    everything in the buffer to the tty layer. That means sending the actual
    barcode data and lots of trailing zeroes. This patch lets the driver only
    send the real data.

    Signed-off-by: Philipp Hachtmann <hachti@hachti.de>
    Acked-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c357a87557409fe0c9a0b21ccfd85edf4f7eb948
Author: Li Jun <jun.li@freescale.com>
Date:   Wed Jul 29 13:11:11 2015 +0800

    usb: chipidea: debug: add runtime pm for register access

    [ Upstream commit bc24937943d9f71a1e32b5dc4e2f0ef8fcc07b64 ]

    Add runtime pm operations for registers access to avoid system hang.

    Signed-off-by: Li Jun <jun.li@freescale.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 448753c5cc07b5fade57b8ebbaf14ea25b652950
Author: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date:   Wed Aug 19 16:50:10 2015 +0200

    s390/3270: redraw screen on unsolicited device end

    [ Upstream commit 05bfd70bcdd3cd12c061cb77b73a11ba6f87379d ]

    If a 3270 terminal is disconnected and later reconnected again,
    it gets an unsolicited device end. This is currently ignored and
    you have to hit the clear key to get the screen redrawn.
    Add an automatic full redraw of the screen for this case.

    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit df3a9927e47952b55a1695c0cb583530f98c9ce1
Author: Joerg Roedel <jroedel@suse.de>
Date:   Wed May 27 09:26:09 2015 +0200

    iommu/amd: Handle integer overflow in dma_ops_area_alloc

    [ Upstream commit e6aabee05f41c9d18e0b92194819edd84f352ac9 ]

    Handle this case to make sure boundary_size does not become
    0 and trigger a BUG_ON later.

    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fa52a8d9469cc7e46acdbe92b6568f7216ac9cb6
Author: Noel Power <noel.power@suse.com>
Date:   Wed May 27 09:22:10 2015 +0100

    client MUST ignore EncryptionKeyLength if CAP_EXTENDED_SECURITY is set

    [ Upstream commit f291095f340db986271e951e3891bb95624a93ea ]

    [MS-SMB] 2.2.4.5.2.1 states:

    "ChallengeLength (1 byte): When the CAP_EXTENDED_SECURITY bit is set,
     the server MUST set this value to zero and clients MUST ignore this
     value."

    Signed-off-by: Noel Power <noel.power@suse.com>
    Signed-off-by: Steve French <smfrench@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e59fd940129c83888ec2605b065c116cd21643d1
Author: Teunis van Beelen <teuniz@gmail.com>
Date:   Sun May 31 09:36:22 2015 +0200

    USB: usbtmc: add device quirk for Rigol DS6104

    [ Upstream commit f50420223071b6ff4b586308f5c27eec54694a81 ]

    Recently we purchased the Rigol DS6104 and when I try to operate it from
    my Linux pc, everything works well with the default usbtmc driver,
    except when I want to download a big datachunk like a screenshot. This
    bitmapfile has a size of 1152054 bytes but I receive a smaller file and
    no new packets can be read.

    When I took a look at the driver source, I found this "Rigol quirk" and
    I added the id of the new DS series oscilloscopes to this list. I
    compiled it and loaded the new driver and now everything seems to work
    fine.

    Signed-off-by: Teunis van Beelen <teuniz@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3bb4005ca26162ab0c64d8901b7b323904bbb890
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date:   Wed Aug 12 21:35:56 2015 +0200

    sched: Fix cpu_active_mask/cpu_online_mask race

    [ Upstream commit dd9d3843755da95f63dd3a376f62b3e45c011210 ]

    There is a race condition in SMP bootup code, which may result
    in

        WARNING: CPU: 0 PID: 1 at kernel/workqueue.c:4418
        workqueue_cpu_up_callback()
    or
        kernel BUG at kernel/smpboot.c:135!

    It can be triggered with a bit of luck in Linux guests running
    on busy hosts.

            CPU0                        CPUn
            ====                        ====

            _cpu_up()
              __cpu_up()
                                        start_secondary()
                                          set_cpu_online()
                                            cpumask_set_cpu(cpu,
                                                       to_cpumask(cpu_online_bits));
              cpu_notify(CPU_ONLINE)
                <do stuff, see below>
                                            cpumask_set_cpu(cpu,
                                                       to_cpumask(cpu_active_bits));

    During the various CPU_ONLINE callbacks CPUn is online but not
    active. Several things can go wrong at that point, depending on
    the scheduling of tasks on CPU0.

    Variant 1:

      cpu_notify(CPU_ONLINE)
        workqueue_cpu_up_callback()
          rebind_workers()
            set_cpus_allowed_ptr()

      This call fails because it requires an active CPU; rebind_workers()
      ends with a warning:

        WARNING: CPU: 0 PID: 1 at kernel/workqueue.c:4418
        workqueue_cpu_up_callback()

    Variant 2:

      cpu_notify(CPU_ONLINE)
        smpboot_thread_call()
          smpboot_unpark_threads()
           ..
            __kthread_unpark()
              __kthread_bind()
              wake_up_state()
               ..
                select_task_rq()
                  select_fallback_rq()

      The ->wake_cpu of the unparked thread is not allowed, making a call
      to select_fallback_rq() necessary. Then, select_fallback_rq() cannot
      find an allowed, active CPU and promptly resets the allowed CPUs, so
      that the task in question ends up on CPU0.

      When those unparked tasks are eventually executed, they run
      immediately into a BUG:

        kernel BUG at kernel/smpboot.c:135!

    Just changing the order in which the online/active bits are set
    (and adding some memory barriers), would solve the two issues
    above. However, it would change the order of operations back to
    the one before commit 6acbfb96976f ("sched: Fix hotplug vs.
    set_cpus_allowed_ptr()"), thus, reintroducing that particular
    problem.

    Going further back into history, we have at least the following
    commits touching this topic:
    - commit 2baab4e90495 ("sched: Fix select_fallback_rq() vs cpu_active/cpu_online")
    - commit 5fbd036b552f ("sched: Cleanup cpu_active madness")

    Together, these give us the following non-working solutions:

      - secondary CPU sets active before online, because active is assumed to
        be a subset of online;

      - secondary CPU sets online before active, because the primary CPU
        assumes that an online CPU is also active;

      - secondary CPU sets online and waits for primary CPU to set active,
        because it might deadlock.

    Commit 875ebe940d77 ("powerpc/smp: Wait until secondaries are
    active & online") introduces an arch-specific solution to this
    arch-independent problem.

    Now, go for a more general solution without explicit waiting and
    simply set active twice: once on the secondary CPU after online
    was set and once on the primary CPU after online was seen.

    set_cpus_allowed_ptr()")

    Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
    Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Cc: <stable@vger.kernel.org>
    Cc: Anton Blanchard <anton@samba.org>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Joerg Roedel <jroedel@suse.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Matt Wilson <msw@amazon.com>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: 6acbfb96976f ("sched: Fix hotplug vs. set_cpus_allowed_ptr()")
    Link: http://lkml.kernel.org/r/1439408156-18840-1-git-send-email-jschoenh@amazon.de
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9caa36f324a300c0a35929e79a3e4ecb5442b955
Author: Mark Rustad <mark.d.rustad@intel.com>
Date:   Mon Jul 13 11:40:07 2015 -0700

    PCI: Add VPD function 0 quirk for Intel Ethernet devices

    [ Upstream commit 7aa6ca4d39edf01f997b9e02cf6d2fdeb224f351 ]

    Set the PCI_DEV_FLAGS_VPD_REF_F0 flag on all Intel Ethernet device
    functions other than function 0, so that on multi-function devices, we will
    always read VPD from function 0 instead of from the other functions.

    [bhelgaas: changelog]
    Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Alexander Duyck <alexander.h.duyck@redhat.com>
    CC: stable@vger.kernel.org

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e4ef8c343517e5ba5a42d3372e2dc655efde8f36
Author: Mark Rustad <mark.d.rustad@intel.com>
Date:   Mon Jul 13 11:40:02 2015 -0700

    PCI: Add dev_flags bit to access VPD through function 0

    [ Upstream commit 91a37c794cf2cf7ec1f9afc4cbf4a118df7e085e ]

    commit 932c435caba8a2ce473a91753bad0173269ef334 upstream.

    Add a dev_flags bit, PCI_DEV_FLAGS_VPD_REF_F0, to access VPD through
    function 0 to provide VPD access on other functions.  This is for hardware
    devices that provide copies of the same VPD capability registers in
    multiple functions.  Because the kernel expects that each function has its
    own registers, both the locking and the state tracking are affected by VPD
    accesses to different functions.

    On such devices for example, if a VPD write is performed on function 0,
    *any* later attempt to read VPD from any other function of that device will
    hang.  This has to do with how the kernel tracks the expected value of the
    F bit per function.

    Concurrent accesses to different functions of the same device can not only
    hang but also corrupt both read and write VPD data.

    When hangs occur, typically the error message:

      vpd r/w failed.  This is likely a firmware bug on this device.

    will be seen.

    Never set this bit on function 0 or there will be an infinite recursion.

    Signed-off-by: Mark Rustad <mark.d.rustad@intel.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Alexander Duyck <alexander.h.duyck@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a0e38ca669beedd225ecddda70db61aad3da1694
Author: Alex Williamson <alex.williamson@redhat.com>
Date:   Fri Nov 21 11:24:08 2014 -0700

    PCI: Add flag for devices that don't reset on D3hot->D0 transition

    [ Upstream commit 51e537387990dc1f00752103f314fd135cb94bc6 ]

    Per the PCI Power Management spec r1.2, sec 3.2.4, a device that advertises
    No_Soft_Reset == 0 in the PMCSR register (reported by lspci as "NoSoftRst-")
    should perform an internal reset when transitioning from D3hot to D0 via
    software control.  Configuration context is lost and the device requires a
    full reinitialization sequence.

    Unfortunately the definition of "internal reset", beyond the application of
    the configuration context, is largely left to the interpretation of the
    specific device.  Some devices don't seem to perform an "internal reset"
    even if they report No_Soft_Reset == 0.

    We still need to honor the PCI specification and restore PCI config context
    in the event that we do a PM reset, so we don't cache and modify the
    PCI_PM_CTRL_NO_SOFT_RESET bit for the device, but for interfaces where the
    intention is to reset the device, like pci_reset_function(), we need a
    mechanism to flag that PM reset (a D3hot->D0 transition) doesn't perform
    any significant "internal reset" of the device.

    Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ec4d789161f852d8131df242b97c84331d1f09f0
Author: David Howells <dhowells@redhat.com>
Date:   Thu Oct 15 17:21:37 2015 +0100

    KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring

    [ Upstream commit f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 ]

    The following sequence of commands:

        i=`keyctl add user a a @s`
        keyctl request2 keyring foo bar @t
        keyctl unlink $i @s

    tries to invoke an upcall to instantiate a keyring if one doesn't already
    exist by that name within the user's keyring set.  However, if the upcall
    fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
    other error code.  When the key is garbage collected, the key destroy
    function is called unconditionally and keyring_destroy() uses list_empty()
    on keyring->type_data.link - which is in a union with reject_error.
    Subsequently, the kernel tries to unlink the keyring from the keyring names
    list - which oopses like this:

            BUG: unable to handle kernel paging request at 00000000ffffff8a
            IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
            ...
            Workqueue: events key_garbage_collector
            ...
            RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
            RSP: 0018:ffff88003e2f3d30  EFLAGS: 00010203
            RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
            RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
            RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
            R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
            R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
            ...
            CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
            ...
            Call Trace:
             [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
             [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
             [<ffffffff8105ec9b>] process_one_work+0x28e/0x547
             [<ffffffff8105fd17>] worker_thread+0x26e/0x361
             [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
             [<ffffffff810648ad>] kthread+0xf3/0xfb
             [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
             [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
             [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2

    Note the value in RAX.  This is a 32-bit representation of -ENOKEY.

    The solution is to only call ->destroy() if the key was successfully
    instantiated.

    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9485c5aa5bfbbcbd656afdd06df905614ba2946a
Author: David Howells <dhowells@redhat.com>
Date:   Fri Sep 25 16:30:08 2015 +0100

    KEYS: Fix race between key destruction and finding a keyring by name

    [ Upstream commit 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 ]

    There appears to be a race between:

     (1) key_gc_unused_keys() which frees key->security and then calls
         keyring_destroy() to unlink the name from the name list

     (2) find_keyring_by_name() which calls key_permission(), thus accessing
         key->security, on a key before checking to see whether the key usage is 0
         (ie. the key is dead and might be cleaned up).

    Fix this by calling ->destroy() before cleaning up the core key data -
    including key->security.

    Reported-by: Petr Matousek <pmatouse@redhat.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4a72f9130bb9afc3d18f5a2c0a8c3856c430080c
Author: Eric Whitney <enwlinux@gmail.com>
Date:   Fri Apr 3 00:13:42 2015 -0400

    ext4: fix loss of delalloc extent info in ext4_zero_range()

    [ Upstream commit 94426f4b9648154dc5a6760b59e6953e640ab3b1 ]

    In ext4_zero_range(), removing a file's entire block range from the
    extent status tree removes all records of that file's delalloc extents.
    The delalloc accounting code uses this information, and its loss can
    then lead to accounting errors and kernel warnings at writeback time and
    subsequent file system damage.  This is most noticeable on bigalloc
    file systems where code in ext4_ext_map_blocks() handles cases where
    delalloc extents share clusters with a newly allocated extent.

    Because we're not deleting a block range and are correctly updating the
    status of its associated extent, there is no need to remove anything
    from the extent status tree.

    When this patch is combined with an unrelated bug fix for
    ext4_zero_range(), kernel warnings and e2fsck errors reported during
    xfstests runs on bigalloc filesystems are greatly reduced without
    introducing regressions on other xfstests-bld test scenarios.

    Signed-off-by: Eric Whitney <enwlinux@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ecca2fb1f47b4cc4267de9d76d16c356a65601b3
Author: Lukas Czerner <lczerner@redhat.com>
Date:   Fri Apr 3 00:09:13 2015 -0400

    ext4: allocate entire range in zero range

    [ Upstream commit 0f2af21aae11972fa924374ddcf52e88347cf5a8 ]

    Currently there is a bug in zero range code which causes zero range
    calls to only allocate block aligned portion of the range, while
    ignoring the rest in some cases.

    In some cases, namely if the end of the range is past i_size, we do
    attempt to preallocate the last nonaligned block. However this might
    cause kernel to BUG() in some carefully designed zero range requests
    on setups where page size > block size.

    Fix this problem by first preallocating the entire range, including
    the nonaligned edges and converting the written extents to unwritten
    in the next step. This approach will also give us the advantage of
    having the range to be as linearly contiguous as possible.

    Signed-off-by: Lukas Czerner <lczerner@redhat.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6169a11a8fa06796cf15d64cd79c4dd4cccd651c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Feb 5 10:37:33 2015 +0300

    vhost/scsi: potential memory corruption

    [ Upstream commit 59c816c1f24df0204e01851431d3bab3eb76719c ]

    This code in vhost_scsi_make_tpg() is confusing because we limit "tpgt"
    to UINT_MAX but the data type of "tpg->tport_tpgt" and that is a u16.

    I looked at the context and it turns out that in
    vhost_scsi_set_endpoint(), "tpg->tport_tpgt" is used as an offset into
    the vs_tpg[] array which has VHOST_SCSI_MAX_TARGET (256) elements so
    anything higher than 255 then it is invalid.  I have made that the limit
    now.

    In vhost_scsi_send_evt() we mask away values higher than 255, but now
    that the limit has changed, we don't need the mask.

    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9b85836ec94666957c2a1ae1adfd6da4a2b8d078
Author: Soeren Grunewald <soeren.grunewald@desy.de>
Date:   Thu Jun 11 09:25:04 2015 +0200

    serial: 8250_pci: Add support for 12 port Exar boards

    [ Upstream commit be32c0cf0462c36f482b5ddcff1d8371be1e183c ]

    The Exar XR17V358 can also be combined with a XR17V354 chip to act as a
    single 12 port chip. This works the same way as the combining two XR17V358
    chips. But the reported device id then is 0x4358.

    Signed-off-by: Soeren Grunewald <soeren.grunewald@desy.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e7509898c3936faf643dba8e105dfdf90f23b0a9
Author: Soeren Grunewald <soeren.grunewald@desy.de>
Date:   Tue Apr 28 16:29:49 2015 +0200

    serial: 8250_pci: Add support for 16 port Exar boards

    [ Upstream commit 96a5d18bc1338786fecac73599f1681f59a59a8e ]

    The Exar XR17V358 chip usually provides only 8 ports. But two chips can be
    combined to act as a single 16 port chip. Therefor one chip is configured
    as master the second as slave by connecting the mode pin to VCC (master)
    or GND (slave).

    Then the master chip is reporting a different device-id depending on
    whether a slave is detected or not. The UARTs 8-15 are addressed from
    0x2000-0x3fff. So the offset of 0x400 from UART to UART can be used to
    address all 16 ports as before.

    See: https://www.exar.com/common/content/document.ashx?id=1587 page 11

    Signed-off-by: Soeren Grunewald <soeren.grunewald@desy.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit cc908bc41a0ecc4be8db97521362e608f80a3077
Author: Roman Gushchin <klamm@yandex-team.ru>
Date:   Sat Oct 31 10:53:50 2015 +1100

    md/raid5: fix locking in handle_stripe_clean_event()

    [ Upstream commit b8a9d66d043ffac116100775a469f05f5158c16f ]

    After commit 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()")
    __find_stripe() is called under conf->hash_locks + hash.
    But handle_stripe_clean_event() calls remove_hash() under
    conf->device_lock.

    Under some cirscumstances the hash chain can be circuited,
    and we get an infinite loop with disabled interrupts and locked hash
    lock in __find_stripe(). This leads to hard lockup on multiple CPUs
    and following system crash.

    I was able to reproduce this behavior on raid6 over 6 ssd disks.
    The devices_handle_discard_safely option should be set to enable trim
    support. The following script was used:

    for i in `seq 1 32`; do
        dd if=/dev/zero of=large$i bs=10M count=100 &
    done

    neilb: original was against a 3.x kernel.  I forward-ported
      to 4.3-rc.  This verison is suitable for any kernel since
      Commit: 59fc630b8b5f ("RAID5: batch adjacent full stripe write")
      (v4.1+).  I'll post a version for earlier kernels to stable.

    Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
    Fixes: 566c09c53455 ("raid5: relieve lock contention in get_active_stripe()")
    Signed-off-by: NeilBrown <neilb@suse.com>
    Cc: Shaohua Li <shli@kernel.org>
    Cc: <stable@vger.kernel.org> # 3.13 - 4.2
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 53d59e5595f3d3c91a5668866a981037a319bc82
Author: Doron Tsur <doront@mellanox.com>
Date:   Sun Oct 11 15:58:17 2015 +0300

    IB/cm: Fix rb-tree duplicate free and use-after-free

    [ Upstream commit 0ca81a2840f77855bbad1b9f172c545c4dc9e6a4 ]

    ib_send_cm_sidr_rep could sometimes erase the node from the sidr
    (depending on errors in the process). Since ib_send_cm_sidr_rep is
    called both from cm_sidr_req_handler and cm_destroy_id, cm_id_priv
    could be either erased from the rb_tree twice or not erased at all.
    Fixing that by making sure it's erased only once before freeing
    cm_id_priv.

    Fixes: a977049dacde ('[PATCH] IB: Add the kernel CM implementation')
    Signed-off-by: Doron Tsur <doront@mellanox.com>
    Signed-off-by: Matan Barak <matanb@mellanox.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 37dfbd826b48df45b5e2bf7aecb3036450a66ecc
Author: Dāvis Mosāns <davispuh@gmail.com>
Date:   Fri Aug 21 07:29:22 2015 +0300

    mvsas: Fix NULL pointer dereference in mvs_slot_task_free

    [ Upstream commit 2280521719e81919283b82902ac24058f87dfc1b ]

    When pci_pool_alloc fails in mvs_task_prep then task->lldd_task stays
    NULL but it's later used in mvs_abort_task as slot which is passed
    to mvs_slot_task_free causing NULL pointer dereference.

    Just return from mvs_slot_task_free when passed with NULL slot.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=101891
    Signed-off-by: Dāvis Mosāns <davispuh@gmail.com>
    Reviewed-by: Tomas Henzl <thenzl@redhat.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: James Bottomley <JBottomley@Odin.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e456c19869192bc51aa098f510f1df3e913c2a1d
Author: NeilBrown <neilb@suse.com>
Date:   Sat Oct 31 11:00:56 2015 +1100

    Revert "md: allow a partially recovered device to be hot-added to an array."

    [ Upstream commit d01552a76d71f9879af448e9142389ee9be6e95b ]

    This reverts commit 7eb418851f3278de67126ea0c427641ab4792c57.

    This commit is poorly justified, I can find not discusison in email,
    and it clearly causes a problem.

    If a device which is being recovered fails and is subsequently
    re-added to an array, there could easily have been changes to the
    array *before* the point where the recovery was up to.  So the
    recovery must start again from the beginning.

    If a spare is being recovered and fails, then when it is re-added we
    really should do a bitmap-based recovery up to the recovery-offset,
    and then a full recovery from there.  Before this reversion, we only
    did the "full recovery from there" which is not corect.  After this
    reversion with will do a full recovery from the start, which is safer
    but not ideal.

    It will be left to a future patch to arrange the two different styles
    of recovery.

    Reported-and-tested-by: Nate Dailey <nate.dailey@stratus.com>
    Signed-off-by: NeilBrown <neilb@suse.com>
    Cc: stable@vger.kernel.org (3.14+)
    Fixes: 7eb418851f32 ("md: allow a partially recovered device to be hot-added to an array.")
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit aab9369e905c132ceeb03924e6ecfd73cea9c3dd
Author: Jes Sorensen <Jes.Sorensen@redhat.com>
Date:   Tue Oct 20 12:09:13 2015 -0400

    md/raid10: submit_bio_wait() returns 0 on success

    [ Upstream commit 681ab4696062f5aa939c9e04d058732306a97176 ]

    This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
    which changed the return value of submit_bio_wait() to return != 0 on
    error, but didn't update the caller accordingly.

    Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
    Cc: stable@vger.kernel.org (v3.10)
    Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
    Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
    Signed-off-by: NeilBrown <neilb@suse.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3ae3d7f7d36d7776a8284024374c11879b3577fb
Author: Jes Sorensen <Jes.Sorensen@redhat.com>
Date:   Tue Oct 20 12:09:12 2015 -0400

    md/raid1: submit_bio_wait() returns 0 on success

    [ Upstream commit 203d27b0226a05202438ddb39ef0ef1acb14a759 ]

    This was introduced with 9e882242c6193ae6f416f2d8d8db0d9126bd996b
    which changed the return value of submit_bio_wait() to return != 0 on
    error, but didn't update the caller accordingly.

    Fixes: 9e882242c6 ("block: Add submit_bio_wait(), remove from md")
    Cc: stable@vger.kernel.org (v3.10)
    Reported-by: Bill Kuzeja <William.Kuzeja@stratus.com>
    Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
    Signed-off-by: NeilBrown <neilb@suse.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 287819b75d1b56163ac9cc2ee6c8b3cca7483650
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Mon Oct 19 18:23:57 2015 +0800

    crypto: api - Only abort operations on fatal signal

    [ Upstream commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 ]

    Currently a number of Crypto API operations may fail when a signal
    occurs.  This causes nasty problems as the caller of those operations
    are often not in a good position to restart the operation.

    In fact there is currently no need for those operations to be
    interrupted by user signals at all.  All we need is for them to
    be killable.

    This patch replaces the relevant calls of signal_pending with
    fatal_signal_pending, and wait_for_completion_interruptible with
    wait_for_completion_killable, respectively.

    Cc: stable@vger.kernel.org
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2b23192757b42e2774516e170712aac0759038e1
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Thu Aug 20 10:34:59 2015 +0930

    module: Fix locking in symbol_put_addr()

    [ Upstream commit 275d7d44d802ef271a42dc87ac091a495ba72fc5 ]

    Poma (on the way to another bug) reported an assertion triggering:

      [<ffffffff81150529>] module_assert_mutex_or_preempt+0x49/0x90
      [<ffffffff81150822>] __module_address+0x32/0x150
      [<ffffffff81150956>] __module_text_address+0x16/0x70
      [<ffffffff81150f19>] symbol_put_addr+0x29/0x40
      [<ffffffffa04b77ad>] dvb_frontend_detach+0x7d/0x90 [dvb_core]

    Laura Abbott <labbott@redhat.com> produced a patch which lead us to
    inspect symbol_put_addr(). This function has a comment claiming it
    doesn't need to disable preemption around the module lookup
    because it holds a reference to the module it wants to find, which
    therefore cannot go away.

    This is wrong (and a false optimization too, preempt_disable() is really
    rather cheap, and I doubt any of this is on uber critical paths,
    otherwise it would've retained a pointer to the actual module anyway and
    avoided the second lookup).

    While its true that the module cannot go away while we hold a reference
    on it, the data structure we do the lookup in very much _CAN_ change
    while we do the lookup. Therefore fix the comment and add the
    required preempt_disable().

    Reported-by: poma <pomidorabelisima@gmail.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
    Fixes: a6e6abd575fc ("module: remove module_text_address()")
    Cc: stable@kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 01d978039a585c712e51cccf3e8c30b24c5e0215
Author: Cathy Avery <cathy.avery@oracle.com>
Date:   Fri Oct 2 09:35:01 2015 -0400

    xen-blkfront: check for null drvdata in blkback_changed (XenbusStateClosing)

    [ Upstream commit a54c8f0f2d7df525ff997e2afe71866a1a013064 ]

    xen-blkfront will crash if the check to talk_to_blkback()
    in blkback_changed()(XenbusStateInitWait) returns an error.
    The driver data is freed and info is set to NULL. Later during
    the close process via talk_to_blkback's call to xenbus_dev_fatal()
    the null pointer is passed to and dereference in blkfront_closing.

    CC: stable@vger.kernel.org
    Signed-off-by: Cathy Avery <cathy.avery@oracle.com>
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 244cebd7d0c7cf5a9d807449622b98d444b292b8
Author: Laura Abbott <labbott@fedoraproject.org>
Date:   Mon Oct 12 11:30:13 2015 +0300

    xhci: Add spurious wakeup quirk for LynxPoint-LP controllers

    [ Upstream commit fd7cd061adcf5f7503515ba52b6a724642a839c8 ]

    We received several reports of systems rebooting and powering on
    after an attempted shutdown. Testing showed that setting
    XHCI_SPURIOUS_WAKEUP quirk in addition to the XHCI_SPURIOUS_REBOOT
    quirk allowed the system to shutdown as expected for LynxPoint-LP
    xHCI controllers. Set the quirk back.

    Note that the quirk was originally introduced for LynxPoint and
    LynxPoint-LP just for this same reason. See:

    commit 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell")

    It was later limited to only concern HP machines as it caused
    regression on some machines, see both bug and commit:

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66171
    commit 6962d914f317 ("xhci: Limit the spurious wakeup fix only to HP machines")

    Later it was discovered that the powering on after shutdown
    was limited to LynxPoint-LP (Haswell-ULT) and that some non-LP HP
    machine suffered from spontaneous resume from S3 (which should
    not be related to the SPURIOUS_WAKEUP quirk at all). An attempt
    to fix this then removed the SPURIOUS_WAKEUP flag usage completely.

    commit b45abacde3d5 ("xhci: no switching back on non-ULT Haswell")

    Current understanding is that LynxPoint-LP (Haswell ULT) machines
    need the SPURIOUS_WAKEUP quirk, otherwise they will restart, and
    plain Lynxpoint (Haswell) machines may _not_ have the quirk
    set otherwise they again will restart.

    Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
    Cc: Takashi Iwai <tiwai@suse.de>
    Cc: Oliver Neukum <oneukum@suse.com>
    [Added more history to commit message -Mathias]
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 24cd9f6f26d25f9ca1939abaeab327c483b9a742
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Oct 12 11:30:12 2015 +0300

    xhci: handle no ping response error properly

    [ Upstream commit 3b4739b8951d650becbcd855d7d6f18ac98a9a85 ]

    If a host fails to wake up a isochronous SuperSpeed device from U1/U2
    in time for a isoch transfer it will generate a "No ping response error"
    Host will then move to the next transfer descriptor.

    Handle this case in the same way as missed service errors, tag the
    current TD as skipped and handle it on the next transfer event.

    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c74505b714a06ca639dbfdf07349f67009508326
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Thu Oct 22 10:56:40 2015 -0400

    dm btree: fix leak of bufio-backed block in btree_split_beneath error path

    [ Upstream commit 4dcb8b57df3593dcb20481d9d6cf79d1dc1534be ]

    btree_split_beneath()'s error path had an outstanding FIXME that speaks
    directly to the potential for _not_ cleaning up a previously allocated
    bufio-backed block.

    Fix this by releasing the previously allocated bufio block using
    unlock_block().

    Reported-by: Mikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Acked-by: Joe Thornber <thornber@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 297ce6f9c494be69cc3106c7be437038ee842344
Author: Joe Thornber <ejt@redhat.com>
Date:   Wed Oct 21 18:36:49 2015 +0100

    dm btree remove: fix a bug when rebalancing nodes after removal

    [ Upstream commit 2871c69e025e8bc507651d5a9cf81a8a7da9d24b ]

    Commit 4c7e309340ff ("dm btree remove: fix bug in redistribute3") wasn't
    a complete fix for redistribute3().

    The redistribute3 function takes 3 btree nodes and shares out the entries
    evenly between them.  If the three nodes in total contained
    (MAX_ENTRIES * 3) - 1 entries between them then this was erroneously getting
    rebalanced as (MAX_ENTRIES - 1) on the left and right, and (MAX_ENTRIES + 1) in
    the center.

    Fix this issue by being more careful about calculating the target number
    of entries for the left and right nodes.

    Unit tested in userspace using this program:
    https://github.com/jthornber/redistribute3-test/blob/master/redistribute3_t.c

    Signed-off-by: Joe Thornber <ejt@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1895f1b79e22b18b1b46b845572b9bd36a4ebd20
Author: Will Deacon <will.deacon@arm.com>
Date:   Wed Oct 28 16:56:13 2015 +0000

    Revert "ARM64: unwind: Fix PC calculation"

    [ Upstream commit 9702970c7bd3e2d6fecb642a190269131d4ac16c ]

    This reverts commit e306dfd06fcb44d21c80acb8e5a88d55f3d1cf63.

    With this patch applied, we were the only architecture making this sort
    of adjustment to the PC calculation in the unwinder. This causes
    problems for ftrace, where the PC values are matched against the
    contents of the stack frames in the callchain and fail to match any
    records after the address adjustment.

    Whilst there has been some effort to change ftrace to workaround this,
    those patches are not yet ready for mainline and, since we're the odd
    architecture in this regard, let's just step in line with other
    architectures (like arch/arm/) for now.

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 51c083f34d4545f49749327242e69475187a2b98
Author: Ronny Hegewald <ronny.hegewald@online.de>
Date:   Thu Oct 15 18:50:46 2015 +0000

    rbd: require stable pages if message data CRCs are enabled

    [ Upstream commit bae818ee1577c27356093901a0ea48f672eda514 ]

    rbd requires stable pages, as it performs a crc of the page data before
    they are send to the OSDs.

    But since kernel 3.9 (patch 1d1d1a767206fbe5d4c69493b7e6d2a8d08cc0a0
    "mm: only enforce stable page writes if the backing device requires
    it") it is not assumed anymore that block devices require stable pages.

    This patch sets the necessary flag to get stable pages back for rbd.

    In a ceph installation that provides multiple ext4 formatted rbd
    devices "bad crc" messages appeared regularly (ca 1 message every 1-2
    minutes on every OSD that provided the data for the rbd) in the
    OSD-logs before this patch. After this patch this messages are pretty
    much gone (only ca 1-2 / month / OSD).

    Cc: stable@vger.kernel.org # 3.9+, needs backporting
    Signed-off-by: Ronny Hegewald <Ronny.Hegewald@online.de>
    [idryomov@gmail.com: require stable pages only in crc case, changelog]
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a1c0361f5dad79729ec1dcb503d773e11f801b8c
Author: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Date:   Wed Oct 7 13:10:54 2015 +0200

    iio: mxs-lradc: Fix temperature offset

    [ Upstream commit b94e22805a2224061bb263a82b72e09544a5fbb3 ]

    0° Kelvin is actually −273.15°C, not -272.15°C. Fix the temperature offset.
    Also improve the comment explaining the calculation.

    Reported-by: Janusz Użycki <j.uzycki@elpromaelectronics.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
    Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
    Acked-by: Marek Vasut <marex@denx.de>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit cb6e0c1eda88038175cd848f10ae330744067558
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Fri Oct 23 10:38:52 2015 -0400

    drm/radeon: don't try to recreate sysfs entries on resume

    [ Upstream commit 49abb26651167c892393cd9f2ad23df429645ed9 ]

    Fixes a harmless error message caused by:
    51a4726b04e880fdd9b4e0e58b13f70b0a68a7f5

    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a83d675ed2f83b40e539e859f8d624f2ac1b4404
Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
Date:   Wed Oct 7 22:08:24 2015 +0300

    drm/i915: Restore lost DPLL register write on gen2-4

    [ Upstream commit 8e7a65aa70bcc1235a44e40ae0da5056525fe081 ]

    We accidentally lost the initial DPLL register write in
    1c4e02746147 drm/i915: Fix DVO 2x clock enable on 830M

    The "three times for luck" hack probably saved us from a total
    disaster. But anyway, bring the initial write back so that the
    code actually makes some sense.

    Reported-and-tested-by: Nick Bowler <nbowler@draconx.ca>
    References: http://mid.gmane.org/CAN_QmVyMaArxYgEcVVsGvsMo7-6ohZr8HmF5VhkkL4i9KOmrhw@mail.gmail.com
    Cc: stable@vger.kernel.org
    Cc: Nick Bowler <nbowler@draconx.ca>
    Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 239030251b6e6187f55831aa44e2aee415dabed4
Author: Ilia Mirkin <imirkin@alum.mit.edu>
Date:   Tue Oct 20 01:15:39 2015 -0400

    drm/nouveau/gem: return only valid domain when there's only one

    [ Upstream commit 2a6c521bb41ce862e43db46f52e7681d33e8d771 ]

    On nv50+, we restrict the valid domains to just the one where the buffer
    was originally created. However after the buffer is evicted to system
    memory, we might move it back to a different domain that was not
    originally valid. When sharing the buffer and retrieving its GEM_INFO
    data, we still want the domain that will be valid for this buffer in a
    pushbuf, not the one where it currently happens to be.

    This resolves fdo#92504 and several others. These are due to suspend
    evicting all buffers, making it more likely that they temporarily end up
    in the wrong place.

    Cc: stable@vger.kernel.org
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92504
    Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 499cf5fb763ce3271b5190ef1a00c5404c7f43b9
Author: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Date:   Thu Dec 4 14:56:04 2014 +0000

    power: bq24190_charger: suppress build warning

    [ Upstream commit 31f50e48e3e4ea9d503285a389d6a1b5349d66c0 ]

    This patch fixes following build warning:

    In file included from include/linux/printk.h:261:0,
                     from include/linux/kernel.h:13,
                     from include/linux/list.h:8,
                     from include/linux/module.h:9,
                     from drivers/power/bq24190_charger.c:11:
    drivers/power/bq24190_charger.c: In function ‘bq24190_irq_handler_thread’:
    include/linux/dynamic_debug.h:86:20: warning: ‘ss_reg’ may be used uninitialized in this function [-Wmaybe-uninitialized]
       __dynamic_dev_dbg(&descriptor, dev, fmt, \
                        ^
    drivers/power/bq24190_charger.c:1211:5: note: ‘ss_reg’ was declared here
      u8 ss_reg, f_reg;
         ^
    In file included from include/linux/printk.h:261:0,
                     from include/linux/kernel.h:13,
                     from include/linux/list.h:8,
                     from include/linux/module.h:9,
                     from drivers/power/bq24190_charger.c:11:
    include/linux/dynamic_debug.h:86:20: warning: ‘f_reg’ may be used uninitialized in this function [-Wmaybe-uninitialized]
       __dynamic_dev_dbg(&descriptor, dev, fmt, \
                        ^
    drivers/power/bq24190_charger.c:1211:13: note: ‘f_reg’ was declared here
      u8 ss_reg, f_reg;

    Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
    Signed-off-by: Sebastian Reichel <sre@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a6a0076803a901f499bc60ce379807cf4eda8aaa
Author: David S. Miller <davem@davemloft.net>
Date:   Fri Apr 17 15:15:40 2015 -0400

    sfc: Fix memcpy() with const destination compiler warning.

    [ Upstream commit 1d20a16062e771b6e26b843c0cde3b17c1146e00 ]

    drivers/net/ethernet/sfc/selftest.c: In function ‘efx_iterate_state’:
    drivers/net/ethernet/sfc/selftest.c:388:9: warning: passing argument 1 of ‘memcpy’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-array-qualifiers]

    This is because the msg[] member of struct efx_loopback_payload
    is marked as 'const'.  Remove that.

    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4084246db34ccb9c58cd6b5a85bfe74af0d4620a
Author: Jan Kara <jack@suse.com>
Date:   Thu Oct 22 13:32:21 2015 -0700

    mm: make sendfile(2) killable

    [ Upstream commit 296291cdd1629c308114504b850dc343eabc2782 ]

    Currently a simple program below issues a sendfile(2) system call which
    takes about 62 days to complete in my test KVM instance.

            int fd;
            off_t off = 0;

            fd = open("file", O_RDWR | O_TRUNC | O_SYNC | O_CREAT, 0644);
            ftruncate(fd, 2);
            lseek(fd, 0, SEEK_END);
            sendfile(fd, fd, &off, 0xfffffff);

    Now you should not ask kernel to do a stupid stuff like copying 256MB in
    2-byte chunks and call fsync(2) after each chunk but if you do, sysadmin
    should have a way to stop you.

    We actually do have a check for fatal_signal_pending() in
    generic_perform_write() which triggers in this path however because we
    always succeed in writing something before the check is done, we return
    value > 0 from generic_perform_write() and thus the information about
    signal gets lost.

    Fix the problem by doing the signal check before writing anything.  That
    way generic_perform_write() returns -EINTR, the error gets propagated up
    and the sendfile loop terminates early.

    Signed-off-by: Jan Kara <jack@suse.com>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: Al Viro <viro@ZenIV.linux.org.uk>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7b516b5f395b0610008c7d2638fd293440ab2f8a
Author: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Date:   Tue Oct 20 10:25:58 2015 +0100

    ASoC: wm8904: Correct number of EQ registers

    [ Upstream commit 97aff2c03a1e4d343266adadb52313613efb027f ]

    There are 24 EQ registers not 25, I suspect this bug came about because
    the registers start at EQ1 not zero. The bug is relatively harmless as
    the extra register written is an unused one.

    Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 074ea6f13f7617cccf074ba8401bfb83dc0b4420
Author: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Date:   Fri Oct 16 15:53:29 2015 +0530

    powerpc/rtas: Validate rtas.entry before calling enter_rtas()

    [ Upstream commit 8832317f662c06f5c06e638f57bfe89a71c9b266 ]

    Currently we do not validate rtas.entry before calling enter_rtas(). This
    leads to a kernel oops when user space calls rtas system call on a powernv
    platform (see below). This patch adds code to validate rtas.entry before
    making enter_rtas() call.

      Oops: Exception in kernel mode, sig: 4 [#1]
      SMP NR_CPUS=1024 NUMA PowerNV
      task: c000000004294b80 ti: c0000007e1a78000 task.ti: c0000007e1a78000
      NIP: 0000000000000000 LR: 0000000000009c14 CTR: c000000000423140
      REGS: c0000007e1a7b920 TRAP: 0e40   Not tainted  (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le)
      MSR: 1000000000081000 <HV,ME>  CR: 00000000  XER: 00000000
      CFAR: c000000000009c0c SOFTE: 0
      NIP [0000000000000000]           (null)
      LR [0000000000009c14] 0x9c14
      Call Trace:
      [c0000007e1a7bba0] [c00000000041a7f4] avc_has_perm_noaudit+0x54/0x110 (unreliable)
      [c0000007e1a7bd80] [c00000000002ddc0] ppc_rtas+0x150/0x2d0
      [c0000007e1a7be30] [c000000000009358] syscall_exit+0x0/0x98

    Cc: stable@vger.kernel.org # v3.2+
    Fixes: 55190f88789a ("powerpc: Add skeleton PowerNV platform")
    Reported-by: NAGESWARA R. SASTRY <nasastry@in.ibm.com>
    Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
    [mpe: Reword change log, trim oops, and add stable + fixes]
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b6a84ee5b14652021a9d34c43206eb36a081a2d7
Author: Joerg Roedel <jroedel@suse.de>
Date:   Tue Oct 20 14:59:36 2015 +0200

    iommu/amd: Don't clear DTE flags when modifying it

    [ Upstream commit cbf3ccd09d683abf1cacd36e3640872ee912d99b ]

    During device assignment/deassignment the flags in the DTE
    get lost, which might cause spurious faults, for example
    when the device tries to access the system management range.
    Fix this by not clearing the flags with the rest of the DTE.

    Reported-by: G. Richard Bellamy <rbellamy@pteradigm.com>
    Tested-by: G. Richard Bellamy <rbellamy@pteradigm.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 09d7738b387bc229eda6df0a705ec8f09d9ff75f
Author: Luca Coelho <luciano.coelho@intel.com>
Date:   Tue Sep 22 09:44:39 2015 +0300

    iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series

    [ Upstream commit f08f625876476b6c4a87834dc86e3b927f4697d2 ]

    Add 3 new subdevice IDs for the 0x095A device ID and 2 for the 0x095B
    device ID.

    Cc: <stable@vger.kernerl.org> [3.13+]
    Reported-by: Jeremy <jeremy.bomkamp@gmail.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e9bdf3b3913dd77c463c6e01c2901a232ead7289
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Sep 15 14:36:09 2015 +0200

    iwlwifi: mvm: fix D3 firmware PN programming

    [ Upstream commit 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 ]

    The code to send the RX PN data (for each TID) to the firmware
    has a devastating bug: it overwrites the data for TID 0 with
    all the TID data, leaving the remaining TIDs zeroed. This will
    allow replays to actually be accepted by the firmware, which
    could allow waking up the system.

    Cc: <stable@vger.kernel.org> [3.1+]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1b0151756149d603927e1a590429d8ae4ee51876
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Nov 18 15:39:51 2014 +0100

    iwlwifi: pcie: support 7265-D devices

    [ Upstream commit 3fd0d3c170ad6ba8b64e16938f699d0b43cc782e ]

    Identify 7265-D devices using the hardware revision (they have the
    same PCI IDs as 7265) and change the configuration for them taking
    the differences (currently only the firmware image) into account.

    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b2845e18999b1f9e51eefadd0b9e64a62bfcff90
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Sep 22 10:47:27 2015 +0200

    iwlwifi: fix firmware filename for 3160

    [ Upstream commit b5a48134f8af08f5243328f8a0b05fc5ae7cf343 ]

    The MODULE_FIRMWARE() for 3160 should be using the 7260 version as
    it's done in the device configuration struct instead of referencing
    IWL3160_UCODE_API_OK which doesn't even exist.

    Cc: <stable@vger.kernel.org> [3.8+]
    Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ae9b626a28912f18a61b8963da60deef0609a93d
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Tue Sep 15 14:36:09 2015 +0200

    iwlwifi: dvm: fix D3 firmware PN programming

    [ Upstream commit 5bd166872d8f99f156fac191299d24f828bb2348 ]

    The code to send the RX PN data (for each TID) to the firmware
    has a devastating bug: it overwrites the data for TID 0 with
    all the TID data, leaving the remaining TIDs zeroed. This will
    allow replays to actually be accepted by the firmware, which
    could allow waking up the system.

    Cc: <stable@vger.kernel.org> [3.1+]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c66c8ccae54d30a47a1a9d793a1790fc612d3842
Author: Felix Fietkau <nbd@openwrt.org>
Date:   Thu Sep 24 16:59:46 2015 +0200

    ath9k: declare required extra tx headroom

    [ Upstream commit 029cd0370241641eb70235d205aa0b90c84dce44 ]

    ath9k inserts padding between the 802.11 header and the data area (to
    align it). Since it didn't declare this extra required headroom, this
    led to some nasty issues like randomly dropped packets in some setups.

    Cc: stable@vger.kernel.org
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ca7c3488286856a30fdd8c376360ebc7b687518b
Author: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Date:   Thu Feb 12 15:03:05 2015 -0800

    lib/radix-tree.c: change to simpler include

    [ Upstream commit 886d3dfa85d5aa6f11813c319e50f5402c7cf4e4 ]

    The comment helpfully explains why hardirq.h is included, but since
    commit 2d4b84739f0a ("hardirq: Split preempt count mask definitions")
    in_interrupt() has been provided by preempt_mask.h.  Use that instead,
    saving around 40 lines in the generated dependency file.

    Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f5c09209ca16bd7329e4255aca7ad6bca31cfaff
Author: Ilya Dryomov <idryomov@gmail.com>
Date:   Mon Aug 31 15:21:39 2015 +0300

    rbd: fix double free on rbd_dev->header_name

    [ Upstream commit 3ebe138ac642a195c7f2efdb918f464734421fd6 ]

    If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name
    is freed twice: once in rbd_dev_probe_parent() and then in its caller
    rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to
    handle parent images).

    rbd_dev_probe_parent() is responsible for probing the parent, so it
    shouldn't muck with clone's fields.

    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Reviewed-by: Alex Elder <elder@linaro.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 21f6ebb8ddf3d7940bc6a752df0ddc62667915c1
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Tue Oct 13 12:04:28 2015 -0400

    dm thin: fix missing pool reference count decrement in pool_ctr error path

    [ Upstream commit ba30670f4d5292c4e7f7980bbd5071f7c4794cdd ]

    Fixes: ac8c3f3df ("dm thin: generate event when metadata threshold passed")
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Cc: stable@vger.kernel.org # 3.10+
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5ab6262ccf4d1a622ab8fb63636a24a1028ffd92
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Sep 30 16:45:52 2015 -0400

    drm/radeon: add pm sysfs files late

    [ Upstream commit 51a4726b04e880fdd9b4e0e58b13f70b0a68a7f5 ]

    They were added relatively early in the driver init process
    which meant that in some cases the driver was not finished
    initializing before external tools tried to use them which
    could result in a crash depending on the timing.

    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a7138587d56380902237cec784fbc09048a17003
Author: Ben Skeggs <bskeggs@redhat.com>
Date:   Fri Oct 2 14:03:19 2015 +1000

    drm/nouveau/fbcon: take runpm reference when userspace has an open fd

    [ Upstream commit f231976c2e8964ceaa9250e57d27c35ff03825c2 ]

    We need to do this in order to prevent accesses to the device while it's
    powered down.  Userspace may have an mmap of the fb, and there's no good
    way (that I know of) to prevent it from touching the device otherwise.

    This fixes some nasty races between runpm and plymouth on some systems,
    which result in the GPU getting very upset and hanging the boot.

    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 43ac913d76a9ae3894337654effc3ff2f931e106
Author: Shaohua Li <shli@fb.com>
Date:   Wed Sep 30 09:05:30 2015 -0700

    workqueue: make sure delayed work run in local cpu

    [ Upstream commit 874bbfe600a660cba9c776b3957b1ce393151b76 ]

    My system keeps crashing with below message. vmstat_update() schedules a delayed
    work in current cpu and expects the work runs in the cpu.
    schedule_delayed_work() is expected to make delayed work run in local cpu. The
    problem is timer can be migrated with NO_HZ. __queue_work() queues work in
    timer handler, which could run in a different cpu other than where the delayed
    work is scheduled. The end result is the delayed work runs in different cpu.
    The patch makes __queue_delayed_work records local cpu earlier. Where the timer
    runs doesn't change where the work runs with the change.

    [   28.010131] ------------[ cut here ]------------
    [   28.010609] kernel BUG at ../mm/vmstat.c:1392!
    [   28.011099] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
    [   28.011860] Modules linked in:
    [   28.012245] CPU: 0 PID: 289 Comm: kworker/0:3 Tainted: G        W4.3.0-rc3+ #634
    [   28.013065] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140709_153802- 04/01/2014
    [   28.014160] Workqueue: events vmstat_update
    [   28.014571] task: ffff880117682580 ti: ffff8800ba428000 task.ti: ffff8800ba428000
    [   28.015445] RIP: 0010:[<ffffffff8115f921>]  [<ffffffff8115f921>]vmstat_update+0x31/0x80
    [   28.016282] RSP: 0018:ffff8800ba42fd80  EFLAGS: 00010297
    [   28.016812] RAX: 0000000000000000 RBX: ffff88011a858dc0 RCX:0000000000000000
    [   28.017585] RDX: ffff880117682580 RSI: ffffffff81f14d8c RDI:ffffffff81f4df8d
    [   28.018366] RBP: ffff8800ba42fd90 R08: 0000000000000001 R09:0000000000000000
    [   28.019169] R10: 0000000000000000 R11: 0000000000000121 R12:ffff8800baa9f640
    [   28.019947] R13: ffff88011a81e340 R14: ffff88011a823700 R15:0000000000000000
    [   28.020071] FS:  0000000000000000(0000) GS:ffff88011a800000(0000)knlGS:0000000000000000
    [   28.020071] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [   28.020071] CR2: 00007ff6144b01d0 CR3: 00000000b8e93000 CR4:00000000000006f0
    [   28.020071] Stack:
    [   28.020071]  ffff88011a858dc0 ffff8800baa9f640 ffff8800ba42fe00ffffffff8106bd88
    [   28.020071]  ffffffff8106bd0b 0000000000000096 0000000000000000ffffffff82f9b1e8
    [   28.020071]  ffffffff829f0b10 0000000000000000 ffffffff81f18460ffff88011a81e340
    [   28.020071] Call Trace:
    [   28.020071]  [<ffffffff8106bd88>] process_one_work+0x1c8/0x540
    [   28.020071]  [<ffffffff8106bd0b>] ? process_one_work+0x14b/0x540
    [   28.020071]  [<ffffffff8106c214>] worker_thread+0x114/0x460
    [   28.020071]  [<ffffffff8106c100>] ? process_one_work+0x540/0x540
    [   28.020071]  [<ffffffff81071bf8>] kthread+0xf8/0x110
    [   28.020071]  [<ffffffff81071b00>] ?kthread_create_on_node+0x200/0x200
    [   28.020071]  [<ffffffff81a6522f>] ret_from_fork+0x3f/0x70
    [   28.020071]  [<ffffffff81071b00>] ?kthread_create_on_node+0x200/0x200

    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: stable@vger.kernel.org # v2.6.31+
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit cd351c29c369fc45102590d60a136436360f8e11
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Thu Sep 24 12:06:54 2015 +0300

    i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348

    [ Upstream commit 56d4b8a24cef5d66f0d10ac778a520d3c2c68a48 ]

    ACPI SSCN/FMCN methods were originally added because then the platform can
    provide the most accurate HCNT/LCNT values to the driver. However, this
    seems not to be true for Dell Inspiron 7348 where using these causes the
    touchpad to fail in boot:

      i2c_hid i2c-DLL0675:00: failed to retrieve report from device.
      i2c_designware INT3433:00: i2c_dw_handle_tx_abort: lost arbitration
      i2c_hid i2c-DLL0675:00: failed to retrieve report from device.
      i2c_designware INT3433:00: controller timed out

    The values received from ACPI are (in fast mode):

      HCNT: 72
      LCNT: 160

    this translates to following timings (input clock is 100MHz on Broadwell):

      tHIGH: 720 ns (spec min 600 ns)
      tLOW: 1600 ns (spec min 1300 ns)
      Bus period: 2920 ns (assuming 300 ns tf and tr)
      Bus speed: 342.5 kHz

    Both tHIGH and tLOW are within the I2C specification.

    The calculated values when ACPI parameters are not used are (in fast mode):

      HCNT: 87
      LCNT: 159

    which translates to:

      tHIGH: 870 ns (spec min 600 ns)
      tLOW: 1590 ns (spec min 1300 ns)
      Bus period 3060 ns (assuming 300 ns tf and tr)
      Bus speed 326.8 kHz

    These values are also within the I2C specification.

    Since both ACPI and calculated values meet the I2C specification timing
    requirements it is hard to say why the touchpad does not function properly
    with the ACPI values except that the bus speed is higher in this case (but
    still well below the max 400kHz).

    Solve this by adding DMI quirk to the driver that disables using ACPI
    parameters on this particulare machine.

    Reported-by: Pavel Roskin <plroskin@gmail.com>
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Tested-by: Pavel Roskin <plroskin@gmail.com>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit d8b06f6fe0481d5bb79994b31f284a6609c46286
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Sat Oct 10 08:24:23 2015 +0100

    i2c: s3c2410: enable RuntimePM before registering to the core

    [ Upstream commit eadd709f5d2e8aebb1b7bf49460e97a68d81a9b0 ]

    The core may register clients attached to this master which may use
    funtionality from the master. So, RuntimePM must be enabled before, otherwise
    this will fail. While here, move drvdata, too.

    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Tested-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
    Acked-by: Kukjin Kim <kgene@kernel.org>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit d1edec87b14e67ff76d97eb8d6434270d8286efc
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Fri Oct 9 10:39:25 2015 +0100

    i2c: rcar: enable RuntimePM before registering to the core

    [ Upstream commit 4f7effddf4549d57114289f273710f077c4c330a ]

    The core may register clients attached to this master which may use
    funtionality from the master. So, RuntimePM must be enabled before, otherwise
    this will fail. While here, move drvdata, too.

    Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Cc: stable@kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b2a40bdea04d1b212e4c26e68953ec5d8151d218
Author: Will Deacon <will.deacon@arm.com>
Date:   Thu Oct 8 11:11:17 2015 +0100

    arm64: errata: use KBUILD_CFLAGS_MODULE for erratum #843419

    [ Upstream commit b6dd8e0719c0d2d01429639a11b7bc2677de240c ]

    Commit df057cc7b4fa ("arm64: errata: add module build workaround for
    erratum #843419") sets CFLAGS_MODULE to ensure that the large memory
    model is used by the compiler when building kernel modules.

    However, CFLAGS_MODULE is an environment variable and intended to be
    overridden on the command line, which appears to be the case with the
    Ubuntu kernel packaging system, so use KBUILD_CFLAGS_MODULE instead.

    Cc: <stable@vger.kernel.org>
    Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Fixes: df057cc7b4fa ("arm64: errata: add module build workaround for erratum #843419")
    Reported-by: Dann Frazier <dann.frazier@canonical.com>
    Tested-by: Dann Frazier <dann.frazier@canonical.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 431baf4cb7d25cd47bb9c81c08eff0a835f6536e
Author: Chris Mason <clm@fb.com>
Date:   Tue Oct 13 14:06:48 2015 -0400

    btrfs: fix use after free iterating extrefs

    [ Upstream commit dc6c5fb3b514221f2e9d21ee626a9d95d3418dff ]

    The code for btrfs inode-resolve has never worked properly for
    files with enough hard links to trigger extrefs.  It was trying to
    get the leaf out of a path after freeing the path:

            btrfs_release_path(path);
            leaf = path->nodes[0];
            item_size = btrfs_item_size_nr(leaf, slot);

    The fix here is to use the extent buffer we cloned just a little higher
    up to avoid deadlocks caused by using the leaf in the path.

    Signed-off-by: Chris Mason <clm@fb.com>
    cc: stable@vger.kernel.org # v3.7+
    cc: Mark Fasheh <mfasheh@suse.de>
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: Mark Fasheh <mfasheh@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0202b0dfe93fe7d0179b80013dbac5c15f2c81c3
Author: Russell King <rmk+kernel@arm.linux.org.uk>
Date:   Fri Oct 9 20:43:33 2015 +0100

    crypto: ahash - ensure statesize is non-zero

    [ Upstream commit 8996eafdcbad149ac0f772fb1649fbb75c482a6a ]

    Unlike shash algorithms, ahash drivers must implement export
    and import as their descriptors may contain hardware state and
    cannot be exported as is.  Unfortunately some ahash drivers did
    not provide them and end up causing crashes with algif_hash.

    This patch adds a check to prevent these drivers from registering
    ahash algorithms until they are fixed.

    Cc: stable@vger.kernel.org
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 27874987e9b9eba00c17aa5590befe3ebe8723ba
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Mon Oct 5 10:08:51 2015 -0500

    crypto: sparc - initialize blkcipher.ivsize

    [ Upstream commit a66d7f724a96d6fd279bfbd2ee488def6b081bea ]

    Some of the crypto algorithms write to the initialization vector,
    but no space has been allocated for it. This clobbers adjacent memory.

    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f5f7e02d8bd8f173aa74bfa006d696c83cc39119
Author: Joe Perches <joe@perches.com>
Date:   Wed Oct 14 01:09:40 2015 -0700

    ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings

    [ Upstream commit 077cb37fcf6f00a45f375161200b5ee0cd4e937b ]

    It seems that kernel memory can leak into userspace by a
    kmalloc, ethtool_get_strings, then copy_to_user sequence.

    Avoid this by using kcalloc to zero fill the copied buffer.

    Signed-off-by: Joe Perches <joe@perches.com>
    Acked-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2191851fa6974677c5cbb0c4b131cd768c18c4ec
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Sep 30 11:45:33 2015 +0200

    ppp: don't override sk->sk_state in pppoe_flush_dev()

    [ Upstream commit e6740165b8f7f06d8caee0fceab3fb9d790a6fed ]

    Since commit 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release"),
    pppoe_release() calls dev_put(po->pppoe_dev) if sk is in the
    PPPOX_ZOMBIE state. But pppoe_flush_dev() can set sk->sk_state to
    PPPOX_ZOMBIE _and_ reset po->pppoe_dev to NULL. This leads to the
    following oops:

    [  570.140800] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e0
    [  570.142931] IP: [<ffffffffa018c701>] pppoe_release+0x50/0x101 [pppoe]
    [  570.144601] PGD 3d119067 PUD 3dbc1067 PMD 0
    [  570.144601] Oops: 0000 [#1] SMP
    [  570.144601] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pppoe pppox ppp_generic slhc loop crc32c_intel ghash_clmulni_intel jitterentropy_rng sha256_generic hmac drbg ansi_cprng aesni_intel aes_x86_64 ablk_helper cryptd lrw gf128mul glue_helper acpi_cpufreq evdev serio_raw processor button ext4 crc16 mbcache jbd2 virtio_net virtio_blk virtio_pci virtio_ring virtio
    [  570.144601] CPU: 1 PID: 15738 Comm: ppp-apitest Not tainted 4.2.0 #1
    [  570.144601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
    [  570.144601] task: ffff88003d30d600 ti: ffff880036b60000 task.ti: ffff880036b60000
    [  570.144601] RIP: 0010:[<ffffffffa018c701>]  [<ffffffffa018c701>] pppoe_release+0x50/0x101 [pppoe]
    [  570.144601] RSP: 0018:ffff880036b63e08  EFLAGS: 00010202
    [  570.144601] RAX: 0000000000000000 RBX: ffff880034340000 RCX: 0000000000000206
    [  570.144601] RDX: 0000000000000006 RSI: ffff88003d30dd20 RDI: ffff88003d30dd20
    [  570.144601] RBP: ffff880036b63e28 R08: 0000000000000001 R09: 0000000000000000
    [  570.144601] R10: 00007ffee9b50420 R11: ffff880034340078 R12: ffff8800387ec780
    [  570.144601] R13: ffff8800387ec7b0 R14: ffff88003e222aa0 R15: ffff8800387ec7b0
    [  570.144601] FS:  00007f5672f48700(0000) GS:ffff88003fc80000(0000) knlGS:0000000000000000
    [  570.144601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  570.144601] CR2: 00000000000004e0 CR3: 0000000037f7e000 CR4: 00000000000406a0
    [  570.144601] Stack:
    [  570.144601]  ffffffffa018f240 ffff8800387ec780 ffffffffa018f240 ffff8800387ec7b0
    [  570.144601]  ffff880036b63e48 ffffffff812caabe ffff880039e4e000 0000000000000008
    [  570.144601]  ffff880036b63e58 ffffffff812cabad ffff880036b63ea8 ffffffff811347f5
    [  570.144601] Call Trace:
    [  570.144601]  [<ffffffff812caabe>] sock_release+0x1a/0x75
    [  570.144601]  [<ffffffff812cabad>] sock_close+0xd/0x11
    [  570.144601]  [<ffffffff811347f5>] __fput+0xff/0x1a5
    [  570.144601]  [<ffffffff811348cb>] ____fput+0x9/0xb
    [  570.144601]  [<ffffffff81056682>] task_work_run+0x66/0x90
    [  570.144601]  [<ffffffff8100189e>] prepare_exit_to_usermode+0x8c/0xa7
    [  570.144601]  [<ffffffff81001a26>] syscall_return_slowpath+0x16d/0x19b
    [  570.144601]  [<ffffffff813babb1>] int_ret_from_sys_call+0x25/0x9f
    [  570.144601] Code: 48 8b 83 c8 01 00 00 a8 01 74 12 48 89 df e8 8b 27 14 e1 b8 f7 ff ff ff e9 b7 00 00 00 8a 43 12 a8 0b 74 1c 48 8b 83 a8 04 00 00 <48> 8b 80 e0 04 00 00 65 ff 08 48 c7 83 a8 04 00 00 00 00 00 00
    [  570.144601] RIP  [<ffffffffa018c701>] pppoe_release+0x50/0x101 [pppoe]
    [  570.144601]  RSP <ffff880036b63e08>
    [  570.144601] CR2: 00000000000004e0
    [  570.200518] ---[ end trace 46956baf17349563 ]---

    pppoe_flush_dev() has no reason to override sk->sk_state with
    PPPOX_ZOMBIE. pppox_unbind_sock() already sets sk->sk_state to
    PPPOX_DEAD, which is the correct state given that sk is unbound and
    po->pppoe_dev is NULL.

    Fixes: 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release")
    Tested-by: Oleksii Berezhniak <core@irc.lg.ua>
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5ca907c8d1e928e88f6a3cf877a8d39c5193de64
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 29 18:52:25 2015 -0700

    net: add pfmemalloc check in sk_add_backlog()

    [ Upstream commit c7c49b8fde26b74277188bdc6c9dca38db6fa35b ]

    Greg reported crashes hitting the following check in __sk_backlog_rcv()

            BUG_ON(!sock_flag(sk, SOCK_MEMALLOC));

    The pfmemalloc bit is currently checked in sk_filter().

    This works correctly for TCP, because sk_filter() is ran in
    tcp_v[46]_rcv() before hitting the prequeue or backlog checks.

    For UDP or other protocols, this does not work, because the sk_filter()
    is ran from sock_queue_rcv_skb(), which might be called _after_ backlog
    queuing if socket is owned by user by the time packet is processed by
    softirq handler.

    Fixes: b4b9e35585089 ("netvm: set PF_MEMALLOC as appropriate during SKB processing")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Greg Thelen <gthelen@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 22f7f93333ef1dd1466cc205e8644c025da65c3e
Author: Pravin B Shelar <pshelar@nicira.com>
Date:   Mon Sep 28 17:24:25 2015 -0700

    skbuff: Fix skb checksum partial check.

    [ Upstream commit 31b33dfb0a144469dd805514c9e63f4993729a48 ]

    Earlier patch 6ae459bda tried to detect void ckecksum partial
    skb by comparing pull length to checksum offset. But it does
    not work for all cases since checksum-offset depends on
    updates to skb->data.

    Following patch fixes it by validating checksum start offset
    after skb-data pointer is updated. Negative value of checksum
    offset start means there is no need to checksum.

    Fixes: 6ae459bda ("skbuff: Fix skb checksum flag on skb pull")
    Reported-by: Andrew Vagin <avagin@odin.com>
    Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 97582070de7ca5d50db3e2659b55906d73ab908d
Author: Pravin B Shelar <pshelar@nicira.com>
Date:   Tue Sep 22 12:57:53 2015 -0700

    skbuff: Fix skb checksum flag on skb pull

    [ Upstream commit 6ae459bdaaeebc632b16e54dcbabb490c6931d61 ]

    VXLAN device can receive skb with checksum partial. But the checksum
    offset could be in outer header which is pulled on receive. This results
    in negative checksum offset for the skb. Such skb can cause the assert
    failure in skb_checksum_help(). Following patch fixes the bug by setting
    checksum-none while pulling outer header.

    Following is the kernel panic msg from old kernel hitting the bug.

    ------------[ cut here ]------------
    kernel BUG at net/core/dev.c:1906!
    RIP: 0010:[<ffffffff81518034>] skb_checksum_help+0x144/0x150
    Call Trace:
    <IRQ>
    [<ffffffffa0164c28>] queue_userspace_packet+0x408/0x470 [openvswitch]
    [<ffffffffa016614d>] ovs_dp_upcall+0x5d/0x60 [openvswitch]
    [<ffffffffa0166236>] ovs_dp_process_packet_with_key+0xe6/0x100 [openvswitch]
    [<ffffffffa016629b>] ovs_dp_process_received_packet+0x4b/0x80 [openvswitch]
    [<ffffffffa016c51a>] ovs_vport_receive+0x2a/0x30 [openvswitch]
    [<ffffffffa0171383>] vxlan_rcv+0x53/0x60 [openvswitch]
    [<ffffffffa01734cb>] vxlan_udp_encap_recv+0x8b/0xf0 [openvswitch]
    [<ffffffff8157addc>] udp_queue_rcv_skb+0x2dc/0x3b0
    [<ffffffff8157b56f>] __udp4_lib_rcv+0x1cf/0x6c0
    [<ffffffff8157ba7a>] udp_rcv+0x1a/0x20
    [<ffffffff8154fdbd>] ip_local_deliver_finish+0xdd/0x280
    [<ffffffff81550128>] ip_local_deliver+0x88/0x90
    [<ffffffff8154fa7d>] ip_rcv_finish+0x10d/0x370
    [<ffffffff81550365>] ip_rcv+0x235/0x300
    [<ffffffff8151ba1d>] __netif_receive_skb+0x55d/0x620
    [<ffffffff8151c360>] netif_receive_skb+0x80/0x90
    [<ffffffff81459935>] virtnet_poll+0x555/0x6f0
    [<ffffffff8151cd04>] net_rx_action+0x134/0x290
    [<ffffffff810683d8>] __do_softirq+0xa8/0x210
    [<ffffffff8162fe6c>] call_softirq+0x1c/0x30
    [<ffffffff810161a5>] do_softirq+0x65/0xa0
    [<ffffffff810687be>] irq_exit+0x8e/0xb0
    [<ffffffff81630733>] do_IRQ+0x63/0xe0
    [<ffffffff81625f2e>] common_interrupt+0x6e/0x6e

    Reported-by: Anupam Chanda <achanda@vmware.com>
    Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
    Acked-by: Tom Herbert <tom@herbertland.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9afa56cff10e209bb9910ef5460f87c0e8f89d3a
Author: Andrey Vagin <avagin@openvz.org>
Date:   Fri Oct 2 00:05:36 2015 +0300

    net/unix: fix logic about sk_peek_offset

    [ Upstream commit e9193d60d363e4dff75ff6d43a48f22be26d59c7 ]

    Now send with MSG_PEEK can return data from multiple SKBs.

    Unfortunately we take into account the peek offset for each skb,
    that is wrong. We need to apply the peek offset only once.

    In addition, the peek offset should be used only if MSG_PEEK is set.

    Cc: "David S. Miller" <davem@davemloft.net> (maintainer:NETWORKING
    Cc: Eric Dumazet <edumazet@google.com> (commit_signer:1/14=7%)
    Cc: Aaron Conole <aconole@bytheb.org>
    Fixes: 9f389e35674f ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag")
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Tested-by: Aaron Conole <aconole@bytheb.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit aa7940ce4d64d03444e093d4b15a66b8a63e9626
Author: Aaron Conole <aconole@bytheb.org>
Date:   Sat Sep 26 18:50:43 2015 -0400

    af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag

    [ Upstream commit 9f389e35674f5b086edd70ed524ca0f287259725 ]

    AF_UNIX sockets now return multiple skbs from recv() when MSG_PEEK flag
    is set.

    This is referenced in kernel bugzilla #12323 @
    https://bugzilla.kernel.org/show_bug.cgi?id=12323

    As described both in the BZ and lkml thread @
    http://lkml.org/lkml/2008/1/8/444 calling recv() with MSG_PEEK on an
    AF_UNIX socket only reads a single skb, where the desired effect is
    to return as much skb data has been queued, until hitting the recv
    buffer size (whichever comes first).

    The modified MSG_PEEK path will now move to the next skb in the tree
    and jump to the again: label, rather than following the natural loop
    structure. This requires duplicating some of the loop head actions.

    This was tested using the python socketpair python code attached to
    the bugzilla issue.

    Signed-off-by: Aaron Conole <aconole@bytheb.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 38bd9af57d22d9de63c8a8ebb647fbea1f55d887
Author: Aaron Conole <aconole@bytheb.org>
Date:   Sat Sep 26 18:50:42 2015 -0400

    af_unix: Convert the unix_sk macro to an inline function for type safety

    [ Upstream commit 4613012db1d911f80897f9446a49de817b2c4c47 ]

    As suggested by Eric Dumazet this change replaces the
    #define with a static inline function to enjoy
    complaints by the compiler when misusing the API.

    Signed-off-by: Aaron Conole <aconole@bytheb.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c859b74e5a49244ddf6734ef42f365f3814f3227
Author: Alexander Couzens <lynxis@fe80.eu>
Date:   Mon Sep 28 11:32:42 2015 +0200

    l2tp: protect tunnel->del_work by ref_count

    [ Upstream commit 06a15f51cf3618e32a73871ee6a547ef7fd902b5 ]

    There is a small chance that tunnel_free() is called before tunnel->del_work scheduled
    resulting in a zero pointer dereference.

    Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
    Acked-by: James Chapman <jchapman@katalix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 645d5160d3e33b256e897b26270f8c944eec67d8
Author: Jan Kara <jack@suse.com>
Date:   Tue Jul 28 14:57:14 2015 -0400

    jbd2: avoid infinite loop when destroying aborted journal

    [ Upstream commit 841df7df196237ea63233f0f9eaa41db53afd70f ]

    Commit 6f6a6fda2945 "jbd2: fix ocfs2 corrupt when updating journal
    superblock fails" changed jbd2_cleanup_journal_tail() to return EIO
    when the journal is aborted. That makes logic in
    jbd2_log_do_checkpoint() bail out which is fine, except that
    jbd2_journal_destroy() expects jbd2_log_do_checkpoint() to always make
    a progress in cleaning the journal. Without it jbd2_journal_destroy()
    just loops in an infinite loop.

    Fix jbd2_journal_destroy() to cleanup journal checkpoint lists of
    jbd2_log_do_checkpoint() fails with error.

    Reported-by: Eryu Guan <guaneryu@gmail.com>
    Tested-by: Eryu Guan <guaneryu@gmail.com>
    Fixes: 6f6a6fda294506dfe0e3e0a253bb2d2923f28f0a
    Signed-off-by: Jan Kara <jack@suse.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6df34de6c5d05d6fa7d99d000a18b84a446095e8
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Sat Oct 31 16:39:51 2015 -0400

    Linux 3.18.24

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5f8c7ff19975a9d78d07265a00d79bff3e168a78
Author: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
Date:   Fri Oct 2 08:27:05 2015 +0000

    tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c

    [ Upstream commit e81107d4c6bd098878af9796b24edc8d4a9524fd ]

    My colleague ran into a program stall on a x86_64 server, where
    n_tty_read() was waiting for data even if there was data in the buffer
    in the pty.  kernel stack for the stuck process looks like below.
     #0 [ffff88303d107b58] __schedule at ffffffff815c4b20
     #1 [ffff88303d107bd0] schedule at ffffffff815c513e
     #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818
     #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2
     #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23
     #5 [ffff88303d107dd0] tty_read at ffffffff81368013
     #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704
     #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57
     #8 [ffff88303d107f00] sys_read at ffffffff811a4306
     #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7

    There seems to be two problems causing this issue.

    First, in drivers/tty/n_tty.c, __receive_buf() stores the data and
    updates ldata->commit_head using smp_store_release() and then checks
    the wait queue using waitqueue_active().  However, since there is no
    memory barrier, __receive_buf() could return without calling
    wake_up_interactive_poll(), and at the same time, n_tty_read() could
    start to wait in wait_woken() as in the following chart.

            __receive_buf()                         n_tty_read()
    ------------------------------------------------------------------------
    if (waitqueue_active(&tty->read_wait))
    /* Memory operations issued after the
       RELEASE may be completed before the
       RELEASE operation has completed */
                                            add_wait_queue(&tty->read_wait, &wait);
                                            ...
                                            if (!input_available_p(tty, 0)) {
    smp_store_release(&ldata->commit_head,
                      ldata->read_head);
                                            ...
                                            timeout = wait_woken(&wait,
                                              TASK_INTERRUPTIBLE, timeout);
    ------------------------------------------------------------------------

    The second problem is that n_tty_read() also lacks a memory barrier
    call and could also cause __receive_buf() to return without calling
    wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken()
    as in the chart below.

            __receive_buf()                         n_tty_read()
    ------------------------------------------------------------------------
                                            spin_lock_irqsave(&q->lock, flags);
                                            /* from add_wait_queue() */
                                            ...
                                            if (!input_available_p(tty, 0)) {
                                            /* Memory operations issued after the
                                               RELEASE may be completed before the
                                               RELEASE operation has completed */
    smp_store_release(&ldata->commit_head,
                      ldata->read_head);
    if (waitqueue_active(&tty->read_wait))
                                            __add_wait_queue(q, wait);
                                            spin_unlock_irqrestore(&q->lock,flags);
                                            /* from add_wait_queue() */
                                            ...
                                            timeout = wait_woken(&wait,
                                              TASK_INTERRUPTIBLE, timeout);
    ------------------------------------------------------------------------

    There are also other places in drivers/tty/n_tty.c which have similar
    calls to waitqueue_active(), so instead of adding many memory barrier
    calls, this patch simply removes the call to waitqueue_active(),
    leaving just wake_up*() behind.

    This fixes both problems because, even though the memory access before
    or after the spinlocks in both wake_up*() and add_wait_queue() can
    sneak into the critical section, it cannot go past it and the critical
    section assures that they will be serialized (please see "INTER-CPU
    ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a
    better explanation).  Moreover, the resulting code is much simpler.

    Latency measurement using a ping-pong test over a pty doesn't show any
    visible performance drop.

    Signed-off-by: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit cfe6deeecd4098b743a4d50825a112893465738e
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Sat Oct 31 08:54:32 2015 -0400

    Revert "tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c"

    This reverts commit af32cc7bde6304dac92e6a74fe4b2cc8120cb29a.

    The commit was incorrectly backported and was causing hangs.

    Reported-by: Corey Wright <undefined@pobox.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 343f9bd48a7d3b6399542bf50762371ee44ed70f
Author: Sasha Levin <sasha.levin@oracle.com>
Date:   Wed Oct 28 22:49:46 2015 -0400

    Linux 3.18.23

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5ef609bbdc4845085488543b1c67d550f705e090
Author: Steven Rostedt <rostedt@goodmis.org>
Date:   Fri Feb 27 14:50:19 2015 -0500

    x86: Init per-cpu shadow copy of CR4 on 32-bit CPUs too

    [ Upstream commit 5b2bdbc84556774afbe11bcfd24c2f6411cfa92b ]

    Commit:

       1e02ce4cccdc ("x86: Store a per-cpu shadow copy of CR4")

    added a shadow CR4 such that reads and writes that do not
    modify the CR4 execute much faster than always reading the
    register itself.

    The change modified cpu_init() in common.c, so that the
    shadow CR4 gets initialized before anything uses it.

    Unfortunately, there's two cpu_init()s in common.c. There's
    one for 64-bit and one for 32-bit. The commit only added
    the shadow init to the 64-bit path, but the 32-bit path
    needs the init too.

    Link: http://lkml.kernel.org/r/20150227125208.71c36402@gandalf.local.home Fixes: 1e02ce4cccdc "x86: Store a per-cpu shadow copy of CR4"
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Acked-by: Andy Lutomirski <luto@amacapital.net>
    Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/20150227145019.2bdd4354@gandalf.local.home
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 12b34f06d178859239282182dc2951873ec8818f
Author: Christoph Hellwig <hch@lst.de>
Date:   Sat Oct 3 19:16:07 2015 +0200

    3w-9xxx: don't unmap bounce buffered commands

    [ Upstream commit 15e3d5a285ab9283136dba34bbf72886d9146706 ]

    3w controller don't dma map small single SGL entry commands but instead
    bounce buffer them.  Add a helper to identify these commands and don't
    call scsi_dma_unmap for them.

    Based on an earlier patch from James Bottomley.

    Fixes: 118c85 ("3w-9xxx: fix command completion race")
    Reported-by: Tóth Attila <atoth@atoth.sote.hu>
    Tested-by: Tóth Attila <atoth@atoth.sote.hu>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Acked-by: Adam Radford <aradford@gmail.com>
    Signed-off-by: James Bottomley <JBottomley@Odin.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2c74d22246d30a2c6205e30d8b52b93870586200
Author: Roland Dreier <roland@purestorage.com>
Date:   Mon Oct 5 10:29:28 2015 -0700

    fib_rules: Fix dump_rules() not to exit early

    [ Upstream commit 8ea4b34355189e1f1eacaf2d825f2dce776b3b9c ]

    Backports of 41fc014332d9 ("fib_rules: fix fib rule dumps across
    multiple skbs") introduced a regression in "ip rule show" - it ends up
    dumping the first rule over and over and never exiting, because 3.19
    and earlier are missing commit 053c095a82cf ("netlink: make
    nlmsg_end() and genlmsg_end() void"), so fib_nl_fill_rule() ends up
    returning skb->len (i.e. > 0) in the success case.

    Fix this by checking the return code for < 0 instead of != 0.

    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 36afb7233c204099f1f81395e72d0aa2ec3230ac
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Sat Aug 15 20:27:13 2015 -0500

    vfs: Test for and handle paths that are unreachable from their mnt_root

    [ Upstream commit 397d425dc26da728396e66d392d5dcb8dac30c37 ]

    In rare cases a directory can be renamed out from under a bind mount.
    In those cases without special handling it becomes possible to walk up
    the directory tree to the root dentry of the filesystem and down
    from the root dentry to every other file or directory on the filesystem.

    Like division by zero .. from an unconnected path can not be given
    a useful semantic as there is no predicting at which path component
    the code will realize it is unconnected.  We certainly can not match
    the current behavior as the current behavior is a security hole.

    Therefore when encounting .. when following an unconnected path
    return -ENOENT.

    - Add a function path_connected to verify path->dentry is reachable
      from path->mnt.mnt_root.  AKA to validate that rename did not do
      something nasty to the bind mount.

      To avoid races path_connected must be called after following a path
      component to it's next path component.

    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 846a6c3fdedbea41f9787f6dbc9f1b0b081fb518
Author: NeilBrown <neilb@suse.com>
Date:   Wed Jul 22 10:20:07 2015 +1000

    md: flush ->event_work before stopping array.

    [ Upstream commit ee5d004fd0591536a061451eba2b187092e9127c ]

    The 'event_work' worker used by dm-raid may still be running
    when the array is stopped.  This can result in an oops.

    So flush the workqueue on which it is run after detaching
    and before destroying the device.

    Reported-by: Heinz Mauelshagen <heinzm@redhat.com>
    Signed-off-by: NeilBrown <neilb@suse.com>
    Cc: stable@vger.kernel.org (2.6.38+ please delay 2 weeks after -final release)
    Fixes: 9d09e663d550 ("dm: raid456 basic support")
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 307a1c1213513f41dd39b40aae0291f16adc6b7b
Author: Andy Lutomirski <luto@kernel.org>
Date:   Sun Sep 20 16:32:05 2015 -0700

    x86/nmi/64: Fix a paravirt stack-clobbering bug in the NMI code

    [ Upstream commit 83c133cf11fb0e68a51681447e372489f052d40e ]

    The NMI entry code that switches to the normal kernel stack needs to
    be very careful not to clobber any extra stack slots on the NMI
    stack.  The code is fine under the assumption that SWAPGS is just a
    normal instruction, but that assumption isn't really true.  Use
    SWAPGS_UNSAFE_STACK instead.

    This is part of a fix for some random crashes that Sasha saw.

    Fixes: 9b6e6a8334d5 ("x86/nmi/64: Switch stacks on userspace NMI entry")
    Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/974bc40edffdb5c2950a5c4977f821a446b76178.1442791737.git.luto@kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c93f6e1ee3a8db372b6527030f6bd2eb97474476
Author: Markus Pargmann <mpa@pengutronix.de>
Date:   Wed Jul 29 15:46:03 2015 +0200

    Revert "iio: bmg160: IIO_BUFFER and IIO_TRIGGERED_BUFFER are required"

    [ Upstream commit HEAD ]

    This reverts commit 279c039ca63acbd69e69d6d7ddfed50346fb2185 which was
    commit 06d2f6ca5a38abe92f1f3a132b331eee773868c3 upstream as it should
    not have been applied.

    Reported-by: Luis Henriques <luis.henriques@canonical.com>
    Cc: Markus Pargmann <mpa@pengutronix.de>
    Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Cc: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

    (cherry picked from commit 934d9b907aeec5f344ca801ed7361551199dfc69)
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c1b3815f362ef76e27553e70d4ec54ce8951aeac
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Mon Jul 13 16:04:13 2015 +0800

    net: Fix skb_set_peeked use-after-free bug

    [ Upstream commit a0a2a6602496a45ae838a96db8b8173794b5d398 ]

    The commit 738ac1ebb96d02e0d23bc320302a6ea94c612dec ("net: Clone
    skb before setting peeked flag") introduced a use-after-free bug
    in skb_recv_datagram.  This is because skb_set_peeked may create
    a new skb and free the existing one.  As it stands the caller will
    continue to use the old freed skb.

    This patch fixes it by making skb_set_peeked return the new skb
    (or the old one if unchanged).

    Fixes: 738ac1ebb96d ("net: Clone skb before setting peeked flag")
    Reported-by: Brenden Blanco <bblanco@plumgrid.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Tested-by: Brenden Blanco <bblanco@plumgrid.com>
    Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6402732251519e7cc44949e7621cb24c8a3dd5dc
Author: Yinghai Lu <yinghai@kernel.org>
Date:   Fri Sep 4 15:42:39 2015 -0700

    mm: check if section present during memory block registering

    [ Upstream commit 04697858d89e4bf2650364f8d6956e2554e8ef88 ]

    Tony Luck found on his setup, if memory block size 512M will cause crash
    during booting.

      BUG: unable to handle kernel paging request at ffffea0074000020
      IP: get_nid_for_pfn+0x17/0x40
      PGD 128ffcb067 PUD 128ffc9067 PMD 0
      Oops: 0000 [#1] SMP
      Modules linked in:
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc8 #1
      ...
      Call Trace:
         ? register_mem_sect_under_node+0x66/0xe0
         register_one_node+0x17b/0x240
         ? pci_iommu_alloc+0x6e/0x6e
         topology_init+0x3c/0x95
         do_one_initcall+0xcd/0x1f0

    The system has non continuous RAM address:
     BIOS-e820: [mem 0x0000001300000000-0x0000001cffffffff] usable
     BIOS-e820: [mem 0x0000001d70000000-0x0000001ec7ffefff] usable
     BIOS-e820: [mem 0x0000001f00000000-0x0000002bffffffff] usable
     BIOS-e820: [mem 0x0000002c18000000-0x0000002d6fffefff] usable
     BIOS-e820: [mem 0x0000002e00000000-0x00000039ffffffff] usable

    So there are start sections in memory block not present.  For example:

        memory block : [0x2c18000000, 0x2c20000000) 512M

    first three sections are not present.

    The current register_mem_sect_under_node() assume first section is
    present, but memory block section number range [start_section_nr,
    end_section_nr] would include not present section.

    For arch that support vmemmap, we don't setup memmap for struct page
    area within not present sections area.

    So skip the pfn range that belong to absent section.

    [akpm@linux-foundation.org: simplification]
    [rientjes@google.com: more simplification]
    Fixes: bdee237c0343 ("x86: mm: Use 2GB memory block size on large memory x86-64 systems")
    Fixes: 982792c782ef ("x86, mm: probe memory block size for generic x86 64bit")
    Signed-off-by: Yinghai Lu <yinghai@kernel.org>
    Signed-off-by: David Rientjes <rientjes@google.com>
    Reported-by: Tony Luck <tony.luck@intel.com>
    Tested-by: Tony Luck <tony.luck@intel.com>
    Cc: Greg KH <greg@kroah.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Tested-by: David Rientjes <rientjes@google.com>
    Cc: <stable@vger.kernel.org>    [3.15+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 49577c854b5dbf004acb57037596ab5b39c800aa
Author: Mikulas Patocka <mikulas@twibright.com>
Date:   Wed Sep 2 22:51:53 2015 +0200

    hpfs: update ctime and mtime on directory modification

    [ Upstream commit f49a26e7718dd30b49e3541e3e25aecf5e7294e2 ]

    Update ctime and mtime when a directory is modified. (though OS/2 doesn't
    update them anyway)

    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@kernel.org   # v3.3+
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 84d2f08ca422687a306f31388c3cfda000eae355
Author: Grant Likely <grant.likely@linaro.org>
Date:   Sun Jun 7 15:20:11 2015 +0100

    drivercore: Fix unregistration path of platform devices

    [ Upstream commit 7f5dcaf1fdf289767a126a0a5cc3ef39b5254b06 ]

    The unregister path of platform_device is broken. On registration, it
    will register all resources with either a parent already set, or
    type==IORESOURCE_{IO,MEM}. However, on unregister it will release
    everything with type==IORESOURCE_{IO,MEM}, but ignore the others. There
    are also cases where resources don't get registered in the first place,
    like with devices created by of_platform_populate()*.

    Fix the unregister path to be symmetrical with the register path by
    checking the parent pointer instead of the type field to decide which
    resources to unregister. This is safe because the upshot of the
    registration path algorithm is that registered resources have a parent
    pointer, and non-registered resources do not.

    * It can be argued that of_platform_populate() should be registering
      it's resources, and they argument has some merit. However, there are
      quite a few platforms that end up broken if we try to do that due to
      overlapping resources in the device tree. Until that is fixed, we need
      to solve the immediate problem.

    Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
    Cc: Wolfram Sang <wsa@the-dreams.de>
    Cc: Rob Herring <robh@kernel.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
    Signed-off-by: Grant Likely <grant.likely@linaro.org>
    Tested-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
    Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ee491c0c341c43a9aac4a44255e8a801e8233955
Author: Vignesh R <vigneshr@ti.com>
Date:   Wed Jun 3 17:21:20 2015 +0530

    ARM: OMAP2+: DRA7: clockdomain: change l4per2_7xx_clkdm to SW_WKUP

    [ Upstream commit b9e23f321940d2db2c9def8ff723b8464fb86343 ]

    Legacy IPs like PWMSS, present under l4per2_7xx_clkdm, cannot support
    smart-idle when its clock domain is in HW_AUTO on DRA7 SoCs. Hence,
    program clock domain to SW_WKUP.

    Signed-off-by: Vignesh R <vigneshr@ti.com>
    Acked-by: Tero Kristo <t-kristo@ti.com>
    Reviewed-by: Paul Walmsley <paul@pwsan.com>
    Signed-off-by: Paul Walmsley <paul@pwsan.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6e95689dd460d525a65be7158f31f52323812654
Author: David Daney <david.daney@cavium.com>
Date:   Wed Aug 19 13:17:47 2015 -0700

    of/address: Don't loop forever in of_find_matching_node_by_address().

    [ Upstream commit 3a496b00b6f90c41bd21a410871dfc97d4f3c7ab ]

    If the internal call to of_address_to_resource() fails, we end up
    looping forever in of_find_matching_node_by_address().  This can be
    caused by a defective device tree, or calling with an incorrect
    matches argument.

    Fix by calling of_find_matching_node() unconditionally at the end of
    the loop.

    Signed-off-by: David Daney <david.daney@cavium.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e5c96a79865c62e593b41eb69153be15cc66b41e
Author: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Date:   Mon Jul 20 17:27:21 2015 +0530

    auxdisplay: ks0108: fix refcount

    [ Upstream commit bab383de3b84e584b0f09227151020b2a43dc34c ]

    parport_find_base() will implicitly do parport_get_port() which
    increases the refcount. Then parport_register_device() will again
    increment the refcount. But while unloading the module we are only
    doing parport_unregister_device() decrementing the refcount only once.
    We add an parport_put_port() to neutralize the effect of
    parport_get_port().

    Cc: <stable@vger.kernel.org> # 2.6.32+
    Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e451bf46db1a1fda75428c29de0137b20946580f
Author: Peter Chen <peter.chen@freescale.com>
Date:   Fri Jul 31 16:36:29 2015 +0800

    Doc: ABI: testing: configfs-usb-gadget-sourcesink

    [ Upstream commit 4bc58eb16bb2352854b9c664cc36c1c68d2bfbb7 ]

    Fix the name of attribute

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Peter Chen <peter.chen@freescale.com>
    Signed-off-by: Felipe Balbi <balbi@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 930acc5024169d705c7debdf5fa30a8e8ae84788
Author: Peter Chen <peter.chen@freescale.com>
Date:   Fri Jul 31 16:36:28 2015 +0800

    Doc: ABI: testing: configfs-usb-gadget-loopback

    [ Upstream commit 8cd50626823c00ca7472b2f61cb8c0eb9798ddc0 ]

    Fix the name of attribute

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Peter Chen <peter.chen@freescale.com>
    Signed-off-by: Felipe Balbi <balbi@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5062f6012e4022cde01727b831454e981a070306
Author: Masahiro Yamada <yamada.masahiro@socionext.com>
Date:   Wed Jul 15 10:29:00 2015 +0900

    devres: fix devres_get()

    [ Upstream commit 64526370d11ce8868ca495723d595b61e8697fbf ]

    Currently, devres_get() passes devres_free() the pointer to devres,
    but devres_free() should be given with the pointer to resource data.

    Fixes: 9ac7849e35f7 ("devres: device resource management")
    Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    Acked-by: Tejun Heo <tj@kernel.org>
    Cc: stable <stable@vger.kernel.org> # 2.6.21+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 75f411869a2a2b72cadc077e1bf44338bb869d82
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Thu Jul 16 10:41:02 2015 +0300

    xtensa: fix kernel register spilling

    [ Upstream commit 77d6273e79e3a86552fcf10cdd31a69b46ed2ce6 ]

    call12 can't be safely used as the first call in the inline function,
    because the compiler does not extend the stack frame of the bounding
    function accordingly, which may result in corruption of local variables.

    If a call needs to be done, do call8 first followed by call12.

    For pure assembly code in _switch_to increase stack frame size of the
    bounding function.

    Cc: stable@vger.kernel.org
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 493c0e290d349e4821558a575061d98193ba5115
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Sat Jul 4 15:27:39 2015 +0300

    xtensa: fix threadptr reload on return to userspace

    [ Upstream commit 4229fb12a03e5da5882b420b0aa4a02e77447b86 ]

    Userspace return code may skip restoring THREADPTR register if there are
    no registers that need to be zeroed. This leads to spurious failures in
    libc NPTL tests.

    Always restore THREADPTR on return to userspace.

    Cc: stable@vger.kernel.org
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3d5f09649ae556201f93c1e4be967aaf2b920744
Author: Xiao Guangrong <guangrong.xiao@linux.intel.com>
Date:   Wed Aug 5 12:04:19 2015 +0800

    KVM: MMU: fix validation of mmio page fault

    [ Upstream commit 6f691251c0350ac52a007c54bf3ef62e9d8cdc5e ]

    We got the bug that qemu complained with "KVM: unknown exit, hardware
    reason 31" and KVM shown these info:
    [84245.284948] EPT: Misconfiguration.
    [84245.285056] EPT: GPA: 0xfeda848
    [84245.285154] ept_misconfig_inspect_spte: spte 0x5eaef50107 level 4
    [84245.285344] ept_misconfig_inspect_spte: spte 0x5f5fadc107 level 3
    [84245.285532] ept_misconfig_inspect_spte: spte 0x5141d18107 level 2
    [84245.285723] ept_misconfig_inspect_spte: spte 0x52e40dad77 level 1

    This is because we got a mmio #PF and the handler see the mmio spte becomes
    normal (points to the ram page)

    However, this is valid after introducing fast mmio spte invalidation which
    increases the generation-number instead of zapping mmio sptes, a example
    is as follows:
    1. QEMU drops mmio region by adding a new memslot
    2. invalidate all mmio sptes
    3.

            VCPU 0                        VCPU 1
        access the invalid mmio spte
                                access the region originally was MMIO before
                                set the spte to the normal ram map

        mmio #PF
        check the spte and see it becomes normal ram mapping !!!

    This patch fixes the bug just by dropping the check in mmio handler, it's
    good for backport. Full check will be introduced in later patches

    Reported-by: Pavel Shirshov <ru.pchel@gmail.com>
    Tested-by: Pavel Shirshov <ru.pchel@gmail.com>
    Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 06cab2593619a6ed6fee26dbdd55fa521f14f9f0
Author: Don Zickus <dzickus@redhat.com>
Date:   Mon Aug 10 12:06:53 2015 -0400

    HID: usbhid: Fix the check for HID_RESET_PENDING in hid_io_error

    [ Upstream commit 3af4e5a95184d6d3c1c6a065f163faa174a96a1d ]

    It was reported that after 10-20 reboots, a usb keyboard plugged
    into a docking station would not work unless it was replugged in.

    Using usbmon, it turns out the interrupt URBs were streaming with
    callback errors of -71 for some reason.  The hid-core.c::hid_io_error was
    supposed to retry and then reset, but the reset wasn't really happening.

    The check for HID_NO_BANDWIDTH was inverted.  Fix was simple.

    Tested by reporter and locally by me by unplugging a keyboard halfway until I
    could recreate a stream of errors but no disconnect.

    Signed-off-by: Don Zickus <dzickus@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit d72174a6d7cbdf965458c586eb736e40bd81f215
Author: Andrey Ryabinin <aryabinin@odin.com>
Date:   Thu Sep 3 14:32:01 2015 +0300

    crypto: ghash-clmulni: specify context size for ghash async algorithm

    [ Upstream commit 71c6da846be478a61556717ef1ee1cea91f5d6a8 ]

    Currently context size (cra_ctxsize) doesn't specified for
    ghash_async_alg. Which means it's zero. Thus crypto_create_tfm()
    doesn't allocate needed space for ghash_async_ctx, so any
    read/write to ctx (e.g. in ghash_async_init_tfm()) is not valid.

    Cc: stable@vger.kernel.org
    Signed-off-by: Andrey Ryabinin <aryabinin@odin.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0df02ec634dc9ace6854b1e11c692c116aaf35fe
Author: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Date:   Sun Aug 2 23:11:52 2015 +0200

    serial: 8250: don't bind to SMSC IrCC IR port

    [ Upstream commit ffa34de03bcfbfa88d8352942bc238bb48e94e2d ]

    SMSC IrCC SIR/FIR port should not be bound to by
    (legacy) serial driver so its own driver (smsc-ircc2)
    can bind to it.

    Signed-off-by: Maciej Szmigiero <mail@maciej.szmigiero.name>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 63bdd88aebe05c01c64bfce68ffeaf2697c7007d
Author: Peter Chen <peter.chen@freescale.com>
Date:   Mon Aug 17 10:23:03 2015 +0800

    usb: host: ehci-sys: delete useless bus_to_hcd conversion

    [ Upstream commit 0521cfd06e1ebcd575e7ae36aab068b38df23850 ]

    The ehci platform device's drvdata is the pointer of struct usb_hcd
    already, so we doesn't need to call bus_to_hcd conversion again.

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Peter Chen <peter.chen@freescale.com>
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2c9fef0a33b224c6e3b9083d6b3ac1966f5e5df2
Author: Kishon Vijay Abraham I <kishon@ti.com>
Date:   Mon Jul 27 12:25:27 2015 +0530

    usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512 bytes

    [ Upstream commit b2fb5b1a0f50d3ebc12342c8d8dead245e9c9d4e ]

    DWC3 uses bounce buffer to handle non max packet aligned OUT transfers and
    the size of bounce buffer is 512 bytes. However if the host initiates OUT
    transfers of size more than 512 bytes (and non max packet aligned), the
    driver throws a WARN dump but still programs the TRB to receive more than
    512 bytes. This will cause bounce buffer to overflow and corrupt the
    adjacent memory locations which can be fatal.

    Fix it by programming the TRB to receive a maximum of DWC3_EP0_BOUNCE_SIZE
    (512) bytes.

    Cc: <stable@vger.kernel.org> # 3.4+
    Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
    Signed-off-by: Felipe Balbi <balbi@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a3c1260650e176f211f9cbc1cfc8cbad570784dd
Author: Matthijs Kooijman <matthijs@stdin.nl>
Date:   Tue Aug 18 10:33:56 2015 +0200

    USB: ftdi_sio: Added custom PID for CustomWare products

    [ Upstream commit 1fb8dc36384ae1140ee6ccc470de74397606a9d5 ]

    CustomWare uses the FTDI VID with custom PIDs for their ShipModul MiniPlex
    products.

    Signed-off-by: Matthijs Kooijman <matthijs@stdin.nl>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2d2438f4ad4f57732fc2c44380c95ad5955984d2
Author: Philipp Hachtmann <hachti@hachti.de>
Date:   Mon Aug 17 17:31:46 2015 +0200

    USB: symbolserial: Use usb_get_serial_port_data

    [ Upstream commit 951d3793bbfc0a441d791d820183aa3085c83ea9 ]

    The driver used usb_get_serial_data(port->serial) which compiled but resulted
    in a NULL pointer being returned (and subsequently used). I did not go deeper
    into this but I guess this is a regression.

    Signed-off-by: Philipp Hachtmann <hachti@hachti.de>
    Fixes: a85796ee5149 ("USB: symbolserial: move private-data allocation to
    port_probe")
    Cc: stable <stable@vger.kernel.org>     # v3.10
    Acked-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 28fe0e4f55fd669f5f629bc763d3b8cf399e2467
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Fri Jun 19 15:58:24 2015 -0500

    PCI: Fix TI816X class code quirk

    [ Upstream commit d1541dc977d376406f4584d8eb055488655c98ec ]

    In fixup_ti816x_class(), we assigned "class = PCI_CLASS_MULTIMEDIA_VIDEO".
    But PCI_CLASS_MULTIMEDIA_VIDEO is only the two-byte base class/sub-class
    and needs to be shifted to make space for the low-order interface byte.

    Shift PCI_CLASS_MULTIMEDIA_VIDEO to set the correct class code.

    Fixes: 63c4408074cb ("PCI: Add quirk for setting valid class for TI816X Endpoint")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    CC: Hemant Pedanekar <hemantp@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 63f29ebd76d06f0eadd2de6987b94bfb86ca7dab
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Jul 29 13:17:06 2015 +0300

    clk: versatile: off by one in clk_sp810_timerclken_of_get()

    [ Upstream commit 3294bee87091be5f179474f6c39d1d87769635e2 ]

    The ">" should be ">=" or we end up reading beyond the end of the array.

    Fixes: 6e973d2c4385 ('clk: vexpress: Add separate SP810 driver')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Pawel Moll <pawel.moll@arm.com>
    Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 25eabc9328cbd27e52d20010682151f0493cd0c8
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Tue Aug 11 13:05:10 2015 +0100

    staging: comedi: adl_pci7x3x: fix digital output on PCI-7230

    [ Upstream commit ad83dbd974feb2e2a8cc071a1d28782bd4d2c70e ]

    The "adl_pci7x3x" driver replaced the "adl_pci7230" and "adl_pci7432"
    drivers in commits 8f567c373c4b ("staging: comedi: new adl_pci7x3x
    driver") and 657f77d173d3 ("staging: comedi: remove adl_pci7230 and
    adl_pci7432 drivers").  Although the new driver code agrees with the
    user manuals for the respective boards, digital outputs stopped working
    on the PCI-7230.  This has 16 digital output channels and the previous
    adl_pci7230 driver shifted the 16 bit output state left by 16 bits
    before writing to the hardware register.  The new adl_pci7x3x driver
    doesn't do that.  Fix it in `adl_pci7x3x_do_insn_bits()` by checking
    for the special case of the subdevice having only 16 channels and
    duplicating the 16 bit output state into both halves of the 32-bit
    register.  That should work both for what the board actually does and
    for what the user manual says it should do.

    Fixes: 8f567c373c4b ("staging: comedi: new adl_pci7x3x driver")
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Cc: <stable@vger.kernel.org> # 3.13+, needs backporting for 3.7 to 3.12
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f452eb1887c18b83ea991781c413cf9e88a86863
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Aug 5 15:38:15 2015 +0200

    iio: adis16480: Fix scale factors

    [ Upstream commit 7abad1063deb0f77d275c61f58863ec319c58c5c ]

    The different devices support by the adis16480 driver have slightly
    different scales for the gyroscope and accelerometer channels.

    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 12958c6062a0075074e16131ef4837cfecc3b8de
Author: Lars-Peter Clausen <lars@metafoo.de>
Date:   Wed Aug 5 15:38:14 2015 +0200

    iio: Add inverse unit conversion macros

    [ Upstream commit c689a923c867eac40ed3826c1d9328edea8b6bc7 ]

    Add inverse unit conversion macro to convert from standard IIO units to
    units that might be used by some devices.

    Those are useful in combination with scale factors that are specified as
    IIO_VAL_FRACTIONAL. Typically the denominator for those specifications will
    contain the maximum raw value the sensor will generate and the numerator
    the value it maps to in a specific unit. Sometimes datasheets specify those
    in different units than the standard IIO units (e.g. degree/s instead of
    rad/s) and so we need to do a unit conversion.

    From a mathematical point of view it does not make a difference whether we
    apply the unit conversion to the numerator or the inverse unit conversion
    to the denominator since (x / y) / z = x / (y * z). But as the denominator
    is typically a larger value and we are rounding both the numerator and
    denominator to integer values using the later method gives us a better
    precision (E.g. the relative error is smaller if we round 8000.3 to 8000
    rather than rounding 8.3 to 8).

    This is where in inverse unit conversion macros will be used.

    Marked for stable as used by some upcoming fixes.

    Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 32163777a11a84449114c304848a884f3f5ed887
Author: Cristina Opriceana <cristina.opriceana@gmail.com>
Date:   Mon Aug 3 13:37:40 2015 +0300

    iio: industrialio-buffer: Fix iio_buffer_poll return value

    [ Upstream commit 1bdc0293901cbea23c6dc29432e81919d4719844 ]

    Change return value to 0 if no device is bound since
    unsigned int cannot support negative error codes.

    Fixes: f18e7a068 ("iio: Return -ENODEV for file operations if the
    device has been unregistered")

    Signed-off-by: Cristina Opriceana <cristina.opriceana@gmail.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1c979a10452b6bb7b22a3756fa0b374720179543
Author: Cristina Opriceana <cristina.opriceana@gmail.com>
Date:   Mon Aug 3 13:00:47 2015 +0300

    iio: event: Remove negative error code from iio_event_poll

    [ Upstream commit 41d903c00051d8f31c98a8136edbac67e6f8688f ]

    Negative return values are not supported by iio_event_poll since
    its return type is unsigned int.

    Fixes: f18e7a068a0a3 ("iio: Return -ENODEV for file operations if the device has been unregistered")

    Signed-off-by: Cristina Opriceana <cristina.opriceana@gmail.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0b7a7c0416bd481cb4c9e10cca496f3b1dc56c35
Author: Markus Pargmann <mpa@pengutronix.de>
Date:   Wed Jul 29 15:46:03 2015 +0200

    iio: bmg160: IIO_BUFFER and IIO_TRIGGERED_BUFFER are required

    [ Upstream commit 06d2f6ca5a38abe92f1f3a132b331eee773868c3 ]

    This patch adds selects for IIO_BUFFER and IIO_TRIGGERED_BUFFER. Without
    IIO_BUFFER, the driver does not compile.

    Signed-off-by: Markus Pargmann <mpa@pengutronix.de>
    Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <jic23@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a03140d0a726899c457fe95b81dfd2bd49d967f4
Author: Sebastian Ott <sebott@linux.vnet.ibm.com>
Date:   Thu Jun 25 09:32:22 2015 +0200

    s390/sclp: fix compile error

    [ Upstream commit a313bdc5310dd807655d3ca3eb2219cd65dfe45a ]

    Fix this error when compiling with CONFIG_SMP=n and
    CONFIG_DYNAMIC_DEBUG=y:

    drivers/s390/char/sclp_early.c: In function 'sclp_read_info_early':
    drivers/s390/char/sclp_early.c:87:19: error: 'EBUSY' undeclared (first use in this function)
       } while (rc == -EBUSY);
                       ^

    Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 510b6c73f2ba293b6c69af9353f6989bbd213e19
Author: Jonathon Jongsma <jjongsma@redhat.com>
Date:   Thu Aug 20 14:04:32 2015 -0500

    drm/qxl: validate monitors config modes

    [ Upstream commit bd3e1c7c6de9f5f70d97cdb6c817151c0477c5e3 ]

    Due to some recent changes in
    drm_helper_probe_single_connector_modes_merge_bits(), old custom modes
    were not being pruned properly. In current kernels,
    drm_mode_validate_basic() is called to sanity-check each mode in the
    list. If the sanity-check passes, the mode's status gets set to to
    MODE_OK. In older kernels this check was not done, so old custom modes
    would still have a status of MODE_UNVERIFIED at this point, and would
    therefore be pruned later in the function.

    As a result of this new behavior, the list of modes for a device always
    includes every custom mode ever configured for the device, with the
    largest one listed first. Since desktop environments usually choose the
    first preferred mode when a hotplug event is emitted, this had the
    result of making it very difficult for the user to reduce the size of
    the display.

    The qxl driver did implement the mode_valid connector function, but it
    was empty. In order to restore the old behavior where old custom modes
    are pruned, we implement a proper mode_valid function for the qxl
    driver. This function now checks each mode against the last configured
    custom mode and the list of standard modes. If the mode doesn't match
    any of these, its status is set to MODE_BAD so that it will be pruned as
    expected.

    Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 97c4f73e690d584945ace96f2dc10ebae63a2180
Author: Stephen Chandler Paul <cpaul@redhat.com>
Date:   Fri Aug 21 14:16:12 2015 -0400

    drm/amdgpu: Don't link train DisplayPort on HPD until we get the dpcd

    [ Upstream commit a887adadb7b9ef9eb4ee48e4ad575aefcfd1db14 ]

    This is a port of:
    DRM - radeon: Don't link train DisplayPort on HPD until we get the dpcd
    to amdgpu.

    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2c8818052d31bdc57b78ccbdbc1298479bc80d51
Author: Joonsoo Kim <js1304@gmail.com>
Date:   Thu Oct 1 15:36:54 2015 -0700

    mm/slab: fix unexpected index mapping result of kmalloc_size(INDEX_NODE+1)

    [ Upstream commit 03a2d2a3eafe4015412cf4e9675ca0e2d9204074 ]

    Commit description is copied from the original post of this bug:

      http://comments.gmane.org/gmane.linux.kernel.mm/135349

    Kernels after v3.9 use kmalloc_size(INDEX_NODE + 1) to get the next
    larger cache size than the size index INDEX_NODE mapping.  In kernels
    3.9 and earlier we used malloc_sizes[INDEX_L3 + 1].cs_size.

    However, sometimes we can't get the right output we expected via
    kmalloc_size(INDEX_NODE + 1), causing a BUG().

    The mapping table in the latest kernel is like:
        index = {0,   1,  2 ,  3,  4,   5,   6,   n}
         size = {0,   96, 192, 8, 16,  32,  64,   2^n}
    The mapping table before 3.10 is like this:
        index = {0 , 1 , 2,   3,  4 ,  5 ,  6,   n}
        size  = {32, 64, 96, 128, 192, 256, 512, 2^(n+3)}

    The problem on my mips64 machine is as follows:

    (1) When configured DEBUG_SLAB && DEBUG_PAGEALLOC && DEBUG_LOCK_ALLOC
        && DEBUG_SPINLOCK, the sizeof(struct kmem_cache_node) will be "150",
        and the macro INDEX_NODE turns out to be "2": #define INDEX_NODE
        kmalloc_index(sizeof(struct kmem_cache_node))

    (2) Then the result of kmalloc_size(INDEX_NODE + 1) is 8.

    (3) Then "if(size >= kmalloc_size(INDEX_NODE + 1)" will lead to "size
        = PAGE_SIZE".

    (4) Then "if ((size >= (PAGE_SIZE >> 3))" test will be satisfied and
        "flags |= CFLGS_OFF_SLAB" will be covered.

    (5) if (flags & CFLGS_OFF_SLAB)" test will be satisfied and will go to
        "cachep->slabp_cache = kmalloc_slab(slab_size, 0u)", and the result
        here may be NULL while kernel bootup.

    (6) Finally,"BUG_ON(ZERO_OR_NULL_PTR(cachep->slabp_cache));" causes the
        BUG info as the following shows (may be only mips64 has this problem):

    This patch fixes the problem of kmalloc_size(INDEX_NODE + 1) and removes
    the BUG by adding 'size >= 256' check to guarantee that all necessary
    small sized slabs are initialized regardless sequence of slab size in
    mapping table.

    Fixes: e33660165c90 ("slab: Use common kmalloc_index/kmalloc_size...")
    Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
    Reported-by: Liuhailong <liu.hailong6@zte.com.cn>
    Acked-by: Christoph Lameter <cl@linux.com>
    Cc: Pekka Enberg <penberg@kernel.org>
    Cc: David Rientjes <rientjes@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e3c2669ff76d4636d41907f08a31129cb2e02eac
Author: Prarit Bhargava <prarit@redhat.com>
Date:   Mon Jun 15 13:43:29 2015 -0400

    intel_pstate: Fix overflow in busy_scaled due to long delay

    [ Upstream commit 7180dddf7c32c49975c7e7babf2b60ed450cb760 ]

    The kernel may delay interrupts for a long time which can result in timers
    being delayed. If this occurs the intel_pstate driver will crash with a
    divide by zero error:

    divide error: 0000 [#1] SMP
    Modules linked in: btrfs zlib_deflate raid6_pq xor msdos ext4 mbcache jbd2 binfmt_misc arc4 md4 nls_utf8 cifs dns_resolver tcp_lp bnep bluetooth rfkill fuse dm_service_time iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi nf_conntrack_netbios_ns nf_conntrack_broadcast nf_conntrack_ftp ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter ip_tables intel_powerclamp coretemp vfat fat kvm_intel iTCO_wdt iTCO_vendor_support ipmi_devintf sr_mod kvm crct10dif_pclmul
     crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel cdc_ether lrw usbnet cdrom mii gf128mul glue_helper ablk_helper cryptd lpc_ich mfd_core pcspkr sb_edac edac_core ipmi_si ipmi_msghandler ioatdma wmi shpchp acpi_pad nfsd auth_rpcgss nfs_acl lockd uinput dm_multipath sunrpc xfs libcrc32c usb_storage sd_mod crc_t10dif crct10dif_common ixgbe mgag200 syscopyarea sysfillrect sysimgblt mdio drm_kms_helper ttm igb drm ptp pps_core dca i2c_algo_bit megaraid_sas i2c_core dm_mirror dm_region_hash dm_log dm_mod
    CPU: 113 PID: 0 Comm: swapper/113 Tainted: G        W   --------------   3.10.0-229.1.2.el7.x86_64 #1
    Hardware name: IBM x3950 X6 -[3837AC2]-/00FN827, BIOS -[A8E112BUS-1.00]- 08/27/2014
    task: ffff880fe8abe660 ti: ffff880fe8ae4000 task.ti: ffff880fe8ae4000
    RIP: 0010:[<ffffffff814a9279>]  [<ffffffff814a9279>] intel_pstate_timer_func+0x179/0x3d0
    RSP: 0018:ffff883fff4e3db8  EFLAGS: 00010206
    RAX: 0000000027100000 RBX: ffff883fe6965100 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000010 RDI: 000000002e53632d
    RBP: ffff883fff4e3e20 R08: 000e6f69a5a125c0 R09: ffff883fe84ec001
    R10: 0000000000000002 R11: 0000000000000005 R12: 00000000000049f5
    R13: 0000000000271000 R14: 00000000000049f5 R15: 0000000000000246
    FS:  0000000000000000(0000) GS:ffff883fff4e0000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f7668601000 CR3: 000000000190a000 CR4: 00000000001407e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Stack:
     ffff883fff4e3e58 ffffffff81099dc1 0000000000000086 0000000000000071
     ffff883fff4f3680 0000000000000071 fbdc8a965e33afee ffffffff810b69dd
     ffff883fe84ec000 ffff883fe6965108 0000000000000100 ffffffff814a9100
    Call Trace:
     <IRQ>

     [<ffffffff81099dc1>] ? run_posix_cpu_timers+0x51/0x840
     [<ffffffff810b69dd>] ? trigger_load_balance+0x5d/0x200
     [<ffffffff814a9100>] ? pid_param_set+0x130/0x130
     [<ffffffff8107df56>] call_timer_fn+0x36/0x110
     [<ffffffff814a9100>] ? pid_param_set+0x130/0x130
     [<ffffffff8107fdcf>] run_timer_softirq+0x21f/0x320
     [<ffffffff81077b2f>] __do_softirq+0xef/0x280
     [<ffffffff816156dc>] call_softirq+0x1c/0x30
     [<ffffffff81015d95>] do_softirq+0x65/0xa0
     [<ffffffff81077ec5>] irq_exit+0x115/0x120
     [<ffffffff81616355>] smp_apic_timer_interrupt+0x45/0x60
     [<ffffffff81614a1d>] apic_timer_interrupt+0x6d/0x80
     <EOI>

     [<ffffffff814a9c32>] ? cpuidle_enter_state+0x52/0xc0
     [<ffffffff814a9c28>] ? cpuidle_enter_state+0x48/0xc0
     [<ffffffff814a9d65>] cpuidle_idle_call+0xc5/0x200
     [<ffffffff8101d14e>] arch_cpu_idle+0xe/0x30
     [<ffffffff810c67c1>] cpu_startup_entry+0xf1/0x290
     [<ffffffff8104228a>] start_secondary+0x1ba/0x230
    Code: 42 0f 00 45 89 e6 48 01 c2 43 8d 44 6d 00 39 d0 73 26 49 c1 e5 08 89 d2 4d 63 f4 49 63 c5 48 c1 e2 08 48 c1 e0 08 48 63 ca 48 99 <48> f7 f9 48 98 4c 0f af f0 49 c1 ee 08 8b 43 78 c1 e0 08 44 29
    RIP  [<ffffffff814a9279>] intel_pstate_timer_func+0x179/0x3d0
     RSP <ffff883fff4e3db8>

    The kernel values for cpudata for CPU 113 were:

    struct cpudata {
      cpu = 113,
      timer = {
        entry = {
          next = 0x0,
          prev = 0xdead000000200200
        },
        expires = 8357799745,
        base = 0xffff883fe84ec001,
        function = 0xffffffff814a9100 <intel_pstate_timer_func>,
        data = 18446612406765768960,
    <snip>
        i_gain = 0,
        d_gain = 0,
        deadband = 0,
        last_err = 22489
      },
      last_sample_time = {
        tv64 = 4063132438017305
      },
      prev_aperf = 287326796397463,
      prev_mperf = 251427432090198,
      sample = {
        core_pct_busy = 23081,
        aperf = 2937407,
        mperf = 3257884,
        freq = 2524484,
        time = {
          tv64 = 4063149215234118
        }
      }
    }

    which results in the time between samples = last_sample_time - sample.time
    = 4063149215234118 - 4063132438017305 = 16777216813 which is 16.777 seconds.

    The duration between reads of the APERF and MPERF registers overflowed a s32
    sized integer in intel_pstate_get_scaled_busy()'s call to div_fp().  The result
    is that int_tofp(duration_us) == 0, and the kernel attempts to divide by 0.

    While the kernel shouldn't be delaying for a long time, it can and does
    happen and the intel_pstate driver should not panic in this situation.  This
    patch changes the div_fp() function to use div64_s64() to allow for "long"
    division.  This will avoid the overflow condition on long delays.

    [v2]: use div64_s64() in div_fp()

    Signed-off-by: Prarit Bhargava <prarit@redhat.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e892880767a6dacbbc53841bfe4b7c38b90f3a52
Author: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
Date:   Fri Oct 2 08:27:05 2015 +0000

    tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c

    [ Upstream commit e81107d4c6bd098878af9796b24edc8d4a9524fd ]

    My colleague ran into a program stall on a x86_64 server, where
    n_tty_read() was waiting for data even if there was data in the buffer
    in the pty.  kernel stack for the stuck process looks like below.
     #0 [ffff88303d107b58] __schedule at ffffffff815c4b20
     #1 [ffff88303d107bd0] schedule at ffffffff815c513e
     #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818
     #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2
     #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23
     #5 [ffff88303d107dd0] tty_read at ffffffff81368013
     #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704
     #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57
     #8 [ffff88303d107f00] sys_read at ffffffff811a4306
     #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7

    There seems to be two problems causing this issue.

    First, in drivers/tty/n_tty.c, __receive_buf() stores the data and
    updates ldata->commit_head using smp_store_release() and then checks
    the wait queue using waitqueue_active().  However, since there is no
    memory barrier, __receive_buf() could return without calling
    wake_up_interactive_poll(), and at the same time, n_tty_read() could
    start to wait in wait_woken() as in the following chart.

            __receive_buf()                         n_tty_read()
    ------------------------------------------------------------------------
    if (waitqueue_active(&tty->read_wait))
    /* Memory operations issued after the
       RELEASE may be completed before the
       RELEASE operation has completed */
                                            add_wait_queue(&tty->read_wait, &wait);
                                            ...
                                            if (!input_available_p(tty, 0)) {
    smp_store_release(&ldata->commit_head,
                      ldata->read_head);
                                            ...
                                            timeout = wait_woken(&wait,
                                              TASK_INTERRUPTIBLE, timeout);
    ------------------------------------------------------------------------

    The second problem is that n_tty_read() also lacks a memory barrier
    call and could also cause __receive_buf() to return without calling
    wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken()
    as in the chart below.

            __receive_buf()                         n_tty_read()
    ------------------------------------------------------------------------
                                            spin_lock_irqsave(&q->lock, flags);
                                            /* from add_wait_queue() */
                                            ...
                                            if (!input_available_p(tty, 0)) {
                                            /* Memory operations issued after the
                                               RELEASE may be completed before the
                                               RELEASE operation has completed */
    smp_store_release(&ldata->commit_head,
                      ldata->read_head);
    if (waitqueue_active(&tty->read_wait))
                                            __add_wait_queue(q, wait);
                                            spin_unlock_irqrestore(&q->lock,flags);
                                            /* from add_wait_queue() */
                                            ...
                                            timeout = wait_woken(&wait,
                                              TASK_INTERRUPTIBLE, timeout);
    ------------------------------------------------------------------------

    There are also other places in drivers/tty/n_tty.c which have similar
    calls to waitqueue_active(), so instead of adding many memory barrier
    calls, this patch simply removes the call to waitqueue_active(),
    leaving just wake_up*() behind.

    This fixes both problems because, even though the memory access before
    or after the spinlocks in both wake_up*() and add_wait_queue() can
    sneak into the critical section, it cannot go past it and the critical
    section assures that they will be serialized (please see "INTER-CPU
    ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a
    better explanation).  Moreover, the resulting code is much simpler.

    Latency measurement using a ping-pong test over a pty doesn't show any
    visible performance drop.

    Signed-off-by: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ae7799addbd7e6830e613e252009bb07a43ec52d
Author: covici@ccs.covici.com <covici@ccs.covici.com>
Date:   Wed May 20 05:44:11 2015 -0400

    staging: speakup: fix speakup-r regression

    [ Upstream commit b1d562acc78f0af46de0dfe447410bc40bdb7ece ]

    Here is a patch to make speakup-r work again.

    It broke in 3.6 due to commit 4369c64c79a22b98d3b7eff9d089196cd878a10a
    "Input: Send events one packet at a time)

    The problem was that the fakekey.c routine to fake a down arrow no
    longer functioned properly and putting the input_sync fixed it.

    Fixes: 4369c64c79a22b98d3b7eff9d089196cd878a10a
    Cc: stable <stable@vger.kernel.org>
    Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    Signed-off-by: John Covici <covici@ccs.covici.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5db13a87a598b3b8045a11658686feb3f689826a
Author: Joe Thornber <ejt@redhat.com>
Date:   Fri Oct 9 14:03:38 2015 +0100

    dm cache: fix NULL pointer when switching from cleaner policy

    [ Upstream commit 2bffa1503c5c06192eb1459180fac4416575a966 ]

    The cleaner policy doesn't make use of the per cache block hint space in
    the metadata (unlike the other policies).  When switching from the
    cleaner policy to mq or smq a NULL pointer crash (in dm_tm_new_block)
    was observed.  The crash was caused by bugs in dm-cache-metadata.c
    when trying to skip creation of the hint btree.

    The minimal fix is to change hint size for the cleaner policy to 4 bytes
    (only hint size supported).

    Signed-off-by: Joe Thornber <ejt@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4af768733ce0fb8f8a6788791471375c0ac3aba7
Author: Ben Dooks <ben.dooks@codethink.co.uk>
Date:   Tue Sep 29 15:01:08 2015 +0100

    clk: ti: fix dual-registration of uart4_ick

    [ Upstream commit 19e79687de22f23bcfb5e79cce3daba20af228d1 ]

    On the OMAP AM3517 platform the uart4_ick gets registered
    twice, causing any power management to /dev/ttyO3 to fail
    when trying to wake the device up.

    This solves the following oops:

    [] Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa09e008
    [] PC is at serial_omap_pm+0x48/0x15c
    [] LR is at _raw_spin_unlock_irqrestore+0x30/0x5c

    Fixes: aafd900cab87 ("CLK: TI: add omap3 clock init file")
    Cc: stable@vger.kernel.org
    Cc: mturquette@baylibre.com
    Cc: sboyd@codeaurora.org
    Cc: linux-clk@vger.kernel.org
    Cc: linux-omap@vger.kernel.org
    Cc: linux-kernel@lists.codethink.co.uk
    Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
    Signed-off-by: Tero Kristo <t-kristo@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9d8248b629a7f2fb16802b09fb6dfb6bc862e460
Author: Kinglong Mee <kinglongmee@gmail.com>
Date:   Mon Sep 14 20:12:21 2015 +0800

    nfs/filelayout: Fix NULL reference caused by double freeing of fh_array

    [ Upstream commit 3ec0c97959abff33a42db9081c22132bcff5b4f2 ]

    If filelayout_decode_layout fail, _filelayout_free_lseg will causes
    a double freeing of fh_array.

    [ 1179.279800] BUG: unable to handle kernel NULL pointer dereference at           (null)
    [ 1179.280198] IP: [<ffffffffa027222d>] filelayout_free_fh_array.isra.11+0x1d/0x70 [nfs_layout_nfsv41_files]
    [ 1179.281010] PGD 0
    [ 1179.281443] Oops: 0000 [#1]
    [ 1179.281831] Modules linked in: nfs_layout_nfsv41_files(OE) nfsv4(OE) nfs(OE) fscache(E) xfs libcrc32c coretemp nfsd crct10dif_pclmul ppdev crc32_pclmul crc32c_intel auth_rpcgss ghash_clmulni_intel nfs_acl lockd vmw_balloon grace sunrpc parport_pc vmw_vmci parport shpchp i2c_piix4 vmwgfx drm_kms_helper ttm drm serio_raw mptspi scsi_transport_spi mptscsih e1000 mptbase ata_generic pata_acpi [last unloaded: fscache]
    [ 1179.283891] CPU: 0 PID: 13336 Comm: cat Tainted: G           OE   4.3.0-rc1-pnfs+ #244
    [ 1179.284323] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
    [ 1179.285206] task: ffff8800501d48c0 ti: ffff88003e3c4000 task.ti: ffff88003e3c4000
    [ 1179.285668] RIP: 0010:[<ffffffffa027222d>]  [<ffffffffa027222d>] filelayout_free_fh_array.isra.11+0x1d/0x70 [nfs_layout_nfsv41_files]
    [ 1179.286612] RSP: 0018:ffff88003e3c77f8  EFLAGS: 00010202
    [ 1179.287092] RAX: 0000000000000000 RBX: ffff88001fe78900 RCX: 0000000000000000
    [ 1179.287731] RDX: ffffea0000f40760 RSI: ffff88001fe789c8 RDI: ffff88001fe789c0
    [ 1179.288383] RBP: ffff88003e3c7810 R08: ffffea0000f40760 R09: 0000000000000000
    [ 1179.289170] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001fe789c8
    [ 1179.289959] R13: ffff88001fe789c0 R14: ffff88004ec05a80 R15: ffff88004f935b88
    [ 1179.290791] FS:  00007f4e66bb5700(0000) GS:ffffffff81c29000(0000) knlGS:0000000000000000
    [ 1179.291580] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 1179.292209] CR2: 0000000000000000 CR3: 00000000203f8000 CR4: 00000000001406f0
    [ 1179.292731] Stack:
    [ 1179.293195]  ffff88001fe78900 00000000000000d0 ffff88001fe78178 ffff88003e3c7868
    [ 1179.293676]  ffffffffa0272737 0000000000000001 0000000000000001 ffff88001fe78800
    [ 1179.294151]  00000000614fffce ffffffff81727671 ffff88001fe78100 ffff88001fe78100
    [ 1179.294623] Call Trace:
    [ 1179.295092]  [<ffffffffa0272737>] filelayout_alloc_lseg+0xa7/0x2d0 [nfs_layout_nfsv41_files]
    [ 1179.295625]  [<ffffffff81727671>] ? out_of_line_wait_on_bit+0x81/0xb0
    [ 1179.296133]  [<ffffffffa040407e>] pnfs_layout_process+0xae/0x320 [nfsv4]
    [ 1179.296632]  [<ffffffffa03e0a01>] nfs4_proc_layoutget+0x2b1/0x360 [nfsv4]
    [ 1179.297134]  [<ffffffffa0402983>] pnfs_update_layout+0x853/0xb30 [nfsv4]
    [ 1179.297632]  [<ffffffffa039db24>] ? nfs_get_lock_context+0x74/0x170 [nfs]
    [ 1179.298158]  [<ffffffffa0271807>] filelayout_pg_init_read+0x37/0x50 [nfs_layout_nfsv41_files]
    [ 1179.298834]  [<ffffffffa03a72d9>] __nfs_pageio_add_request+0x119/0x460 [nfs]
    [ 1179.299385]  [<ffffffffa03a6bd7>] ? nfs_create_request.part.9+0x37/0x2e0 [nfs]
    [ 1179.299872]  [<ffffffffa03a7cc3>] nfs_pageio_add_request+0xa3/0x1b0 [nfs]
    [ 1179.300362]  [<ffffffffa03a8635>] readpage_async_filler+0x85/0x260 [nfs]
    [ 1179.300907]  [<ffffffff81180cb1>] read_cache_pages+0x91/0xd0
    [ 1179.301391]  [<ffffffffa03a85b0>] ? nfs_read_completion+0x220/0x220 [nfs]
    [ 1179.301867]  [<ffffffffa03a8dc8>] nfs_readpages+0x128/0x200 [nfs]
    [ 1179.302330]  [<ffffffff81180ef3>] __do_page_cache_readahead+0x203/0x280
    [ 1179.302784]  [<ffffffff81180dc8>] ? __do_page_cache_readahead+0xd8/0x280
    [ 1179.303413]  [<ffffffff81181116>] ondemand_readahead+0x1a6/0x2f0
    [ 1179.303855]  [<ffffffff81181371>] page_cache_sync_readahead+0x31/0x50
    [ 1179.304286]  [<ffffffff811750a6>] generic_file_read_iter+0x4a6/0x5c0
    [ 1179.304711]  [<ffffffffa03a0316>] ? __nfs_revalidate_mapping+0x1f6/0x240 [nfs]
    [ 1179.305132]  [<ffffffffa039ccf2>] nfs_file_read+0x52/0xa0 [nfs]
    [ 1179.305540]  [<ffffffff811e343c>] __vfs_read+0xcc/0x100
    [ 1179.305936]  [<ffffffff811e3d15>] vfs_read+0x85/0x130
    [ 1179.306326]  [<ffffffff811e4a98>] SyS_read+0x58/0xd0
    [ 1179.306708]  [<ffffffff8172caaf>] entry_SYSCALL_64_fastpath+0x12/0x76
    [ 1179.307094] Code: c4 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 8b 07 49 89 f4 85 c0 74 47 48 8b 06 49 89 fd <48> 8b 38 48 85 ff 74 22 31 db eb 0c 48 63 d3 48 8b 3c d0 48 85
    [ 1179.308357] RIP  [<ffffffffa027222d>] filelayout_free_fh_array.isra.11+0x1d/0x70 [nfs_layout_nfsv41_files]
    [ 1179.309177]  RSP <ffff88003e3c77f8>
    [ 1179.309582] CR2: 0000000000000000

    Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 184f42a146a071392aae4fa2eeefdf87886db1d1
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sun Jul 12 10:39:45 2015 -0400

    fix a braino in ovl_d_select_inode()

    [ Upstream commit 9391dd00d13c853ab4f2a85435288ae2202e0e43 ]

    when opening a directory we want the overlayfs inode, not one from
    the topmost layer.

    Reported-By: Andrey Jr. Melnikov <temnota.am@gmail.com>
    Tested-By: Andrey Jr. Melnikov <temnota.am@gmail.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 687fad0d4610e4211ede26c6785a738c44e9db29
Author: David Howells <dhowells@redhat.com>
Date:   Thu Jun 18 14:32:31 2015 +0100

    overlayfs: Make f_path always point to the overlay and f_inode to the underlay

    [ Upstream commit 4bacc9c9234c7c8eec44f5ed4e960d9f96fa0f01 ]

    Make file->f_path always point to the overlay dentry so that the path in
    /proc/pid/fd is correct and to ensure that label-based LSMs have access to the
    overlay as well as the underlay (path-based LSMs probably don't need it).

    Using my union testsuite to set things up, before the patch I see:

            [root@andromeda union-testsuite]# bash 5</mnt/a/foo107
            [root@andromeda union-testsuite]# ls -l /proc/$$/fd/
            ...
            lr-x------. 1 root root 64 Jun  5 14:38 5 -> /a/foo107
            [root@andromeda union-testsuite]# stat /mnt/a/foo107
            ...
            Device: 23h/35d Inode: 13381       Links: 1
            ...
            [root@andromeda union-testsuite]# stat -L /proc/$$/fd/5
            ...
            Device: 23h/35d Inode: 13381       Links: 1
            ...

    After the patch:

            [root@andromeda union-testsuite]# bash 5</mnt/a/foo107
            [root@andromeda union-testsuite]# ls -l /proc/$$/fd/
            ...
            lr-x------. 1 root root 64 Jun  5 14:22 5 -> /mnt/a/foo107
            [root@andromeda union-testsuite]# stat /mnt/a/foo107
            ...
            Device: 23h/35d Inode: 40346       Links: 1
            ...
            [root@andromeda union-testsuite]# stat -L /proc/$$/fd/5
            ...
            Device: 23h/35d Inode: 40346       Links: 1
            ...

    Note the change in where /proc/$$/fd/5 points to in the ls command.  It was
    pointing to /a/foo107 (which doesn't exist) and now points to /mnt/a/foo107
    (which is correct).

    The inode accessed, however, is the lower layer.  The union layer is on device
    25h/37d and the upper layer on 24h/36d.

    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3ed7df6411ed4038c9962bfef9725e79396e581b
Author: David Howells <dhowells@redhat.com>
Date:   Thu Jan 29 12:02:27 2015 +0000

    VFS: Introduce inode-getting helpers for layered/unioned fs environments

    [ Upstream commit 155e35d4daa804582f75acaa2c74ec797a89c615 ]

    Introduce some function for getting the inode (and also the dentry) in an
    environment where layered/unioned filesystems are in operation.

    The problem is that we have places where we need *both* the union dentry and
    the lower source or workspace inode or dentry available, but we can only have
    a handle on one of them.  Therefore we need to derive the handle to the other
    from that.

    The idea is to introduce an extra field in struct dentry that allows the union
    dentry to refer to and pin the lower dentry.

    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c098c356cb19574036c82652d978ba319f1693ea
Author: David Howells <dhowells@redhat.com>
Date:   Thu Jun 18 14:32:23 2015 +0100

    overlay: Call ovl_drop_write() earlier in ovl_dentry_open()

    [ Upstream commit f25801ee4680ef1db21e15c112e6e5fe3ffe8da5 ]

    Call ovl_drop_write() earlier in ovl_dentry_open() before we call vfs_open()
    as we've done the copy up for which we needed the freeze-write lock by that
    point.

    Signed-off-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7750e25bbf2b4c9dafe9777e11c2ac8355d777ba
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Sat Sep 26 12:23:56 2015 +0100

    genirq: Fix race in register_irq_proc()

    [ Upstream commit 95c2b17534654829db428f11bcf4297c059a2a7e ]

    Per-IRQ directories in procfs are created only when a handler is first
    added to the irqdesc, not when the irqdesc is created.  In the case of
    a shared IRQ, multiple tasks can race to create a directory.  This
    race condition seems to have been present forever, but is easier to
    hit with async probing.

    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Link: http://lkml.kernel.org/r/1443266636.2004.2.camel@decadent.org.uk
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1ace5c6e26cdb135f9fc5ca36e020400ca5e4fb8
Author: Stefan Assmann <sassmann@kpanic.de>
Date:   Fri Jul 10 15:01:12 2015 +0200

    igb: do not re-init SR-IOV during probe

    [ Upstream commit 6423fc34160939142d72ffeaa2db6408317f54df ]

    During driver probing the following code path is triggered.
    igb_probe
    ->igb_sw_init
      ->igb_probe_vfs
        ->igb_pci_enable_sriov
          ->igb_sriov_reinit

    Doing the SR-IOV re-init is not necessary during probing since we're
    starting from scratch. Here we can call igb_enable_sriov() right away.

    Running igb_sriov_reinit() during igb_probe() also seems to cause
    occasional packet loss on some onboard 82576 NICs. Reproduced on
    Dell and HP servers with onboard 82576 NICs.
    Example:
    Intel Corporation 82576 Gigabit Network Connection [8086:10c9] (rev 01)
    Subsystem: Dell Device [1028:0481]

    Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 382aec5dbe7315540ae37a797e344f8f2a316393
Author: Chas Williams <3chas3@gmail.com>
Date:   Thu Aug 27 12:28:46 2015 -0400

    net/xen-netfront: only napi_synchronize() if running

    [ Upstream commit 274b045509175db0405c784be85e8cce116e6f7d ]

    If an interface isn't running napi_synchronize() will hang forever.

    [  392.248403] rmmod           R  running task        0   359    343 0x00000000
    [  392.257671]  ffff88003760fc88 ffff880037193b40 ffff880037193160 ffff88003760fc88
    [  392.267644]  ffff880037610000 ffff88003760fcd8 0000000100014c22 ffffffff81f75c40
    [  392.277524]  0000000000bc7010 ffff88003760fca8 ffffffff81796927 ffffffff81f75c40
    [  392.287323] Call Trace:
    [  392.291599]  [<ffffffff81796927>] schedule+0x37/0x90
    [  392.298553]  [<ffffffff8179985b>] schedule_timeout+0x14b/0x280
    [  392.306421]  [<ffffffff810f91b9>] ? irq_free_descs+0x69/0x80
    [  392.314006]  [<ffffffff811084d0>] ? internal_add_timer+0xb0/0xb0
    [  392.322125]  [<ffffffff81109d07>] msleep+0x37/0x50
    [  392.329037]  [<ffffffffa00ec79a>] xennet_disconnect_backend.isra.24+0xda/0x390 [xen_netfront]
    [  392.339658]  [<ffffffffa00ecadc>] xennet_remove+0x2c/0x80 [xen_netfront]
    [  392.348516]  [<ffffffff81481c69>] xenbus_dev_remove+0x59/0xc0
    [  392.356257]  [<ffffffff814e7217>] __device_release_driver+0x87/0x120
    [  392.364645]  [<ffffffff814e7cf8>] driver_detach+0xb8/0xc0
    [  392.371989]  [<ffffffff814e6e69>] bus_remove_driver+0x59/0xe0
    [  392.379883]  [<ffffffff814e84f0>] driver_unregister+0x30/0x70
    [  392.387495]  [<ffffffff814814b2>] xenbus_unregister_driver+0x12/0x20
    [  392.395908]  [<ffffffffa00ed89b>] netif_exit+0x10/0x775 [xen_netfront]
    [  392.404877]  [<ffffffff81124e08>] SyS_delete_module+0x1d8/0x230
    [  392.412804]  [<ffffffff8179a8ee>] system_call_fastpath+0x12/0x71

    Signed-off-by: Chas Williams <3chas3@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 51302cb3b7c918b7d58c7a9004c48b80646da332
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Wed Sep 23 23:12:09 2015 +0200

    m68k: Define asmlinkage_protect

    [ Upstream commit 8474ba74193d302e8340dddd1e16c85cc4b98caf ]

    Make sure the compiler does not modify arguments of syscall functions.
    This can happen if the compiler generates a tailcall to another
    function.  For example, without asmlinkage_protect sys_openat is compiled
    into this function:

    sys_openat:
            clr.l %d0
            move.w 18(%sp),%d0
            move.l %d0,16(%sp)
            jbra do_sys_open

    Note how the fourth argument is modified in place, modifying the register
    %d4 that gets restored from this stack slot when the function returns to
    user-space.  The caller may expect the register to be unmodified across
    system calls.

    Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 36c8fcc207bfb55731e1f8a454d6ab2fab20f0d1
Author: Li Bin <huawei.libin@huawei.com>
Date:   Wed Sep 30 10:49:55 2015 +0800

    arm64: ftrace: fix function_graph tracer panic

    [ Upstream commit ee556d00cf20012e889344a0adbbf809ab5015a3 ]

    When function graph tracer is enabled, the following operation
    will trigger panic:

    mount -t debugfs nodev /sys/kernel
    echo next_tgid > /sys/kernel/tracing/set_ftrace_filter
    echo function_graph > /sys/kernel/tracing/current_tracer
    ls /proc/

    ------------[ cut here ]------------
    [  198.501417] Unable to handle kernel paging request at virtual address cb88537fdc8ba316
    [  198.506126] pgd = ffffffc008f79000
    [  198.509363] [cb88537fdc8ba316] *pgd=00000000488c6003, *pud=00000000488c6003, *pmd=0000000000000000
    [  198.517726] Internal error: Oops: 94000005 [#1] SMP
    [  198.518798] Modules linked in:
    [  198.520582] CPU: 1 PID: 1388 Comm: ls Tainted: G
    [  198.521800] Hardware name: linux,dummy-virt (DT)
    [  198.522852] task: ffffffc0fa9e8000 ti: ffffffc0f9ab0000 task.ti: ffffffc0f9ab0000
    [  198.524306] PC is at next_tgid+0x30/0x100
    [  198.525205] LR is at return_to_handler+0x0/0x20
    [  198.526090] pc : [<ffffffc0002a1070>] lr : [<ffffffc0000907c0>] pstate: 60000145
    [  198.527392] sp : ffffffc0f9ab3d40
    [  198.528084] x29: ffffffc0f9ab3d40 x28: ffffffc0f9ab0000
    [  198.529406] x27: ffffffc000d6a000 x26: ffffffc000b786e8
    [  198.530659] x25: ffffffc0002a1900 x24: ffffffc0faf16c00
    [  198.531942] x23: ffffffc0f9ab3ea0 x22: 0000000000000002
    [  198.533202] x21: ffffffc000d85050 x20: 0000000000000002
    [  198.534446] x19: 0000000000000002 x18: 0000000000000000
    [  198.535719] x17: 000000000049fa08 x16: ffffffc000242efc
    [  198.537030] x15: 0000007fa472b54c x14: ffffffffff000000
    [  198.538347] x13: ffffffc0fada84a0 x12: 0000000000000001
    [  198.539634] x11: ffffffc0f9ab3d70 x10: ffffffc0f9ab3d70
    [  198.540915] x9 : ffffffc0000907c0 x8 : ffffffc0f9ab3d40
    [  198.542215] x7 : 0000002e330f08f0 x6 : 0000000000000015
    [  198.543508] x5 : 0000000000000f08 x4 : ffffffc0f9835ec0
    [  198.544792] x3 : cb88537fdc8ba316 x2 : cb88537fdc8ba306
    [  198.546108] x1 : 0000000000000002 x0 : ffffffc000d85050
    [  198.547432]
    [  198.547920] Process ls (pid: 1388, stack limit = 0xffffffc0f9ab0020)
    [  198.549170] Stack: (0xffffffc0f9ab3d40 to 0xffffffc0f9ab4000)
    [  198.582568] Call trace:
    [  198.583313] [<ffffffc0002a1070>] next_tgid+0x30/0x100
    [  198.584359] [<ffffffc0000907bc>] ftrace_graph_caller+0x6c/0x70
    [  198.585503] [<ffffffc0000907bc>] ftrace_graph_caller+0x6c/0x70
    [  198.586574] [<ffffffc0000907bc>] ftrace_graph_caller+0x6c/0x70
    [  198.587660] [<ffffffc0000907bc>] ftrace_graph_caller+0x6c/0x70
    [  198.588896] Code: aa0003f5 2a0103f4 b4000102 91004043 (885f7c60)
    [  198.591092] ---[ end trace 6a346f8f20949ac8 ]---

    This is because when using function graph tracer, if the traced
    function return value is in multi regs ([x0-x7]), return_to_handler
    may corrupt them. So in return_to_handler, the parameter regs should
    be protected properly.

    Cc: <stable@vger.kernel.org> # 3.18+
    Signed-off-by: Li Bin <huawei.libin@huawei.com>
    Acked-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b94ee9f4e5475b89378dce8c923705f204a474dd
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Sat Aug 15 13:36:12 2015 -0500

    dcache: Handle escaped paths in prepend_path

    [ Upstream commit cde93be45a8a90d8c264c776fab63487b5038a65 ]

    A rename can result in a dentry that by walking up d_parent
    will never reach it's mnt_root.  For lack of a better term
    I call this an escaped path.

    prepend_path is called by four different functions __d_path,
    d_absolute_path, d_path, and getcwd.

    __d_path only wants to see paths are connected to the root it passes
    in.  So __d_path needs prepend_path to return an error.

    d_absolute_path similarly wants to see paths that are connected to
    some root.  Escaped paths are not connected to any mnt_root so
    d_absolute_path needs prepend_path to return an error greater
    than 1.  So escaped paths will be treated like paths on lazily
    unmounted mounts.

    getcwd needs to prepend "(unreachable)" so getcwd also needs
    prepend_path to return an error.

    d_path is the interesting hold out.  d_path just wants to print
    something, and does not care about the weird cases.  Which raises
    the question what should be printed?

    Given that <escaped_path>/<anything> should result in -ENOENT I
    believe it is desirable for escaped paths to be printed as empty
    paths.  As there are not really any meaninful path components when
    considered from the perspective of a mount tree.

    So tweak prepend_path to return an empty path with an new error
    code of 3 when it encounters an escaped path.

    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 683846ae9c03e7c1a8c7a0588a222b1b35075b4f
Author: shengyong <shengyong1@huawei.com>
Date:   Mon Sep 28 17:57:19 2015 +0000

    UBI: return ENOSPC if no enough space available

    [ Upstream commit 7c7feb2ebfc9c0552c51f0c050db1d1a004faac5 ]

    UBI: attaching mtd1 to ubi0
    UBI: scanning is finished
    UBI error: init_volumes: not enough PEBs, required 706, available 686
    UBI error: ubi_wl_init: no enough physical eraseblocks (-20, need 1)
    UBI error: ubi_attach_mtd_dev: failed to attach mtd1, error -12 <= NOT ENOMEM
    UBI error: ubi_init: cannot attach mtd1

    If available PEBs are not enough when initializing volumes, return -ENOSPC
    directly. If available PEBs are not enough when initializing WL, return
    -ENOSPC instead of -ENOMEM.

    Cc: stable@vger.kernel.org
    Signed-off-by: Sheng Yong <shengyong1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Reviewed-by: David Gstir <david@sigma-star.at>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 65521fa80cfaa5d19dd4f5d1171fe295169709ac
Author: Richard Weinberger <richard@nod.at>
Date:   Tue Sep 22 23:58:07 2015 +0200

    UBI: Validate data_size

    [ Upstream commit 281fda27673f833a01d516658a64d22a32c8e072 ]

    Make sure that data_size is less than LEB size.
    Otherwise a handcrafted UBI image is able to trigger
    an out of bounds memory access in ubi_compare_lebs().

    Cc: stable@vger.kernel.org
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Reviewed-by: David Gstir <david@sigma-star.at>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 751a99634e13731cc0d9f95425de36c902a058f9
Author: Paul Mackerras <paulus@ozlabs.org>
Date:   Thu Sep 10 14:36:21 2015 +1000

    powerpc/MSI: Fix race condition in tearing down MSI interrupts

    [ Upstream commit e297c939b745e420ef0b9dc989cb87bda617b399 ]

    This fixes a race which can result in the same virtual IRQ number
    being assigned to two different MSI interrupts.  The most visible
    consequence of that is usually a warning and stack trace from the
    sysfs code about an attempt to create a duplicate entry in sysfs.

    The race happens when one CPU (say CPU 0) is disposing of an MSI
    while another CPU (say CPU 1) is setting up an MSI.  CPU 0 calls
    (for example) pnv_teardown_msi_irqs(), which calls
    msi_bitmap_free_hwirqs() to indicate that the MSI (i.e. its
    hardware IRQ number) is no longer in use.  Then, before CPU 0 gets
    to calling irq_dispose_mapping() to free up the virtal IRQ number,
    CPU 1 comes in and calls msi_bitmap_alloc_hwirqs() to allocate an
    MSI, and gets the same hardware IRQ number that CPU 0 just freed.
    CPU 1 then calls irq_create_mapping() to get a virtual IRQ number,
    which sees that there is currently a mapping for that hardware IRQ
    number and returns the corresponding virtual IRQ number (which is
    the same virtual IRQ number that CPU 0 was using).  CPU 0 then
    calls irq_dispose_mapping() and frees that virtual IRQ number.
    Now, if another CPU comes along and calls irq_create_mapping(), it
    is likely to get the virtual IRQ number that was just freed,
    resulting in the same virtual IRQ number apparently being used for
    two different hardware interrupts.

    To fix this race, we just move the call to msi_bitmap_free_hwirqs()
    to after the call to irq_dispose_mapping().  Since virq_to_hw()
    doesn't work for the virtual IRQ number after irq_dispose_mapping()
    has been called, we need to call it before irq_dispose_mapping() and
    remember the result for the msi_bitmap_free_hwirqs() call.

    The pattern of calling msi_bitmap_free_hwirqs() before
    irq_dispose_mapping() appears in 5 places under arch/powerpc, and
    appears to have originated in commit 05af7bd2d75e ("[POWERPC] MPIC
    U3/U4 MSI backend") from 2007.

    Fixes: 05af7bd2d75e ("[POWERPC] MPIC U3/U4 MSI backend")
    Cc: stable@vger.kernel.org # v2.6.22+
    Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c49426e98f62651d79eca5f0bc0bcbfd5f7eb36d
Author: Kapileshwar Singh <kapileshwar.singh@arm.com>
Date:   Tue Sep 22 14:22:03 2015 +0100

    tools lib traceevent: Fix string handling in heterogeneous arch environments

    [ Upstream commit c2e4b24ff848bb180f9b9cd873a38327cd219ad2 ]

    When a trace recorded on a 32-bit device is processed with a 64-bit
    binary, the higher 32-bits of the address need to ignored.

    The lack of this results in the output of the 64-bit pointer
    value to the trace as the 32-bit address lookup fails in find_printk().

    Before:

      burn-1778  [003]   548.600305: bputs:   0xc0046db2s: 2cec5c058d98c

    After:

      burn-1778  [003]   548.600305: bputs:   0xc0046db2s: RT throttling activated

    The problem occurs in PRINT_FIELD when the field is recognized as a
    pointer to a string (of the type const char *)

    Heterogeneous architectures cases below can arise and should be handled:

    * Traces recorded using 32-bit addresses processed on a 64-bit machine
    * Traces recorded using 64-bit addresses processed on a 32-bit machine

    Reported-by: Juri Lelli <juri.lelli@arm.com>
    Signed-off-by: Kapileshwar Singh <kapileshwar.singh@arm.com>
    Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
    Cc: David Ahern <dsahern@gmail.com>
    Cc: Javi Merino <javi.merino@arm.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/1442928123-13824-1-git-send-email-kapileshwar.singh@arm.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 32435867973da5100ee4ecb3aee0db664af61379
Author: Linus Lüssing <linus.luessing@c0d3.blue>
Date:   Tue Jun 30 23:45:26 2015 +0200

    batman-adv: Fix potentially broken skb network header access

    [ Upstream commit 53cf037bf846417fd92dc92ddf97267f69b110f4 ]

    The two commits noted below added calls to ip_hdr() and ipv6_hdr(). They
    need a correctly set skb network header.

    Unfortunately we cannot rely on the device drivers to set it for us.
    Therefore setting it in the beginning of the according ndo_start_xmit
    handler.

    Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
    Fixes: ab49886e3da7 ("batman-adv: Add IPv4 link-local/IPv6-ll-all-nodes multicast support")
    Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a5516389f7813170c593bc8106bcc20c1a086cb8
Author: Linus Lüssing <linus.luessing@c0d3.blue>
Date:   Tue Jun 16 17:10:24 2015 +0200

    batman-adv: Make TT capability changes atomic

    [ Upstream commit ac4eebd48461ec993e7cb614d5afe7df8c72e6b7 ]

    Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
    OGM handler might undo the set/clear of a specific bit from another
    handler run in between.

    Fix this by using the atomic set_bit()/clear_bit()/test_bit() functions.

    Fixes: e17931d1a61d ("batman-adv: introduce capability initialization bitfield")
    Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9a1f325d7c9f0a56af6b5111f4c8514422f4b02d
Author: Linus Lüssing <linus.luessing@c0d3.blue>
Date:   Tue Jun 16 17:10:23 2015 +0200

    batman-adv: Make NC capability changes atomic

    [ Upstream commit 4635469f5c617282f18c69643af36cd8c0acf707 ]

    Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
    OGM handler might undo the set/clear of a specific bit from another
    handler run in between.

    Fix this by using the atomic set_bit()/clear_bit()/test_bit() functions.

    Fixes: 3f4841ffb336 ("batman-adv: tvlv - add network coding container")
    Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 993b87dfa9ba01cdfc7026bbb8d6365f892dcb33
Author: James Hogan <james.hogan@imgtec.com>
Date:   Fri Mar 27 08:33:43 2015 +0000

    MIPS: dma-default: Fix 32-bit fall back to GFP_DMA

    [ Upstream commit 53960059d56ecef67d4ddd546731623641a3d2d1 ]

    If there is a DMA zone (usually 24bit = 16MB I believe), but no DMA32
    zone, as is the case for some 32-bit kernels, then massage_gfp_flags()
    will cause DMA memory allocated for devices with a 32..63-bit
    coherent_dma_mask to fall back to using __GFP_DMA, even though there may
    only be 32-bits of physical address available anyway.

    Correct that case to compare against a mask the size of phys_addr_t
    instead of always using a 64-bit mask.

    Signed-off-by: James Hogan <james.hogan@imgtec.com>
    Fixes: a2e715a86c6d ("MIPS: DMA: Fix computation of DMA flags from device's coherent_dma_mask.")
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: linux-mips@linux-mips.org
    Cc: <stable@vger.kernel.org> # 2.6.36+
    Patchwork: https://patchwork.linux-mips.org/patch/9610/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 178adb782b60a76981bf041736c27c06bedb20f2
Author: Viresh Kumar <viresh.kumar@linaro.org>
Date:   Wed Sep 2 14:36:50 2015 +0530

    cpufreq: dt: Tolerance applies on both sides of target voltage

    [ Upstream commit a2022001cebd0825b96aa0f3345ea3ad44ae79d4 ]

    Tolerance applies on both sides of the target voltage, i.e. both min and
    max sides. But while checking if a voltage is supported by the regulator
    or not, we haven't taken care of tolerance on the lower side. Fix that.

    Cc: Lucas Stach <l.stach@pengutronix.de>
    Fixes: 045ee45c4ff2 ("cpufreq: cpufreq-dt: disable unsupported OPPs")
    Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
    Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 317a43bb95155b991644de5c8f152a3c2586fecb
Author: Yao-Wen Mao <yaowen@google.com>
Date:   Mon Aug 31 14:24:09 2015 +0800

    USB: Add reset-resume quirk for two Plantronics usb headphones.

    [ Upstream commit 8484bf2981b3d006426ac052a3642c9ce1d8d980 ]

    These two headphones need a reset-resume quirk to properly resume to
    original volume level.

    Signed-off-by: Yao-Wen Mao <yaowen@google.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit d9345b0c2b7b828b8208f2a2a064cdc76293e1dc
Author: Vincent Palatin <vpalatin@chromium.org>
Date:   Thu Oct 1 14:10:22 2015 -0700

    usb: Add device quirk for Logitech PTZ cameras

    [ Upstream commit 72194739f54607bbf8cfded159627a2015381557 ]

    Add a device quirk for the Logitech PTZ Pro Camera and its sibling the
    ConferenceCam CC3000e Camera.
    This fixes the failed camera enumeration on some boot, particularly on
    machines with fast CPU.

    Tested by connecting a Logitech PTZ Pro Camera to a machine with a
    Haswell Core i7-4600U CPU @ 2.10GHz, and doing thousands of reboot cycles
    while recording the kernel logs and taking camera picture after each boot.
    Before the patch, more than 7% of the boots show some enumeration transfer
    failures and in a few of them, the kernel is giving up before actually
    enumerating the webcam. After the patch, the enumeration has been correct
    on every reboot.

    Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9ea9f8ee0be93e9b90a64616391a32e461660d3a
Author: Felipe Balbi <balbi@ti.com>
Date:   Thu Aug 6 10:51:29 2015 -0500

    usb: musb: cppi41: allow it to work again

    [ Upstream commit b0a688ddcc5015eb26000c63841db7c46cfb380a ]

    since commit 33c300cb90a6 ("usb: musb: dsps:
    don't fake of_node to musb core") we have been
    preventing CPPI 4.1 from probing due to NULL
    of_node. We can't revert said commit otherwise
    a different regression would show up, so the fix
    is to look for the parent device's (glue layer's)
    of_node instead, since that's the thing which
    is actually described in DTS.

    Signed-off-by: Felipe Balbi <balbi@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2180f6799fe3594149ec4d7e185cc694f37ca055
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Sep 21 17:46:09 2015 +0300

    usb: Use the USB_SS_MULT() macro to get the burst multiplier.

    [ Upstream commit ff30cbc8da425754e8ab96904db1d295bd034f27 ]

    Bits 1:0 of the bmAttributes are used for the burst multiplier.
    The rest of the bits used to be reserved (zero), but USB3.1 takes bit 7
    into use.

    Use the existing USB_SS_MULT() macro instead to make sure the mult value
    and hence max packet calculations are correct for USB3.1 devices.

    Note that burst multiplier in bmAttributes is zero based and that
    the USB_SS_MULT() macro adds one.

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 110fda8090a2f3131c8e2035b4ca3ffef0dc9cdd
Author: Peter Chen <peter.chen@freescale.com>
Date:   Mon Aug 24 14:10:07 2015 +0800

    usb: chipidea: udc: using the correct stall implementation

    [ Upstream commit 56ffa1d154c7e12af16273f0cdc42690dd05caf5 ]

    According to spec, there are functional and protocol stalls.

    For functional stall, it is for bulk and interrupt endpoints,
    below are cases for it:
    - Host sends SET_FEATURE request for Set-Halt, the udc driver
    needs to set stall, and return true unconditionally.
    - The gadget driver may call usb_ep_set_halt to stall certain
    endpoints, if there is a transfer in pending, the udc driver
    should not set stall, and return -EAGAIN accordingly.
    These two kinds of stall need to be cleared by host using CLEAR_FEATURE
    request (Clear-Halt).

    For protocol stall, it is for control endpoint, this stall will
    be set if the control request has failed. This stall will be
    cleared by next setup request (hardware will do it).

    It fixed usbtest (drivers/usb/misc/usbtest.c) Test 13 "set/clear halt"
    test failure, meanwhile, this change has been verified by
    USB2 CV Compliance Test and MSC Tests.

    Cc: <stable@vger.kernel.org> #3.10+
    Cc: Alan Stern <stern@rowland.harvard.edu>
    Cc: Felipe Balbi <balbi@ti.com>
    Signed-off-by: Peter Chen <peter.chen@freescale.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 37371a15850eafb5f7dc831a6cf76e80a727d16f
Author: Jann Horn <jann@thejh.net>
Date:   Fri Sep 18 23:41:23 2015 +0200

    security: fix typo in security_task_prctl

    [ Upstream commit b7f76ea2ef6739ee484a165ffbac98deb855d3d3 ]

    Signed-off-by: Jann Horn <jann@thejh.net>
    Reviewed-by: Andy Lutomirski <luto@kernel.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit afeda4748db04805d0fe7905fc93518118e65251
Author: Mark Brown <broonie@kernel.org>
Date:   Sat Sep 19 07:12:34 2015 -0700

    regmap: debugfs: Don't bother actually printing when calculating max length

    [ Upstream commit 176fc2d5770a0990eebff903ba680d2edd32e718 ]

    The in kernel snprintf() will conveniently return the actual length of
    the printed string even if not given an output beffer at all so just do
    that rather than relying on the user to pass in a suitable buffer,
    ensuring that we don't need to worry if the buffer was truncated due to
    the size of the buffer passed in.

    Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c53a219f7f9b7462fdf4a8fd2d20fadad811e97f
Author: Mark Brown <broonie@kernel.org>
Date:   Sat Sep 19 07:00:18 2015 -0700

    regmap: debugfs: Ensure we don't underflow when printing access masks

    [ Upstream commit b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 ]

    If a read is attempted which is smaller than the line length then we may
    underflow the subtraction we're doing with the unsigned size_t type so
    move some of the calculation to be additions on the right hand side
    instead in order to avoid this.

    Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit df1dc5e8cb68325743fda1c745b2f9cb6901cf9e
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Aug 4 21:36:12 2015 +0200

    PM / AVS: rockchip-io: depend on CONFIG_POWER_AVS

    [ Upstream commit 28c1f1628ee4b163e615eefe1b6463e3d229a873 ]

    The rockchip io-domain driver currently only depends on ARCH_ROCKCHIP
    itself. This makes it possible to select the power-domain driver, but
    not the POWER_AVS class and results in the iodomain-driver not getting
    build in this case.

    So add the additional dependency, which also results in the driver
    config option now being placed nicely into the AVS submenu.

    Fixes: 662a958638bd ("PM / AVS: rockchip-io: add driver handling Rockchip io domains")
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Acked-by: Kevin Hilman <khilman@linaro.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 101755ff61aa274657aba98670282b185144dcd9
Author: Antoine Ténart <antoine.tenart@free-electrons.com>
Date:   Tue Aug 18 10:59:10 2015 +0200

    mtd: pxa3xx_nand: add a default chunk size

    [ Upstream commit bc3e00f04cc1fe033a289c2fc2e5c73c0168d360 ]

    When keeping the configuration set by the bootloader (by using
    the marvell,nand-keep-config property), the pxa3xx_nand_detect_config()
    function is called and set the chunk size to 512 as a default value if
    NDCR_PAGE_SZ is not set.

    In the other case, when not keeping the bootloader configuration, no
    chunk size is set. Fix this by adding a default chunk size of 512.

    Fixes: 70ed85232a93 ("mtd: nand: pxa3xx: Introduce multiple page I/O
    support")

    Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
    Acked-by: Robert Jarzmik <robert.jarzmik@free>
    Signed-off-by: Brian Norris <computersforpeace@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7a41fbe7baec500e8a94fe76a09fb9d3370c07ec
Author: Mario Carrillo <mario.alfredo.c.arevalo@intel.com>
Date:   Mon Aug 24 09:33:09 2015 -0500

    docs: update HOWTO for 3.x -> 4.x versioning

    [ Upstream commit e4144fe5d47c91c92d36cdbd5f31ed8d6e3a57ab ]

    The HOWTO document needed updating for the new kernel versioning.

    Signed-off-by: Mario Carrillo <mario.alfredo.c.arevalo@intel.com>
    Signed-off-by: Jonathan Corbet <corbet@lwn.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ec30985f6dfadd1b5e3d9a833fd872b01ab28058
Author: Peter Seiderer <ps.report@gmx.net>
Date:   Thu Sep 17 21:40:12 2015 +0200

    cifs: use server timestamp for ntlmv2 authentication

    [ Upstream commit 98ce94c8df762d413b3ecb849e2b966b21606d04 ]

    Linux cifs mount with ntlmssp against an Mac OS X (Yosemite
    10.10.5) share fails in case the clocks differ more than +/-2h:

    digest-service: digest-request: od failed with 2 proto=ntlmv2
    digest-service: digest-request: kdc failed with -1561745592 proto=ntlmv2

    Fix this by (re-)using the given server timestamp for the
    ntlmv2 authentication (as Windows 7 does).

    A related problem was also reported earlier by Namjae Jaen (see below):

    Windows machine has extended security feature which refuse to allow
    authentication when there is time difference between server time and
    client time when ntlmv2 negotiation is used. This problem is prevalent
    in embedded enviornment where system time is set to default 1970.

    Modern servers send the server timestamp in the TargetInfo Av_Pair
    structure in the challenge message [see MS-NLMP 2.2.2.1]
    In [MS-NLMP 3.1.5.1.2] it is explicitly mentioned that the client must
    use the server provided timestamp if present OR current time if it is
    not

    Reported-by: Namjae Jeon <namjae.jeon@samsung.com>
    Signed-off-by: Peter Seiderer <ps.report@gmx.net>
    Signed-off-by: Steve French <smfrench@gmail.com>
    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 56b4f4e1e72aaaebab94c0fdddb132a5f4cbfab6
Author: Dong Aisheng <aisheng.dong@freescale.com>
Date:   Wed Jul 22 20:53:03 2015 +0800

    dts: imx25: fix sd card gpio polarity specified in device tree

    [ Upstream commit cf75eb15be2bdd054a76aeef6458beaa4a6ab770 ]

    cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
    should be changed to GPIO_ACTIVE_HIGH.
    Otherwise, the SD may not work properly due to wrong polarity inversion
    specified in DT after switch to common parsing function mmc_of_parse().

    Signed-off-by: Dong Aisheng <aisheng.dong@freescale.com>
    Acked-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 776aefbd399915fd4ddd6c9de4a12f989a62699e
Author: Dong Aisheng <aisheng.dong@freescale.com>
Date:   Wed Jul 22 20:53:01 2015 +0800

    dts: imx53: fix sd card gpio polarity specified in device tree

    [ Upstream commit 94d76946859b4bcfa0da373357f14feda2af0622 ]

    cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
    should be changed to GPIO_ACTIVE_HIGH.
    Otherwise, the SD may not work properly due to wrong polarity inversion
    specified in DT after switch to common parsing function mmc_of_parse().

    Signed-off-by: Dong Aisheng <aisheng.dong@freescale.com>
    Acked-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ea16b55dc40e466bd18f3f42a97625614f5d2c95
Author: Dong Aisheng <aisheng.dong@freescale.com>
Date:   Wed Jul 22 20:53:00 2015 +0800

    dts: imx51: fix sd card gpio polarity specified in device tree

    [ Upstream commit aca45c0e95dad1c4ba4d38da192756b0e10cbbbd ]

    cd-gpios polarity should be changed to GPIO_ACTIVE_LOW and wp-gpios
    should be changed to GPIO_ACTIVE_HIGH.
    Otherwise, the SD may not work properly due to wrong polarity inversion
    specified in DT after switch to common parsing function mmc_of_parse().

    Signed-off-by: Dong Aisheng <aisheng.dong@freescale.com>
    Acked-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f4896bf8e3783a0358de738739881b6142c12ea2
Author: Linus Lüssing <linus.luessing@c0d3.blue>
Date:   Tue Jun 16 17:10:22 2015 +0200

    batman-adv: Make DAT capability changes atomic

    [ Upstream commit 65d7d46050704bcdb8121ddbf4110bfbf2b38baa ]

    Bitwise OR/AND assignments in C aren't guaranteed to be atomic. One
    OGM handler might undo the set/clear of a specific bit from another
    handler run in between.

    Fix this by using the atomic set_bit()/clear_bit()/test_bit() functions.

    Fixes: 17cf0ea455f1 ("batman-adv: tvlv - add distributed arp table container")
    Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit cd7d25e2e12f9e3aef73417f0937276ca5b5c451
Author: Marek Lindner <mareklindner@neomailbox.ch>
Date:   Wed Jun 17 20:01:36 2015 +0800

    batman-adv: protect tt_local_entry from concurrent delete events

    [ Upstream commit ef72706a0543d0c3a5ab29bd6378fdfb368118d9 ]

    The tt_local_entry deletion performed in batadv_tt_local_remove() was neither
    protecting against simultaneous deletes nor checking whether the element was
    still part of the list before calling hlist_del_rcu().

    Replacing the hlist_del_rcu() call with batadv_hash_remove() provides adequate
    protection via hash spinlocks as well as an is-element-still-in-hash check to
    avoid 'blind' hash removal.

    Fixes: 068ee6e204e1 ("batman-adv: roaming handling mechanism redesign")
    Reported-by: alfonsname@web.de
    Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ab8311e07dad19e7c45822e1b8493a79205658d7
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Tue Jul 28 15:31:12 2015 +0200

    fbdev: select versatile helpers for the integrator

    [ Upstream commit 2701fa0864ecb9e49d47a4aa1c02f172ab79639a ]

    Commit 11c32d7b6274cb0f554943d65bd4a126c4a86dcd
    "video: move Versatile CLCD helpers" missed the fact
    that the Integrator/CP is also using the helper, and
    as a result the platform got only stubs and no graphics.
    Add this as a default selection to Kconfig so we have
    graphics again.

    Fixes: 11c32d7b6274 (video: move Versatile CLCD helpers)
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a7fadae31bf58178f39838ad00d6f467eeb13da0
Author: Julian Anastasov <ja@ssi.bg>
Date:   Wed Jul 8 08:31:33 2015 +0300

    ipvs: fix crash with sync protocol v0 and FTP

    [ Upstream commit 56184858d1fc95c46723436b455cb7261cd8be6f ]

    Fix crash in 3.5+ if FTP is used after switching
    sync_version to 0.

    Fixes: 749c42b620a9 ("ipvs: reduce sync rate with time thresholds")
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 8e891d1e7d0f1e0f1ef129ed47f405af4f38c3a4
Author: Alex Gartrell <agartrell@fb.com>
Date:   Sun Jul 5 14:28:26 2015 -0700

    ipvs: skb_orphan in case of forwarding

    [ Upstream commit 71563f3414e917c62acd8e0fb0edf8ed6af63e4b ]

    It is possible that we bind against a local socket in early_demux when we
    are actually going to want to forward it.  In this case, the socket serves
    no purpose and only serves to confuse things (particularly functions which
    implicitly expect sk_fullsock to be true, like ip_local_out).
    Additionally, skb_set_owner_w is totally broken for non full-socks.

    Signed-off-by: Alex Gartrell <agartrell@fb.com>
    Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0932d43cda2bde73fa8f7c12e2e0834ecdef5e9c
Author: Julian Anastasov <ja@ssi.bg>
Date:   Mon Jun 29 21:51:40 2015 +0300

    ipvs: fix crash if scheduler is changed

    [ Upstream commit 05f00505a89acd21f5d0d20f5797dfbc4cf85243 ]

    I overlooked the svc->sched_data usage from schedulers
    when the services were converted to RCU in 3.10. Now
    the rare ipvsadm -E command can change the scheduler
    but due to the reverse order of ip_vs_bind_scheduler
    and ip_vs_unbind_scheduler we provide new sched_data
    to the old scheduler resulting in a crash.

    To fix it without changing the scheduler methods we
    have to use synchronize_rcu() only for the editing case.
    It means all svc->scheduler readers should expect a
    NULL value. To avoid breakage for the service listing
    and ipvsadm -R we can use the "none" name to indicate
    that scheduler is not assigned, a state when we drop
    new connections.

    Reported-by: Alexander Vasiliev <a.vasylev@404-group.com>
    Fixes: ceec4c381681 ("ipvs: convert services to rcu")
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fd33c09af14f6786fed65c8319743a8d709e5996
Author: Julian Anastasov <ja@ssi.bg>
Date:   Sat Jun 27 14:39:30 2015 +0300

    ipvs: do not use random local source address for tunnels

    [ Upstream commit 4754957f04f5f368792a0eb7dab0ae89fb93dcfd ]

    Michael Vallaly reports about wrong source address used
    in rare cases for tunneled traffic. Looks like
    __ip_vs_get_out_rt in 3.10+ is providing uninitialized
    dest_dst->dst_saddr.ip because ip_vs_dest_dst_alloc uses
    kmalloc. While we retry after seeing EINVAL from routing
    for data that does not look like valid local address, it
    still succeeded when this memory was previously used from
    other dests and with different local addresses. As result,
    we can use valid local address that is not suitable for
    our real server.

    Fix it by providing 0.0.0.0 every time our cache is refreshed.
    By this way we will get preferred source address from routing.

    Reported-by: Michael Vallaly <lvs@nolatency.com>
    Fixes: 026ace060dfe ("ipvs: optimize dst usage for real server")
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a7596ac980aae5ddbba5ac8954e4651551c35b61
Author: Ben Segall <bsegall@google.com>
Date:   Mon Apr 6 15:28:10 2015 -0700

    sched/fair: Prevent throttling in early pick_next_task_fair()

    [ Upstream commit 54d27365cae88fbcc853b391dcd561e71acb81fa ]

    The optimized task selection logic optimistically selects a new task
    to run without first doing a full put_prev_task(). This is so that we
    can avoid a put/set on the common ancestors of the old and new task.

    Similarly, we should only call check_cfs_rq_runtime() to throttle
    eligible groups if they're part of the common ancestry, otherwise it
    is possible to end up with no eligible task in the simple task
    selection.

    Imagine:
                    /root
            /prev           /next
            /A              /B

    If our optimistic selection ends up throttling /next, we goto simple
    and our put_prev_task() ends up throttling /prev, after which we're
    going to bug out in set_next_entity() because there aren't any tasks
    left.

    Avoid this scenario by only throttling common ancestors.

    Reported-by: Mohammed Naser <mnaser@vexxhost.com>
    Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: Ben Segall <bsegall@google.com>
    [ munged Changelog ]
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Roman Gushchin <klamm@yandex-team.ru>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: pjt@google.com
    Fixes: 678d5718d8d0 ("sched/fair: Optimize cgroup pick_next_task_fair()")
    Link: http://lkml.kernel.org/r/xm26wq1oswoq.fsf@sword-of-the-dawn.mtv.corp.google.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5240c25c81adef4633d173424ee133637e8ed8b4
Author: Reyad Attiyat <reyad.attiyat@gmail.com>
Date:   Thu Aug 6 19:23:58 2015 +0300

    usb: xhci: Add support for URB_ZERO_PACKET to bulk/sg transfers

    [ Upstream commit 4758dcd19a7d9ba9610b38fecb93f65f56f86346 ]

    This commit checks for the URB_ZERO_PACKET flag and creates an extra
    zero-length td if the urb transfer length is a multiple of the endpoint's
    max packet length.

    Signed-off-by: Reyad Attiyat <reyad.attiyat@gmail.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 923a0e8f49af962a51734a19943b89bb1c2fc709
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Sep 21 17:46:17 2015 +0300

    xhci: init command timeout timer earlier to avoid deleting it uninitialized

    [ Upstream commit cc8e4fc0c3b5e8340bc8358990515d116a3c274c ]

    Don't check if timer is running with a timer_pending() before
    deleting it with del_timer_sync(), this defies the whole point of
    the sync part and can cause a possible race.

    Instead we just want to make sure the timer is initialized early enough
    before we have a chance to delete it.

    Cc: <stable@vger.kernel.org>
    Reported-by: Oliver Neukum <oneukum@suse.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a15f9f60fb8ed89793e72d08a5537a4ca99d8982
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Mon Sep 21 17:46:16 2015 +0300

    xhci: change xhci 1.0 only restrictions to support xhci 1.1

    [ Upstream commit dca7794539eff04b786fb6907186989e5eaaa9c2 ]

    Some changes between xhci 0.96 and xhci 1.0 specifications forced us to
    check the hci version in code, some of these checks were implemented as
    hci_version == 1.0, which will not work with new xhci 1.1 controllers.

    xhci 1.1 behaves similar to xhci 1.0 in these cases, so change these
    checks to hci_version >= 1.0

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4b025c015cf467efd35ccad202784d3ff75874e2
Author: Roger Quadros <rogerq@ti.com>
Date:   Mon Sep 21 17:46:15 2015 +0300

    usb: xhci: exit early in xhci_setup_device() if we're halted or dying

    [ Upstream commit 448116bfa856d3c076fa7178ed96661a008a5d45 ]

    During quick plug/removal of OTG adapter during dual-role testing
    it can happen that xhci_alloc_device() is called for the newly
    detected device after the DRD library has called xhci_stop to
    remove the HCD.

    If that is the case, just fail early to prevent the following warning.

    [  154.732649] hub 4-0:1.0: USB hub found
    [  154.742204] hub 4-0:1.0: 1 port detected
    [  154.824458] hub 3-0:1.0: state 7 ports 1 chg 0002 evt 0000
    [  154.854609] hub 4-0:1.0: state 7 ports 1 chg 0000 evt 0000
    [  154.944430] usb 3-1: new high-speed USB device number 2 using xhci-hcd
    [  154.951009] xhci-hcd xhci-hcd.0.auto: xhci_setup_device
    [  155.038191] xhci-hcd xhci-hcd.0.auto: remove, state 4
    [  155.043315] usb usb4: USB disconnect, device number 1
    [  155.055270] xhci-hcd xhci-hcd.0.auto: xhci_stop
    [  155.060094] xhci-hcd xhci-hcd.0.auto: USB bus 4 deregistered
    [  155.066576] xhci-hcd xhci-hcd.0.auto: remove, state 1
    [  155.071710] usb usb3: USB disconnect, device number 1
    [  155.077124] xhci-hcd xhci-hcd.0.auto: xhci_setup_device
    [  155.082389] ------------[ cut here ]------------
    [  155.087690] WARNING: CPU: 0 PID: 72 at drivers/usb/host/xhci.c:3800 xhci_setup_device+0x410/0x484 [xhci_hcd]()
    [  155.097861] Modules linked in: sd_mod usb_storage scsi_mod usb_f_ss_lb g_zero libcomposite ipv6 xhci_plat_hcd xhci_hcd usbcore dwc3 udc_core evdev ti_am335x_adc joydev kfifo_buf industrialio snd_soc_simple_cc
    [  155.146734] CPU: 0 PID: 72 Comm: kworker/0:3 Tainted: G        W       4.1.4-00834-gcd9380b-dirty #50
    [  155.156073] Hardware name: Generic AM43 (Flattened Device Tree)
    [  155.162117] Workqueue: usb_hub_wq hub_event [usbcore]
    [  155.167249] Backtrace:
    [  155.169751] [<c0012af0>] (dump_backtrace) from [<c0012c8c>] (show_stack+0x18/0x1c)
    [  155.177390]  r6:c089d4a4 r5:ffffffff r4:00000000 r3:ee46c000
    [  155.183137] [<c0012c74>] (show_stack) from [<c05f7c14>] (dump_stack+0x84/0xd0)
    [  155.190446] [<c05f7b90>] (dump_stack) from [<c00439ac>] (warn_slowpath_common+0x80/0xbc)
    [  155.198605]  r7:00000009 r6:00000ed8 r5:bf27eb70 r4:00000000
    [  155.204348] [<c004392c>] (warn_slowpath_common) from [<c0043a0c>] (warn_slowpath_null+0x24/0x2c)
    [  155.213202]  r8:ee49f000 r7:ee7c0004 r6:00000000 r5:ee7c0158 r4:ee7c0000
    [  155.220051] [<c00439e8>] (warn_slowpath_null) from [<bf27eb70>] (xhci_setup_device+0x410/0x484 [xhci_hcd])
    [  155.229816] [<bf27e760>] (xhci_setup_device [xhci_hcd]) from [<bf27ec10>] (xhci_address_device+0x14/0x18 [xhci_hcd])
    [  155.240415]  r10:ee598200 r9:00000001 r8:00000002 r7:00000001 r6:00000003 r5:00000002
    [  155.248363]  r4:ee49f000
    [  155.250978] [<bf27ebfc>] (xhci_address_device [xhci_hcd]) from [<bf20cb94>] (hub_port_init+0x1b8/0xa9c [usbcore])
    [  155.261403] [<bf20c9dc>] (hub_port_init [usbcore]) from [<bf2101e0>] (hub_event+0x738/0x1020 [usbcore])
    [  155.270874]  r10:ee598200 r9:ee7c0000 r8:ee7c0038 r7:ee518800 r6:ee49f000 r5:00000001
    [  155.278822]  r4:00000000
    [  155.281426] [<bf20faa8>] (hub_event [usbcore]) from [<c005754c>] (process_one_work+0x128/0x340)
    [  155.290196]  r10:00000000 r9:00000003 r8:00000000 r7:fedfa000 r6:eeec5400 r5:ee598314
    [  155.298151]  r4:ee434380
    [  155.300718] [<c0057424>] (process_one_work) from [<c00578f8>] (worker_thread+0x158/0x49c)
    [  155.308963]  r10:ee434380 r9:00000003 r8:eeec5400 r7:00000008 r6:ee434398 r5:eeec5400
    [  155.316913]  r4:eeec5414
    [  155.319482] [<c00577a0>] (worker_thread) from [<c005cc40>] (kthread+0xdc/0xf8)
    [  155.326765]  r10:00000000 r9:00000000 r8:00000000 r7:c00577a0 r6:ee434380 r5:ee4441c0
    [  155.334713]  r4:00000000 r3:00000000
    [  155.338341] [<c005cb64>] (kthread) from [<c000fc08>] (ret_from_fork+0x14/0x2c)
    [  155.345626]  r7:00000000 r6:00000000 r5:c005cb64 r4:ee4441c0
    [  155.356108] ---[ end trace a58d34c223b190e6 ]---
    [  155.360783] xhci-hcd xhci-hcd.0.auto: Virt dev invalid for slot_id 0x1!
    [  155.574404] xhci-hcd xhci-hcd.0.auto: xhci_setup_device
    [  155.579667] ------------[ cut here ]------------

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Roger Quadros <rogerq@ti.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b78034d9af682dd587aa49884b559f9ff51e8ef7
Author: Roger Quadros <rogerq@ti.com>
Date:   Mon Sep 21 17:46:13 2015 +0300

    usb: xhci: Clear XHCI_STATE_DYING on start

    [ Upstream commit e5bfeab0ad515b4f6df39fe716603e9dc6d3dfd0 ]

    For whatever reason if XHCI died in the previous instant
    then it will never recover on the next xhci_start unless we
    clear the DYING flag.

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Roger Quadros <rogerq@ti.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ad0473dde67387a9c5b3e25429cb8adac090a0af
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Sep 23 11:41:42 2015 -0700

    USB: whiteheat: fix potential null-deref at probe

    [ Upstream commit cbb4be652d374f64661137756b8f357a1827d6a4 ]

    Fix potential null-pointer dereference at probe by making sure that the
    required endpoints are present.

    The whiteheat driver assumes there are at least five pairs of bulk
    endpoints, of which the final pair is used for the "command port". An
    attempt to bind to an interface with fewer bulk endpoints would
    currently lead to an oops.

    Fixes CVE-2015-5257.

    Reported-by: Moein Ghasemzadeh <moein@istuary.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 51bd52fb41d3f8669d2df20b63e1aa4b61cc9f8d
Author: Michel Dänzer <michel.daenzer@amd.com>
Date:   Mon Sep 28 18:16:31 2015 +0900

    drm/amdgpu:  Restore LCD backlight level on resume

    [ Upstream commit 74b3112e95073b351e3b0b9799795bc76f8415fa ]

    Instead of only enabling the backlight (which seems to set it to max
    brightness), just re-set the current backlight level, which also takes
    care of enabling the backlight if necessary.

    Port of radeon commit:
    drm/radeon: Restore LCD backlight level on resume (>= R5xx)

    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6131d99de4a7a2d2e24f59dea3698006011f791e
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Tue Jun 23 11:34:21 2015 +0200

    drm: Reject DRI1 hw lock ioctl functions for kms drivers

    [ Upstream commit da168d81b44898404d281d5dbe70154ab5f117c1 ]

    I've done some extensive history digging across libdrm, mesa and
    xf86-video-{intel,nouveau,ati}. The only potential user of this with
    kms drivers I could find was ttmtest, which once used drmGetLock
    still. But that mistake was quickly fixed up. Even the intel xvmc
    library (which otherwise was really good with using dri1 stuff in kms
    mode) managed to never take the hw lock for dri2 (and hence kms).

    Hence it should be save to unconditionally disallow this.

    Cc: Peter Antoine <peter.antoine@intel.com>
    Reviewed-by: Peter Antoine <peter.antoine@intel.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 21330a631016d627759be437d992000b5bdbf7d2
Author: Jani Nikula <jani.nikula@intel.com>
Date:   Thu Sep 17 16:42:07 2015 +0300

    drm/i915/bios: handle MIPI Sequence Block v3+ gracefully

    [ Upstream commit cd67d226ebd909d239d2c6e5a6abd6e2a338d1cd ]

    The VBT MIPI Sequence Block version 3 has forward incompatible changes:

    First, the block size in the header has been specified reserved, and the
    actual size is a separate 32-bit value within the block. The current
    find_section() function to will only look at the size in the block
    header, and, depending on what's in that now reserved size field,
    continue looking for other sections in the wrong place.

    Fix this by taking the new block size field into account. This will
    ensure that the lookups for other sections will work properly, as long
    as the new 32-bit size does not go beyond the opregion VBT mailbox size.

    Second, the contents of the block have been completely
    changed. Gracefully refuse parsing the yet unknown data version.

    Cc: Deepak M <m.deepak@intel.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Deepak M <m.deepak@intel.com>
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 445e1554e787c657acb9c300c0556b71bddac8e7
Author: Fabiano Fidêncio <fidencio@redhat.com>
Date:   Thu Sep 24 15:18:34 2015 +0200

    drm/qxl: recreate the primary surface when the bo is not primary

    [ Upstream commit 8d0d94015e96b8853c4f7f06eac3f269e1b3d866 ]

    When disabling/enabling a crtc the primary area must be updated
    independently of which crtc has been disabled/enabled.

    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1264735

    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit dcd79cf88046986d1e4082ee12793124a0035798
Author: Dave Airlie <airlied@redhat.com>
Date:   Mon Sep 14 10:28:34 2015 +1000

    drm/qxl: only report first monitor as connected if we have no state

    [ Upstream commit 69e5d3f893e19613486f300fd6e631810338aa4b ]

    If the server isn't new enough to give us state, report the first
    monitor as always connected, otherwise believe the server side.

    Cc: stable@vger.kernel.org
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ca5b6dad41ed3ceecc959b9a19b52c9aded89d39
Author: Steve French <smfrench@gmail.com>
Date:   Mon Sep 28 17:21:07 2015 -0500

    [SMB3] Do not fall back to SMBWriteX in set_file_size error cases

    [ Upstream commit 646200a041203f440fb6fcf9cacd9efeda9de74c ]

    The error paths in set_file_size for cifs and smb3 are incorrect.

    In the unlikely event that a server did not support set file info
    of the file size, the code incorrectly falls back to trying SMBWriteX
    (note that only the original core SMB Write, used for example by DOS,
    can set the file size this way - this actually  does not work for the more
    recent SMBWriteX).  The idea was since the old DOS SMB Write could set
    the file size if you write zero bytes at that offset then use that if
    server rejects the normal set file info call.

    Fortunately the SMBWriteX will never be sent on the wire (except when
    file size is zero) since the length and offset fields were reversed
    in the two places in this function that call SMBWriteX causing
    the fall back path to return an error. It is also important to never call
    an SMB request from an SMB2/sMB3 session (which theoretically would
    be possible, and can cause a brief session drop, although the client
    recovers) so this should be fixed.  In practice this path does not happen
    with modern servers but the error fall back to SMBWriteX is clearly wrong.

    Removing the calls to SMBWriteX in the error paths in cifs_set_file_size

    Pointed out by PaX/grsecurity team

    Signed-off-by: Steve French <steve.french@primarydata.com>
    Reported-by: PaX Team <pageexec@freemail.hu>
    CC: Emese Revfy <re.emese@gmail.com>
    CC: Brad Spengler <spender@grsecurity.net>
    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 27dc98701f026c09be9d459ae0bd432527be5ce5
Author: Steve French <smfrench@gmail.com>
Date:   Tue Sep 22 09:29:38 2015 -0500

    disabling oplocks/leases via module parm enable_oplocks broken for SMB3

    [ Upstream commit e0ddde9d44e37fbc21ce893553094ecf1a633ab5 ]

    leases (oplocks) were always requested for SMB2/SMB3 even when oplocks
    disabled in the cifs.ko module.

    Signed-off-by: Steve French <steve.french@primarydata.com>
    Reviewed-by: Chandrika Srinivasan <chandrika.srinivasan@citrix.com>
    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9c6e28cab8ebf2177dfe58930a8e17ca7043a4dc
Author: Peng Tao <tao.peng@primarydata.com>
Date:   Fri Sep 11 11:14:06 2015 +0800

    nfs: fix pg_test page count calculation

    [ Upstream commit 048883e0b934d9a5103d40e209cb14b7f33d2933 ]

    We really want sizeof(struct page *) instead. Otherwise we limit
    maximum IO size to 64 pages rather than 512 pages on a 64bit system.

    Fixes 2e11f829(nfs: cap request size to fit a kmalloced page array).

    Cc: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Peng Tao <tao.peng@primarydata.com>
    Fixes: 2e11f8296d22 ("nfs: cap request size to fit a kmalloced page array")
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e79740704034182a5961d774f4c87025db4eb0e3
Author: Florian Westphal <fw@strlen.de>
Date:   Wed Sep 9 02:57:21 2015 +0200

    netfilter: nf_log: don't zap all loggers on unregister

    [ Upstream commit 205ee117d4dc4a11ac3bd9638bb9b2e839f4de9a ]

    like nf_log_unset, nf_log_unregister must not reset the list of loggers.
    Otherwise, a call to nf_log_unregister() will render loggers of other nf
    protocols unusable:

    iptables -A INPUT -j LOG
    modprobe nf_log_arp ; rmmod nf_log_arp
    iptables -A INPUT -j LOG
    iptables: No chain/target/match by that name

    Fixes: 30e0c6a6be ("netfilter: nf_log: prepare net namespace support for loggers")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0496ef122e0b9296f27e1493aaaa217c9497f8d1
Author: Marcelo Leitner <mleitner@redhat.com>
Date:   Wed Oct 29 10:04:51 2014 -0200

    netfilter: nf_log: Introduce nft_log_dereference() macro

    [ Upstream commit 0c26ed1c07f13ca27e2638ffdd1951013ed96c48 ]

    Wrap up a common call pattern in an easier to handle call.

    Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0b41eaece3a6f675c3940ca694a10c449ea9d227
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Sep 14 18:04:09 2015 +0200

    netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC

    [ Upstream commit ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 ]

    Fix lookup of existing match/target structures in the corresponding list
    by skipping the family check if NFPROTO_UNSPEC is used.

    This is resulting in the allocation and insertion of one match/target
    structure for each use of them. So this not only bloats memory
    consumption but also severely affects the time to reload the ruleset
    from the iptables-compat utility.

    After this patch, iptables-compat-restore and iptables-compat take
    almost the same time to reload large rulesets.

    Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1aaf3bed304e54b4e4d3cac938f5560bc6b8f52d
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Sep 17 13:37:00 2015 +0200

    netfilter: nf_log: wait for rcu grace after logger unregistration

    [ Upstream commit ad5001cc7cdf9aaee5eb213fdee657e4a3c94776 ]

    The nf_log_unregister() function needs to call synchronize_rcu() to make sure
    that the objects are not dereferenced anymore on module removal.

    Fixes: 5962815a6a56 ("netfilter: nf_log: use an array of loggers instead of list")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f71252c2c3d7bac9895de13bf6005bc34daee2ac
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Thu Jul 9 22:56:00 2015 +0200

    netfilter: ctnetlink: put back references to master ct and expect objects

    [ Upstream commit 95dd8653de658143770cb0e55a58d2aab97c79d2 ]

    We have to put back the references to the master conntrack and the expectation
    that we just created, otherwise we'll leak them.

    Fixes: 0ef71ee1a5b9 ("netfilter: ctnetlink: refactor ctnetlink_create_expect")
    Reported-by: Tim Wiess <Tim.Wiess@watchguard.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a9108c7e36ad49c61e4f82a52f00e04bfa9b5882
Author: Joe Stringer <joestringer@nicira.com>
Date:   Tue Jul 21 21:37:31 2015 -0700

    netfilter: nf_conntrack: Support expectations in different zones

    [ Upstream commit 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 ]

    When zones were originally introduced, the expectation functions were
    all extended to perform lookup using the zone. However, insertion was
    not modified to check the zone. This means that two expectations which
    are intended to apply for different connections that have the same tuple
    but exist in different zones cannot both be tracked.

    Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones")
    Signed-off-by: Joe Stringer <joestringer@nicira.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit aef4db8e27803571e673ea2cf9c0e5c2a6dd1f49
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Fri Aug 28 21:01:43 2015 +0200

    netfilter: nfnetlink: work around wrong endianess in res_id field

    [ Upstream commit a9de9777d613500b089a7416f936bf3ae5f070d2 ]

    The convention in nfnetlink is to use network byte order in every header field
    as well as in the attribute payload. The initial version of the batching
    infrastructure assumes that res_id comes in host byte order though.

    The only client of the batching infrastructure is nf_tables, so let's add a
    workaround to address this inconsistency. We currently have 11 nfnetlink
    subsystems according to NFNL_SUBSYS_COUNT, so we can assume that the subsystem
    2560, ie. htons(10), will not be allocated anytime soon, so it can be an alias
    of nf_tables from the nfnetlink batching path when interpreting the res_id
    field.

    Based on original patch from Florian Westphal.

    Reported-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7b4543bf7ea8f6018385a29ade02038d532e406a
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Fri Oct 2 11:17:37 2015 -0400

    dm raid: fix round up of default region size

    [ Upstream commit 042745ee53a0a7c1f5aff191a4a24213c6dcfb52 ]

    Commit 3a0f9aaee028 ("dm raid: round region_size to power of two")
    intended to make sure that the default region size is a power of two.
    However, the logic in that commit is incorrect and sets the variable
    region_size to 0 or 1, depending on whether min_region_size is a power
    of two.

    Fix this logic, using roundup_pow_of_two(), so that region_size is
    properly rounded up to the next power of two.

    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Fixes: 3a0f9aaee028 ("dm raid: round region_size to power of two")
    Cc: stable@vger.kernel.org # v3.8+
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ab92cac0bfb5e4c27ea8f6139118f13b982c51b9
Author: Liu.Zhao <lzsos369@163.com>
Date:   Mon Aug 24 08:36:12 2015 -0700

    USB: option: add ZTE PIDs

    [ Upstream commit 19ab6bc5674a30fdb6a2436b068d19a3c17dc73e ]

    This is intended to add ZTE device PIDs on kernel.

    Signed-off-by: Liu.Zhao <lzsos369@163.com>
    Cc: stable <stable@vger.kernel.org>
    [johan: sort the new entries ]
    Signed-off-by: Johan Hovold <johan@kernel.org>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5fdd843e65edc2727ba630519559430bd276cb9c
Author: Joe Thornber <ejt@redhat.com>
Date:   Wed Aug 12 15:12:09 2015 +0100

    dm btree: add ref counting ops for the leaves of top level btrees

    [ Upstream commit b0dc3c8bc157c60b1d470163882be8c13e1950af ]

    When using nested btrees, the top leaves of the top levels contain
    block addresses for the root of the next tree down.  If we shadow a
    shared leaf node the leaf values (sub tree roots) should be incremented
    accordingly.

    This is only an issue if there is metadata sharing in the top levels.
    Which only occurs if metadata snapshots are being used (as is possible
    with dm-thinp).  And could result in a block from the thinp metadata
    snap being reused early, thus corrupting the thinp metadata snap.

    Signed-off-by: Joe Thornber <ejt@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 11982b198b595fab7c996fa7b15d655e1a84e933
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Thu Jul 9 16:45:18 2015 -0400

    svcrdma: Fix send_reply() scatter/gather set-up

    [ Upstream commit 9d11b51ce7c150a69e761e30518f294fc73d55ff ]

    The Linux NFS server returns garbage in the data payload of inline
    NFS/RDMA READ replies. These are READs of under 1000 bytes or so
    where the client has not provided either a reply chunk or a write
    list.

    The NFS server delivers the data payload for an NFS READ reply to
    the transport in an xdr_buf page list. If the NFS client did not
    provide a reply chunk or a write list, send_reply() is supposed to
    set up a separate sge for the page containing the READ data, and
    another sge for XDR padding if needed, then post all of the sges via
    a single SEND Work Request.

    The problem is send_reply() does not advance through the xdr_buf
    when setting up scatter/gather entries for SEND WR. It always calls
    dma_map_xdr with xdr_off set to zero. When there's more than one
    sge, dma_map_xdr() sets up the SEND sge's so they all point to the
    xdr_buf's head.

    The current Linux NFS/RDMA client always provides a reply chunk or
    a write list when performing an NFS READ over RDMA. Therefore, it
    does not exercise this particular case. The Linux server has never
    had to use more than one extra sge for building RPC/RDMA replies
    with a Linux client.

    However, an NFS/RDMA client _is_ allowed to send small NFS READs
    without setting up a write list or reply chunk. The NFS READ reply
    fits entirely within the inline reply buffer in this case. This is
    perhaps a more efficient way of performing NFS READs that the Linux
    NFS/RDMA client may some day adopt.

    Fixes: b432e6b3d9c1 ('svcrdma: Change DMA mapping logic to . . .')
    BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=285
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 41d3120a5cd75117ac7f681514c27180cae7e8c2
Author: Michal Kazior <michal.kazior@tieto.com>
Date:   Wed Aug 19 13:10:43 2015 +0200

    ath10k: fix dma_mapping_error() handling

    [ Upstream commit 5e55e3cbd1042cffa6249f22c10585e63f8a29bf ]

    The function returns 1 when DMA mapping fails. The
    driver would return bogus values and could
    possibly confuse itself if DMA failed.

    Fixes: 767d34fc67af ("ath10k: remove DMA mapping wrappers")
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
    Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b2abcec9c58d844e9cf506329cbff89521457702
Author: Filipe Manana <fdmanana@suse.com>
Date:   Mon Sep 28 09:56:26 2015 +0100

    Btrfs: update fix for read corruption of compressed and shared extents

    [ Upstream commit 808f80b46790f27e145c72112189d6a3be2bc884 ]

    My previous fix in commit 005efedf2c7d ("Btrfs: fix read corruption of
    compressed and shared extents") was effective only if the compressed
    extents cover a file range with a length that is not a multiple of 16
    pages. That's because the detection of when we reached a different range
    of the file that shares the same compressed extent as the previously
    processed range was done at extent_io.c:__do_contiguous_readpages(),
    which covers subranges with a length up to 16 pages, because
    extent_readpages() groups the pages in clusters no larger than 16 pages.
    So fix this by tracking the start of the previously processed file
    range's extent map at extent_readpages().

    The following test case for fstests reproduces the issue:

      seq=`basename $0`
      seqres=$RESULT_DIR/$seq
      echo "QA output created by $seq"
      tmp=/tmp/$$
      status=1      # failure is the default!
      trap "_cleanup; exit \$status" 0 1 2 3 15

      _cleanup()
      {
          rm -f $tmp.*
      }

      # get standard environment, filters and checks
      . ./common/rc
      . ./common/filter

      # real QA test starts here
      _need_to_be_root
      _supported_fs btrfs
      _supported_os Linux
      _require_scratch
      _require_cloner

      rm -f $seqres.full

      test_clone_and_read_compressed_extent()
      {
          local mount_opts=$1

          _scratch_mkfs >>$seqres.full 2>&1
          _scratch_mount $mount_opts

          # Create our test file with a single extent of 64Kb that is going to
          # be compressed no matter which compression algo is used (zlib/lzo).
          $XFS_IO_PROG -f -c "pwrite -S 0xaa 0K 64K" \
              $SCRATCH_MNT/foo | _filter_xfs_io

          # Now clone the compressed extent into an adjacent file offset.
          $CLONER_PROG -s 0 -d $((64 * 1024)) -l $((64 * 1024)) \
              $SCRATCH_MNT/foo $SCRATCH_MNT/foo

          echo "File digest before unmount:"
          md5sum $SCRATCH_MNT/foo | _filter_scratch

          # Remount the fs or clear the page cache to trigger the bug in
          # btrfs. Because the extent has an uncompressed length that is a
          # multiple of 16 pages, all the pages belonging to the second range
          # of the file (64K to 128K), which points to the same extent as the
          # first range (0K to 64K), had their contents full of zeroes instead
          # of the byte 0xaa. This was a bug exclusively in the read path of
          # compressed extents, the correct data was stored on disk, btrfs
          # just failed to fill in the pages correctly.
          _scratch_remount

          echo "File digest after remount:"
          # Must match the digest we got before.
          md5sum $SCRATCH_MNT/foo | _filter_scratch
      }

      echo -e "\nTesting with zlib compression..."
      test_clone_and_read_compressed_extent "-o compress=zlib"

      _scratch_unmount

      echo -e "\nTesting with lzo compression..."
      test_clone_and_read_compressed_extent "-o compress=lzo"

      status=0
      exit

    Cc: stable@vger.kernel.org
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Tested-by: Timofey Titovets <nefelim4ag@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fc6c5152944cc7462391953667a9ac214dad3a94
Author: Filipe Manana <fdmanana@suse.com>
Date:   Mon Sep 14 09:09:31 2015 +0100

    Btrfs: fix read corruption of compressed and shared extents

    [ Upstream commit 005efedf2c7d0a270ffbe28d8997b03844f3e3e7 ]

    If a file has a range pointing to a compressed extent, followed by
    another range that points to the same compressed extent and a read
    operation attempts to read both ranges (either completely or part of
    them), the pages that correspond to the second range are incorrectly
    filled with zeroes.

    Consider the following example:

      File layout
      [0 - 8K]                      [8K - 24K]
          |                             |
          |                             |
       points to extent X,         points to extent X,
       offset 4K, length of 8K     offset 0, length 16K

      [extent X, compressed length = 4K uncompressed length = 16K]

    If a readpages() call spans the 2 ranges, a single bio to read the extent
    is submitted - extent_io.c:submit_extent_page() would only create a new
    bio to cover the second range pointing to the extent if the extent it
    points to had a different logical address than the extent associated with
    the first range. This has a consequence of the compressed read end io
    handler (compression.c:end_compressed_bio_read()) finish once the extent
    is decompressed into the pages covering the first range, leaving the
    remaining pages (belonging to the second range) filled with zeroes (done
    by compression.c:btrfs_clear_biovec_end()).

    So fix this by submitting the current bio whenever we find a range
    pointing to a compressed extent that was preceded by a range with a
    different extent map. This is the simplest solution for this corner
    case. Making the end io callback populate both ranges (or more, if we
    have multiple pointing to the same extent) is a much more complex
    solution since each bio is tightly coupled with a single extent map and
    the extent maps associated to the ranges pointing to the shared extent
    can have different offsets and lengths.

    The following test case for fstests triggers the issue:

      seq=`basename $0`
      seqres=$RESULT_DIR/$seq
      echo "QA output created by $seq"
      tmp=/tmp/$$
      status=1      # failure is the default!
      trap "_cleanup; exit \$status" 0 1 2 3 15

      _cleanup()
      {
          rm -f $tmp.*
      }

      # get standard environment, filters and checks
      . ./common/rc
      . ./common/filter

      # real QA test starts here
      _need_to_be_root
      _supported_fs btrfs
      _supported_os Linux
      _require_scratch
      _require_cloner

      rm -f $seqres.full

      test_clone_and_read_compressed_extent()
      {
          local mount_opts=$1

          _scratch_mkfs >>$seqres.full 2>&1
          _scratch_mount $mount_opts

          # Create a test file with a single extent that is compressed (the
          # data we write into it is highly compressible no matter which
          # compression algorithm is used, zlib or lzo).
          $XFS_IO_PROG -f -c "pwrite -S 0xaa 0K 4K"        \
                          -c "pwrite -S 0xbb 4K 8K"        \
                          -c "pwrite -S 0xcc 12K 4K"       \
                          $SCRATCH_MNT/foo | _filter_xfs_io

          # Now clone our extent into an adjacent offset.
          $CLONER_PROG -s $((4 * 1024)) -d $((16 * 1024)) -l $((8 * 1024)) \
              $SCRATCH_MNT/foo $SCRATCH_MNT/foo

          # Same as before but for this file we clone the extent into a lower
          # file offset.
          $XFS_IO_PROG -f -c "pwrite -S 0xaa 8K 4K"         \
                          -c "pwrite -S 0xbb 12K 8K"        \
                          -c "pwrite -S 0xcc 20K 4K"        \
                          $SCRATCH_MNT/bar | _filter_xfs_io

          $CLONER_PROG -s $((12 * 1024)) -d 0 -l $((8 * 1024)) \
              $SCRATCH_MNT/bar $SCRATCH_MNT/bar

          echo "File digests before unmounting filesystem:"
          md5sum $SCRATCH_MNT/foo | _filter_scratch
          md5sum $SCRATCH_MNT/bar | _filter_scratch

          # Evicting the inode or clearing the page cache before reading
          # again the file would also trigger the bug - reads were returning
          # all bytes in the range corresponding to the second reference to
          # the extent with a value of 0, but the correct data was persisted
          # (it was a bug exclusively in the read path). The issue happened
          # only if the same readpages() call targeted pages belonging to the
          # first and second ranges that point to the same compressed extent.
          _scratch_remount

          echo "File digests after mounting filesystem again:"
          # Must match the same digests we got before.
          md5sum $SCRATCH_MNT/foo | _filter_scratch
          md5sum $SCRATCH_MNT/bar | _filter_scratch
      }

      echo -e "\nTesting with zlib compression..."
      test_clone_and_read_compressed_extent "-o compress=zlib"

      _scratch_unmount

      echo -e "\nTesting with lzo compression..."
      test_clone_and_read_compressed_extent "-o compress=lzo"

      status=0
      exit

    Cc: stable@vger.kernel.org
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: Qu Wenruo<quwenruo@cn.fujitsu.com>
    Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1fb045a8b0bbfb757e114d5d0ad4dfb335346dc7
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Fri Sep 11 21:44:17 2015 -0400

    btrfs: skip waiting on ordered range for special files

    [ Upstream commit a30e577c96f59b1e1678ea5462432b09bf7d5cbc ]

    In btrfs_evict_inode, we properly truncate the page cache for evicted
    inodes but then we call btrfs_wait_ordered_range for every inode as well.
    It's the right thing to do for regular files but results in incorrect
    behavior for device inodes for block devices.

    filemap_fdatawrite_range gets called with inode->i_mapping which gets
    resolved to the block device inode before getting passed to
    wbc_attach_fdatawrite_inode and ultimately to inode_to_bdi.  What happens
    next depends on whether there's an open file handle associated with the
    inode.  If there is, we write to the block device, which is unexpected
    behavior.  If there isn't, we through normally and inode->i_data is used.
    We can also end up racing against open/close which can result in crashes
    when i_mapping points to a block device inode that has been closed.

    Since there can't be any page cache associated with special file inodes,
    it's safe to skip the btrfs_wait_ordered_range call entirely and avoid
    the problem.

    Cc: <stable@vger.kernel.org>
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=100911
    Tested-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e1a73316b1c356860a5d5ee7c7ecf30a3880516d
Author: Yitian Bu <buyitian@gmail.com>
Date:   Fri Oct 2 15:18:41 2015 +0800

    ASoC: dwc: correct irq clear method

    [ Upstream commit 4873867e5f2bd90faad861dd94865099fc3140f3 ]

    from Designware I2S datasheet, tx/rx XRUN irq is cleared by
    reading register TOR/ROR, rather than by writing into them.

    Signed-off-by: Yitian Bu <yitian.bu@tangramtek.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 44594dddabd8e4e6b0a388b8ff9b5e06a6e782db
Author: Robert Jarzmik <robert.jarzmik@free.fr>
Date:   Tue Sep 15 20:51:31 2015 +0200

    ASoC: fix broken pxa SoC support

    [ Upstream commit 3c8f7710c1c44fb650bc29b6ef78ed8b60cfaa28 ]

    The previous fix of pxa library support, which was introduced to fix the
    library dependency, broke the previous SoC behavior, where a machine
    code binding pxa2xx-ac97 with a coded relied on :
     - sound/soc/pxa/pxa2xx-ac97.c
     - sound/soc/codecs/XXX.c

    For example, the mioa701_wm9713.c machine code is currently broken. The
    "select ARM" statement wrongly selects the soc/arm/pxa2xx-ac97 for
    compilation, as per an unfortunate fate SND_PXA2XX_AC97 is both declared
    in sound/arm/Kconfig and sound/soc/pxa/Kconfig.

    Fix this by ensuring that SND_PXA2XX_SOC correctly triggers the correct
    pxa2xx-ac97 compilation.

    Fixes: 846172dfe33c ("ASoC: fix SND_PXA2XX_LIB Kconfig warning")
    Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b402bfb3dd7ae94cea9f9e583631f08837442a0a
Author: Robert Jarzmik <robert.jarzmik@free.fr>
Date:   Tue Sep 22 21:20:22 2015 +0200

    ASoC: pxa: pxa2xx-ac97: fix dma requestor lines

    [ Upstream commit 8811191fdf7ed02ee07cb8469428158572d355a2 ]

    PCM receive and transmit DMA requestor lines were reverted, breaking the
    PCM playback interface for PXA platforms using the sound/soc/ variant
    instead of the sound/arm variant.

    The commit below shows the inversion in the requestor lines.

    Fixes: d65a14587a9b ("ASoC: pxa: use snd_dmaengine_dai_dma_data")
    Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e7c645a25f3a201fd2e8d097a52d50a6ba01fec3
Author: John Flatness <john@zerocrates.org>
Date:   Fri Oct 2 17:07:49 2015 -0400

    ALSA: hda - Apply SPDIF pin ctl to MacBookPro 12,1

    [ Upstream commit e8ff581f7ac2bc3b8886094b7ca635dcc4d1b0e9 ]

    The MacBookPro 12,1 has the same setup as the 11 for controlling the
    status of the optical audio light. Simply apply the existing workaround
    to the subsystem ID for the 12,1.

    [sorted the fixup entry by tiwai]

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105401
    Signed-off-by: John Flatness <john@zerocrates.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f60c8a5f2697193ea4b08b0f554c7265df8bbb11
Author: Laura Abbott <labbott@fedoraproject.org>
Date:   Fri Oct 2 11:09:54 2015 -0700

    ALSA: hda: Add dock support for ThinkPad T550

    [ Upstream commit d05ea7da0e8f6df3c62cfee75538f347cb3d89ef ]

    Much like all the other Lenovo laptops, add a quirk to make
    sound work with docking.

    Reported-and-tested-by: lacknerflo@gmail.com
    Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e701ac72198baa78ee26b1c6da77173371346122
Author: Takashi Iwai <tiwai@suse.de>
Date:   Mon Oct 5 16:55:09 2015 +0200

    ALSA: synth: Fix conflicting OSS device registration on AWE32

    [ Upstream commit 225db5762dc1a35b26850477ffa06e5cd0097243 ]

    When OSS emulation is loaded on ISA SB AWE32 chip, we get now kernel
    warnings like:
      WARNING: CPU: 0 PID: 2791 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x51/0x80()
      sysfs: cannot create duplicate filename '/devices/isa/sbawe.0/sound/card0/seq-oss-0-0'

    It's because both emux synth and opl3 drivers try to register their
    OSS device object with the same static index number 0.  This hasn't
    been a big problem until the recent rewrite of device management code
    (that exposes sysfs at the same time), but it's been an obvious bug.

    This patch works around it just by using a different index number of
    emux synth object.  There can be a more elegant way to fix, but it's
    enough for now, as this code won't be touched so often, in anyway.

    Reported-and-tested-by: Michael Shell <list1@michaelshell.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0e4cfed8f063028430bfc6883217698fca3c35ab
Author: Mel Gorman <mgorman@techsingularity.net>
Date:   Thu Oct 1 15:36:57 2015 -0700

    mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault

    [ Upstream commit 2f84a8990ebbe235c59716896e017c6b2ca1200f ]

    SunDong reported the following on

      https://bugzilla.kernel.org/show_bug.cgi?id=103841

            I think I find a linux bug, I have the test cases is constructed. I
            can stable recurring problems in fedora22(4.0.4) kernel version,
            arch for x86_64.  I construct transparent huge page, when the parent
            and child process with MAP_SHARE, MAP_PRIVATE way to access the same
            huge page area, it has the opportunity to lead to huge page copy on
            write failure, and then it will munmap the child corresponding mmap
            area, but then the child mmap area with VM_MAYSHARE attributes, child
            process munmap this area can trigger VM_BUG_ON in set_vma_resv_flags
            functions (vma - > vm_flags & VM_MAYSHARE).

    There were a number of problems with the report (e.g.  it's hugetlbfs that
    triggers this, not transparent huge pages) but it was fundamentally
    correct in that a VM_BUG_ON in set_vma_resv_flags() can be triggered that
    looks like this

             vma ffff8804651fd0d0 start 00007fc474e00000 end 00007fc475e00000
             next ffff8804651fd018 prev ffff8804651fd188 mm ffff88046b1b1800
             prot 8000000000000027 anon_vma           (null) vm_ops ffffffff8182a7a0
             pgoff 0 file ffff88106bdb9800 private_data           (null)
             flags: 0x84400fb(read|write|shared|mayread|maywrite|mayexec|mayshare|dontexpand|hugetlb)
             ------------
             kernel BUG at mm/hugetlb.c:462!
             SMP
             Modules linked in: xt_pkttype xt_LOG xt_limit [..]
             CPU: 38 PID: 26839 Comm: map Not tainted 4.0.4-default #1
             Hardware name: Dell Inc. PowerEdge R810/0TT6JF, BIOS 2.7.4 04/26/2012
             set_vma_resv_flags+0x2d/0x30

    The VM_BUG_ON is correct because private and shared mappings have
    different reservation accounting but the warning clearly shows that the
    VMA is shared.

    When a private COW fails to allocate a new page then only the process
    that created the VMA gets the page -- all the children unmap the page.
    If the children access that data in the future then they get killed.

    The problem is that the same file is mapped shared and private.  During
    the COW, the allocation fails, the VMAs are traversed to unmap the other
    private pages but a shared VMA is found and the bug is triggered.  This
    patch identifies such VMAs and skips them.

    Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
    Reported-by: SunDong <sund_sky@126.com>
    Reviewed-by: Michal Hocko <mhocko@suse.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: David Rientjes <rientjes@google.com>
    Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit efddc65b3ecb2d1e7043a96d5f673760f22742d2
Author: Joseph Qi <joseph.qi@huawei.com>
Date:   Tue Sep 22 14:59:20 2015 -0700

    ocfs2/dlm: fix deadlock when dispatch assert master

    [ Upstream commit 012572d4fc2e4ddd5c8ec8614d51414ec6cae02a ]

    The order of the following three spinlocks should be:
    dlm_domain_lock < dlm_ctxt->spinlock < dlm_lock_resource->spinlock

    But dlm_dispatch_assert_master() is called while holding
    dlm_ctxt->spinlock and dlm_lock_resource->spinlock, and then it calls
    dlm_grab() which will take dlm_domain_lock.

    Once another thread (for example, dlm_query_join_handler) has already
    taken dlm_domain_lock, and tries to take dlm_ctxt->spinlock deadlock
    happens.

    Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Mark Fasheh <mfasheh@suse.com>
    Cc: "Junxiao Bi" <junxiao.bi@oracle.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit bf61da4411682000a12ad7756d62fe7985fd8523
Author: Tan, Jui Nee <jui.nee.tan@intel.com>
Date:   Tue Sep 1 10:22:51 2015 +0800

    spi: spi-pxa2xx: Check status register to determine if SSSR_TINT is disabled

    [ Upstream commit 02bc933ebb59208f42c2e6305b2c17fd306f695d ]

    On Intel Baytrail, there is case when interrupt handler get called, no SPI
    message is captured. The RX FIFO is indeed empty when RX timeout pending
    interrupt (SSSR_TINT) happens.

    Use the BIOS version where both HSUART and SPI are on the same IRQ. Both
    drivers are using IRQF_SHARED when calling the request_irq function. When
    running two separate and independent SPI and HSUART application that
    generate data traffic on both components, user will see messages like
    below on the console:

      pxa2xx-spi pxa2xx-spi.0: bad message state in interrupt handler

    This commit will fix this by first checking Receiver Time-out Interrupt,
    if it is disabled, ignore the request and return without servicing.

    Signed-off-by: Tan, Jui Nee <jui.nee.tan@intel.com>
    Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a94229eb62f288a04ddafa39abce4a0b9f6280fc
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Tue Sep 22 14:32:03 2015 +0300

    spi: xtensa-xtfpga: fix register endianness

    [ Upstream commit b0b4855099e301c8603ea37da9a0103a96c2e0b1 ]

    XTFPGA SPI controller has native endian registers.
    Fix register acessors so that they work in big-endian configurations.

    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 628e5c38cf55892da4e202e6a4940617e1ec8ee8
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Sun Sep 6 01:46:54 2015 +0300

    spi: Fix documentation of spi_alloc_master()

    [ Upstream commit a394d635193b641f2c86ead5ada5b115d57c51f8 ]

    Actually, spi_master_put() after spi_alloc_master() must _not_ be followed
    by kfree(). The memory is already freed with the call to spi_master_put()
    through spi_master_class, which registers a release function. Calling both
    spi_master_put() and kfree() results in often nasty (and delayed) crashes
    elsewhere in the kernel, often in the networking stack.

    This reverts commit eb4af0f5349235df2e4a5057a72fc8962d00308a.

    Link to patch and concerns: https://lkml.org/lkml/2012/9/3/269
    or
    http://lkml.iu.edu/hypermail/linux/kernel/1209.0/00790.html

    Alexey Klimov: This revert becomes valid after
    94c69f765f1b4a658d96905ec59928e3e3e07e6a when spi-imx.c
    has been fixed and there is no need to call kfree() so comment
    for spi_alloc_master() should be fixed.

    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 91f073fb956fa7e16d56b18be462059a203e97d3
Author: Christian Borntraeger <borntraeger@de.ibm.com>
Date:   Mon Sep 28 22:47:42 2015 +0200

    s390/boot/decompression: disable floating point in decompressor

    [ Upstream commit adc0b7fbf6fe9967505c0254d9535ec7288186ae ]

    my gcc 5.1 used an ldgr instruction with a register != 0,2,4,6 for
    spilling/filling into a floating point register in our decompressor.

    This will cause an AFP-register data exception as the decompressor
    did not setup the additional floating point registers via cr0.
    That causes a program check loop that looked like a hang with
    one "Uncompressing Linux... " message (directly booted via kvm)
    or a loop of "Uncompressing Linux... " messages (when booted via
    zipl boot loader).

    The offending code in my build was

       48e400:       e3 c0 af ff ff 71       lay     %r12,-1(%r10)
    -->48e406:       b3 c1 00 1c             ldgr    %f1,%r12
       48e40a:       ec 6c 01 22 02 7f       clij    %r6,2,12,0x48e64e

    but gcc could do spilling into an fpr at any function. We can
    simply disable floating point support at that early stage.

    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ca49c6cc8e77980557c26c88f43b5699acb3d770
Author: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date:   Tue Sep 8 15:25:39 2015 +0200

    s390/compat: correct uc_sigmask of the compat signal frame

    [ Upstream commit 8d4bd0ed0439dfc780aab801a085961925ed6838 ]

    The uc_sigmask in the ucontext structure is an array of words to keep
    the 64 signal bits (or 1024 if you ask glibc but the kernel sigset_t
    only has 64 bits).

    For 64 bit the sigset_t contains a single 8 byte word, but for 31 bit
    there are two 4 byte words. The compat signal handler code uses a
    simple copy of the 64 bit sigset_t to the 31 bit compat_sigset_t.
    As s390 is a big-endian architecture this is incorrect, the two words
    in the 31 bit sigset_t array need to be swapped.

    Cc: <stable@vger.kernel.org>
    Reported-by: Stefan Liebler <stli@linux.vnet.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fafb54dbf1d5dfba928085ae5532b7f2c9b6eb67
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Tue Sep 29 14:45:09 2015 +0200

    sched/core: Fix TASK_DEAD race in finish_task_switch()

    [ Upstream commit 95913d97914f44db2b81271c2e2ebd4d2ac2df83 ]

    So the problem this patch is trying to address is as follows:

            CPU0                            CPU1

            context_switch(A, B)
                                            ttwu(A)
                                              LOCK A->pi_lock
                                              A->on_cpu == 0
            finish_task_switch(A)
              prev_state = A->state  <-.
              WMB                      |
              A->on_cpu = 0;           |
              UNLOCK rq0->lock         |
                                       |    context_switch(C, A)
                                       `--  A->state = TASK_DEAD
              prev_state == TASK_DEAD
                put_task_struct(A)
                                            context_switch(A, C)
                                            finish_task_switch(A)
                                              A->state == TASK_DEAD
                                                put_task_struct(A)

    The argument being that the WMB will allow the load of A->state on CPU0
    to cross over and observe CPU1's store of A->state, which will then
    result in a double-drop and use-after-free.

    Now the comment states (and this was true once upon a long time ago)
    that we need to observe A->state while holding rq->lock because that
    will order us against the wakeup; however the wakeup will not in fact
    acquire (that) rq->lock; it takes A->pi_lock these days.

    We can obviously fix this by upgrading the WMB to an MB, but that is
    expensive, so we'd rather avoid that.

    The alternative this patch takes is: smp_store_release(&A->on_cpu, 0),
    which avoids the MB on some archs, but not important ones like ARM.

    Reported-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: <stable@vger.kernel.org> # v3.1+
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-kernel@vger.kernel.org
    Cc: manfred@colorfullife.com
    Cc: will.deacon@arm.com
    Fixes: e4a52bcb9a18 ("sched: Remove rq->lock from the first half of ttwu()")
    Link: http://lkml.kernel.org/r/20150929124509.GG3816@twins.programming.kicks-ass.net
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4de74d2037ad5bcd475c0fa113de00941dd7d567
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Fri Sep 25 11:59:52 2015 +0200

    x86/xen: Support kexec/kdump in HVM guests by doing a soft reset

    [ Upstream commit 0b34a166f291d255755be46e43ed5497cdd194f2 ]

    Currently there is a number of issues preventing PVHVM Xen guests from
    doing successful kexec/kdump:

      - Bound event channels.
      - Registered vcpu_info.
      - PIRQ/emuirq mappings.
      - shared_info frame after XENMAPSPACE_shared_info operation.
      - Active grant mappings.

    Basically, newly booted kernel stumbles upon already set up Xen
    interfaces and there is no way to reestablish them. In Xen-4.7 a new
    feature called 'soft reset' is coming. A guest performing kexec/kdump
    operation is supposed to call SCHEDOP_shutdown hypercall with
    SHUTDOWN_soft_reset reason before jumping to new kernel. Hypervisor
    (with some help from toolstack) will do full domain cleanup (but
    keeping its memory and vCPU contexts intact) returning the guest to
    the state it had when it was first booted and thus allowing it to
    start over.

    Doing SHUTDOWN_soft_reset on Xen hypervisors which don't support it is
    probably OK as by default all unknown shutdown reasons cause domain
    destroy with a message in toolstack log: 'Unknown shutdown reason code
    5. Destroying domain.'  which gives a clue to what the problem is and
    eliminates false expectations.

    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: David Vrabel <david.vrabel@citrix.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit da00c72eae91e6a72ab1fef7ab94fcc382c5edd2
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Thu Oct 1 09:04:22 2015 -0400

    x86/mm: Set NX on gap between __ex_table and rodata

    [ Upstream commit ab76f7b4ab2397ffdd2f1eb07c55697d19991d10 ]

    Unused space between the end of __ex_table and the start of
    rodata can be left W+x in the kernel page tables.  Extend the
    setting of the NX bit to cover this gap by starting from
    text_end rather than rodata_start.

      Before:
      ---[ High Kernel Mapping ]---
      0xffffffff80000000-0xffffffff81000000          16M                               pmd
      0xffffffff81000000-0xffffffff81600000           6M     ro         PSE     GLB x  pmd
      0xffffffff81600000-0xffffffff81754000        1360K     ro                 GLB x  pte
      0xffffffff81754000-0xffffffff81800000         688K     RW                 GLB x  pte
      0xffffffff81800000-0xffffffff81a00000           2M     ro         PSE     GLB NX pmd
      0xffffffff81a00000-0xffffffff81b3b000        1260K     ro                 GLB NX pte
      0xffffffff81b3b000-0xffffffff82000000        4884K     RW                 GLB NX pte
      0xffffffff82000000-0xffffffff82200000           2M     RW         PSE     GLB NX pmd
      0xffffffff82200000-0xffffffffa0000000         478M                               pmd

      After:
      ---[ High Kernel Mapping ]---
      0xffffffff80000000-0xffffffff81000000          16M                               pmd
      0xffffffff81000000-0xffffffff81600000           6M     ro         PSE     GLB x  pmd
      0xffffffff81600000-0xffffffff81754000        1360K     ro                 GLB x  pte
      0xffffffff81754000-0xffffffff81800000         688K     RW                 GLB NX pte
      0xffffffff81800000-0xffffffff81a00000           2M     ro         PSE     GLB NX pmd
      0xffffffff81a00000-0xffffffff81b3b000        1260K     ro                 GLB NX pte
      0xffffffff81b3b000-0xffffffff82000000        4884K     RW                 GLB NX pte
      0xffffffff82000000-0xffffffff82200000           2M     RW         PSE     GLB NX pmd
      0xffffffff82200000-0xffffffffa0000000         478M                               pmd

    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: Kees Cook <keescook@chromium.org>
    Cc: <stable@vger.kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-kernel@vger.kernel.org
    Link: http://lkml.kernel.org/r/1443704662-3138-1-git-send-email-sds@tycho.nsa.gov
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a92668113fc5326cb3c09958a000e7130eaa651f
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Wed Sep 30 08:38:22 2015 +0000

    x86/process: Add proper bound checks in 64bit get_wchan()

    [ Upstream commit eddd3826a1a0190e5235703d1e666affa4d13b96 ]

    Dmitry Vyukov reported the following using trinity and the memory
    error detector AddressSanitizer
    (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).

    [ 124.575597] ERROR: AddressSanitizer: heap-buffer-overflow on
    address ffff88002e280000
    [ 124.576801] ffff88002e280000 is located 131938492886538 bytes to
    the left of 28857600-byte region [ffffffff81282e0a, ffffffff82e0830a)
    [ 124.578633] Accessed by thread T10915:
    [ 124.579295] inlined in describe_heap_address
    ./arch/x86/mm/asan/report.c:164
    [ 124.579295] #0 ffffffff810dd277 in asan_report_error
    ./arch/x86/mm/asan/report.c:278
    [ 124.580137] #1 ffffffff810dc6a0 in asan_check_region
    ./arch/x86/mm/asan/asan.c:37
    [ 124.581050] #2 ffffffff810dd423 in __tsan_read8 ??:0
    [ 124.581893] #3 ffffffff8107c093 in get_wchan
    ./arch/x86/kernel/process_64.c:444

    The address checks in the 64bit implementation of get_wchan() are
    wrong in several ways:

     - The lower bound of the stack is not the start of the stack
       page. It's the start of the stack page plus sizeof (struct
       thread_info)

     - The upper bound must be:

           top_of_stack - TOP_OF_KERNEL_STACK_PADDING - 2 * sizeof(unsigned long).

       The 2 * sizeof(unsigned long) is required because the stack pointer
       points at the frame pointer. The layout on the stack is: ... IP FP
       ... IP FP. So we need to make sure that both IP and FP are in the
       bounds.

    Fix the bound checks and get rid of the mix of numeric constants, u64
    and unsigned long. Making all unsigned long allows us to use the same
    function for 32bit as well.

    Use READ_ONCE() when accessing the stack. This does not prevent a
    concurrent wakeup of the task and the stack changing, but at least it
    avoids TOCTOU.

    Also check task state at the end of the loop. Again that does not
    prevent concurrent changes, but it avoids walking for nothing.

    Add proper comments while at it.

    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Based-on-patch-from: Wolfram Gloger <wmglo@dent.med.uni-muenchen.de>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@alien8.de>
    Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
    Cc: Andy Lutomirski <luto@amacapital.net>
    Cc: Andrey Konovalov <andreyknvl@google.com>
    Cc: Kostya Serebryany <kcc@google.com>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: kasan-dev <kasan-dev@googlegroups.com>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: Wolfram Gloger <wmglo@dent.med.uni-muenchen.de>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/20150930083302.694788319@linutronix.de
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4aa755567f1e664c985eb0fb55e2be4b1fe14f17
Author: Andy Lutomirski <luto@amacapital.net>
Date:   Tue Mar 10 11:05:58 2015 -0700

    x86/asm/entry: Create and use a 'TOP_OF_KERNEL_STACK_PADDING' macro

    [ Upstream commit 3ee4298f440c81638cbb5ec06f2497fb7a9a9eb4 ]

    x86_32, unlike x86_64, pads the top of the kernel stack, because the
    hardware stack frame formats are variable in size.

    Document this padding and give it a name.

    This should make no change whatsoever to the compiled kernel
    image. It also doesn't fix any of the current bugs in this area.

    Signed-off-by: Andy Lutomirski <luto@amacapital.net>
    Acked-by: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/02bf2f54b8dcb76a62a142b6dfe07d4ef7fc582e.1426009661.git.luto@amacapital.net
    [ Fixed small details, such as a missed magic constant in entry_32.S pointed out by Denys Vlasenko. ]
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e0bc30ecd6debc5a9a88a45f589bc05795e871ec
Author: Lee, Chun-Yi <joeyli.kernel@gmail.com>
Date:   Tue Sep 29 20:58:57 2015 +0800

    x86/kexec: Fix kexec crash in syscall kexec_file_load()

    [ Upstream commit e3c41e37b0f4b18cbd4dac76cbeece5a7558b909 ]

    The original bug is a page fault crash that sometimes happens
    on big machines when preparing ELF headers:

        BUG: unable to handle kernel paging request at ffffc90613fc9000
        IP: [<ffffffff8103d645>] prepare_elf64_ram_headers_callback+0x165/0x260

    The bug is caused by us under-counting the number of memory ranges
    and subsequently not allocating enough ELF header space for them.
    The bug is typically masked on smaller systems, because the ELF header
    allocation is rounded up to the next page.

    This patch modifies the code in fill_up_crash_elf_data() by using
    walk_system_ram_res() instead of walk_system_ram_range() to correctly
    count the max number of crash memory ranges. That's because the
    walk_system_ram_range() filters out small memory regions that
    reside in the same page, but walk_system_ram_res() does not.

    Here's how I found the bug:

    After tracing prepare_elf64_headers() and prepare_elf64_ram_headers_callback(),
    the code uses walk_system_ram_res() to fill-in crash memory regions information
    to the program header, so it counts those small memory regions that
    reside in a page area.

    But, when the kernel was using walk_system_ram_range() in
    fill_up_crash_elf_data() to count the number of crash memory regions,
    it filters out small regions.

    I printed those small memory regions, for example:

      kexec: Get nr_ram ranges. vaddr=0xffff880077592258 paddr=0x77592258, sz=0xdc0

    Based on the code in walk_system_ram_range(), this memory region
    will be filtered out:

      pfn = (0x77592258 + 0x1000 - 1) >> 12 = 0x77593
      end_pfn = (0x77592258 + 0xfc0 -1 + 1) >> 12 = 0x77593
      end_pfn - pfn = 0x77593 - 0x77593 = 0  <=== if (end_pfn > pfn) is FALSE

    So, the max_nr_ranges that's counted by the kernel doesn't include
    small memory regions - causing us to under-allocate the required space.
    That causes the page fault crash that happens in a later code path
    when preparing ELF headers.

    This bug is not easy to reproduce on small machines that have few
    CPUs, because the allocated page aligned ELF buffer has more free
    space to cover those small memory regions' PT_LOAD headers.

    Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Baoquan He <bhe@redhat.com>
    Cc: Jiang Liu <jiang.liu@linux.intel.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephen Rothwell <sfr@canb.auug.org.au>
    Cc: Takashi Iwai <tiwai@suse.de>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Viresh Kumar <viresh.kumar@linaro.org>
    Cc: Vivek Goyal <vgoyal@redhat.com>
    Cc: kexec@lists.infradead.org
    Cc: linux-kernel@vger.kernel.org
    Cc: <stable@vger.kernel.org>
    Link: http://lkml.kernel.org/r/1443531537-29436-1-git-send-email-jlee@suse.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 38b54f8d748555c3e34dade08f112461e8c1db03
Author: Matt Fleming <matt.fleming@intel.com>
Date:   Fri Sep 25 23:02:18 2015 +0100

    x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down

    [ Upstream commit a5caa209ba9c29c6421292e7879d2387a2ef39c9 ]

    Beginning with UEFI v2.5 EFI_PROPERTIES_TABLE was introduced
    that signals that the firmware PE/COFF loader supports splitting
    code and data sections of PE/COFF images into separate EFI
    memory map entries. This allows the kernel to map those regions
    with strict memory protections, e.g. EFI_MEMORY_RO for code,
    EFI_MEMORY_XP for data, etc.

    Unfortunately, an unwritten requirement of this new feature is
    that the regions need to be mapped with the same offsets
    relative to each other as observed in the EFI memory map. If
    this is not done crashes like this may occur,

      BUG: unable to handle kernel paging request at fffffffefe6086dd
      IP: [<fffffffefe6086dd>] 0xfffffffefe6086dd
      Call Trace:
       [<ffffffff8104c90e>] efi_call+0x7e/0x100
       [<ffffffff81602091>] ? virt_efi_set_variable+0x61/0x90
       [<ffffffff8104c583>] efi_delete_dummy_variable+0x63/0x70
       [<ffffffff81f4e4aa>] efi_enter_virtual_mode+0x383/0x392
       [<ffffffff81f37e1b>] start_kernel+0x38a/0x417
       [<ffffffff81f37495>] x86_64_start_reservations+0x2a/0x2c
       [<ffffffff81f37582>] x86_64_start_kernel+0xeb/0xef

    Here 0xfffffffefe6086dd refers to an address the firmware
    expects to be mapped but which the OS never claimed was mapped.
    The issue is that included in these regions are relative
    addresses to other regions which were emitted by the firmware
    toolchain before the "splitting" of sections occurred at
    runtime.

    Needless to say, we don't satisfy this unwritten requirement on
    x86_64 and instead map the EFI memory map entries in reverse
    order. The above crash is almost certainly triggerable with any
    kernel newer than v3.13 because that's when we rewrote the EFI
    runtime region mapping code, in commit d2f7cbe7b26a ("x86/efi:
    Runtime services virtual mapping"). For kernel versions before
    v3.13 things may work by pure luck depending on the
    fragmentation of the kernel virtual address space at the time we
    map the EFI regions.

    Instead of mapping the EFI memory map entries in reverse order,
    where entry N has a higher virtual address than entry N+1, map
    them in the same order as they appear in the EFI memory map to
    preserve this relative offset between regions.

    This patch has been kept as small as possible with the intention
    that it should be applied aggressively to stable and
    distribution kernels. It is very much a bugfix rather than
    support for a new feature, since when EFI_PROPERTIES_TABLE is
    enabled we must map things as outlined above to even boot - we
    have no way of asking the firmware not to split the code/data
    regions.

    In fact, this patch doesn't even make use of the more strict
    memory protections available in UEFI v2.5. That will come later.

    Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>
    Cc: <stable@vger.kernel.org>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Chun-Yi <jlee@suse.com>
    Cc: Dave Young <dyoung@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: James Bottomley <JBottomley@Odin.com>
    Cc: Lee, Chun-Yi <jlee@suse.com>
    Cc: Leif Lindholm <leif.lindholm@linaro.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Matthew Garrett <mjg59@srcf.ucam.org>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Peter Jones <pjones@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: linux-kernel@vger.kernel.org
    Link: http://lkml.kernel.org/r/1443218539-7610-2-git-send-email-matt@codeblueprint.co.uk
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c2b75739d99428b5dd97e4afbfee4a892b7c51a9
Author: Dirk Müller <dmueller@suse.com>
Date:   Thu Oct 1 13:43:42 2015 +0200

    Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS

    [ Upstream commit d2922422c48df93f3edff7d872ee4f3191fefb08 ]

    The cpu feature flags are not ever going to change, so warning
    everytime can cause a lot of kernel log spam
    (in our case more than 10GB/hour).

    The warning seems to only occur when nested virtualization is
    enabled, so it's probably triggered by a KVM bug.  This is a
    sensible and safe change anyway, and the KVM bug fix might not
    be suitable for stable releases anyway.

    Cc: stable@vger.kernel.org
    Signed-off-by: Dirk Mueller <dmueller@suse.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fc7030ab9d506cac49acbb50535f5437478434cd
Author: Andy Lutomirski <luto@kernel.org>
Date:   Sun Sep 20 16:32:04 2015 -0700

    x86/paravirt: Replace the paravirt nop with a bona fide empty function

    [ Upstream commit fc57a7c68020dcf954428869eafd934c0ab1536f ]

    PARAVIRT_ADJUST_EXCEPTION_FRAME generates this code (using nmi as an
    example, trimmed for readability):

        ff 15 00 00 00 00       callq  *0x0(%rip)        # 2796 <nmi+0x6>
                  2792: R_X86_64_PC32     pv_irq_ops+0x2c

    That's a call through a function pointer to regular C function that
    does nothing on native boots, but that function isn't protected
    against kprobes, isn't marked notrace, and is certainly not
    guaranteed to preserve any registers if the compiler is feeling
    perverse.  This is bad news for a CLBR_NONE operation.

    Of course, if everything works correctly, once paravirt ops are
    patched, it gets nopped out, but what if we hit this code before
    paravirt ops are patched in?  This can potentially cause breakage
    that is very difficult to debug.

    A more subtle failure is possible here, too: if _paravirt_nop uses
    the stack at all (even just to push RBP), it will overwrite the "NMI
    executing" variable if it's called in the NMI prologue.

    The Xen case, perhaps surprisingly, is fine, because it's already
    written in asm.

    Fix all of the cases that default to paravirt_nop (including
    adjust_exception_frame) with a big hammer: replace paravirt_nop with
    an asm function that is just a ret instruction.

    The Xen case may have other problems, so document them.

    This is part of a fix for some random crashes that Sasha saw.

    Reported-and-tested-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/8f5d2ba295f9d73751c33d97fda03e0495d9ade0.1442791737.git.luto@kernel.org
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit b4bc0132aee9d929b6b5affbbf77a709e872c155
Author: David Woodhouse <dwmw2@infradead.org>
Date:   Wed Sep 16 14:10:03 2015 +0100

    x86/platform: Fix Geode LX timekeeping in the generic x86 build

    [ Upstream commit 03da3ff1cfcd7774c8780d2547ba0d995f7dc03d ]

    In 2007, commit 07190a08eef36 ("Mark TSC on GeodeLX reliable")
    bypassed verification of the TSC on Geode LX. However, this code
    (now in the check_system_tsc_reliable() function in
    arch/x86/kernel/tsc.c) was only present if CONFIG_MGEODE_LX was
    set.

    OpenWRT has recently started building its generic Geode target
    for Geode GX, not LX, to include support for additional
    platforms. This broke the timekeeping on LX-based devices,
    because the TSC wasn't marked as reliable:
    https://dev.openwrt.org/ticket/20531

    By adding a runtime check on is_geode_lx(), we can also include
    the fix if CONFIG_MGEODEGX1 or CONFIG_X86_GENERIC are set, thus
    fixing the problem.

    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Cc: Andres Salomon <dilinger@queued.net>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Marcelo Tosatti <marcelo@kvack.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/1442409003.131189.87.camel@infradead.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9789806a559e37d3d2f57024476e23f059e2d4fc
Author: Shaohua Li <shli@fb.com>
Date:   Thu Jul 30 16:24:43 2015 -0700

    x86/apic: Serialize LVTT and TSC_DEADLINE writes

    [ Upstream commit 5d7c631d926b59aa16f3c56eaeb83f1036c81dc7 ]

    The APIC LVTT register is MMIO mapped but the TSC_DEADLINE register is an
    MSR. The write to the TSC_DEADLINE MSR is not serializing, so it's not
    guaranteed that the write to LVTT has reached the APIC before the
    TSC_DEADLINE MSR is written. In such a case the write to the MSR is
    ignored and as a consequence the local timer interrupt never fires.

    The SDM decribes this issue for xAPIC and x2APIC modes. The
    serialization methods recommended by the SDM differ.

    xAPIC:
     "1. Memory-mapped write to LVT Timer Register, setting bits 18:17 to 10b.
      2. WRMSR to the IA32_TSC_DEADLINE MSR a value much larger than current time-stamp counter.
      3. If RDMSR of the IA32_TSC_DEADLINE MSR returns zero, go to step 2.
      4. WRMSR to the IA32_TSC_DEADLINE MSR the desired deadline."

    x2APIC:
     "To allow for efficient access to the APIC registers in x2APIC mode,
      the serializing semantics of WRMSR are relaxed when writing to the
      APIC registers. Thus, system software should not use 'WRMSR to APIC
      registers in x2APIC mode' as a serializing instruction. Read and write
      accesses to the APIC registers will occur in program order. A WRMSR to
      an APIC register may complete before all preceding stores are globally
      visible; software can prevent this by inserting a serializing
      instruction, an SFENCE, or an MFENCE before the WRMSR."

    The xAPIC method is to just wait for the memory mapped write to hit
    the LVTT by checking whether the MSR write has reached the hardware.
    There is no reason why a proper MFENCE after the memory mapped write would
    not do the same. Andi Kleen confirmed that MFENCE is sufficient for the
    xAPIC case as well.

    Issue MFENCE before writing to the TSC_DEADLINE MSR. This can be done
    unconditionally as all CPUs which have TSC_DEADLINE also have MFENCE
    support.

    [ tglx: Massaged the changelog ]

    Signed-off-by: Shaohua Li <shli@fb.com>
    Reviewed-by: Ingo Molnar <mingo@kernel.org>
    Cc: <Kernel-team@fb.com>
    Cc: <lenb@kernel.org>
    Cc: <fenghua.yu@intel.com>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: stable@vger.kernel.org #v3.7+
    Link: http://lkml.kernel.org/r/20150909041352.GA2059853@devbig257.prn2.facebook.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6848085e78fb3e5849646f3fe4ce1b95cc73cfb1
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Mon Sep 28 18:57:03 2015 +0300

    dmaengine: dw: properly read DWC_PARAMS register

    [ Upstream commit 6bea0f6d1c47b07be88dfd93f013ae05fcb3d8bf ]

    In case we have less than maximum allowed channels (8) and autoconfiguration is
    enabled the DWC_PARAMS read is wrong because it uses different arithmetic to
    what is needed for channel priority setup.

    Re-do the caclulations properly. This now works on AVR32 board well.

    Fixes: fed2574b3c9f (dw_dmac: introduce software emulation of LLP transfers)
    Cc: yitian.bu@tangramtek.com
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit cf9499e2cbf0a0f082a48639e2ec75f5c1fb0ea8
Author: Felipe F. Tonello <eu@felipetonello.com>
Date:   Wed Sep 16 18:40:32 2015 +0100

    ARM: dts: fix usb pin control for imx-rex dts

    [ Upstream commit 0af822110871400908d5b6f83a8908c45f881d8f ]

    This fixes a duplicated pin control causing this error:

    imx6q-pinctrl 20e0000.iomuxc: pin MX6Q_PAD_GPIO_1 already
    requested by regulators:regulator@2; cannot claim for 2184000.usb
    imx6q-pinctrl 20e0000.iomuxc: pin-137 (2184000.usb) status -22
    imx6q-pinctrl 20e0000.iomuxc: could not request pin 137
    (MX6Q_PAD_GPIO_1) from group usbotggrp  on device 20e0000.iomuxc
    imx_usb 2184000.usb: Error applying setting, reverse things
    back
    imx6q-pinctrl 20e0000.iomuxc: pin MX6Q_PAD_EIM_D31 already
    requested by regulators:regulator@1; cannot claim for 2184200.usb
    imx6q-pinctrl 20e0000.iomuxc: pin-52 (2184200.usb) status -22
    imx6q-pinctrl 20e0000.iomuxc: could not request pin 52 (MX6Q_PAD_EIM_D31)
    from group usbh1grp  on device 20e0000.iomuxc
    imx_usb 2184200.usb: Error applying setting, reverse things
    back

    Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
    Fixes: e2047e33f2bd ("ARM: dts: add initial Rex Pro board support")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0c873b18c057d82d7ae10fc3b7a0b6cee5258927
Author: Carl Frederik Werner <frederik@cfbw.eu>
Date:   Wed Sep 2 10:07:57 2015 +0900

    ARM: dts: omap3-beagle: make i2c3, ddc and tfp410 gpio work again

    [ Upstream commit 3a2fa775bd1d0579113666c1a2e37654a34018a0 ]

    Let's fix pinmux address of gpio 170 used by tfp410 powerdown-gpio.

    According to the OMAP35x Technical Reference Manual
      CONTROL_PADCONF_I2C3_SDA[15:0]  0x480021C4 mode0: i2c3_sda
      CONTROL_PADCONF_I2C3_SDA[31:16] 0x480021C4 mode4: gpio_170
    the pinmux address of gpio 170 must be 0x480021C6.

    The former wrong address broke i2c3 (used by hdmi ddc), resulting in
    kernel message:
      omap_i2c 48060000.i2c: controller timed out

    Fixes: 8cecf52befd7 ("ARM: omap3-beagle.dts: add display information")
    Cc: stable@vger.kernel.org # v3.15+
    Signed-off-by: Carl Frederik Werner <frederik@cfbw.eu>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 11fdbfcd5ecbc2be8f0ee8e4f937f04edd943adf
Author: Grazvydas Ignotas <notasas@gmail.com>
Date:   Wed Sep 16 01:34:31 2015 +0300

    ARM: dts: omap5-uevm.dts: fix i2c5 pinctrl offsets

    [ Upstream commit 1dbdad75074d16c3e3005180f81a01cdc04a7872 ]

    The i2c5 pinctrl offsets are wrong. If the bootloader doesn't set the
    pins up, communication with tca6424a doesn't work (controller timeouts)
    and it is not possible to enable HDMI.

    Fixes: 9be495c42609 ("ARM: dts: omap5-evm: Add I2c pinctrl data")
    Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 583d530162e8569818c1019b1e8666cc24b9f210
Author: Paul Bolle <pebolle@tiscali.nl>
Date:   Fri Jul 31 14:08:58 2015 +0200

    windfarm: decrement client count when unregistering

    [ Upstream commit fe2b592173ff0274e70dc44d1d28c19bb995aa7c ]

    wf_unregister_client() increments the client count when a client
    unregisters. That is obviously incorrect. Decrement that client count
    instead.

    Fixes: 75722d3992f5 ("[PATCH] ppc64: Thermal control for SMU based machines")

    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0d665fe30603081abe412f630153b746e99a90a4
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Thu Sep 3 13:24:40 2015 +0100

    ARM: 8429/1: disable GCC SRA optimization

    [ Upstream commit a077224fd35b2f7fbc93f14cf67074fc792fbac2 ]

    While working on the 32-bit ARM port of UEFI, I noticed a strange
    corruption in the kernel log. The following snprintf() statement
    (in drivers/firmware/efi/efi.c:efi_md_typeattr_format())

            snprintf(pos, size, "|%3s|%2s|%2s|%2s|%3s|%2s|%2s|%2s|%2s]",

    was producing the following output in the log:

            |    |   |   |   |    |WB|WT|WC|UC]
            |    |   |   |   |    |WB|WT|WC|UC]
            |    |   |   |   |    |WB|WT|WC|UC]
            |RUN|   |   |   |    |WB|WT|WC|UC]*
            |RUN|   |   |   |    |WB|WT|WC|UC]*
            |    |   |   |   |    |WB|WT|WC|UC]
            |RUN|   |   |   |    |WB|WT|WC|UC]*
            |    |   |   |   |    |WB|WT|WC|UC]
            |RUN|   |   |   |    |   |   |   |UC]
            |RUN|   |   |   |    |   |   |   |UC]

    As it turns out, this is caused by incorrect code being emitted for
    the string() function in lib/vsprintf.c. The following code

            if (!(spec.flags & LEFT)) {
                    while (len < spec.field_width--) {
                            if (buf < end)
                                    *buf = ' ';
                            ++buf;
                    }
            }
            for (i = 0; i < len; ++i) {
                    if (buf < end)
                            *buf = *s;
                    ++buf; ++s;
            }
            while (len < spec.field_width--) {
                    if (buf < end)
                            *buf = ' ';
                    ++buf;
            }

    when called with len == 0, triggers an issue in the GCC SRA optimization
    pass (Scalar Replacement of Aggregates), which handles promotion of signed
    struct members incorrectly. This is a known but as yet unresolved issue.
    (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65932). In this particular
    case, it is causing the second while loop to be executed erroneously a
    single time, causing the additional space characters to be printed.

    So disable the optimization by passing -fno-ipa-sra.

    Cc: <stable@vger.kernel.org>
    Acked-by: Nicolas Pitre <nico@linaro.org>
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 56e1daf66f9ff64b5782a4fa796ab435f862b126
Author: Russell King <rmk+kernel@arm.linux.org.uk>
Date:   Fri Sep 11 16:44:02 2015 +0100

    ARM: fix Thumb2 signal handling when ARMv6 is enabled

    [ Upstream commit 9b55613f42e8d40d5c9ccb8970bde6af4764b2ab ]

    When a kernel is built covering ARMv6 to ARMv7, we omit to clear the
    IT state when entering a signal handler.  This can cause the first
    few instructions to be conditionally executed depending on the parent
    context.

    In any case, the original test for >= ARMv7 is broken - ARMv6 can have
    Thumb-2 support as well, and an ARMv6T2 specific build would omit this
    code too.

    Relax the test back to ARMv6 or greater.  This results in us always
    clearing the IT state bits in the PSR, even on CPUs where these bits
    are reserved.  However, they're reserved for the IT state, so this
    should cause no harm.

    Cc: <stable@vger.kernel.org>
    Fixes: d71e1352e240 ("Clear the IT state when invoking a Thumb-2 signal handler")
    Acked-by: Tony Lindgren <tony@atomide.com>
    Tested-by: H. Nikolaus Schaller <hns@goldelico.com>
    Tested-by: Grazvydas Ignotas <notasas@gmail.com>
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 494b66391df00c3261cbf0a5fc24a21da97760c2
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Mon Aug 31 16:13:47 2015 -0700

    hwmon: (nct6775) Swap STEP_UP_TIME and STEP_DOWN_TIME registers for most chips

    [ Upstream commit 728d29400488d54974d3317fe8a232b45fdb42ee ]

    The STEP_UP_TIME and STEP_DOWN_TIME registers are swapped for all chips but
    NCT6775.

    Reported-by: Grazvydas Ignotas <notasas@gmail.com>
    Reviewed-by: Jean Delvare <jdelvare@suse.de>
    Cc: stable@vger.kernel.org # v3.10+
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 19241b13ba1964e3bce3ee7e1944bbf5d193c45f
Author: Dominik Dingel <dingel@linux.vnet.ibm.com>
Date:   Fri Sep 18 11:27:45 2015 +0200

    sched: access local runqueue directly in single_task_running

    [ Upstream commit 00cc1633816de8c95f337608a1ea64e228faf771 ]

    Commit 2ee507c47293 ("sched: Add function single_task_running to let a task
    check if it is the only task running on a cpu") referenced the current
    runqueue with the smp_processor_id.  When CONFIG_DEBUG_PREEMPT is enabled,
    that is only allowed if preemption is disabled or the currrent task is
    bound to the local cpu (e.g. kernel worker).

    With commit f78195129963 ("kvm: add halt_poll_ns module parameter") KVM
    calls single_task_running. If CONFIG_DEBUG_PREEMPT is enabled that
    generates a lot of kernel messages.

    To avoid adding preemption in that cases, as it would limit the usefulness,
    we change single_task_running to access directly the cpu local runqueue.

    Cc: Tim Chen <tim.c.chen@linux.intel.com>
    Suggested-by: Peter Zijlstra <peterz@infradead.org>
    Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <stable@vger.kernel.org>
    Fixes: 2ee507c472939db4b146d545352b8a7c79ef47f8
    Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 91c16bc6d9d5195821a0d3a2c6a95855a1788e28
Author: Francesco Lavra <francescolavra.fl@gmail.com>
Date:   Sat Jul 25 08:25:18 2015 +0200

    watchdog: sunxi: fix activation of system reset

    [ Upstream commit 0919e4445190da18496d31aac08b90828a47d45f ]

    Commit f2147de33470 ("watchdog: sunxi: support parameterized compatible
    strings") introduced a regression in sunxi_wdt_start(), by which
    the system reset function of the watchdog is not enabled upon
    starting the watchdog. As a result, the system is not reset when the
    watchdog expires. Fix it.

    Fixes: f2147de33470 ("watchdog: sunxi: support parameterized compatible strings")
    Signed-off-by: Francesco Lavra <francescolavra.fl@gmail.com>
    Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
    Reviewed-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2e1e6fe49ec9c433da336f7234cb3432628d6414
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
Date:   Fri Sep 11 12:36:12 2015 -0300

    perf header: Fixup reading of HEADER_NRCPUS feature

    [ Upstream commit caa470475d9b59eeff093ae650800d34612c4379 ]

    The original patch introducing this header wrote the number of CPUs available
    and online in one order and then swapped those values when reading, fix it.

    Before:

      # perf record usleep 1
      # perf report --header-only | grep 'nrcpus \(online\|avail\)'
      # nrcpus online : 4
      # nrcpus avail : 4
      # echo 0 > /sys/devices/system/cpu/cpu2/online
      # perf record usleep 1
      # perf report --header-only | grep 'nrcpus \(online\|avail\)'
      # nrcpus online : 4
      # nrcpus avail : 3
      # echo 0 > /sys/devices/system/cpu/cpu1/online
      # perf record usleep 1
      # perf report --header-only | grep 'nrcpus \(online\|avail\)'
      # nrcpus online : 4
      # nrcpus avail : 2

    After the fix, bringing back the CPUs online:

      # perf report --header-only | grep 'nrcpus \(online\|avail\)'
      # nrcpus online : 2
      # nrcpus avail : 4
      # echo 1 > /sys/devices/system/cpu/cpu2/online
      # perf record usleep 1
      # perf report --header-only | grep 'nrcpus \(online\|avail\)'
      # nrcpus online : 3
      # nrcpus avail : 4
      # echo 1 > /sys/devices/system/cpu/cpu1/online
      # perf record usleep 1
      # perf report --header-only | grep 'nrcpus \(online\|avail\)'
      # nrcpus online : 4
      # nrcpus avail : 4

    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: David Ahern <dsahern@gmail.com>
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Kan Liang <kan.liang@intel.com>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Wang Nan <wangnan0@huawei.com>
    Fixes: fbe96f29ce4b ("perf tools: Make perf.data more self-descriptive (v8)")
    Link: http://lkml.kernel.org/r/20150911153323.GP23511@kernel.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit cea6abba6d7ffdcfe210ed65612ebc914fffdcfd
Author: Kan Liang <kan.liang@intel.com>
Date:   Thu Jul 2 03:08:43 2015 -0400

    perf stat: Get correct cpu id for print_aggr

    [ Upstream commit 601083cffb7cabdcc55b8195d732f0f7028570fa ]

    print_aggr() fails to print per-core/per-socket statistics after commit
    582ec0829b3d ("perf stat: Fix per-socket output bug for uncore events")
    if events have differnt cpus. Because in print_aggr(), aggr_get_id needs
    index (not cpu id) to find core/pkg id. Also, evsel cpu maps should be
    used to get aggregated id.

    Here is an example:

    Counting events cycles,uncore_imc_0/cas_count_read/. (Uncore event has
    cpumask 0,18)

      $ perf stat -e cycles,uncore_imc_0/cas_count_read/ -C0,18 --per-core sleep 2

    Without this patch, it failes to get CPU 18 result.

       Performance counter stats for 'CPU(s) 0,18':

      S0-C0           1            7526851      cycles
      S0-C0           1               1.05 MiB  uncore_imc_0/cas_count_read/
      S1-C0           0      <not counted>      cycles
      S1-C0           0      <not counted> MiB  uncore_imc_0/cas_count_read/

    With this patch, it can get both CPU0 and CPU18 result.

       Performance counter stats for 'CPU(s) 0,18':

      S0-C0           1            6327768      cycles
      S0-C0           1               0.47 MiB  uncore_imc_0/cas_count_read/
      S1-C0           1             330228      cycles
      S1-C0           1               0.29 MiB  uncore_imc_0/cas_count_read/

    Signed-off-by: Kan Liang <kan.liang@intel.com>
    Acked-by: Jiri Olsa <jolsa@kernel.org>
    Acked-by: Stephane Eranian <eranian@google.com>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: David Ahern <dsahern@gmail.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Fixes: 582ec0829b3d ("perf stat: Fix per-socket output bug for uncore events")
    Link: http://lkml.kernel.org/r/1435820925-51091-1-git-send-email-kan.liang@intel.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9b81b4499a1a6bec228f622822d6fe95e45aca29
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
Date:   Mon Aug 10 16:53:54 2015 -0300

    perf report: Add support for srcfile sort key

    [ Upstream commit 31191a85fb875cf123cea56bbfd34f4b941f3c79 ]

    In some cases it's useful to characterize samples by file. This is
    useful to get a higher level categorization, for example to map cost to
    subsystems.

    Add a srcfile sort key to perf report. It builds on top of the existing
    srcline support.

    Commiter notes:

    E.g.:

      # perf record -F 10000 usleep 1
      [ perf record: Woken up 1 times to write data ]
      [ perf record: Captured and wrote 0.016 MB perf.data (13 samples) ]
      [root@zoo ~]# perf report -s srcfile --stdio
      # Total Lost Samples: 0
      #
      # Samples: 13  of event 'cycles'
      # Event count (approx.): 869878
      #
      # Overhead  Source File
      # ........  ...........
          60.99%  .
          20.62%  paravirt.h
          14.23%  rmap.c
           4.04%  signal.c
           0.11%  msr.h

      #

    The first line is collecting all the files for which srcfiles couldn't somehow
    get resolved to:

      # perf report -s srcfile,dso --stdio
      # Total Lost Samples: 0
      #
      # Samples: 13  of event 'cycles'
      # Event count (approx.): 869878
      #
      # Overhead  Source File  Shared Object
      # ........  ...........  ................
          40.97%  .            ld-2.20.so
          20.62%  paravirt.h   [kernel.vmlinux]
          20.02%  .            libc-2.20.so
          14.23%  rmap.c       [kernel.vmlinux]
           4.04%  signal.c     [kernel.vmlinux]
           0.11%  msr.h        [kernel.vmlinux]

      #

    XXX: Investigate why that is not resolving on Fedora 21, Andi says he hasn't
         seen this on Fedora 22.

    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Link: http://lkml.kernel.org/r/1438988064-21834-1-git-send-email-andi@firstfloor.org
    [ Added column length update, from 0e65bdb3f90f ('perf hists: Update the column width for the "srcline" sort key') ]
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ec50d9d6b275078f709a6192809e1ba42722335b
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Thu Sep 24 13:05:22 2015 +0300

    perf tools: Fix copying of /proc/kcore

    [ Upstream commit b5cabbcbd157a4bf5a92dfc85134999a3b55342d ]

    A copy of /proc/kcore containing the kernel text can be made to the
    buildid cache. e.g.

            perf buildid-cache -v -k /proc/kcore

    To workaround objdump limitations, a copy is also made when annotating
    against /proc/kcore.

    The copying process stops working from libelf about v1.62 onwards (the
    problem was found with v1.63).

    The cause is that a call to gelf_getphdr() in kcore__add_phdr() fails
    because additional validation has been added to gelf_getphdr().

    The use of gelf_getphdr() is a misguided attempt to get default
    initialization of the Gelf_Phdr structure.  That should not be
    necessary because every member of the Gelf_Phdr structure is
    subsequently assigned.  So just remove the call to gelf_getphdr().

    Similarly, a call to gelf_getehdr() in gelf_kcore__init() can be
    removed also.

    Committer notes:

    Note to stable@kernel.org, from Adrian in the cover letter for this
    patchkit:

    The "Fix copying of /proc/kcore" problem goes back to v3.13 if you think
    it is important enough for stable.

    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: stable@kernel.org
    Link: http://lkml.kernel.org/r/1443089122-19082-3-git-send-email-adrian.hunter@intel.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 722554c1a2811ca703dc9e5d7afa029b5b19f4da
Author: Jenny Derzhavetz <jennyf@mellanox.com>
Date:   Sun Sep 6 14:52:20 2015 +0300

    iser-target: remove command with state ISTATE_REMOVE

    [ Upstream commit a4c15cd957cbd728f685645de7a150df5912591a ]

    As documented in iscsit_sequence_cmd:
    /*
     * Existing callers for iscsit_sequence_cmd() will silently
     * ignore commands with CMDSN_LOWER_THAN_EXP, so force this
     * return for CMDSN_MAXCMDSN_OVERRUN as well..
     */

    We need to silently finish a command when it's in ISTATE_REMOVE.
    This fixes an teardown hang we were seeing where a mis-behaved
    initiator (triggered by allocation error injections) sent us a
    cmdsn which was lower than expected.

    Signed-off-by: Jenny Derzhavetz <jennyf@mellanox.com>
    Signed-off-by: Sagi Grimberg <sagig@mellanox.com>
    Cc: <stable@vger.kernel.org> # v3.10+
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 642f48476545bf45bde2047c7bd79ce0ddf121e0
Author: Michal Hocko <mhocko@suse.com>
Date:   Thu Aug 27 20:16:37 2015 +0200

    scsi: fix scsi_error_handler vs. scsi_host_dev_release race

    [ Upstream commit 537b604c8b3aa8b96fe35f87dd085816552e294c ]

    b9d5c6b7ef57 ("[SCSI] cleanup setting task state in
    scsi_error_handler()") has introduced a race between scsi_error_handler
    and scsi_host_dev_release resulting in the hang when the device goes
    away because scsi_error_handler might miss a wake up:

    CPU0                                    CPU1
    scsi_error_handler                      scsi_host_dev_release
                                              kthread_stop()
      kthread_should_stop()
        test_bit(KTHREAD_SHOULD_STOP)
                                                set_bit(KTHREAD_SHOULD_STOP)
                                                wake_up_process()
                                                wait_for_completion()

      set_current_state(TASK_INTERRUPTIBLE)
      schedule()

    The most straightforward solution seems to be to invert the ordering of
    the set_current_state and kthread_should_stop.

    The issue has been noticed during reboot test on a 3.0 based kernel but
    the current code seems to be affected in the same way.

    [jejb: additional comment added]
    Cc: <stable@vger.kernel.org> # 3.6+
    Reported-and-debugged-by: Mike Mayer <Mike.Meyer@teradata.com>
    Signed-off-by: Michal Hocko <mhocko@suse.com>
    Reviewed-by: Dan Williams <dan.j.williams@intel.com>
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: James Bottomley <JBottomley@Odin.com>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c8259f6224297e938da2023bed712f54a6876541
Author: Andy Grover <agrover@redhat.com>
Date:   Mon Aug 24 10:26:03 2015 -0700

    target/iscsi: Fix np_ip bracket issue by removing np_ip

    [ Upstream commit 76c28f1fcfeb42b47f798fe498351ee1d60086ae ]

    Revert commit 1997e6259, which causes double brackets on ipv6
    inaddr_any addresses.

    Since we have np_sockaddr, if we need a textual representation we can
    use "%pISc".

    Change iscsit_add_network_portal() and iscsit_add_np() signatures to remove
    *ip_str parameter.

    Fix and extend some comments earlier in the function.

    Tested to work for :: and ::1 via iscsiadm, previously :: failed, see
    https://bugzilla.redhat.com/show_bug.cgi?id=1249107 .

    CC: stable@vger.kernel.org
    Signed-off-by: Andy Grover <agrover@redhat.com>
    Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4c42a394e4158f92fa24867f52c18f0c196bbfb9
Author: John Stultz <john.stultz@linaro.org>
Date:   Wed Sep 9 16:07:30 2015 -0700

    time: Fix timekeeping_freqadjust()'s incorrect use of abs() instead of abs64()

    [ Upstream commit 2619d7e9c92d524cb155ec89fd72875321512e5b ]

    The internal clocksteering done for fine-grained error
    correction uses a logarithmic approximation, so any time
    adjtimex() adjusts the clock steering, timekeeping_freqadjust()
    quickly approximates the correct clock frequency over a series
    of ticks.

    Unfortunately, the logic in timekeeping_freqadjust(), introduced
    in commit:

      dc491596f639 ("timekeeping: Rework frequency adjustments to work better w/ nohz")

    used the abs() function with a s64 error value to calculate the
    size of the approximated adjustment to be made.

    Per include/linux/kernel.h:

      "abs() should not be used for 64-bit types (s64, u64, long long) - use abs64()".

    Thus on 32-bit platforms, this resulted in the clocksteering to
    take a quite dampended random walk trying to converge on the
    proper frequency, which caused the adjustments to be made much
    slower then intended (most easily observed when large
    adjustments are made).

    This patch fixes the issue by using abs64() instead.

    Reported-by: Nuno Gonçalves <nunojpg@gmail.com>
    Tested-by: Nuno Goncalves <nunojpg@gmail.com>
    Signed-off-by: John Stultz <john.stultz@linaro.org>
    Cc: <stable@vger.kernel.org> # v3.17+
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Miroslav Lichvar <mlichvar@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Prarit Bhargava <prarit@redhat.com>
    Cc: Richard Cochran <richardcochran@gmail.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/1441840051-20244-1-git-send-email-john.stultz@linaro.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 1d2c99928fed10d937e9a7956a1d7a44dbd4196b
Author: Jason Wang <jasowang@redhat.com>
Date:   Tue Sep 15 14:41:56 2015 +0800

    kvm: fix double free for fast mmio eventfd

    [ Upstream commit eefd6b06b17c5478e7c24bea6f64beaa2c431ca6 ]

    We register wildcard mmio eventfd on two buses, once for KVM_MMIO_BUS
    and once on KVM_FAST_MMIO_BUS but with a single iodev
    instance. This will lead to an issue: kvm_io_bus_destroy() knows
    nothing about the devices on two buses pointing to a single dev. Which
    will lead to double free[1] during exit. Fix this by allocating two
    instances of iodevs then registering one on KVM_MMIO_BUS and another
    on KVM_FAST_MMIO_BUS.

    CPU: 1 PID: 2894 Comm: qemu-system-x86 Not tainted 3.19.0-26-generic #28-Ubuntu
    Hardware name: LENOVO 2356BG6/2356BG6, BIOS G7ET96WW (2.56 ) 09/12/2013
    task: ffff88009ae0c4b0 ti: ffff88020e7f0000 task.ti: ffff88020e7f0000
    RIP: 0010:[<ffffffffc07e25d8>]  [<ffffffffc07e25d8>] ioeventfd_release+0x28/0x60 [kvm]
    RSP: 0018:ffff88020e7f3bc8  EFLAGS: 00010292
    RAX: dead000000200200 RBX: ffff8801ec19c900 RCX: 000000018200016d
    RDX: ffff8801ec19cf80 RSI: ffffea0008bf1d40 RDI: ffff8801ec19c900
    RBP: ffff88020e7f3bd8 R08: 000000002fc75a01 R09: 000000018200016d
    R10: ffffffffc07df6ae R11: ffff88022fc75a98 R12: ffff88021e7cc000
    R13: ffff88021e7cca48 R14: ffff88021e7cca50 R15: ffff8801ec19c880
    FS:  00007fc1ee3e6700(0000) GS:ffff88023e240000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f8f389d8000 CR3: 000000023dc13000 CR4: 00000000001427e0
    Stack:
    ffff88021e7cc000 0000000000000000 ffff88020e7f3be8 ffffffffc07e2622
    ffff88020e7f3c38 ffffffffc07df69a ffff880232524160 ffff88020e792d80
     0000000000000000 ffff880219b78c00 0000000000000008 ffff8802321686a8
    Call Trace:
    [<ffffffffc07e2622>] ioeventfd_destructor+0x12/0x20 [kvm]
    [<ffffffffc07df69a>] kvm_put_kvm+0xca/0x210 [kvm]
    [<ffffffffc07df818>] kvm_vcpu_release+0x18/0x20 [kvm]
    [<ffffffff811f69f7>] __fput+0xe7/0x250
    [<ffffffff811f6bae>] ____fput+0xe/0x10
    [<ffffffff81093f04>] task_work_run+0xd4/0xf0
    [<ffffffff81079358>] do_exit+0x368/0xa50
    [<ffffffff81082c8f>] ? recalc_sigpending+0x1f/0x60
    [<ffffffff81079ad5>] do_group_exit+0x45/0xb0
    [<ffffffff81085c71>] get_signal+0x291/0x750
    [<ffffffff810144d8>] do_signal+0x28/0xab0
    [<ffffffff810f3a3b>] ? do_futex+0xdb/0x5d0
    [<ffffffff810b7028>] ? __wake_up_locked_key+0x18/0x20
    [<ffffffff810f3fa6>] ? SyS_futex+0x76/0x170
    [<ffffffff81014fc9>] do_notify_resume+0x69/0xb0
    [<ffffffff817cb9af>] int_signal+0x12/0x17
    Code: 5d c3 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb 48 83 ec 08 48 8b 7f 20 e8 06 d6 a5 c0 48 8b 43 08 48 8b 13 48 89 df 48 89 42 08 <48> 89 10 48 b8 00 01 10 00 00
     RIP  [<ffffffffc07e25d8>] ioeventfd_release+0x28/0x60 [kvm]
     RSP <ffff88020e7f3bc8>

    Cc: stable@vger.kernel.org
    Cc: Gleb Natapov <gleb@kernel.org>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e26876a7c059fc01dc32f7625e27c8e92b11ac02
Author: Jason Wang <jasowang@redhat.com>
Date:   Tue Sep 15 14:41:55 2015 +0800

    kvm: factor out core eventfd assign/deassign logic

    [ Upstream commit 85da11ca587c8eb73993a1b503052391a73586f9 ]

    This patch factors out core eventfd assign/deassign logic and leaves
    the argument checking and bus index selection to callers.

    Cc: stable@vger.kernel.org
    Cc: Gleb Natapov <gleb@kernel.org>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a5211987ae02a92988717ebbb39191ceb4d8269e
Author: Jason Wang <jasowang@redhat.com>
Date:   Tue Sep 15 14:41:57 2015 +0800

    kvm: fix zero length mmio searching

    [ Upstream commit 8f4216c7d28976f7ec1b2bcbfa0a9f787133c45e ]

    Currently, if we had a zero length mmio eventfd assigned on
    KVM_MMIO_BUS. It will never be found by kvm_io_bus_cmp() since it
    always compares the kvm_io_range() with the length that guest
    wrote. This will cause e.g for vhost, kick will be trapped by qemu
    userspace instead of vhost. Fixing this by using zero length if an
    iodevice is zero length.

    Cc: stable@vger.kernel.org
    Cc: Gleb Natapov <gleb@kernel.org>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 50c79062c4b65ec170f1ce21453fae743a7f25cd
Author: Jason Wang <jasowang@redhat.com>
Date:   Tue Sep 15 14:41:54 2015 +0800

    kvm: don't try to register to KVM_FAST_MMIO_BUS for non mmio eventfd

    [ Upstream commit 8453fecbecae26edb3f278627376caab05d9a88d ]

    We only want zero length mmio eventfd to be registered on
    KVM_FAST_MMIO_BUS. So check this explicitly when arg->len is zero to
    make sure this.

    Cc: stable@vger.kernel.org
    Cc: Gleb Natapov <gleb@kernel.org>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4dd2671da85b129bc287c26f6d9e56bf7af1b2ff
Author: Marek Majtyka <marek.majtyka@tieto.com>
Date:   Wed Sep 16 12:04:55 2015 +0200

    arm: KVM: Fix incorrect device to IPA mapping

    [ Upstream commit ca09f02f122b2ecb0f5ddfc5fd47b29ed657d4fd ]

    A critical bug has been found in device memory stage1 translation for
    VMs with more then 4GB of address space. Once vm_pgoff size is smaller
    then pa (which is true for LPAE case, u32 and u64 respectively) some
    more significant bits of pa may be lost as a shift operation is performed
    on u32 and later cast onto u64.

    Example: vm_pgoff(u32)=0x00210030, PAGE_SHIFT=12
            expected pa(u64):   0x0000002010030000
            produced pa(u64):   0x0000000010030000

    The fix is to change the order of operations (casting first onto phys_addr_t
    and then shifting).

    Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
    [maz: fixed changelog and patch formatting]
    Cc: stable@vger.kernel.org
    Signed-off-by: Marek Majtyka <marek.majtyka@tieto.com>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>

    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a7fd9e578e016ff5cf597fb7dfdc08bd9d260693
Author: Kyle Evans <kvans32@gmail.com>
Date:   Fri Sep 11 10:40:17 2015 -0500

    hp-wmi: limit hotkey enable

    [ Upstream commit 8a1513b49321e503fd6c8b6793e3b1f9a8a3285b ]

    Do not write initialize magic on systems that do not have
    feature query 0xb. Fixes Bug #82451.

    Redefine FEATURE_QUERY to align with 0xb and FEATURE2 with 0xd
    for code clearity.

    Add a new test function, hp_wmi_bios_2008_later() & simplify
    hp_wmi_bios_2009_later(), which fixes a bug in cases where
    an improper value is returned. Probably also fixes Bug #69131.

    Add missing __init tag.

    Signed-off-by: Kyle Evans <kvans32@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit a7e5b4e81bcdae0297594ab5917e40d5ce19fe36
Author: Luis Henriques <luis.henriques@canonical.com>
Date:   Thu Sep 17 16:01:40 2015 -0700

    zram: fix possible use after free in zcomp_create()

    [ Upstream commit 3aaf14da807a4e9931a37f21e4251abb8a67021b ]

    zcomp_create() verifies the success of zcomp_strm_{multi,single}_create()
    through comp->stream, which can potentially be pointing to memory that
    was freed if these functions returned an error.

    While at it, replace a 'ERR_PTR(-ENOMEM)' by a more generic
    'ERR_PTR(error)' as in the future zcomp_strm_{multi,siggle}_create()
    could return other error codes.  Function documentation updated
    accordingly.

    Fixes: beca3ec71fe5 ("zram: add multi stream functionality")
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
    Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ae92f497561a09952ac913488f5844a61287d516
Author: Stas Sergeev <stsp@list.ru>
Date:   Mon Jul 20 17:49:57 2015 -0700

    of_mdio: add new DT property 'managed' to specify the PHY management type

    [ Upstream commit 4cba5c2103657d43d0886e4cff8004d95a3d0def ]

    Currently the PHY management type is selected by the MAC driver arbitrary.
    The decision is based on the presence of the "fixed-link" node and on a
    will of the driver's authors.
    This caused a regression recently, when mvneta driver suddenly started
    to use the in-band status for auto-negotiation on fixed links.
    It appears the auto-negotiation may not work when expected by the MAC driver.
    Sebastien Rannou explains:
    << Yes, I confirm that my HW does not generate an in-band status. AFAIK, it's
    a PHY that aggregates 4xSGMIIs to 1xQSGMII ; the MAC side of the PHY (with
    inband status) is connected to the switch through QSGMII, and in this context
    we are on the media side of the PHY. >>
    https://lkml.org/lkml/2015/7/10/206

    This patch introduces the new string property 'managed' that allows
    the user to set the management type explicitly.
    The supported values are:
    "auto" - default. Uses either MDIO or nothing, depending on the presence
    of the fixed-link node
    "in-band-status" - use in-band status

    Signed-off-by: Stas Sergeev <stsp@users.sourceforge.net>

    CC: Rob Herring <robh+dt@kernel.org>
    CC: Pawel Moll <pawel.moll@arm.com>
    CC: Mark Rutland <mark.rutland@arm.com>
    CC: Ian Campbell <ijc+devicetree@hellion.org.uk>
    CC: Kumar Gala <galak@codeaurora.org>
    CC: Florian Fainelli <f.fainelli@gmail.com>
    CC: Grant Likely <grant.likely@linaro.org>
    CC: devicetree@vger.kernel.org
    CC: linux-kernel@vger.kernel.org
    CC: netdev@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 8848902935b212be629e02c5b55d5c52119ba45c
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Mon Jul 20 17:49:55 2015 -0700

    net: dsa: bcm_sf2: Do not override speed settings

    [ Upstream commit d2eac98f7d1b950b762a7eca05a9ce0ea1d878d2 ]

    The SF2 driver currently overrides speed settings for its port
    configured using a fixed PHY, this is both unnecessary and incorrect,
    because we keep feedback to the hardware parameters that we read from
    the PHY device, which in the case of a fixed PHY cannot possibly change
    speed.

    This is a required change to allow the fixed PHY code to allow
    registering a PHY with a link configured as DOWN by default and avoid
    some sort of circular dependency where we require the link_update
    callback to run to program the hardware, and we then utilize the fixed
    PHY parameters to program the hardware with the same settings.

    Fixes: 246d7f773c13 ("net: dsa: add Broadcom SF2 switch driver")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 25da25549f1d08f135dcde8eeb09480e7fae6756
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Sep 23 14:00:21 2015 -0700

    tcp: add proper TS val into RST packets

    [ Upstream commit 675ee231d960af2af3606b4480324e26797eb010 ]

    RST packets sent on behalf of TCP connections with TS option (RFC 7323
    TCP timestamps) have incorrect TS val (set to 0), but correct TS ecr.

    A > B: Flags [S], seq 0, win 65535, options [mss 1000,nop,nop,TS val 100
    ecr 0], length 0
    B > A: Flags [S.], seq 2444755794, ack 1, win 28960, options [mss
    1460,nop,nop,TS val 7264344 ecr 100], length 0
    A > B: Flags [.], ack 1, win 65535, options [nop,nop,TS val 110 ecr
    7264344], length 0

    B > A: Flags [R.], seq 1, ack 1, win 28960, options [nop,nop,TS val 0
    ecr 110], length 0

    We need to call skb_mstamp_get() to get proper TS val,
    derived from skb->skb_mstamp

    Note that RFC 1323 was advocating to not send TS option in RST segment,
    but RFC 7323 recommends the opposite :

      Once TSopt has been successfully negotiated, that is both <SYN> and
      <SYN,ACK> contain TSopt, the TSopt MUST be sent in every non-<RST>
      segment for the duration of the connection, and SHOULD be sent in an
      <RST> segment (see Section 5.2 for details)

    Note this RFC recommends to send TS val = 0, but we believe it is
    premature : We do not know if all TCP stacks are properly
    handling the receive side :

       When an <RST> segment is
       received, it MUST NOT be subjected to the PAWS check by verifying an
       acceptable value in SEG.TSval, and information from the Timestamps
       option MUST NOT be used to update connection state information.
       SEG.TSecr MAY be used to provide stricter <RST> acceptance checks.

    In 5 years, if/when all TCP stack are RFC 7323 ready, we might consider
    to decide to send TS val = 0, if it buys something.

    Fixes: 7faee5c0d514 ("tcp: remove TCP_SKB_CB(skb)->when")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0d79984cc01bf66e2c4a98673b4c6b3bb9a08f66
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Tue Sep 8 20:06:41 2015 -0700

    net: dsa: bcm_sf2: Fix 64-bits register writes

    [ Upstream commit 03679a14739a0d4c14b52ba65a69ff553bfba73b ]

    The macro to write 64-bits quantities to the 32-bits register swapped
    the value and offsets arguments, we want to preserve the ordering of the
    arguments with respect to how writel() is implemented for instance:
    value first, offset/base second.

    Fixes: 246d7f773c13 ("net: dsa: add Broadcom SF2 switch driver")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Reviewed-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 21a8f4ec1874e08358b92cbca0263c23c9d72f16
Author: Atsushi Nemoto <nemoto@toshiba-tops.co.jp>
Date:   Wed Sep 2 17:49:29 2015 +0900

    net: eth: altera: fix napi poll_list corruption

    [ Upstream commit 4548a697e4969d695047cebd6d9af5e2f6cc728e ]

    tse_poll() calls __napi_complete() with irq enabled.  This leads napi
    poll_list corruption and may stop all napi drivers working.
    Use napi_complete() instead of __napi_complete().

    Signed-off-by: Atsushi Nemoto <nemoto@toshiba-tops.co.jp>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5fb432dcb91062176880d21d7249562c2aa75a19
Author: Eric Sandeen <sandeen@redhat.com>
Date:   Sat Aug 15 10:45:06 2015 -0400

    ext4: don't manipulate recovery flag when freezing no-journal fs

    [ Upstream commit c642dc9e1aaed953597e7092d7df329e6234096e ]

    At some point along this sequence of changes:

    f6e63f9 ext4: fold ext4_nojournal_sops into ext4_sops
    bb04457 ext4: support freezing ext2 (nojournal) file systems
    9ca9238 ext4: Use separate super_operations structure for no_journal filesystems

    ext4 started setting needs_recovery on filesystems without journals
    when they are unfrozen.  This makes no sense, and in fact confuses
    blkid to the point where it doesn't recognize the filesystem at all.

    (freeze ext2; unfreeze ext2; run blkid; see no output; run dumpe2fs,
    see needs_recovery set on fs w/ no journal).

    To fix this, don't manipulate the INCOMPAT_RECOVER feature on
    filesystems without journals.

    Reported-by: Stu Mark <smark@datto.com>
    Reviewed-by: Jan Kara <jack@suse.com>
    Signed-off-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f6efbdbc3a9bb1676d186d805a4e3475018146c1
Author: Daniel Axtens <dja@axtens.net>
Date:   Tue Sep 15 15:04:07 2015 +1000

    cxl: Fix unbalanced pci_dev_get in cxl_probe

    [ Upstream commit 2925c2fdf1e0eb642482f5b30577e9435aaa8edb ]

    Currently the first thing we do in cxl_probe is to grab a reference
    on the pci device. Later on, we call device_register on our adapter.
    In our remove path, we call device_unregister, but we never call
    pci_dev_put. We therefore leak the device every time we do a
    reflash.

    device_register/unregister is sufficient to hold the reference.
    Therefore, drop the call to pci_dev_get.

    Here's why this is safe.
    The proposed cxl_probe(pdev) calls cxl_adapter_init:
        a) init calls cxl_adapter_alloc, which creates a struct cxl,
           conventionally called adapter. This struct contains a
           device entry, adapter->dev.

        b) init calls cxl_configure_adapter, where we set
           adapter->dev.parent = &dev->dev (here dev is the pci dev)

    So at this point, the cxl adapter's device's parent is the PCI
    device that I want to be refcounted properly.

        c) init calls cxl_register_adapter
           *) cxl_register_adapter calls device_register(&adapter->dev)

    So now we're in device_register, where dev is the adapter device, and
    we want to know if the PCI device is safe after we return.

    device_register(&adapter->dev) calls device_initialize() and then
    device_add().

    device_add() does a get_device(). device_add() also explicitly grabs
    the device's parent, and calls get_device() on it:

             parent = get_device(dev->parent);

    So therefore, device_register() takes a lock on the parent PCI dev,
    which is what pci_dev_get() was guarding. pci_dev_get() can therefore
    be safely removed.

    Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
    Cc: stable@vger.kernel.org
    Signed-off-by: Daniel Axtens <dja@axtens.net>
    Acked-by: Ian Munsie <imunsie@au1.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 788e0546bd53f9a9da38b671bc4fb644f14f1efc
Author: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
Date:   Wed Jul 1 09:25:52 2015 +0900

    igb: Fix oops caused by missing queue pairing

    [ Upstream commit 72ddef0506da852dc82f078f37ced8ef4d74a2bf ]

    When initializing igb driver (e.g. 82576, I350), IGB_FLAG_QUEUE_PAIRS is
    set if adapter->rss_queues exceeds half of max_rss_queues in
    igb_init_queue_configuration().
    On the other hand, IGB_FLAG_QUEUE_PAIRS is not set even if the number of
    queues exceeds half of max_combined in igb_set_channels() when changing
    the number of queues by "ethtool -L".
    In this case, if numvecs is larger than MAX_MSIX_ENTRIES (10), the size
    of adapter->msix_entries[], an overflow can occur in
    igb_set_interrupt_capability(), which in turn leads to an oops.

    Fix this problem as follows:
     - When changing the number of queues by "ethtool -L", set
       IGB_FLAG_QUEUE_PAIRS in the same way as initializing igb driver.
     - When increasing the size of q_vector, reallocate it appropriately.
       (With IGB_FLAG_QUEUE_PAIRS set, the size of q_vector gets larger.)

    Another possible way to fix this problem is to cap the queues at its
    initial number, which is the number of the initial online cpus. But this
    is not the optimal way because we cannot increase queues when another
    cpu becomes online.

    Note that before commit cd14ef54d25b ("igb: Change to use statically
    allocated array for MSIx entries"), this problem did not cause oops
    but just made the number of queues become 1 because of entering msi_only
    mode in igb_set_interrupt_capability().

    Fixes: 907b7835799f ("igb: Add ethtool support to configure number of channels")
    CC: stable <stable@vger.kernel.org>
    Signed-off-by: Shota Suzuki <suzuki_shota_t3@lab.ntt.co.jp>
    Tested-by: Aaron Brown <aaron.f.brown@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit d098c085d0ae8dfa8a52f541fd7ba6c2dc69102d
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date:   Wed Jul 8 10:18:50 2015 -0500

    rtlwifi: rtl8821ae: Fix an expression that is always false

    [ Upstream commit 251086f588720277a6f5782020a648ce32c4e00b ]

    In routine _rtl8821ae_set_media_status(), an incorrect mask results in a test
    for AP status to always be false. Similar bugs were fixed in rtl8192cu and
    rtl8192de, but this instance was missed at that time.

    Reported-by: David Binderman <dcb314@hotmail.com>
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Cc: Stable <stable@vger.kernel.org> [3.18+]
    Cc: David Binderman <dcb314@hotmail.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5cadbe921f575c8cc69907a3ed62541cef571b98
Author: Andy Lutomirski <luto@kernel.org>
Date:   Wed Jul 15 10:29:38 2015 -0700

    x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection

    [ Upstream commit 810bc075f78ff2c221536eb3008eac6a492dba2d ]

    We have a tricky bug in the nested NMI code: if we see RSP
    pointing to the NMI stack on NMI entry from kernel mode, we
    assume that we are executing a nested NMI.

    This isn't quite true.  A malicious userspace program can point
    RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
    happen while RSP is still pointing at the NMI stack.

    Fix it with a sneaky trick.  Set DF in the region of code that
    the RSP check is intended to detect.  IRET will clear DF
    atomically.

    ( Note: other than paravirt, there's little need for all this
      complexity. We could check RIP instead of RSP. )

    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6acb4e24f7101f011d1ab85ddd2f63fc0f26b2b4
Author: Andy Lutomirski <luto@kernel.org>
Date:   Wed Jul 15 10:29:37 2015 -0700

    x86/nmi/64: Reorder nested NMI checks

    [ Upstream commit a27507ca2d796cfa8d907de31ad730359c8a6d06 ]

    Check the repeat_nmi .. end_repeat_nmi special case first.  The
    next patch will rework the RSP check and, as a side effect, the
    RSP check will no longer detect repeat_nmi .. end_repeat_nmi, so
    we'll need this ordering of the checks.

    Note: this is more subtle than it appears.  The check for
    repeat_nmi .. end_repeat_nmi jumps straight out of the NMI code
    instead of adjusting the "iret" frame to force a repeat.  This
    is necessary, because the code between repeat_nmi and
    end_repeat_nmi sets "NMI executing" and then writes to the
    "iret" frame itself.  If a nested NMI comes in and modifies the
    "iret" frame while repeat_nmi is also modifying it, we'll end up
    with garbage.  The old code got this right, as does the new
    code, but the new code is a bit more explicit.

    If we were to move the check right after the "NMI executing"
    check, then we'd get it wrong and have random crashes.

    ( Because the "NMI executing" check would jump to the code that would
      modify the "iret" frame without checking if the interrupted NMI was
      currently modifying it. )

    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit aac26b9c16d68f5b13a606f7100fea119083aa52
Author: Andy Lutomirski <luto@kernel.org>
Date:   Wed Jul 15 10:29:36 2015 -0700

    x86/nmi/64: Improve nested NMI comments

    [ Upstream commit 0b22930ebad563ae97ff3f8d7b9f12060b4c6e6b ]

    I found the nested NMI documentation to be difficult to follow.
    Improve the comments.

    Signed-off-by: Andy Lutomirski <luto@kernel.org>
    Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 838d2bbdb0468307fad3d1d5f396f99bc87d0a65
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Thu Aug 6 22:48:23 2015 +0200

    bna: fix interrupts storm caused by erroneous packets

    [ Upstream commit ade4dc3e616e33c80d7e62855fe1b6f9895bc7c3 ]

    The commit "e29aa33 bna: Enable Multi Buffer RX" moved packets counter
    increment from the beginning of the NAPI processing loop after the check
    for erroneous packets so they are never accounted. This counter is used
    to inform firmware about number of processed completions (packets).
    As these packets are never acked the firmware fires IRQs for them again
    and again.

    Fixes: e29aa33 ("bna: Enable Multi Buffer RX")
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Acked-by: Rasesh Mody <rasesh.mody@qlogic.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3a2c446444593647bdc13d6da6fcabfc99ac7470
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Aug 1 12:14:33 2015 +0200

    udp: fix dst races with multicast early demux

    [ Upstream commit 10e2eb878f3ca07ac2f05fa5ca5e6c4c9174a27a ]

    Multicast dst are not cached. They carry DST_NOCACHE.

    As mentioned in commit f8864972126899 ("ipv4: fix dst race in
    sk_dst_get()"), these dst need special care before caching them
    into a socket.

    Caching them is allowed only if their refcnt was not 0, ie we
    must use atomic_inc_not_zero()

    Also, we must use READ_ONCE() to fetch sk->sk_rx_dst, as mentioned
    in commit d0c294c53a771 ("tcp: prevent fetching dst twice in early demux
    code")

    Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
    Tested-by: Gregory Hoggarth <Gregory.Hoggarth@alliedtelesis.co.nz>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Gregory Hoggarth <Gregory.Hoggarth@alliedtelesis.co.nz>
    Reported-by: Alex Gartrell <agartrell@fb.com>
    Cc: Michal Kubeček <mkubecek@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 4320f02c4667d3106fe0c9e308694490a3b51913
Author: Lars Westerhoff <lars.westerhoff@newtec.eu>
Date:   Tue Jul 28 01:32:21 2015 +0300

    packet: missing dev_put() in packet_do_bind()

    [ Upstream commit 158cd4af8dedbda0d612d448c724c715d0dda649 ]

    When binding a PF_PACKET socket, the use count of the bound interface is
    always increased with dev_hold in dev_get_by_{index,name}.  However,
    when rebound with the same protocol and device as in the previous bind
    the use count of the interface was not decreased.  Ultimately, this
    caused the deletion of the interface to fail with the following message:

    unregister_netdevice: waiting for dummy0 to become free. Usage count = 1

    This patch moves the dev_put out of the conditional part that was only
    executed when either the protocol or device changed on a bind.

    Fixes: 902fefb82ef7 ('packet: improve socket create/bind latency in some cases')
    Signed-off-by: Lars Westerhoff <lars.westerhoff@newtec.eu>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e6551e40ada2272f7388c7e2d157ef3474ba2c34
Author: Wilson Kok <wkok@cumulusnetworks.com>
Date:   Tue Sep 22 21:40:22 2015 -0700

    fib_rules: fix fib rule dumps across multiple skbs

    [ Upstream commit 41fc014332d91ee90c32840bf161f9685b7fbf2b ]

    dump_rules returns skb length and not error.
    But when family == AF_UNSPEC, the caller of dump_rules
    assumes that it returns an error. Hence, when family == AF_UNSPEC,
    we continue trying to dump on -EMSGSIZE errors resulting in
    incorrect dump idx carried between skbs belonging to the same dump.
    This results in fib rule dump always only dumping rules that fit
    into the first skb.

    This patch fixes dump_rules to return error so that we exit correctly
    and idx is correctly maintained between skbs that are part of the
    same dump.

    Signed-off-by: Wilson Kok <wkok@cumulusnetworks.com>
    Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 8f1cdabcc6ccd7dea59fffc692e122c0b5eaf9f2
Author: Jesse Gross <jesse@nicira.com>
Date:   Mon Sep 21 20:21:20 2015 -0700

    openvswitch: Zero flows on allocation.

    [ Upstream commit ae5f2fb1d51fa128a460bcfbe3c56d7ab8bf6a43 ]

    When support for megaflows was introduced, OVS needed to start
    installing flows with a mask applied to them. Since masking is an
    expensive operation, OVS also had an optimization that would only
    take the parts of the flow keys that were covered by a non-zero
    mask. The values stored in the remaining pieces should not matter
    because they are masked out.

    While this works fine for the purposes of matching (which must always
    look at the mask), serialization to netlink can be problematic. Since
    the flow and the mask are serialized separately, the uninitialized
    portions of the flow can be encoded with whatever values happen to be
    present.

    In terms of functionality, this has little effect since these fields
    will be masked out by definition. However, it leaks kernel memory to
    userspace, which is a potential security vulnerability. It is also
    possible that other code paths could look at the masked key and get
    uninitialized data, although this does not currently appear to be an
    issue in practice.

    This removes the mask optimization for flows that are being installed.
    This was always intended to be the case as the mask optimizations were
    really targetting per-packet flow operations.

    Fixes: 03f0d916 ("openvswitch: Mega flow implementation")
    Signed-off-by: Jesse Gross <jesse@nicira.com>
    Acked-by: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 738a811a9ee144f98717ae29441825615b551c0d
Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date:   Thu Sep 10 17:31:15 2015 -0300

    sctp: fix race on protocol/netns initialization

    [ Upstream commit 8e2d61e0aed2b7c4ecb35844fe07e0b2b762dee4 ]

    Consider sctp module is unloaded and is being requested because an user
    is creating a sctp socket.

    During initialization, sctp will add the new protocol type and then
    initialize pernet subsys:

            status = sctp_v4_protosw_init();
            if (status)
                    goto err_protosw_init;

            status = sctp_v6_protosw_init();
            if (status)
                    goto err_v6_protosw_init;

            status = register_pernet_subsys(&sctp_net_ops);

    The problem is that after those calls to sctp_v{4,6}_protosw_init(), it
    is possible for userspace to create SCTP sockets like if the module is
    already fully loaded. If that happens, one of the possible effects is
    that we will have readers for net->sctp.local_addr_list list earlier
    than expected and sctp_net_init() does not take precautions while
    dealing with that list, leading to a potential panic but not limited to
    that, as sctp_sock_init() will copy a bunch of blank/partially
    initialized values from net->sctp.

    The race happens like this:

         CPU 0                           |  CPU 1
      socket()                           |
       __sock_create                     | socket()
        inet_create                      |  __sock_create
         list_for_each_entry_rcu(        |
            answer, &inetsw[sock->type], |
            list) {                      |   inet_create
          /* no hits */                  |
         if (unlikely(err)) {            |
          ...                            |
          request_module()               |
          /* socket creation is blocked  |
           * the module is fully loaded  |
           */                            |
           sctp_init                     |
            sctp_v4_protosw_init         |
             inet_register_protosw       |
              list_add_rcu(&p->list,     |
                           last_perm);   |
                                         |  list_for_each_entry_rcu(
                                         |     answer, &inetsw[sock->type],
            sctp_v6_protosw_init         |     list) {
                                         |     /* hit, so assumes protocol
                                         |      * is already loaded
                                         |      */
                                         |  /* socket creation continues
                                         |   * before netns is initialized
                                         |   */
            register_pernet_subsys       |

    Simply inverting the initialization order between
    register_pernet_subsys() and sctp_v4_protosw_init() is not possible
    because register_pernet_subsys() will create a control sctp socket, so
    the protocol must be already visible by then. Deferring the socket
    creation to a work-queue is not good specially because we loose the
    ability to handle its errors.

    So, as suggested by Vlad, the fix is to split netns initialization in
    two moments: defaults and control socket, so that the defaults are
    already loaded by when we register the protocol, while control socket
    initialization is kept at the same moment it is today.

    Fixes: 4db67e808640 ("sctp: Make the address lists per network namespace")
    Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 821cb36fe391803e70c61bab8321abc1108ddcce
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Sep 10 20:05:46 2015 +0200

    netlink, mmap: transform mmap skb into full skb on taps

    [ Upstream commit 1853c949646005b5959c483becde86608f548f24 ]

    Ken-ichirou reported that running netlink in mmap mode for receive in
    combination with nlmon will throw a NULL pointer dereference in
    __kfree_skb() on nlmon_xmit(), in my case I can also trigger an "unable
    to handle kernel paging request". The problem is the skb_clone() in
    __netlink_deliver_tap_skb() for skbs that are mmaped.

    I.e. the cloned skb doesn't have a destructor, whereas the mmap netlink
    skb has it pointed to netlink_skb_destructor(), set in the handler
    netlink_ring_setup_skb(). There, skb->head is being set to NULL, so
    that in such cases, __kfree_skb() doesn't perform a skb_release_data()
    via skb_release_all(), where skb->head is possibly being freed through
    kfree(head) into slab allocator, although netlink mmap skb->head points
    to the mmap buffer. Similarly, the same has to be done also for large
    netlink skbs where the data area is vmalloced. Therefore, as discussed,
    make a copy for these rather rare cases for now. This fixes the issue
    on my and Ken-ichirou's test-cases.

    Reference: http://thread.gmane.org/gmane.linux.network/371129
    Fixes: bcbde0d449ed ("net: netlink: virtual tap device management")
    Reported-by: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Tested-by: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 371a4bbb343053875e2165958b98a54514a9c186
Author: Richard Laing <richard.laing@alliedtelesis.co.nz>
Date:   Thu Sep 3 13:52:31 2015 +1200

    net/ipv6: Correct PIM6 mrt_lock handling

    [ Upstream commit 25b4a44c19c83d98e8c0807a7ede07c1f28eab8b ]

    In the IPv6 multicast routing code the mrt_lock was not being released
    correctly in the MFC iterator, as a result adding or deleting a MIF would
    cause a hang because the mrt_lock could not be acquired.

    This fix is a copy of the code for the IPv4 case and ensures that the lock
    is released correctly.

    Signed-off-by: Richard Laing <richard.laing@alliedtelesis.co.nz>
    Acked-by: Cong Wang <cwang@twopensource.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 232baded6d6fd8814de60534d30ced820552c015
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Sep 3 00:29:07 2015 +0200

    ipv6: fix exthdrs offload registration in out_rt path

    [ Upstream commit e41b0bedba0293b9e1e8d1e8ed553104b9693656 ]

    We previously register IPPROTO_ROUTING offload under inet6_add_offload(),
    but in error path, we try to unregister it with inet_del_offload(). This
    doesn't seem correct, it should actually be inet6_del_offload(), also
    ipv6_exthdrs_offload_exit() from that commit seems rather incorrect (it
    also uses rthdr_offload twice), but it got removed entirely later on.

    Fixes: 3336288a9fea ("ipv6: Switch to using new offload infrastructure.")
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f9e86ab009f39ff2d25379f3fed3a5d8f2ad25e7
Author: Eugene Shatokhin <eugene.shatokhin@rosalab.ru>
Date:   Mon Aug 24 23:13:42 2015 +0300

    usbnet: Get EVENT_NO_RUNTIME_PM bit before it is cleared

    [ Upstream commit f50791ac1aca1ac1b0370d62397b43e9f831421a ]

    It is needed to check EVENT_NO_RUNTIME_PM bit of dev->flags in
    usbnet_stop(), but its value should be read before it is cleared
    when dev->flags is set to 0.

    The problem was spotted and the fix was provided by
    Oliver Neukum <oneukum@suse.de>.

    Signed-off-by: Eugene Shatokhin <eugene.shatokhin@rosalab.ru>
    Acked-by: Oliver Neukum <oneukum@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 78aa277b5c1ad0b2091b94bf1d57db9b557e186e
Author: huaibin Wang <huaibin.wang@6wind.com>
Date:   Tue Aug 25 16:20:34 2015 +0200

    ip6_gre: release cached dst on tunnel removal

    [ Upstream commit d4257295ba1b389c693b79de857a96e4b7cd8ac0 ]

    When a tunnel is deleted, the cached dst entry should be released.

    This problem may prevent the removal of a netns (seen with a x-netns IPv6
    gre tunnel):
      unregister_netdevice: waiting for lo to become free. Usage count = 3

    CC: Dmitry Kozlov <xeb@mail.ru>
    Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
    Signed-off-by: huaibin Wang <huaibin.wang@6wind.com>
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fa89e04f61900d6888517ac0c42907c569fc7c44
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Tue Jul 7 00:07:52 2015 +0200

    rtnetlink: verify IFLA_VF_INFO attributes before passing them to driver

    [ Upstream commit 4f7d2cdfdde71ffe962399b7020c674050329423 ]

    Jason Gunthorpe reported that since commit c02db8c6290b ("rtnetlink: make
    SR-IOV VF interface symmetric"), we don't verify IFLA_VF_INFO attributes
    anymore with respect to their policy, that is, ifla_vfinfo_policy[].

    Before, they were part of ifla_policy[], but they have been nested since
    placed under IFLA_VFINFO_LIST, that contains the attribute IFLA_VF_INFO,
    which is another nested attribute for the actual VF attributes such as
    IFLA_VF_MAC, IFLA_VF_VLAN, etc.

    Despite the policy being split out from ifla_policy[] in this commit,
    it's never applied anywhere. nla_for_each_nested() only does basic nla_ok()
    testing for struct nlattr, but it doesn't know about the data context and
    their requirements.

    Fix, on top of Jason's initial work, does 1) parsing of the attributes
    with the right policy, and 2) using the resulting parsed attribute table
    from 1) instead of the nla_for_each_nested() loop (just like we used to
    do when still part of ifla_policy[]).

    Reference: http://thread.gmane.org/gmane.linux.network/368913
    Fixes: c02db8c6290b ("rtnetlink: make SR-IOV VF interface symmetric")
    Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Cc: Chris Wright <chrisw@sous-sol.org>
    Cc: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
    Cc: Greg Rose <gregory.v.rose@intel.com>
    Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Cc: Rony Efraim <ronye@mellanox.com>
    Cc: Vlad Zolotarov <vladz@cloudius-systems.com>
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Cc: Thomas Graf <tgraf@suug.ch>
    Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Vlad Zolotarov <vladz@cloudius-systems.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7acebc24194b31d4e5b98f9e436ae960c0948dd6
Author: Vlad Zolotarov <vladz@cloudius-systems.com>
Date:   Mon Mar 30 21:35:23 2015 +0300

    if_link: Add an additional parameter to ifla_vf_info for RSS querying

    [ Upstream commit 01a3d796813d6302af9f828f34b73d21a4b96c9a ]

    Add configuration setting for drivers to allow/block an RSS Redirection
    Table and a Hash Key querying for discrete VFs.

    On some devices VF share the mentioned above information with PF and
    querying it may adduce a theoretical security risk. We want to let a
    system administrator to decide if he/she wants to take this risk or not.

    Signed-off-by: Vlad Zolotarov <vladz@cloudius-systems.com>
    Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
    Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2117c584b5952c240d194486a9aeba34265736bc
Author: Hin-Tak Leung <htl10@users.sourceforge.net>
Date:   Wed Sep 9 15:38:04 2015 -0700

    hfs,hfsplus: cache pages correctly between bnode_create and bnode_free

    [ Upstream commit 7cb74be6fd827e314f81df3c5889b87e4c87c569 ]

    Pages looked up by __hfs_bnode_create() (called by hfs_bnode_create() and
    hfs_bnode_find() for finding or creating pages corresponding to an inode)
    are immediately kmap()'ed and used (both read and write) and kunmap()'ed,
    and should not be page_cache_release()'ed until hfs_bnode_free().

    This patch fixes a problem I first saw in July 2012: merely running "du"
    on a large hfsplus-mounted directory a few times on a reasonably loaded
    system would get the hfsplus driver all confused and complaining about
    B-tree inconsistencies, and generates a "BUG: Bad page state".  Most
    recently, I can generate this problem on up-to-date Fedora 22 with shipped
    kernel 4.0.5, by running "du /" (="/" + "/home" + "/mnt" + other smaller
    mounts) and "du /mnt" simultaneously on two windows, where /mnt is a
    lightly-used QEMU VM image of the full Mac OS X 10.9:

    $ df -i / /home /mnt
    Filesystem                  Inodes   IUsed      IFree IUse% Mounted on
    /dev/mapper/fedora-root    3276800  551665    2725135   17% /
    /dev/mapper/fedora-home   52879360  716221   52163139    2% /home
    /dev/nbd0p2             4294967295 1387818 4293579477    1% /mnt

    After applying the patch, I was able to run "du /" (60+ times) and "du
    /mnt" (150+ times) continuously and simultaneously for 6+ hours.

    There are many reports of the hfsplus driver getting confused under load
    and generating "BUG: Bad page state" or other similar issues over the
    years.  [1]

    The unpatched code [2] has always been wrong since it entered the kernel
    tree.  The only reason why it gets away with it is that the
    kmap/memcpy/kunmap follow very quickly after the page_cache_release() so
    the kernel has not had a chance to reuse the memory for something else,
    most of the time.

    The current RW driver appears to have followed the design and development
    of the earlier read-only hfsplus driver [3], where-by version 0.1 (Dec
    2001) had a B-tree node-centric approach to
    read_cache_page()/page_cache_release() per bnode_get()/bnode_put(),
    migrating towards version 0.2 (June 2002) of caching and releasing pages
    per inode extents.  When the current RW code first entered the kernel [2]
    in 2005, there was an REF_PAGES conditional (and "//" commented out code)
    to switch between B-node centric paging to inode-centric paging.  There
    was a mistake with the direction of one of the REF_PAGES conditionals in
    __hfs_bnode_create().  In a subsequent "remove debug code" commit [4], the
    read_cache_page()/page_cache_release() per bnode_get()/bnode_put() were
    removed, but a page_cache_release() was mistakenly left in (propagating
    the "REF_PAGES <-> !REF_PAGE" mistake), and the commented-out
    page_cache_release() in bnode_release() (which should be spanned by
    !REF_PAGES) was never enabled.

    References:
    [1]:
    Michael Fox, Apr 2013
    http://www.spinics.net/lists/linux-fsdevel/msg63807.html
    ("hfsplus volume suddenly inaccessable after 'hfs: recoff %d too large'")

    Sasha Levin, Feb 2015
    http://lkml.org/lkml/2015/2/20/85 ("use after free")

    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/740814
    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1027887
    https://bugzilla.kernel.org/show_bug.cgi?id=42342
    https://bugzilla.kernel.org/show_bug.cgi?id=63841
    https://bugzilla.kernel.org/show_bug.cgi?id=78761

    [2]:
    http://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/\
    fs/hfs/bnode.c?id=d1081202f1d0ee35ab0beb490da4b65d4bc763db
    commit d1081202f1d0ee35ab0beb490da4b65d4bc763db
    Author: Andrew Morton <akpm@osdl.org>
    Date:   Wed Feb 25 16:17:36 2004 -0800

        [PATCH] HFS rewrite

    http://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/\
    fs/hfsplus/bnode.c?id=91556682e0bf004d98a529bf829d339abb98bbbd

    commit 91556682e0bf004d98a529bf829d339abb98bbbd
    Author: Andrew Morton <akpm@osdl.org>
    Date:   Wed Feb 25 16:17:48 2004 -0800

        [PATCH] HFS+ support

    [3]:
    http://sourceforge.net/projects/linux-hfsplus/

    http://sourceforge.net/projects/linux-hfsplus/files/Linux%202.4.x%20patch/hfsplus%200.1/
    http://sourceforge.net/projects/linux-hfsplus/files/Linux%202.4.x%20patch/hfsplus%200.2/

    http://linux-hfsplus.cvs.sourceforge.net/viewvc/linux-hfsplus/linux/\
    fs/hfsplus/bnode.c?r1=1.4&r2=1.5

    Date:   Thu Jun 6 09:45:14 2002 +0000
    Use buffer cache instead of page cache in bnode.c. Cache inode extents.

    [4]:
    http://git.kernel.org/cgit/linux/kernel/git/\
    stable/linux-stable.git/commit/?id=a5e3985fa014029eb6795664c704953720cc7f7d

    commit a5e3985fa014029eb6795664c704953720cc7f7d
    Author: Roman Zippel <zippel@linux-m68k.org>
    Date:   Tue Sep 6 15:18:47 2005 -0700

    [PATCH] hfs: remove debug code

    Signed-off-by: Hin-Tak Leung <htl10@users.sourceforge.net>
    Signed-off-by: Sergei Antonov <saproj@gmail.com>
    Reviewed-by: Anton Altaparmakov <anton@tuxera.com>
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Sougata Santra <sougata@tuxera.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 13f3dc548b25086fb4e66636f6a1c8ba79b8353c
Author: Noa Osherovich <noaos@mellanox.com>
Date:   Thu Jul 30 17:34:24 2015 +0300

    IB/mlx4: Use correct SL on AH query under RoCE

    [ Upstream commit 5e99b139f1b68acd65e36515ca347b03856dfb5a ]

    The mlx4 IB driver implementation for ib_query_ah used a wrong offset
    (28 instead of 29) when link type is Ethernet. Fixed to use the correct one.

    Fixes: fa417f7b520e ('IB/mlx4: Add support for IBoE')
    Signed-off-by: Shani Michaeli <shanim@mellanox.com>
    Signed-off-by: Noa Osherovich <noaos@mellanox.com>
    Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 40968908297a4416894af5a203b43632d331435c
Author: Jack Morgenstein <jackm@dev.mellanox.co.il>
Date:   Thu Jul 30 17:34:23 2015 +0300

    IB/mlx4: Forbid using sysfs to change RoCE pkeys

    [ Upstream commit 2b135db3e81301d0452e6aa107349abe67b097d6 ]

    The pkey mapping for RoCE must remain the default mapping:
    VFs:
      virtual index 0 = mapped to real index 0 (0xFFFF)
      All others indices: mapped to a real pkey index containing an
                          invalid pkey.
    PF:
      virtual index i = real index i.

    Don't allow users to change these mappings using files found in
    sysfs.

    Fixes: c1e7e466120b ('IB/mlx4: Add iov directory in sysfs under the ib device')
    Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
    Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 15b3aadf15f0bb696184235163ff42ab0cb7e26c
Author: Yishai Hadas <yishaih@mellanox.com>
Date:   Thu Aug 13 18:32:03 2015 +0300

    IB/uverbs: Fix race between ib_uverbs_open and remove_one

    [ Upstream commit 35d4a0b63dc0c6d1177d4f532a9deae958f0662c ]

    Fixes: 2a72f212263701b927559f6850446421d5906c41 ("IB/uverbs: Remove dev_table")

    Before this commit there was a device look-up table that was protected
    by a spin_lock used by ib_uverbs_open and by ib_uverbs_remove_one. When
    it was dropped and container_of was used instead, it enabled the race
    with remove_one as dev might be freed just after:
    dev = container_of(inode->i_cdev, struct ib_uverbs_device, cdev) but
    before the kref_get.

    In addition, this buggy patch added some dead code as
    container_of(x,y,z) can never be NULL and so dev can never be NULL.
    As a result the comment above ib_uverbs_open saying "the open method
    will either immediately run -ENXIO" is wrong as it can never happen.

    The solution follows Jason Gunthorpe suggestion from below URL:
    https://www.mail-archive.com/linux-rdma@vger.kernel.org/msg25692.html

    cdev will hold a kref on the parent (the containing structure,
    ib_uverbs_device) and only when that kref is released it is
    guaranteed that open will never be called again.

    In addition, fixes the active count scheme to use an atomic
    not a kref to prevent WARN_ON as pointed by above comment
    from Jason.

    Signed-off-by: Yishai Hadas <yishaih@mellanox.com>
    Signed-off-by: Shachar Raindel <raindel@mellanox.com>
    Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 7c1d757a1fe62ec2983751441724acd0e2f8cd3c
Author: Christoph Hellwig <hch@lst.de>
Date:   Wed Aug 26 11:00:37 2015 +0200

    IB/uverbs: reject invalid or unknown opcodes

    [ Upstream commit b632ffa7cee439ba5dce3b3bc4a5cbe2b3e20133 ]

    We have many WR opcodes that are only supported in kernel space
    and/or require optional information to be copied into the WR
    structure.  Reject all those not explicitly handled so that we
    can't pass invalid information to drivers.

    Cc: stable@vger.kernel.org
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
    Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f3990e99b398e64af5f75eea3e4acc09260b667a
Author: Mike Marciniszyn <mike.marciniszyn@intel.com>
Date:   Tue Jul 21 08:36:07 2015 -0400

    IB/qib: Change lkey table allocation to support more MRs

    [ Upstream commit d6f1c17e162b2a11e708f28fa93f2f79c164b442 ]

    The lkey table is allocated with with a get_user_pages() with an
    order based on a number of index bits from a module parameter.

    The underlying kernel code cannot allocate that many contiguous pages.

    There is no reason the underlying memory needs to be physically
    contiguous.

    This patch:
    - switches the allocation/deallocation to vmalloc/vfree
    - caps the number of bits to 23 to insure at least 1 generation bit
      o this matches the module parameter description

    Cc: stable@vger.kernel.org
    Reviewed-by: Vinit Agnihotri <vinit.abhay.agnihotri@intel.com>
    Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 15c8f5c3e07d2059e02b686fc8f1abfd7201d4ca
Author: Hin-Tak Leung <htl10@users.sourceforge.net>
Date:   Wed Sep 9 15:38:07 2015 -0700

    hfs: fix B-tree corruption after insertion at position 0

    [ Upstream commit b4cc0efea4f0bfa2477c56af406cfcf3d3e58680 ]

    Fix B-tree corruption when a new record is inserted at position 0 in the
    node in hfs_brec_insert().

    This is an identical change to the corresponding hfs b-tree code to Sergei
    Antonov's "hfsplus: fix B-tree corruption after insertion at position 0",
    to keep similar code paths in the hfs and hfsplus drivers in sync, where
    appropriate.

    Signed-off-by: Hin-Tak Leung <htl10@users.sourceforge.net>
    Cc: Sergei Antonov <saproj@gmail.com>
    Cc: Joe Perches <joe@perches.com>
    Reviewed-by: Vyacheslav Dubeyko <slava@dubeyko.com>
    Cc: Anton Altaparmakov <anton@tuxera.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3a2915dad9da74c13fd6a83c7d0465ce89fd4403
Author: NeilBrown <neilb@suse.com>
Date:   Mon Jul 6 17:37:49 2015 +1000

    md/raid10: always set reshape_safe when initializing reshape_position.

    [ Upstream commit 299b0685e31c9f3dcc2d58ee3beca761a40b44b3 ]

    'reshape_position' tracks where in the reshape we have reached.
    'reshape_safe' tracks where in the reshape we have safely recorded
    in the metadata.

    These are compared to determine when to update the metadata.
    So it is important that reshape_safe is initialised properly.
    Currently it isn't.  When starting a reshape from the beginning
    it usually has the correct value by luck.  But when reducing the
    number of devices in a RAID10, it has the wrong value and this leads
    to the metadata not being updated correctly.
    This can lead to corruption if the reshape is not allowed to complete.

    This patch is suitable for any -stable kernel which supports RAID10
    reshape, which is 3.5 and later.

    Fixes: 3ea7daa5d7fd ("md/raid10: add reshape support")
    Cc: stable@vger.kernel.org (v3.5+ please wait for -final to be out for 2 weeks)
    Signed-off-by: NeilBrown <neilb@suse.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit c1802263482f6ce2501830c8aca14f582b7130cf
Author: Jialing Fu <jlfu@marvell.com>
Date:   Fri Aug 28 11:13:09 2015 +0800

    mmc: core: fix race condition in mmc_wait_data_done

    [ Upstream commit 71f8a4b81d040b3d094424197ca2f1bf811b1245 ]

    The following panic is captured in ker3.14, but the issue still exists
    in latest kernel.
    ---------------------------------------------------------------------
    [   20.738217] c0 3136 (Compiler) Unable to handle kernel NULL pointer dereference
    at virtual address 00000578
    ......
    [   20.738499] c0 3136 (Compiler) PC is at _raw_spin_lock_irqsave+0x24/0x60
    [   20.738527] c0 3136 (Compiler) LR is at _raw_spin_lock_irqsave+0x20/0x60
    [   20.740134] c0 3136 (Compiler) Call trace:
    [   20.740165] c0 3136 (Compiler) [<ffffffc0008ee900>] _raw_spin_lock_irqsave+0x24/0x60
    [   20.740200] c0 3136 (Compiler) [<ffffffc0000dd024>] __wake_up+0x1c/0x54
    [   20.740230] c0 3136 (Compiler) [<ffffffc000639414>] mmc_wait_data_done+0x28/0x34
    [   20.740262] c0 3136 (Compiler) [<ffffffc0006391a0>] mmc_request_done+0xa4/0x220
    [   20.740314] c0 3136 (Compiler) [<ffffffc000656894>] sdhci_tasklet_finish+0xac/0x264
    [   20.740352] c0 3136 (Compiler) [<ffffffc0000a2b58>] tasklet_action+0xa0/0x158
    [   20.740382] c0 3136 (Compiler) [<ffffffc0000a2078>] __do_softirq+0x10c/0x2e4
    [   20.740411] c0 3136 (Compiler) [<ffffffc0000a24bc>] irq_exit+0x8c/0xc0
    [   20.740439] c0 3136 (Compiler) [<ffffffc00008489c>] handle_IRQ+0x48/0xac
    [   20.740469] c0 3136 (Compiler) [<ffffffc000081428>] gic_handle_irq+0x38/0x7c
    ----------------------------------------------------------------------
    Because in SMP, "mrq" has race condition between below two paths:
    path1: CPU0: <tasklet context>
      static void mmc_wait_data_done(struct mmc_request *mrq)
      {
         mrq->host->context_info.is_done_rcv = true;
         //
         // If CPU0 has just finished "is_done_rcv = true" in path1, and at
         // this moment, IRQ or ICache line missing happens in CPU0.
         // What happens in CPU1 (path2)?
         //
         // If the mmcqd thread in CPU1(path2) hasn't entered to sleep mode:
         // path2 would have chance to break from wait_event_interruptible
         // in mmc_wait_for_data_req_done and continue to run for next
         // mmc_request (mmc_blk_rw_rq_prep).
         //
         // Within mmc_blk_rq_prep, mrq is cleared to 0.
         // If below line still gets host from "mrq" as the result of
         // compiler, the panic happens as we traced.
         wake_up_interruptible(&mrq->host->context_info.wait);
      }

    path2: CPU1: <The mmcqd thread runs mmc_queue_thread>
      static int mmc_wait_for_data_req_done(...
      {
         ...
         while (1) {
               wait_event_interruptible(context_info->wait,
                       (context_info->is_done_rcv ||
                        context_info->is_new_req));
               static void mmc_blk_rw_rq_prep(...
               {
               ...
               memset(brq, 0, sizeof(struct mmc_blk_request));

    This issue happens very coincidentally; however adding mdelay(1) in
    mmc_wait_data_done as below could duplicate it easily.

       static void mmc_wait_data_done(struct mmc_request *mrq)
       {
         mrq->host->context_info.is_done_rcv = true;
    +    mdelay(1);
         wake_up_interruptible(&mrq->host->context_info.wait);
        }

    At runtime, IRQ or ICache line missing may just happen at the same place
    of the mdelay(1).

    This patch gets the mmc_context_info at the beginning of function, it can
    avoid this race condition.

    Signed-off-by: Jialing Fu <jlfu@marvell.com>
    Tested-by: Shawn Lin <shawn.lin@rock-chips.com>
    Fixes: 2220eedfd7ae ("mmc: fix async request mechanism ....")
    Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit d8ef0bd7baadc1284b09b817ac61e7fe098b1c54
Author: Jann Horn <jann@thejh.net>
Date:   Wed Sep 9 15:38:28 2015 -0700

    fs: if a coredump already exists, unlink and recreate with O_EXCL

    [ Upstream commit fbb1816942c04429e85dbf4c1a080accc534299e ]

    It was possible for an attacking user to trick root (or another user) into
    writing his coredumps into an attacker-readable, pre-existing file using
    rename() or link(), causing the disclosure of secret data from the victim
    process' virtual memory.  Depending on the configuration, it was also
    possible to trick root into overwriting system files with coredumps.  Fix
    that issue by never writing coredumps into existing files.

    Requirements for the attack:
     - The attack only applies if the victim's process has a nonzero
       RLIMIT_CORE and is dumpable.
     - The attacker can trick the victim into coredumping into an
       attacker-writable directory D, either because the core_pattern is
       relative and the victim's cwd is attacker-writable or because an
       absolute core_pattern pointing to a world-writable directory is used.
     - The attacker has one of these:
      A: on a system with protected_hardlinks=0:
         execute access to a folder containing a victim-owned,
         attacker-readable file on the same partition as D, and the
         victim-owned file will be deleted before the main part of the attack
         takes place. (In practice, there are lots of files that fulfill
         this condition, e.g. entries in Debian's /var/lib/dpkg/info/.)
         This does not apply to most Linux systems because most distros set
         protected_hardlinks=1.
      B: on a system with protected_hardlinks=1:
         execute access to a folder containing a victim-owned,
         attacker-readable and attacker-writable file on the same partition
         as D, and the victim-owned file will be deleted before the main part
         of the attack takes place.
         (This seems to be uncommon.)
      C: on any system, independent of protected_hardlinks:
         write access to a non-sticky folder containing a victim-owned,
         attacker-readable file on the same partition as D
         (This seems to be uncommon.)

    The basic idea is that the attacker moves the victim-owned file to where
    he expects the victim process to dump its core.  The victim process dumps
    its core into the existing file, and the attacker reads the coredump from
    it.

    If the attacker can't move the file because he does not have write access
    to the containing directory, he can instead link the file to a directory
    he controls, then wait for the original link to the file to be deleted
    (because the kernel checks that the link count of the corefile is 1).

    A less reliable variant that requires D to be non-sticky works with link()
    and does not require deletion of the original link: link() the file into
    D, but then unlink() it directly before the kernel performs the link count
    check.

    On systems with protected_hardlinks=0, this variant allows an attacker to
    not only gain information from coredumps, but also clobber existing,
    victim-writable files with coredumps.  (This could theoretically lead to a
    privilege escalation.)

    Signed-off-by: Jann Horn <jann@thejh.net>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 19d585ab7bd36fb656008f8148049acde7643c91
Author: Jaewon Kim <jaewon31.kim@samsung.com>
Date:   Tue Sep 8 15:02:21 2015 -0700

    vmscan: fix increasing nr_isolated incurred by putback unevictable pages

    [ Upstream commit c54839a722a02818677bcabe57e957f0ce4f841d ]

    reclaim_clean_pages_from_list() assumes that shrink_page_list() returns
    number of pages removed from the candidate list.  But shrink_page_list()
    puts back mlocked pages without passing it to caller and without
    counting as nr_reclaimed.  This increases nr_isolated.

    To fix this, this patch changes shrink_page_list() to pass unevictable
    pages back to caller.  Caller will take care those pages.

    Minchan said:

    It fixes two issues.

    1. With unevictable page, cma_alloc will be successful.

    Exactly speaking, cma_alloc of current kernel will fail due to
    unevictable pages.

    2. fix leaking of NR_ISOLATED counter of vmstat

    With it, too_many_isolated works.  Otherwise, it could make hang until
    the process get SIGKILL.

    Signed-off-by: Jaewon Kim <jaewon31.kim@samsung.com>
    Acked-by: Minchan Kim <minchan@kernel.org>
    Cc: Mel Gorman <mgorman@techsingularity.net>
    Acked-by: Vlastimil Babka <vbabka@suse.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ee2cdeabb2b5bff780b1e61af5fc13967573e466
Author: Helge Deller <deller@gmx.de>
Date:   Thu Sep 3 22:45:21 2015 +0200

    parisc: Filter out spurious interrupts in PA-RISC irq handler

    [ Upstream commit b1b4e435e4ef7de77f07bf2a42c8380b960c2d44 ]

    When detecting a serial port on newer PA-RISC machines (with iosapic) we have a
    long way to go to find the right IRQ line, registering it, then registering the
    serial port and the irq handler for the serial port. During this phase spurious
    interrupts for the serial port may happen which then crashes the kernel because
    the action handler might not have been set up yet.

    So, basically it's a race condition between the serial port hardware and the
    CPU which sets up the necessary fields in the irq sructs. The main reason for
    this race is, that we unmask the serial port irqs too early without having set
    up everything properly before (which isn't easily possible because we need the
    IRQ number to register the serial ports).

    This patch is a work-around for this problem. It adds checks to the CPU irq
    handler to verify if the IRQ action field has been initialized already. If not,
    we just skip this interrupt (which isn't critical for a serial port at bootup).
    The real fix would probably involve rewriting all PA-RISC specific IRQ code
    (for CPU, IOSAPIC, GSC and EISA) to use IRQ domains with proper parenting of
    the irq chips and proper irq enabling along this line.

    This bug has been in the PA-RISC port since the beginning, but the crashes
    happened very rarely with currently used hardware.  But on the latest machine
    which I bought (a C8000 workstation), which uses the fastest CPUs (4 x PA8900,
    1GHz) and which has the largest possible L1 cache size (64MB each), the kernel
    crashed at every boot because of this race. So, without this patch the machine
    would currently be unuseable.

    For the record, here is the flow logic:
    1. serial_init_chip() in 8250_gsc.c calls iosapic_serial_irq().
    2. iosapic_serial_irq() calls txn_alloc_irq() to find the irq.
    3. iosapic_serial_irq() calls cpu_claim_irq() to register the CPU irq
    4. cpu_claim_irq() unmasks the CPU irq (which it shouldn't!)
    5. serial_init_chip() then registers the 8250 port.
    Problems:
    - In step 4 the CPU irq shouldn't have been registered yet, but after step 5
    - If serial irq happens between 4 and 5 have finished, the kernel will crash

    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e158509bb2c10c88079043b2acdac71c34b0f666
Author: John David Anglin <dave.anglin@bell.net>
Date:   Mon Sep 7 20:13:28 2015 -0400

    parisc: Use double word condition in 64bit CAS operation

    [ Upstream commit 1b59ddfcf1678de38a1f8ca9fb8ea5eebeff1843 ]

    The attached change fixes the condition used in the "sub" instruction.
    A double word comparison is needed.  This fixes the 64-bit LWS CAS
    operation on 64-bit kernels.

    I can now enable 64-bit atomic support in GCC.

    Cc: <stable@vger.kernel.org>
    Signed-off-by: John David Anglin <dave.anglin>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5d9b942696a6bcf8f1e498991f5eba35329ab1e6
Author: Trond Myklebust <trond.myklebust@primarydata.com>
Date:   Mon Aug 17 12:57:07 2015 -0500

    NFS: nfs_set_pgio_error sometimes misses errors

    [ Upstream commit e9ae58aeee8842a50f7e199d602a5ccb2e41a95f ]

    We should ensure that we always set the pgio_header's error field
    if a READ or WRITE RPC call returns an error. The current code depends
    on 'hdr->good_bytes' always being initialised to a large value, which
    is not always done correctly by callers.
    When this happens, applications may end up missing important errors.

    Cc: stable@vger.kernel.org
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 2e81b26ee568c88b68c7b4e58a71bbdfe83fb338
Author: Kinglong Mee <kinglongmee@gmail.com>
Date:   Sat Aug 15 21:52:10 2015 +0800

    NFS: Fix a NULL pointer dereference of migration recovery ops for v4.2 client

    [ Upstream commit 18e3b739fdc826481c6a1335ce0c5b19b3d415da ]

    ---Steps to Reproduce--
    <nfs-server>
    # cat /etc/exports
    /nfs/referal  *(rw,insecure,no_subtree_check,no_root_squash,crossmnt)
    /nfs/old      *(ro,insecure,subtree_check,root_squash,crossmnt)

    <nfs-client>
    # mount -t nfs nfs-server:/nfs/ /mnt/
    # ll /mnt/*/

    <nfs-server>
    # cat /etc/exports
    /nfs/referal   *(rw,insecure,no_subtree_check,no_root_squash,crossmnt,refer=/nfs/old/@nfs-server)
    /nfs/old       *(ro,insecure,subtree_check,root_squash,crossmnt)
    # service nfs restart

    <nfs-client>
    # ll /mnt/*/    --->>>>> oops here

    [ 5123.102925] BUG: unable to handle kernel NULL pointer dereference at           (null)
    [ 5123.103363] IP: [<ffffffffa03ed38b>] nfs4_proc_get_locations+0x9b/0x120 [nfsv4]
    [ 5123.103752] PGD 587b9067 PUD 3cbf5067 PMD 0
    [ 5123.104131] Oops: 0000 [#1]
    [ 5123.104529] Modules linked in: nfsv4(OE) nfs(OE) fscache(E) nfsd(OE) xfs libcrc32c iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi coretemp crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel ppdev vmw_balloon parport_pc parport i2c_piix4 shpchp auth_rpcgss nfs_acl vmw_vmci lockd grace sunrpc vmwgfx drm_kms_helper ttm drm mptspi serio_raw scsi_transport_spi e1000 mptscsih mptbase ata_generic pata_acpi [last unloaded: nfsd]
    [ 5123.105887] CPU: 0 PID: 15853 Comm: ::1-manager Tainted: G           OE   4.2.0-rc6+ #214
    [ 5123.106358] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
    [ 5123.106860] task: ffff88007620f300 ti: ffff88005877c000 task.ti: ffff88005877c000
    [ 5123.107363] RIP: 0010:[<ffffffffa03ed38b>]  [<ffffffffa03ed38b>] nfs4_proc_get_locations+0x9b/0x120 [nfsv4]
    [ 5123.107909] RSP: 0018:ffff88005877fdb8  EFLAGS: 00010246
    [ 5123.108435] RAX: ffff880053f3bc00 RBX: ffff88006ce6c908 RCX: ffff880053a0d240
    [ 5123.108968] RDX: ffffea0000e6d940 RSI: ffff8800399a0000 RDI: ffff88006ce6c908
    [ 5123.109503] RBP: ffff88005877fe28 R08: ffffffff81c708a0 R09: 0000000000000000
    [ 5123.110045] R10: 00000000000001a2 R11: ffff88003ba7f5c8 R12: ffff880054c55800
    [ 5123.110618] R13: 0000000000000000 R14: ffff880053a0d240 R15: ffff880053a0d240
    [ 5123.111169] FS:  0000000000000000(0000) GS:ffffffff81c27000(0000) knlGS:0000000000000000
    [ 5123.111726] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 5123.112286] CR2: 0000000000000000 CR3: 0000000054cac000 CR4: 00000000001406f0
    [ 5123.112888] Stack:
    [ 5123.113458]  ffffea0000e6d940 ffff8800399a0000 00000000000167d0 0000000000000000
    [ 5123.114049]  0000000000000000 0000000000000000 0000000000000000 00000000a7ec82c6
    [ 5123.114662]  ffff88005877fe18 ffffea0000e6d940 ffff8800399a0000 ffff880054c55800
    [ 5123.115264] Call Trace:
    [ 5123.115868]  [<ffffffffa03fb44b>] nfs4_try_migration+0xbb/0x220 [nfsv4]
    [ 5123.116487]  [<ffffffffa03fcb3b>] nfs4_run_state_manager+0x4ab/0x7b0 [nfsv4]
    [ 5123.117104]  [<ffffffffa03fc690>] ? nfs4_do_reclaim+0x510/0x510 [nfsv4]
    [ 5123.117813]  [<ffffffff810a4527>] kthread+0xd7/0xf0
    [ 5123.118456]  [<ffffffff810a4450>] ? kthread_worker_fn+0x160/0x160
    [ 5123.119108]  [<ffffffff816d9cdf>] ret_from_fork+0x3f/0x70
    [ 5123.119723]  [<ffffffff810a4450>] ? kthread_worker_fn+0x160/0x160
    [ 5123.120329] Code: 4c 8b 6a 58 74 17 eb 52 48 8d 55 a8 89 c6 4c 89 e7 e8 4a b5 ff ff 8b 45 b0 85 c0 74 1c 4c 89 f9 48 8b 55 90 48 8b 75 98 48 89 df <41> ff 55 00 3d e8 d8 ff ff 41 89 c6 74 cf 48 8b 4d c8 65 48 33
    [ 5123.121643] RIP  [<ffffffffa03ed38b>] nfs4_proc_get_locations+0x9b/0x120 [nfsv4]
    [ 5123.122308]  RSP <ffff88005877fdb8>
    [ 5123.122942] CR2: 0000000000000000

    Fixes: ec011fe847 ("NFS: Introduce a vector of migration recovery ops")
    Cc: stable@vger.kernel.org # v3.13+
    Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9c4acd614315606108151ba7f2b13987368ea13c
Author: NeilBrown <neilb@suse.com>
Date:   Thu Jul 30 13:00:56 2015 +1000

    NFSv4: don't set SETATTR for O_RDONLY|O_EXCL

    [ Upstream commit efcbc04e16dfa95fef76309f89710dd1d99a5453 ]

    It is unusual to combine the open flags O_RDONLY and O_EXCL, but
    it appears that libre-office does just that.

    [pid  3250] stat("/home/USER/.config", {st_mode=S_IFDIR|0700, st_size=8192, ...}) = 0
    [pid  3250] open("/home/USER/.config/libreoffice/4-suse/user/extensions/buildid", O_RDONLY|O_EXCL <unfinished ...>

    NFSv4 takes O_EXCL as a sign that a setattr command should be sent,
    probably to reset the timestamps.

    When it was an O_RDONLY open, the SETATTR command does not
    identify any actual attributes to change.
    If no delegation was provided to the open, the SETATTR uses the
    all-zeros stateid and the request is accepted (at least by the
    Linux NFS server - no harm, no foul).

    If a read-delegation was provided, this is used in the SETATTR
    request, and a Netapp filer will justifiably claim
    NFS4ERR_BAD_STATEID, which the Linux client takes as a sign
    to retry - indefinitely.

    So only treat O_EXCL specially if O_CREAT was also given.

    Signed-off-by: NeilBrown <neilb@suse.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fe3882a4751d2b4fd004b4ce6f0e3ddebd093b52
Author: Filipe Manana <fdmanana@suse.com>
Date:   Wed Aug 12 11:54:35 2015 +0100

    Btrfs: check if previous transaction aborted to avoid fs corruption

    [ Upstream commit 1f9b8c8fbc9a4d029760b16f477b9d15500e3a34 ]

    While we are committing a transaction, it's possible the previous one is
    still finishing its commit and therefore we wait for it to finish first.
    However we were not checking if that previous transaction ended up getting
    aborted after we waited for it to commit, so we ended up committing the
    current transaction which can lead to fs corruption because the new
    superblock can point to trees that have had one or more nodes/leafs that
    were never durably persisted.
    The following sequence diagram exemplifies how this is possible:

              CPU 0                                                        CPU 1

      transaction N starts

      (...)

      btrfs_commit_transaction(N)

        cur_trans->state = TRANS_STATE_COMMIT_START;
        (...)
        cur_trans->state = TRANS_STATE_COMMIT_DOING;
        (...)

        cur_trans->state = TRANS_STATE_UNBLOCKED;
        root->fs_info->running_transaction = NULL;

                                                                  btrfs_start_transaction()
                                                                     --> starts transaction N + 1

        btrfs_write_and_wait_transaction(trans, root);
          --> starts writing all new or COWed ebs created
              at transaction N

                                                                  creates some new ebs, COWs some
                                                                  existing ebs but doesn't COW or
                                                                  deletes eb X

                                                                  btrfs_commit_transaction(N + 1)
                                                                    (...)
                                                                    cur_trans->state = TRANS_STATE_COMMIT_START;
                                                                    (...)
                                                                    wait_for_commit(root, prev_trans);
                                                                      --> prev_trans == transaction N

        btrfs_write_and_wait_transaction() continues
        writing ebs
           --> fails writing eb X, we abort transaction N
               and set bit BTRFS_FS_STATE_ERROR on
               fs_info->fs_state, so no new transactions
               can start after setting that bit

           cleanup_transaction()
             btrfs_cleanup_one_transaction()
               wakes up task at CPU 1

                                                                    continues, doesn't abort because
                                                                    cur_trans->aborted (transaction N + 1)
                                                                    is zero, and no checks for bit
                                                                    BTRFS_FS_STATE_ERROR in fs_info->fs_state
                                                                    are made

                                                                    btrfs_write_and_wait_transaction(trans, root);
                                                                      --> succeeds, no errors during writeback

                                                                    write_ctree_super(trans, root, 0);
                                                                      --> succeeds
                                                                      --> we have now a superblock that points us
                                                                          to some root that uses eb X, which was
                                                                          never written to disk

    In this scenario future attempts to read eb X from disk results in an
    error message like "parent transid verify failed on X wanted Y found Z".

    So fix this by aborting the current transaction if after waiting for the
    previous transaction we verify that it was aborted.

    Cc: stable@vger.kernel.org
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: Josef Bacik <jbacik@fb.com>
    Reviewed-by: Liu Bo <bo.li.liu@oracle.com>
    Signed-off-by: Chris Mason <clm@fb.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit e5ce14705d3199531b646c9e03724eaec77c6471
Author: Sakari Ailus <sakari.ailus@iki.fi>
Date:   Fri Jun 12 20:06:23 2015 -0300

    [media] v4l: omap3isp: Fix sub-device power management code

    [ Upstream commit 9d39f05490115bf145e5ea03c0b7ec9d3d015b01 ]

    Commit 813f5c0ac5cc ("media: Change media device link_notify behaviour")
    modified the media controller link setup notification API and updated the
    OMAP3 ISP driver accordingly. As a side effect it introduced a bug by
    turning power on after setting the link instead of before. This results in
    sub-devices not being powered down in some cases when they should be. Fix
    it.

    Fixes: 813f5c0ac5cc [media] media: Change media device link_notify behaviour

    Signed-off-by: Sakari Ailus <sakari.ailus@iki.fi>
    Cc: stable@vger.kernel.org # since v3.10
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 51d0384968780c9532bb63f9842e82c336fa7ab8
Author: David Härdeman <david@hardeman.nu>
Date:   Tue May 19 19:03:12 2015 -0300

    [media] rc-core: fix remove uevent generation

    [ Upstream commit a66b0c41ad277ae62a3ae6ac430a71882f899557 ]

    The input_dev is already gone when the rc device is being unregistered
    so checking for its presence only means that no remove uevent will be
    generated.

    Cc: stable@kernel.org
    Signed-off-by: David Härdeman <david@hardeman.nu>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 8da2e87b95215ef4acd944ed1d552d5082ba98f8
Author: Minfei Huang <mnfhuang@gmail.com>
Date:   Sun Jul 12 20:18:42 2015 +0800

    x86/mm: Initialize pmd_idx in page_table_range_init_count()

    [ Upstream commit 9962eea9e55f797f05f20ba6448929cab2a9f018 ]

    The variable pmd_idx is not initialized for the first iteration of the
    for loop.

    Assign the proper value which indexes the start address.

    Fixes: 719272c45b82 'x86, mm: only call early_ioremap_page_table_range_init() once'
    Signed-off-by: Minfei Huang <mnfhuang@gmail.com>
    Cc: tony.luck@intel.com
    Cc: wangnan0@huawei.com
    Cc: david.vrabel@citrix.com
    Reviewed-by: yinghai@kernel.org
    Link: http://lkml.kernel.org/r/1436703522-29552-1-git-send-email-mhuang@redhat.com
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3cc3b3025f6259e23bfe2e1b95c4173001144cba
Author: Jeffery Miller <jmiller@neverware.com>
Date:   Tue Sep 1 11:23:02 2015 -0400

    Add radeon suspend/resume quirk for HP Compaq dc5750.

    [ Upstream commit 09bfda10e6efd7b65bcc29237bee1765ed779657 ]

    With the radeon driver loaded the HP Compaq dc5750
    Small Form Factor machine fails to resume from suspend.
    Adding a quirk similar to other devices avoids
    the problem and the system resumes properly.

    Signed-off-by: Jeffery Miller <jmiller@neverware.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 01104f30a6751e2b04cfc43a4b745a249d3ad04e
Author: Jann Horn <jann@thejh.net>
Date:   Fri Sep 11 16:27:27 2015 +0200

    CIFS: fix type confusion in copy offload ioctl

    [ Upstream commit 4c17a6d56bb0cad3066a714e94f7185a24b40f49 ]

    This might lead to local privilege escalation (code execution as
    kernel) for systems where the following conditions are met:

     - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled
     - a cifs filesystem is mounted where:
      - the mount option "vers" was used and set to a value >=2.0
      - the attacker has write access to at least one file on the filesystem

    To attack this, an attacker would have to guess the target_tcon
    pointer (but guessing wrong doesn't cause a crash, it just returns an
    error code) and win a narrow race.

    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: Jann Horn <jann@thejh.net>
    Signed-off-by: Steve French <smfrench@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 435facb28b835f014b6a21ff887442d0e03cef03
Author: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Date:   Tue Sep 15 12:30:08 2015 +0530

    powerpc/mm: Recompute hash value after a failed update

    [ Upstream commit 36b35d5d807b7e57aff7d08e63de8b17731ee211 ]

    If we had secondary hash flag set, we ended up modifying hash value in
    the updatepp code path. Hence with a failed updatepp we will be using
    a wrong hash value for the following hash insert. Fix this by
    recomputing hash before insert.

    Without this patch we can end up with using wrong slot number in linux
    pte. That can result in us missing an hash pte update or invalidate
    which can cause memory corruption or even machine check.

    Fixes: 6d492ecc6489 ("powerpc/THP: Add code to handle HPTE faults for hugepages")
    Cc: stable@vger.kernel.org # v3.11+
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Reviewed-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3d108c1cfc2af67d14cb280fb118eee327fbb347
Author: Thomas Huth <thuth@redhat.com>
Date:   Fri Jul 17 12:46:58 2015 +0200

    powerpc/rtas: Introduce rtas_get_sensor_fast() for IRQ handlers

    [ Upstream commit 1c2cb594441d02815d304cccec9742ff5c707495 ]

    The EPOW interrupt handler uses rtas_get_sensor(), which in turn
    uses rtas_busy_delay() to wait for RTAS becoming ready in case it
    is necessary. But rtas_busy_delay() is annotated with might_sleep()
    and thus may not be used by interrupts handlers like the EPOW handler!
    This leads to the following BUG when CONFIG_DEBUG_ATOMIC_SLEEP is
    enabled:

     BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:496
     in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1
     CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.2.0-rc2-thuth #6
     Call Trace:
     [c00000007ffe7b90] [c000000000807670] dump_stack+0xa0/0xdc (unreliable)
     [c00000007ffe7bc0] [c0000000000e1f14] ___might_sleep+0x134/0x180
     [c00000007ffe7c20] [c00000000002aec0] rtas_busy_delay+0x30/0xd0
     [c00000007ffe7c50] [c00000000002bde4] rtas_get_sensor+0x74/0xe0
     [c00000007ffe7ce0] [c000000000083264] ras_epow_interrupt+0x44/0x450
     [c00000007ffe7d90] [c000000000120260] handle_irq_event_percpu+0xa0/0x300
     [c00000007ffe7e70] [c000000000120524] handle_irq_event+0x64/0xc0
     [c00000007ffe7eb0] [c000000000124dbc] handle_fasteoi_irq+0xec/0x260
     [c00000007ffe7ef0] [c00000000011f4f0] generic_handle_irq+0x50/0x80
     [c00000007ffe7f20] [c000000000010f3c] __do_irq+0x8c/0x200
     [c00000007ffe7f90] [c0000000000236cc] call_do_irq+0x14/0x24
     [c00000007e6f39e0] [c000000000011144] do_IRQ+0x94/0x110
     [c00000007e6f3a30] [c000000000002594] hardware_interrupt_common+0x114/0x180

    Fix this issue by introducing a new rtas_get_sensor_fast() function
    that does not use rtas_busy_delay() - and thus can only be used for
    sensors that do not cause a BUSY condition - known as "fast" sensors.

    The EPOW sensor is defined to be "fast" in sPAPR - mpe.

    Fixes: 587f83e8dd50 ("powerpc/pseries: Use rtas_get_sensor in RAS code")
    Signed-off-by: Thomas Huth <thuth@redhat.com>
    Reviewed-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit fb508c16d90ab7964fdbb38374954343159e1435
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Fri Aug 7 16:19:43 2015 +1000

    powerpc/mm: Fix pte_pagesize_index() crash on 4K w/64K hash

    [ Upstream commit 74b5037baa2011a2799e2c43adde7d171b072f9e ]

    The powerpc kernel can be built to have either a 4K PAGE_SIZE or a 64K
    PAGE_SIZE.

    However when built with a 4K PAGE_SIZE there is an additional config
    option which can be enabled, PPC_HAS_HASH_64K, which means the kernel
    also knows how to hash a 64K page even though the base PAGE_SIZE is 4K.

    This is used in one obscure configuration, to support 64K pages for SPU
    local store on the Cell processor when the rest of the kernel is using
    4K pages.

    In this configuration, pte_pagesize_index() is defined to just pass
    through its arguments to get_slice_psize(). However pte_pagesize_index()
    is called for both user and kernel addresses, whereas get_slice_psize()
    only knows how to handle user addresses.

    This has been broken forever, however until recently it happened to
    work. That was because in get_slice_psize() the large kernel address
    would cause the right shift of the slice mask to return zero.

    However in commit 7aa0727f3302 ("powerpc/mm: Increase the slice range to
    64TB"), the get_slice_psize() code was changed so that instead of a
    right shift we do an array lookup based on the address. When passed a
    kernel address this means we index way off the end of the slice array
    and return random junk.

    That is only fatal if we happen to hit something non-zero, but when we
    do return a non-zero value we confuse the MMU code and eventually cause
    a check stop.

    This fix is ugly, but simple. When we're called for a kernel address we
    return 4K, which is always correct in this configuration, otherwise we
    use the slice mask.

    Fixes: 7aa0727f3302 ("powerpc/mm: Increase the slice range to 64TB")
    Reported-by: Cyril Bur <cyrilbur@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 9d2debc73c13911b0969e34b0a2b4ca0c0d249d3
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Aug 13 18:05:06 2015 +0200

    ALSA: hda - Use ALC880_FIXUP_FUJITSU for FSC Amilo M1437

    [ Upstream commit a161574e200ae63a5042120e0d8c36830e81bde3 ]

    It turned out that the machine has a bass speaker, so take a correct
    fixup entry.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=102501
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 60300afece1ee742fd4514654d87bd82441821e3
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Aug 13 18:02:39 2015 +0200

    ALSA: hda - Enable headphone jack detect on old Fujitsu laptops

    [ Upstream commit bb148bdeb0ab16fc0ae8009799471e4d7180073b ]

    According to the bug report, FSC Amilo laptops with ALC880 can detect
    the headphone jack but currently the driver disables it.  It's partly
    intentionally, as non-working jack detect was reported in the past.
    Let's enable now.

    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=102501
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit ae78a159fed6e17c22dfeb1c6c18ce442d2f8d89
Author: Takashi Iwai <tiwai@suse.de>
Date:   Thu Sep 3 22:20:00 2015 -0700

    Input: evdev - do not report errors form flush()

    [ Upstream commit eb38f3a4f6e86f8bb10a3217ebd85ecc5d763aae ]

    We've got bug reports showing the old systemd-logind (at least
    system-210) aborting unexpectedly, and this turned out to be because
    of an invalid error code from close() call to evdev devices.  close()
    is supposed to return only either EINTR or EBADFD, while the device
    returned ENODEV.  logind was overreacting to it and decided to kill
    itself when an unexpected error code was received.  What a tragedy.

    The bad error code comes from flush fops, and actually evdev_flush()
    returns ENODEV when device is disconnected or client's access to it is
    revoked. But in these cases the fact that flush did not actually happen is
    not an error, but rather normal behavior. For non-disconnected devices
    result of flush is also not that interesting as there is no potential of
    data loss and even if it fails application has no way of handling the
    error. Because of that we are better off always returning success from
    evdev_flush().

    Also returning EINTR from flush()/close() is discouraged (as it is not
    clear how application should handle this error), so let's stop taking
    evdev->mutex interruptibly.

    Bugzilla: http://bugzilla.suse.com/show_bug.cgi?id=939834
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 5fc83fad2a50c76695d7e56b48a1849b815229ae
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Wed Sep 16 16:18:59 2015 +0100

    arm64: KVM: Disable virtual timer even if the guest is not using it

    [ Upstream commit c4cbba9fa078f55d9f6d081dbb4aec7cf969e7c7 ]

    When running a guest with the architected timer disabled (with QEMU and
    the kernel_irqchip=off option, for example), it is important to make
    sure the timer gets turned off. Otherwise, the guest may try to
    enable it anyway, leading to a screaming HW interrupt.

    The fix is to unconditionally turn off the virtual timer on guest
    exit.

    Cc: stable@vger.kernel.org
    Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 87b71fa85761e22cfb4ba62b6f54bbc57863a37d
Author: Will Deacon <will.deacon@arm.com>
Date:   Tue Mar 17 12:15:02 2015 +0000

    arm64: errata: add module build workaround for erratum #843419

    [ Upstream commit df057cc7b4fa59e9b55f07ffdb6c62bf02e99a00 ]

    Cortex-A53 processors <= r0p4 are affected by erratum #843419 which can
    lead to a memory access using an incorrect address in certain sequences
    headed by an ADRP instruction.

    There is a linker fix to generate veneers for ADRP instructions, but
    this doesn't work for kernel modules which are built as unlinked ELF
    objects.

    This patch adds a new config option for the erratum which, when enabled,
    builds kernel modules with the mcmodel=large flag. This uses absolute
    addressing for all kernel symbols, thereby removing the use of ADRP as
    a PC-relative form of addressing. The ADRP relocs are removed from the
    module loader so that we fail to load any potentially affected modules.

    Cc: <stable@vger.kernel.org>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 0d4e0280e189269c26454584a83c2ab9a10a2c06
Author: Will Deacon <will.deacon@arm.com>
Date:   Wed Sep 2 18:49:28 2015 +0100

    arm64: head.S: initialise mdcr_el2 in el2_setup

    [ Upstream commit d10bcd473301888f957ec4b6b12aa3621be78d59 ]

    When entering the kernel at EL2, we fail to initialise the MDCR_EL2
    register which controls debug access and PMU capabilities at EL1.

    This patch ensures that the register is initialised so that all traps
    are disabled and all the PMU counters are available to the host. When a
    guest is scheduled, KVM takes care to configure trapping appropriately.

    Cc: <stable@vger.kernel.org>
    Acked-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 38dc08cef862db3e36ca9834d64864c15a25b1dc
Author: Will Deacon <will.deacon@arm.com>
Date:   Tue Sep 15 12:07:06 2015 +0100

    arm64: compat: fix vfp save/restore across signal handlers in big-endian

    [ Upstream commit bdec97a855ef1e239f130f7a11584721c9a1bf04 ]

    When saving/restoring the VFP registers from a compat (AArch32)
    signal frame, we rely on the compat registers forming a prefix of the
    native register file and therefore make use of copy_{to,from}_user to
    transfer between the native fpsimd_state and the compat_vfp_sigframe.

    Unfortunately, this doesn't work so well in a big-endian environment.
    Our fpsimd save/restore code operates directly on 128-bit quantities
    (Q registers) whereas the compat_vfp_sigframe represents the registers
    as an array of 64-bit (D) registers. The architecture packs the compat D
    registers into the Q registers, with the least significant bytes holding
    the lower register. Consequently, we need to swap the 64-bit halves when
    converting between these two representations on a big-endian machine.

    This patch replaces the __copy_{to,from}_user invocations in our
    compat VFP signal handling code with explicit __put_user loops that
    operate on 64-bit values and swap them accordingly.

    Cc: <stable@vger.kernel.org>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 6faa56d421e277f8d08ab02de615b9080c629837
Author: Jeff Vander Stoep <jeffv@google.com>
Date:   Tue Aug 18 20:50:10 2015 +0100

    arm64: kconfig: Move LIST_POISON to a safe value

    [ Upstream commit bf0c4e04732479f650ff59d1ee82de761c0071f0 ]

    Move the poison pointer offset to 0xdead000000000000, a
    recognized value that is not mappable by user-space exploits.

    Cc: <stable@vger.kernel.org>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Thierry Strudel <tstrudel@google.com>
    Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit dabbb4936dc232bffb5467c3aaf9d2ced053aa55
Author: Bob Copeland <me@bobcopeland.com>
Date:   Sat Jun 13 10:16:31 2015 -0400

    mac80211: enable assoc check for mesh interfaces

    [ Upstream commit 3633ebebab2bbe88124388b7620442315c968e8f ]

    We already set a station to be associated when peering completes, both
    in user space and in the kernel.  Thus we should always have an
    associated sta before sending data frames to that station.

    Failure to check assoc state can cause crashes in the lower-level driver
    due to transmitting unicast data frames before driver sta structures
    (e.g. ampdu state in ath9k) are initialized.  This occurred when
    forwarding in the presence of fixed mesh paths: frames were transmitted
    to stations with whom we hadn't yet completed peering.

    Cc: stable@vger.kernel.org
    Reported-by: Alexis Green <agreen@cococorp.com>
    Tested-by: Jesse Jones <jjones@cococorp.com>
    Signed-off-by: Bob Copeland <me@bobcopeland.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit f37667746772aaf74372a661ac9be0e2f8bbf87a
Author: Jean Delvare <jdelvare@suse.de>
Date:   Tue Sep 1 18:07:41 2015 +0200

    tg3: Fix temperature reporting

    [ Upstream commit d3d11fe08ccc9bff174fc958722b5661f0932486 ]

    The temperature registers appear to report values in degrees Celsius
    while the hwmon API mandates values to be exposed in millidegrees
    Celsius. Do the conversion so that the values reported by "sensors"
    are correct.

    Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature")
    Signed-off-by: Jean Delvare <jdelvare@suse.de>
    Cc: Prashant Sreedharan <prashant@broadcom.com>
    Cc: Michael Chan <mchan@broadcom.com>
    Cc: stable@vger.kernel.org [v3.6+]
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 125f124f47bdc80702e69e1b912989bad1398a84
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Mon Aug 10 17:35:07 2015 -0500

    unshare: Unsharing a thread does not require unsharing a vm

    [ Upstream commit 12c641ab8270f787dfcce08b5f20ce8b65008096 ]

    In the logic in the initial commit of unshare made creating a new
    thread group for a process, contingent upon creating a new memory
    address space for that process.  That is wrong.  Two separate
    processes in different thread groups can share a memory address space
    and clone allows creation of such proceses.

    This is significant because it was observed that mm_users > 1 does not
    mean that a process is multi-threaded, as reading /proc/PID/maps
    temporarily increments mm_users, which allows other processes to
    (accidentally) interfere with unshare() calls.

    Correct the check in check_unshare_flags() to test for
    !thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
    For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
    For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.

    By using the correct checks in unshare this removes the possibility of
    an accidental denial of service attack.

    Additionally using the correct checks in unshare ensures that only an
    explicit unshare(CLONE_VM) can possibly trigger the slow path of
    current_is_single_threaded().  As an explict unshare(CLONE_VM) is
    pointless it is not expected there are many applications that make
    that call.

    Cc: stable@vger.kernel.org
    Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
    Reported-by: Ricky Zhou <rickyz@chromium.org>
    Reported-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 14982eddaefdb75c39bb5b1d3459ef21daea33ed
Author: Ming Lei <ming.lei@canonical.com>
Date:   Sun Aug 9 03:41:50 2015 -0400

    blk-mq: fix buffer overflow when reading sysfs file of 'pending'

    [ Upstream commit 596f5aad2a704b72934e5abec1b1b4114c16f45b ]

    There may be lots of pending requests so that the buffer of PAGE_SIZE
    can't hold them at all.

    One typical example is scsi-mq, the queue depth(.can_queue) of
    scsi_host and blk-mq is quite big but scsi_device's queue_depth
    is a bit small(.cmd_per_lun), then it is quite easy to have lots
    of pending requests in hw queue.

    This patch fixes the following warning and the related memory
    destruction.

    [  359.025101] fill_read_buffer: blk_mq_hw_sysfs_show+0x0/0x7d returned bad count^M
    [  359.055595] irq event stamp: 15537^M
    [  359.055606] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
    [  359.055614] Dumping ftrace buffer:^M
    [  359.055660]    (ftrace buffer empty)^M
    [  359.055672] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
    [  359.055678] CPU: 4 PID: 21631 Comm: stress-ng-sysfs Not tainted 4.2.0-rc5-next-20150805 #434^M
    [  359.055679] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
    [  359.055682] task: ffff8802161cc000 ti: ffff88021b4a8000 task.ti: ffff88021b4a8000^M
    [  359.055693] RIP: 0010:[<ffffffff811541c5>]  [<ffffffff811541c5>] __kmalloc+0xe8/0x152^M

    Cc: <stable@vger.kernel.org>
    Signed-off-by: Ming Lei <ming.lei@canonical.com>
    Signed-off-by: Jens Axboe <axboe@fb.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

commit 3c3b6c4338a98d671015c8cc895ef3319c342af5 (tag: 2.9.0_20180918-1544)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Wed Oct 17 14:28:58 2018 +0200

    Version 2.9.0_20180918-1544 released

commit 824af7f4a1fe77948c5e2e9ad297cd006dfc1ee1 (tag: 2.8.0_20180514-1614)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Tue May 29 14:05:49 2018 +0200

    Version 2.8.0_20180514-1614 released

commit da78d0f22f3a31008788071f0b0c7dc69893aa7f (tag: 2.7.0_20180301-0952)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Mon Mar 19 12:49:18 2018 +0100

    Version 2.7.0_20180301-0952 released

commit cae1942ba4d6ba74c3cfd9a9e8e6ebddddb0d542 (tag: 2.6.2_20180126-1035, tag: 2.6.0_20171221-1051)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Fri Dec 29 13:14:00 2017 +0100

    Version 2.6.0_20171221-1051 released

commit eba0fa2f0459fca1207334a8f0e532595bcef53c (tag: 2.5.0_20170911-1032)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Mon Sep 25 12:07:59 2017 +0200

    Version 2.5.0_20170911-1032 released

commit cfd722448994d16140d1ac6289de749f1b6f9c8a (tag: 2.4.0_20170619-0900)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Mon Jun 26 15:06:50 2017 +0200

    Version 2.4.0_20170619-0900 released

commit d53a412245c9ed05f0440270fc83b1db6d250b3b (tag: 2.3.0_20170405-1554)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Mon Apr 24 11:01:59 2017 +0200

    Version 2.3.0_20170405-1554 released

commit 1ebb8de13024abc8a424d8417f75c34daadeaa39 (tag: 2.1.1_20161020-1222)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Mon Oct 31 11:41:10 2016 +0100

    Version 2.1.1_20161020-1222 released

commit 49283b7994e37386c4cfbceaf9927391abfb541b (tag: 2.1.0_20160907-1500)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Mon Oct 31 11:37:24 2016 +0100

    Version 2.1.0_20160907-1500 released

commit ef70771e85978d94062f4d8f48038d3b4a1faec6 (tag: 2.0.0_20160817-1110)
Author: Jenkins <jenkins@bqbot.bq.local>
Date:   Wed Oct 26 16:28:01 2016 +0200

    Version 2.0.0_20160817-1110 released