--- /dev/null
+From 5e45a2589d24573c564630990c88ac93659f8fe4 Mon Sep 17 00:00:00 2001
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+Date: Fri, 19 Feb 2016 20:21:17 +0100
+Subject: ARM: at91/dt: fix typo in sama5d2 pinmux descriptions
+
+From: Ludovic Desroches <ludovic.desroches@atmel.com>
+
+commit 5e45a2589d24573c564630990c88ac93659f8fe4 upstream.
+
+PIN_PA15 macro has the same value as PIN_PA14 so we were overriding PA14
+mux/configuration.
+
+Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Reported-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
+Fixes: 7f16cb676c00 ("ARM: at91/dt: add sama5d2 pinmux")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Olof Johansson <olof@lixom.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/sama5d2-pinfunc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/sama5d2-pinfunc.h
++++ b/arch/arm/boot/dts/sama5d2-pinfunc.h
+@@ -90,7 +90,7 @@
+ #define PIN_PA14__I2SC1_MCK PINMUX_PIN(PIN_PA14, 4, 2)
+ #define PIN_PA14__FLEXCOM3_IO2 PINMUX_PIN(PIN_PA14, 5, 1)
+ #define PIN_PA14__D9 PINMUX_PIN(PIN_PA14, 6, 2)
+-#define PIN_PA15 14
++#define PIN_PA15 15
+ #define PIN_PA15__GPIO PINMUX_PIN(PIN_PA15, 0, 0)
+ #define PIN_PA15__SPI0_MOSI PINMUX_PIN(PIN_PA15, 1, 1)
+ #define PIN_PA15__TF1 PINMUX_PIN(PIN_PA15, 2, 1)
--- /dev/null
+From 3f315c5b850fa7aff73f50de8e316b98f611a32b Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Fri, 5 Feb 2016 16:37:08 +0200
+Subject: ARM: OMAP2+: Fix onenand initialization to avoid filesystem corruption
+
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+
+commit 3f315c5b850fa7aff73f50de8e316b98f611a32b upstream.
+
+Commit e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid
+filesystem corruption") partially fixed onenand configuration when GPMC
+module is reset. Finish the job by also providing the correct values in
+ONENAND_REG_SYS_CFG1 register.
+
+Fixes: e7b11dc7b77b ("ARM: OMAP2+: Fix onenand rate detection to avoid
+filesystem corruption")
+Signed-off-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/gpmc-onenand.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/mach-omap2/gpmc-onenand.c
++++ b/arch/arm/mach-omap2/gpmc-onenand.c
+@@ -101,10 +101,8 @@ static void omap2_onenand_set_async_mode
+
+ static void set_onenand_cfg(void __iomem *onenand_base)
+ {
+- u32 reg;
++ u32 reg = ONENAND_SYS_CFG1_RDY | ONENAND_SYS_CFG1_INT;
+
+- reg = readw(onenand_base + ONENAND_REG_SYS_CFG1);
+- reg &= ~((0x7 << ONENAND_SYS_CFG1_BRL_SHIFT) | (0x7 << 9));
+ reg |= (latency << ONENAND_SYS_CFG1_BRL_SHIFT) |
+ ONENAND_SYS_CFG1_BL_16;
+ if (onenand_flags & ONENAND_FLAG_SYNCREAD)
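Review bot: In set_onenand_cfg() the value is now built from `ONENAND_SYS_CFG1_RDY | ONENAND_SYS_CFG1_INT` instead of being read back, so every bit previously held in ONENAND_REG_SYS_CFG1 is discarded, and nothing in the code says this is deliberate. I would add a comment above the initialiser, for example `/* build SYS_CFG1 from scratch: its contents cannot be relied on after a GPMC reset */`, which is what the commit message implies. With a constant starting value, the `reg &= ~ONENAND_SYS_CFG1_VHF;` else-branch visible in the next hunk looks redundant unless one of the two initial flags overlaps it; worth confirming. The function body continues past this hunk.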
+@@ -123,6 +121,7 @@ static void set_onenand_cfg(void __iomem
+ reg |= ONENAND_SYS_CFG1_VHF;
+ else
+ reg &= ~ONENAND_SYS_CFG1_VHF;
++
+ writew(reg, onenand_base + ONENAND_REG_SYS_CFG1);
+ }
+
+@@ -289,6 +288,7 @@ static int omap2_onenand_setup_async(voi
+ }
+ }
+
++ onenand_async.sync_write = true;
+ omap2_onenand_calc_async_timings(&t);
+
+ ret = gpmc_cs_program_settings(gpmc_onenand_data->cs, &onenand_async);
--- /dev/null
+From 2d99b55d378c996b9692a0c93dd25f4ed5d58934 Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke <hare@suse.de>
+Date: Fri, 12 Feb 2016 09:39:15 +0100
+Subject: bio: return EINTR if copying to user space got interrupted
+
+From: Hannes Reinecke <hare@suse.de>
+
+commit 2d99b55d378c996b9692a0c93dd25f4ed5d58934 upstream.
+
+Commit 35dc248383bbab0a7203fca4d722875bc81ef091 introduced a check for
+current->mm to see if we have a user space context and only copies data
+if we do. Now if an IO gets interrupted by a signal data isn't copied
+into user space any more (as we don't have a user space context) but
+user space isn't notified about it.
+
+This patch modifies the behaviour to return -EINTR from bio_uncopy_user()
+to notify userland that a signal has interrupted the syscall, otherwise
+it could lead to a situation where the caller may get a buffer with
+no data returned.
+
+This can be reproduced by issuing SG_IO ioctl()s in one thread while
+constantly sending signals to it.
+
+Fixes: 35dc248 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/bio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1090,9 +1090,12 @@ int bio_uncopy_user(struct bio *bio)
+ if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
+ /*
+ * if we're in a workqueue, the request is orphaned, so
+- * don't copy into a random user address space, just free.
++ * don't copy into a random user address space, just free
++ * and return -EINTR so user space doesn't expect any data.
+ */
+- if (current->mm && bio_data_dir(bio) == READ)
++ if (!current->mm)
++ ret = -EINTR;
++ else if (bio_data_dir(bio) == READ)
+ ret = bio_copy_to_iter(bio, bmd->iter);
+ if (bmd->is_our_pages)
+ bio_free_pages(bio);
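Review bot: The new `if (!current->mm) ret = -EINTR;` branch is taken for every bio direction, not only READ, so a write-direction bio finished without a user context now also reports -EINTR although nothing had to be copied back. The updated comment only covers the "don't expect any data" case; if the wider behaviour is intended, say so there, for example `* -EINTR is returned for writes too: the request was orphaned`. If it is not intended, the test could be nested under the direction check, `if (bio_data_dir(bio) == READ) ret = current->mm ? bio_copy_to_iter(bio, bmd->iter) : -EINTR;`. How callers treat the return value is not visible, since bio_uncopy_user() starts and ends outside this hunk.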
--- /dev/null
+From 7ddc971f86aa0a4cee9f6886c356a052461957ae Mon Sep 17 00:00:00 2001
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+Date: Sat, 30 Jan 2016 19:09:59 +0300
+Subject: block: fix use-after-free in dio_bio_complete
+
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+
+commit 7ddc971f86aa0a4cee9f6886c356a052461957ae upstream.
+
+kasan reported the following error when i ran xfstest:
+
+[ 701.826854] ==================================================================
+[ 701.826864] BUG: KASAN: use-after-free in dio_bio_complete+0x41a/0x600 at addr ffff880080b95f94
+[ 701.826870] Read of size 4 by task loop2/3874
+[ 701.826879] page:ffffea000202e540 count:0 mapcount:0 mapping: (null) index:0x0
+[ 701.826890] flags: 0x100000000000000()
+[ 701.826895] page dumped because: kasan: bad access detected
+[ 701.826904] CPU: 3 PID: 3874 Comm: loop2 Tainted: G B W L 4.5.0-rc1-next-20160129 #83
+[ 701.826910] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013
+[ 701.826917] ffff88008fadf800 ffff88008fadf758 ffffffff81ca67bb 0000000041b58ab3
+[ 701.826941] ffffffff830d1e74 ffffffff81ca6724 ffff88008fadf748 ffffffff8161c05c
+[ 701.826963] 0000000000000282 ffff88008fadf800 ffffed0010172bf2 ffffea000202e540
+[ 701.826987] Call Trace:
+[ 701.826997] [<ffffffff81ca67bb>] dump_stack+0x97/0xdc
+[ 701.827005] [<ffffffff81ca6724>] ? _atomic_dec_and_lock+0xc4/0xc4
+[ 701.827014] [<ffffffff8161c05c>] ? __dump_page+0x32c/0x490
+[ 701.827023] [<ffffffff816b0d03>] kasan_report_error+0x5f3/0x8b0
+[ 701.827033] [<ffffffff817c302a>] ? dio_bio_complete+0x41a/0x600
+[ 701.827040] [<ffffffff816b1119>] __asan_report_load4_noabort+0x59/0x80
+[ 701.827048] [<ffffffff817c302a>] ? dio_bio_complete+0x41a/0x600
+[ 701.827053] [<ffffffff817c302a>] dio_bio_complete+0x41a/0x600
+[ 701.827057] [<ffffffff81bd19c8>] ? blk_queue_exit+0x108/0x270
+[ 701.827060] [<ffffffff817c32b0>] dio_bio_end_aio+0xa0/0x4d0
+[ 701.827063] [<ffffffff817c3210>] ? dio_bio_complete+0x600/0x600
+[ 701.827067] [<ffffffff81bd2806>] ? blk_account_io_completion+0x316/0x5d0
+[ 701.827070] [<ffffffff81bafe89>] bio_endio+0x79/0x200
+[ 701.827074] [<ffffffff81bd2c9f>] blk_update_request+0x1df/0xc50
+[ 701.827078] [<ffffffff81c02c27>] blk_mq_end_request+0x57/0x120
+[ 701.827081] [<ffffffff81c03670>] __blk_mq_complete_request+0x310/0x590
+[ 701.827084] [<ffffffff812348d8>] ? set_next_entity+0x2f8/0x2ed0
+[ 701.827088] [<ffffffff8124b34d>] ? put_prev_entity+0x22d/0x2a70
+[ 701.827091] [<ffffffff81c0394b>] blk_mq_complete_request+0x5b/0x80
+[ 701.827094] [<ffffffff821e2a33>] loop_queue_work+0x273/0x19d0
+[ 701.827098] [<ffffffff811f6578>] ? finish_task_switch+0x1c8/0x8e0
+[ 701.827101] [<ffffffff8129d058>] ? trace_hardirqs_on_caller+0x18/0x6c0
+[ 701.827104] [<ffffffff821e27c0>] ? lo_read_simple+0x890/0x890
+[ 701.827108] [<ffffffff8129dd60>] ? debug_check_no_locks_freed+0x350/0x350
+[ 701.827111] [<ffffffff811f63b0>] ? __hrtick_start+0x130/0x130
+[ 701.827115] [<ffffffff82a0c8f6>] ? __schedule+0x936/0x20b0
+[ 701.827118] [<ffffffff811dd6bd>] ? kthread_worker_fn+0x3ed/0x8d0
+[ 701.827121] [<ffffffff811dd4ed>] ? kthread_worker_fn+0x21d/0x8d0
+[ 701.827125] [<ffffffff8129d058>] ? trace_hardirqs_on_caller+0x18/0x6c0
+[ 701.827128] [<ffffffff811dd57f>] kthread_worker_fn+0x2af/0x8d0
+[ 701.827132] [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
+[ 701.827135] [<ffffffff82a1ea46>] ? _raw_spin_unlock_irqrestore+0x36/0x60
+[ 701.827138] [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
+[ 701.827141] [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
+[ 701.827144] [<ffffffff811dd00b>] kthread+0x24b/0x3a0
+[ 701.827148] [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
+[ 701.827151] [<ffffffff8129d70d>] ? trace_hardirqs_on+0xd/0x10
+[ 701.827155] [<ffffffff8116d41d>] ? do_group_exit+0xdd/0x350
+[ 701.827158] [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
+[ 701.827161] [<ffffffff82a1f52f>] ret_from_fork+0x3f/0x70
+[ 701.827165] [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
+[ 701.827167] Memory state around the buggy address:
+[ 701.827170] ffff880080b95e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 701.827172] ffff880080b95f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 701.827175] >ffff880080b95f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 701.827177] ^
+[ 701.827179] ffff880080b96000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 701.827182] ffff880080b96080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 701.827183] ==================================================================
+
+The problem is that bio_check_pages_dirty calls bio_put, so we must
+not access bio fields after bio_check_pages_dirty.
+
+Fixes: 9b81c842355ac96097ba ("block: don't access bio->bi_error after bio_put()").
+Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/fs/direct-io.c b/fs/direct-io.c
+index 1b2f7ffc8b84..d6a9012d42ad 100644
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -472,8 +472,8 @@ static int dio_bio_complete(struct dio *dio, struct bio *bio)
+ dio->io_error = -EIO;
+
+ if (dio->is_async && dio->rw == READ && dio->should_dirty) {
+- bio_check_pages_dirty(bio); /* transfers ownership */
+ err = bio->bi_error;
++ bio_check_pages_dirty(bio); /* transfers ownership */
+ } else {
+ bio_for_each_segment_all(bvec, bio, i) {
+ struct page *page = bvec->bv_page;
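Review bot: The order of `err = bio->bi_error;` and `bio_check_pages_dirty(bio);` is now what prevents the use-after-free, yet the only hint is the old comment "transfers ownership". I would make the constraint explicit on that line, for example `bio_check_pages_dirty(bio); /* transfers ownership: bio may already be freed, do not touch it below */`, so a later tidy-up does not swap the lines back. The remainder of dio_bio_complete() is outside this hunk, so it is worth checking that nothing after the async branch reads from bio again.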
--- /dev/null
+From aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 21 Jan 2016 15:31:11 -0500
+Subject: cgroup: make sure a parent css isn't offlined before its children
+
+From: Tejun Heo <tj@kernel.org>
+
+commit aa226ff4a1ce79f229c6b7a4c0a14e17fececd01 upstream.
+
+There are three subsystem callbacks in css shutdown path -
+css_offline(), css_released() and css_free(). Except for
+css_released(), cgroup core didn't guarantee the order of invocation.
+css_offline() or css_free() could be called on a parent css before its
+children. This behavior is unexpected and led to bugs in cpu and
+memory controller.
+
+This patch updates offline path so that a parent css is never offlined
+before its children. Each css keeps online_cnt which reaches zero iff
+itself and all its children are offline and offline_css() is invoked
+only after online_cnt reaches zero.
+
+This fixes the memory controller bug and allows the fix for cpu
+controller.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reported-by: Brian Christiansen <brian.o.christiansen@gmail.com>
+Link: http://lkml.kernel.org/g/5698A023.9070703@de.ibm.com
+Link: http://lkml.kernel.org/g/CAKB58ikDkzc8REt31WBkD99+hxNzjK4+FBmhkgS+NVrC9vjMSg@mail.gmail.com
+Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/cgroup-defs.h | 6 ++++++
+ kernel/cgroup.c | 22 +++++++++++++++++-----
+ 2 files changed, 23 insertions(+), 5 deletions(-)
+
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -133,6 +133,12 @@ struct cgroup_subsys_state {
+ */
+ u64 serial_nr;
+
++ /*
++ * Incremented by online self and children. Used to guarantee that
++ * parents are not offlined before their children.
++ */
++ atomic_t online_cnt;
++
+ /* percpu_ref killing and RCU release */
+ struct rcu_head rcu_head;
+ struct work_struct destroy_work;
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -4784,6 +4784,7 @@ static void init_and_link_css(struct cgr
+ INIT_LIST_HEAD(&css->sibling);
+ INIT_LIST_HEAD(&css->children);
+ css->serial_nr = css_serial_nr_next++;
++ atomic_set(&css->online_cnt, 0);
+
+ if (cgroup_parent(cgrp)) {
+ css->parent = cgroup_css(cgroup_parent(cgrp), ss);
+@@ -4806,6 +4807,10 @@ static int online_css(struct cgroup_subs
+ if (!ret) {
+ css->flags |= CSS_ONLINE;
+ rcu_assign_pointer(css->cgroup->subsys[ss->id], css);
++
++ atomic_inc(&css->online_cnt);
++ if (css->parent)
++ atomic_inc(&css->parent->online_cnt);
+ }
+ return ret;
+ }
+@@ -5037,10 +5042,15 @@ static void css_killed_work_fn(struct wo
+ container_of(work, struct cgroup_subsys_state, destroy_work);
+
+ mutex_lock(&cgroup_mutex);
+- offline_css(css);
+- mutex_unlock(&cgroup_mutex);
+
+- css_put(css);
++ do {
++ offline_css(css);
++ css_put(css);
++ /* @css can't go away while we're holding cgroup_mutex */
++ css = css->parent;
++ } while (css && atomic_dec_and_test(&css->online_cnt));
++
++ mutex_unlock(&cgroup_mutex);
+ }
+
+ /* css kill confirmation processing requires process context, bounce */
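Review bot: In the new loop in css_killed_work_fn(), `css = css->parent;` reads from css after `css_put(css)` has dropped the reference, so the safety of that read rests entirely on the one-line comment about cgroup_mutex. The release path that would have to take cgroup_mutex before freeing is not visible in this hunk, so the comment should name it, along the lines of `/* @css can't go away: its release work also takes cgroup_mutex (see <release function>) */`. Loading the parent pointer before the put would make the dereference of css itself obviously safe, but the parent's lifetime while `atomic_dec_and_test(&css->online_cnt)` runs still depends on the same guarantee, so documenting it is the important part.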
+@@ -5049,8 +5059,10 @@ static void css_killed_ref_fn(struct per
+ struct cgroup_subsys_state *css =
+ container_of(ref, struct cgroup_subsys_state, refcnt);
+
+- INIT_WORK(&css->destroy_work, css_killed_work_fn);
+- queue_work(cgroup_destroy_wq, &css->destroy_work);
++ if (atomic_dec_and_test(&css->online_cnt)) {
++ INIT_WORK(&css->destroy_work, css_killed_work_fn);
++ queue_work(cgroup_destroy_wq, &css->destroy_work);
++ }
+ }
+
+ /**
--- /dev/null
+From c80567c82ae4814a41287618e315a60ecf513be6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 27 Feb 2016 19:17:33 -0500
+Subject: do_last(): don't let a bogus return value from ->open() et.al. to confuse us
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c80567c82ae4814a41287618e315a60ecf513be6 upstream.
+
+... into returning a positive to path_openat(), which would interpret that
+as "symlink had been encountered" and proceed to corrupt memory, etc.
+It can only happen due to a bug in some ->open() instance or in some LSM
+hook, etc., so we report any such event *and* make sure it doesn't trick
+us into further unpleasantness.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3210,6 +3210,10 @@ opened:
+ goto exit_fput;
+ }
+ out:
++ if (unlikely(error > 0)) {
++ WARN_ON(1);
++ error = -EINVAL;
++ }
+ if (got_write)
+ mnt_drop_write(nd->path.mnt);
+ path_put(&save_parent);
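Review bot: The check added at the `out:` label uses an unconditional `WARN_ON(1)`, which prints a full backtrace on every open that hits the misbehaving ->open() instance or LSM hook and records nothing about the offending value. Since the trigger is a bug in another component that may be hit repeatedly, a once-only form that logs the value would be easier to triage and would not flood the log, e.g. `if (WARN_ONCE(error > 0, "do_last: bogus positive return %d\n", error)) error = -EINVAL;`. Either form still halts a machine running with panic_on_warn, which operators of such systems should know. do_last() starts and ends outside this hunk.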
--- /dev/null
+From 5129fa482b16615fd4464d2f5d23acb1b7056c66 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 27 Feb 2016 19:37:37 -0500
+Subject: do_last(): ELOOP failure exit should be done after leaving RCU mode
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 5129fa482b16615fd4464d2f5d23acb1b7056c66 upstream.
+
+... or we risk seeing a bogus value of d_is_symlink() there.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3149,11 +3149,6 @@ finish_lookup:
+ if (unlikely(error))
+ return error;
+
+- if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
+- path_to_nameidata(&path, nd);
+- return -ELOOP;
+- }
+-
+ if ((nd->flags & LOOKUP_RCU) || nd->path.mnt != path.mnt) {
+ path_to_nameidata(&path, nd);
+ } else {
+@@ -3172,6 +3167,10 @@ finish_open:
+ return error;
+ }
+ audit_inode(nd->name, nd->path.dentry, 0);
++ if (unlikely(d_is_symlink(nd->path.dentry)) && !(open_flag & O_PATH)) {
++ error = -ELOOP;
++ goto out;
++ }
+ error = -EISDIR;
+ if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
+ goto out;
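Review bot: The relocated `d_is_symlink(nd->path.dentry)` test under finish_open carries no comment explaining why it has to sit here rather than in finish_lookup, which makes it an easy target for a later "fail early" cleanup that would move it back into RCU mode. I would add above it `/* must run after leaving RCU mode: d_is_symlink() on a not-yet-validated dentry can be bogus */`. The check now also runs after `audit_inode()` and leaves through `out` instead of returning directly; both look intentional, but the `out` cleanup is not visible in this hunk, so that cannot be confirmed from here.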
--- /dev/null
+From b6853f78e763d42c7a158d8de3549c9827c604ab Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mikulas@twibright.com>
+Date: Thu, 25 Feb 2016 18:17:38 +0100
+Subject: hpfs: don't truncate the file when delete fails
+
+From: Mikulas Patocka <mikulas@twibright.com>
+
+commit b6853f78e763d42c7a158d8de3549c9827c604ab upstream.
+
+The delete opration can allocate additional space on the HPFS filesystem
+due to btree split. The HPFS driver checks in advance if there is
+available space, so that it won't corrupt the btree if we run out of space
+during splitting.
+
+If there is not enough available space, the HPFS driver attempted to
+truncate the file, but this results in a deadlock since the commit
+7dd29d8d865efdb00c0542a5d2c87af8c52ea6c7 ("HPFS: Introduce a global mutex
+and lock it on every callback from VFS").
+
+This patch removes the code that tries to truncate the file and -ENOSPC is
+returned instead. If the user hits -ENOSPC on delete, he should try to
+delete other files (that are stored in a leaf btree node), so that the
+delete operation will make some space for deleting the file stored in
+non-leaf btree node.
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Signed-off-by: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hpfs/namei.c | 31 +++----------------------------
+ 1 file changed, 3 insertions(+), 28 deletions(-)
+
+--- a/fs/hpfs/namei.c
++++ b/fs/hpfs/namei.c
+@@ -375,12 +375,11 @@ static int hpfs_unlink(struct inode *dir
+ struct inode *inode = d_inode(dentry);
+ dnode_secno dno;
+ int r;
+- int rep = 0;
+ int err;
+
+ hpfs_lock(dir->i_sb);
+ hpfs_adjust_length(name, &len);
+-again:
++
+ err = -ENOENT;
+ de = map_dirent(dir, hpfs_i(dir)->i_dno, name, len, &dno, &qbh);
+ if (!de)
+@@ -400,33 +399,9 @@ again:
+ hpfs_error(dir->i_sb, "there was error when removing dirent");
+ err = -EFSERROR;
+ break;
+- case 2: /* no space for deleting, try to truncate file */
+-
++ case 2: /* no space for deleting */
+ err = -ENOSPC;
+- if (rep++)
+- break;
+-
+- dentry_unhash(dentry);
+- if (!d_unhashed(dentry)) {
+- hpfs_unlock(dir->i_sb);
+- return -ENOSPC;
+- }
+- if (generic_permission(inode, MAY_WRITE) ||
+- !S_ISREG(inode->i_mode) ||
+- get_write_access(inode)) {
+- d_rehash(dentry);
+- } else {
+- struct iattr newattrs;
+- /*pr_info("truncating file before delete.\n");*/
+- newattrs.ia_size = 0;
+- newattrs.ia_valid = ATTR_SIZE | ATTR_CTIME;
+- err = notify_change(dentry, &newattrs, NULL);
+- put_write_access(inode);
+- if (!err)
+- goto again;
+- }
+- hpfs_unlock(dir->i_sb);
+- return -ENOSPC;
++ break;
+ default:
+ drop_nlink(inode);
+ err = 0;
--- /dev/null
+From 1a1503c5396eb7f2edf4b8ef6067853014478c0c Mon Sep 17 00:00:00 2001
+From: Alexandra Yates <alexandra.yates@linux.intel.com>
+Date: Wed, 17 Feb 2016 18:21:21 -0800
+Subject: i2c: i801: Adding Intel Lewisburg support for iTCO
+
+From: Alexandra Yates <alexandra.yates@linux.intel.com>
+
+commit 1a1503c5396eb7f2edf4b8ef6067853014478c0c upstream.
+
+Starting from Intel Sunrisepoint (Skylake PCH) the iTCO watchdog
+resources have been moved to reside under the i801 SMBus host
+controller whereas previously they were under the LPC device.
+
+This patch adds Intel lewisburg SMBus support for iTCO device.
+It allows to load watchdog dynamically when the hardware is
+present.
+
+Fixes: cdc5a3110e7c ("i2c: i801: add Intel Lewisburg device IDs")
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Alexandra Yates <alexandra.yates@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-i801.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -1271,6 +1271,8 @@ static int i801_probe(struct pci_dev *de
+ switch (dev->device) {
+ case PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_SMBUS:
+ case PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_SMBUS:
++ case PCI_DEVICE_ID_INTEL_LEWISBURG_SMBUS:
++ case PCI_DEVICE_ID_INTEL_LEWISBURG_SSKU_SMBUS:
+ case PCI_DEVICE_ID_INTEL_DNV_SMBUS:
+ priv->features |= FEATURE_I2C_BLOCK_READ;
+ priv->features |= FEATURE_IRQ;
--- /dev/null
+From 59ceeaaf355fa0fb16558ef7c24413c804932ada Mon Sep 17 00:00:00 2001
+From: Simon Guinot <simon.guinot@sequanux.org>
+Date: Thu, 10 Sep 2015 00:15:18 +0200
+Subject: kernel/resource.c: fix muxed resource handling in __request_region()
+
+From: Simon Guinot <simon.guinot@sequanux.org>
+
+commit 59ceeaaf355fa0fb16558ef7c24413c804932ada upstream.
+
+In __request_region, if a conflict with a BUSY and MUXED resource is
+detected, then the caller goes to sleep and waits for the resource to be
+released. A pointer on the conflicting resource is kept. At wake-up
+this pointer is used as a parent to retry to request the region.
+
+A first problem is that this pointer might well be invalid (if for
+example the conflicting resource have already been freed). Another
+problem is that the next call to __request_region() fails to detect a
+remaining conflict. The previously conflicting resource is passed as a
+parameter and __request_region() will look for a conflict among the
+children of this resource and not at the resource itself. It is likely
+to succeed anyway, even if there is still a conflict.
+
+Instead, the parent of the conflicting resource should be passed to
+__request_region().
+
+As a fix, this patch doesn't update the parent resource pointer in the
+case we have to wait for a muxed region right after.
+
+Reported-and-tested-by: Vincent Pelletier <plr.vincent@gmail.com>
+Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
+Tested-by: Vincent Donnefort <vdonnefort@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/resource.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/resource.c
++++ b/kernel/resource.c
+@@ -1083,9 +1083,10 @@ struct resource * __request_region(struc
+ if (!conflict)
+ break;
+ if (conflict != parent) {
+- parent = conflict;
+- if (!(conflict->flags & IORESOURCE_BUSY))
++ if (!(conflict->flags & IORESOURCE_BUSY)) {
++ parent = conflict;
+ continue;
++ }
+ }
+ if (conflict->flags & flags & IORESOURCE_MUXED) {
+ add_wait_queue(&muxed_resource_wait, &wait);
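Review bot: The reason `parent = conflict;` moved inside the `!(conflict->flags & IORESOURCE_BUSY)` branch exists only in the commit message; the code gives no hint that updating parent for a busy conflict leads to a retry against a resource that may have been freed while the caller slept. A comment above the inner `if`, such as `/* descend only into non-busy conflicts; a busy one may be gone by the time we wake up */`, would keep that invariant visible. The muxed wait path continues outside this hunk, so whether `conflict` is still dereferenced after wake-up cannot be checked here.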
--- /dev/null
+From 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Tue, 16 Feb 2016 14:47:31 +0000
+Subject: KVM: arm/arm64: vgic: Ensure bitmaps are long enough
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 236cf17c2502007a9d2dda3c39fb0d9a6bd03cc2 upstream.
+
+When we allocate bitmaps in vgic_vcpu_init_maps, we divide the number of
+bits we need by 8 to figure out how many bytes to allocate. However,
+bitmap elements are always accessed as unsigned longs, and if we didn't
+happen to allocate a size such that size % sizeof(unsigned long) == 0,
+bitmap accesses may go past the end of the allocation.
+
+When using KASAN (which does byte-granular access checks), this results
+in a continuous stream of BUGs whenever these bitmaps are accessed:
+
+=============================================================================
+BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+INFO: Allocated in vgic_init.part.25+0x55c/0x990 age=7493 cpu=3 pid=1730
+INFO: Slab 0xffffffbde6d5da40 objects=16 used=15 fp=0xffffffc935769700 flags=0x4000000000000080
+INFO: Object 0xffffffc935769500 @offset=1280 fp=0x (null)
+
+Bytes b4 ffffffc9357694f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffffffc935769570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Padding ffffffc9357695b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Padding ffffffc9357695c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Padding ffffffc9357695d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Padding ffffffc9357695e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Padding ffffffc9357695f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+CPU: 3 PID: 1740 Comm: kvm-vcpu-0 Tainted: G B 4.4.0+ #17
+Hardware name: ARM Juno development board (r1) (DT)
+Call trace:
+[<ffffffc00008e770>] dump_backtrace+0x0/0x280
+[<ffffffc00008ea04>] show_stack+0x14/0x20
+[<ffffffc000726360>] dump_stack+0x100/0x188
+[<ffffffc00030d324>] print_trailer+0xfc/0x168
+[<ffffffc000312294>] object_err+0x3c/0x50
+[<ffffffc0003140fc>] kasan_report_error+0x244/0x558
+[<ffffffc000314548>] __asan_report_load8_noabort+0x48/0x50
+[<ffffffc000745688>] __bitmap_or+0xc0/0xc8
+[<ffffffc0000d9e44>] kvm_vgic_flush_hwstate+0x1bc/0x650
+[<ffffffc0000c514c>] kvm_arch_vcpu_ioctl_run+0x2ec/0xa60
+[<ffffffc0000b9a6c>] kvm_vcpu_ioctl+0x474/0xa68
+[<ffffffc00036b7b0>] do_vfs_ioctl+0x5b8/0xcb0
+[<ffffffc00036bf34>] SyS_ioctl+0x8c/0xa0
+[<ffffffc000086cb0>] el0_svc_naked+0x24/0x28
+Memory state around the buggy address:
+ ffffffc935769400: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffffc935769480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffffffc935769500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffffffc935769580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffffc935769600: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Fix the issue by always allocating a multiple of sizeof(unsigned long),
+as we do elsewhere in the vgic code.
+
+Fixes: c1bfb577a ("arm/arm64: KVM: vgic: switch to dynamic allocation")
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic.c
++++ b/virt/kvm/arm/vgic.c
+@@ -1875,8 +1875,8 @@ void kvm_vgic_vcpu_destroy(struct kvm_vc
+ static int vgic_vcpu_init_maps(struct kvm_vcpu *vcpu, int nr_irqs)
+ {
+ struct vgic_cpu *vgic_cpu = &vcpu->arch.vgic_cpu;
+-
+- int sz = (nr_irqs - VGIC_NR_PRIVATE_IRQS) / 8;
++ int nr_longs = BITS_TO_LONGS(nr_irqs - VGIC_NR_PRIVATE_IRQS);
++ int sz = nr_longs * sizeof(unsigned long);
+ vgic_cpu->pending_shared = kzalloc(sz, GFP_KERNEL);
+ vgic_cpu->active_shared = kzalloc(sz, GFP_KERNEL);
+ vgic_cpu->pend_act_shared = kzalloc(sz, GFP_KERNEL);
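Review bot: `nr_longs` and `sz` in vgic_vcpu_init_maps() are plain `int` values derived from `nr_irqs - VGIC_NR_PRIVATE_IRQS`, so an nr_irqs below VGIC_NR_PRIVATE_IRQS hands BITS_TO_LONGS a negative operand and the result is then converted to an unsigned size when passed to kzalloc(). The range check on nr_irqs is presumably done by a caller that is not visible here; I would either state that in a comment or, once nr_irqs is known to be valid, compute the size unsigned, `size_t sz = BITS_TO_LONGS(nr_irqs - VGIC_NR_PRIVATE_IRQS) * sizeof(unsigned long);`. The three kzalloc() results are not checked within the visible lines; the function continues past the hunk, so confirm the NULL checks follow.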
--- /dev/null
+From d7444794a02ff655eda87e3cc54e86b940e7736f Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Fri, 19 Feb 2016 13:11:46 +0100
+Subject: KVM: async_pf: do not warn on page allocation failures
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit d7444794a02ff655eda87e3cc54e86b940e7736f upstream.
+
+In async_pf we try to allocate with NOWAIT to get an element quickly
+or fail. This code also handle failures gracefully. Lets silence
+potential page allocation failures under load.
+
+qemu-system-s39: page allocation failure: order:0,mode:0x2200000
+[...]
+Call Trace:
+([<00000000001146b8>] show_trace+0xf8/0x148)
+[<000000000011476a>] show_stack+0x62/0xe8
+[<00000000004a36b8>] dump_stack+0x70/0x98
+[<0000000000272c3a>] warn_alloc_failed+0xd2/0x148
+[<000000000027709e>] __alloc_pages_nodemask+0x94e/0xb38
+[<00000000002cd36a>] new_slab+0x382/0x400
+[<00000000002cf7ac>] ___slab_alloc.constprop.30+0x2dc/0x378
+[<00000000002d03d0>] kmem_cache_alloc+0x160/0x1d0
+[<0000000000133db4>] kvm_setup_async_pf+0x6c/0x198
+[<000000000013dee8>] kvm_arch_vcpu_ioctl_run+0xd48/0xd58
+[<000000000012fcaa>] kvm_vcpu_ioctl+0x372/0x690
+[<00000000002f66f6>] do_vfs_ioctl+0x3be/0x510
+[<00000000002f68ec>] SyS_ioctl+0xa4/0xb8
+[<0000000000781c5e>] system_call+0xd6/0x264
+[<000003ffa24fa06a>] 0x3ffa24fa06a
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/async_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/async_pf.c
++++ b/virt/kvm/async_pf.c
+@@ -173,7 +173,7 @@ int kvm_setup_async_pf(struct kvm_vcpu *
+ * do alloc nowait since if we are going to sleep anyway we
+ * may as well sleep faulting in page
+ */
+- work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT);
++ work = kmem_cache_zalloc(async_pf_cache, GFP_NOWAIT | __GFP_NOWARN);
+ if (!work)
+ return 0;
+
--- /dev/null
+From 0c1d77f4ba5cc9c05a29adca3d6466cdf4969b70 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 19 Feb 2016 18:07:21 +0100
+Subject: KVM: x86: fix conversion of addresses to linear in 32-bit protected mode
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 0c1d77f4ba5cc9c05a29adca3d6466cdf4969b70 upstream.
+
+Commit e8dd2d2d641c ("Silence compiler warning in arch/x86/kvm/emulate.c",
+2015-09-06) broke boot of the Hurd. The bug is that the "default:"
+case actually could modify "la", but after the patch this change is
+not reflected in *linear.
+
+The bug is visible whenever a non-zero segment base causes the linear
+address to wrap around the 4GB mark.
+
+Fixes: e8dd2d2d641cb2724ee10e76c0ad02e04289c017
+Reported-by: Aurelien Jarno <aurelien@aurel32.net>
+Tested-by: Aurelien Jarno <aurelien@aurel32.net>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/emulate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -650,10 +650,10 @@ static __always_inline int __linearize(s
+ u16 sel;
+
+ la = seg_base(ctxt, addr.seg) + addr.ea;
+- *linear = la;
+ *max_size = 0;
+ switch (mode) {
+ case X86EMUL_MODE_PROT64:
++ *linear = la;
+ if (is_noncanonical_address(la))
+ goto bad;
+
+@@ -662,6 +662,7 @@ static __always_inline int __linearize(s
+ goto bad;
+ break;
+ default:
++ *linear = la = (u32)la;
+ usable = ctxt->ops->get_segment(ctxt, &sel, &desc, NULL,
+ addr.seg);
+ if (!usable)
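Review bot: `*linear = la = (u32)la;` in the default case folds a truncation and two stores into one chained assignment with no comment, although that truncation is exactly what the fix depends on. I would split it and say why: `la = (u32)la; /* non-64-bit modes: linear address wraps at 4GB */` followed by `*linear = la;`. Because *linear is now written per case instead of once before the switch, any mode-specific case added later has to remember to set it; a one-line comment at the top of the switch would make that requirement visible. The rest of the default case and the end of __linearize() lie outside this hunk.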
+@@ -689,7 +690,6 @@ static __always_inline int __linearize(s
+ if (size > *max_size)
+ goto bad;
+ }
+- la &= (u32)-1;
+ break;
+ }
+ if (insn_aligned(ctxt, size) && ((la & (size - 1)) != 0))
--- /dev/null
+From 172b2386ed16a9143d9a456aae5ec87275c61489 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 10 Feb 2016 17:50:23 +0100
+Subject: KVM: x86: fix missed hardware breakpoints
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 172b2386ed16a9143d9a456aae5ec87275c61489 upstream.
+
+Sometimes when setting a breakpoint a process doesn't stop on it.
+This is because the debug registers are not loaded correctly on
+VCPU load.
+
+The following simple reproducer from Oleg Nesterov tries using debug
+registers in two threads. To see the bug, run a 2-VCPU guest with
+"taskset -c 0" and run "./bp 0 1" inside the guest.
+
+ #include <unistd.h>
+ #include <signal.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <sys/wait.h>
+ #include <sys/ptrace.h>
+ #include <sys/user.h>
+ #include <asm/debugreg.h>
+ #include <assert.h>
+
+ #define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
+
+ unsigned long encode_dr7(int drnum, int enable, unsigned int type, unsigned int len)
+ {
+ unsigned long dr7;
+
+ dr7 = ((len | type) & 0xf)
+ << (DR_CONTROL_SHIFT + drnum * DR_CONTROL_SIZE);
+ if (enable)
+ dr7 |= (DR_GLOBAL_ENABLE << (drnum * DR_ENABLE_SIZE));
+
+ return dr7;
+ }
+
+ int write_dr(int pid, int dr, unsigned long val)
+ {
+ return ptrace(PTRACE_POKEUSER, pid,
+ offsetof (struct user, u_debugreg[dr]),
+ val);
+ }
+
+ void set_bp(pid_t pid, void *addr)
+ {
+ unsigned long dr7;
+ assert(write_dr(pid, 0, (long)addr) == 0);
+ dr7 = encode_dr7(0, 1, DR_RW_EXECUTE, DR_LEN_1);
+ assert(write_dr(pid, 7, dr7) == 0);
+ }
+
+ void *get_rip(int pid)
+ {
+ return (void*)ptrace(PTRACE_PEEKUSER, pid,
+ offsetof(struct user, regs.rip), 0);
+ }
+
+ void test(int nr)
+ {
+ void *bp_addr = &&label + nr, *bp_hit;
+ int pid;
+
+ printf("test bp %d\n", nr);
+ assert(nr < 16); // see 16 asm nops below
+
+ pid = fork();
+ if (!pid) {
+ assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
+ kill(getpid(), SIGSTOP);
+ for (;;) {
+ label: asm (
+ "nop; nop; nop; nop;"
+ "nop; nop; nop; nop;"
+ "nop; nop; nop; nop;"
+ "nop; nop; nop; nop;"
+ );
+ }
+ }
+
+ assert(pid == wait(NULL));
+ set_bp(pid, bp_addr);
+
+ for (;;) {
+ assert(ptrace(PTRACE_CONT, pid, 0, 0) == 0);
+ assert(pid == wait(NULL));
+
+ bp_hit = get_rip(pid);
+ if (bp_hit != bp_addr)
+ fprintf(stderr, "ERR!! hit wrong bp %ld != %d\n",
+ bp_hit - &&label, nr);
+ }
+ }
+
+ int main(int argc, const char *argv[])
+ {
+ while (--argc) {
+ int nr = atoi(*++argv);
+ if (!fork())
+ test(nr);
+ }
+
+ while (wait(NULL) > 0)
+ ;
+ return 0;
+ }
+
+Suggested-by: Nadav Amit <namit@cs.technion.ac.il>
+Reported-by: Andrey Wagin <avagin@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2736,6 +2736,7 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
+ }
+
+ kvm_make_request(KVM_REQ_STEAL_UPDATE, vcpu);
++ vcpu->arch.switch_db_regs |= KVM_DEBUGREG_RELOAD;
+ }
+
+ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
--- /dev/null
+From 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 Mon Sep 17 00:00:00 2001
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+Date: Wed, 24 Feb 2016 21:02:31 +0300
+Subject: KVM: x86: MMU: fix ubsan index-out-of-range warning
+
+From: Mike Krinkin <krinkin.m.u@gmail.com>
+
+commit 17e4bce0ae63c7e03f3c7fa8d80890e7af3d4971 upstream.
+
+Ubsan reports the following warning due to a typo in
+update_accessed_dirty_bits template, the patch fixes
+the typo:
+
+[ 168.791851] ================================================================================
+[ 168.791862] UBSAN: Undefined behaviour in arch/x86/kvm/paging_tmpl.h:252:15
+[ 168.791866] index 4 is out of range for type 'u64 [4]'
+[ 168.791871] CPU: 0 PID: 2950 Comm: qemu-system-x86 Tainted: G O L 4.5.0-rc5-next-20160222 #7
+[ 168.791873] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013
+[ 168.791876] 0000000000000000 ffff8801cfcaf208 ffffffff81c9f780 0000000041b58ab3
+[ 168.791882] ffffffff82eb2cc1 ffffffff81c9f6b4 ffff8801cfcaf230 ffff8801cfcaf1e0
+[ 168.791886] 0000000000000004 0000000000000001 0000000000000000 ffffffffa1981600
+[ 168.791891] Call Trace:
+[ 168.791899] [<ffffffff81c9f780>] dump_stack+0xcc/0x12c
+[ 168.791904] [<ffffffff81c9f6b4>] ? _atomic_dec_and_lock+0xc4/0xc4
+[ 168.791910] [<ffffffff81da9e81>] ubsan_epilogue+0xd/0x8a
+[ 168.791914] [<ffffffff81daafa2>] __ubsan_handle_out_of_bounds+0x15c/0x1a3
+[ 168.791918] [<ffffffff81daae46>] ? __ubsan_handle_shift_out_of_bounds+0x2bd/0x2bd
+[ 168.791922] [<ffffffff811287ef>] ? get_user_pages_fast+0x2bf/0x360
+[ 168.791954] [<ffffffffa1794050>] ? kvm_largepages_enabled+0x30/0x30 [kvm]
+[ 168.791958] [<ffffffff81128530>] ? __get_user_pages_fast+0x360/0x360
+[ 168.791987] [<ffffffffa181b818>] paging64_walk_addr_generic+0x1b28/0x2600 [kvm]
+[ 168.792014] [<ffffffffa1819cf0>] ? init_kvm_mmu+0x1100/0x1100 [kvm]
+[ 168.792019] [<ffffffff8129e350>] ? debug_check_no_locks_freed+0x350/0x350
+[ 168.792044] [<ffffffffa1819cf0>] ? init_kvm_mmu+0x1100/0x1100 [kvm]
+[ 168.792076] [<ffffffffa181c36d>] paging64_gva_to_gpa+0x7d/0x110 [kvm]
+[ 168.792121] [<ffffffffa181c2f0>] ? paging64_walk_addr_generic+0x2600/0x2600 [kvm]
+[ 168.792130] [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
+[ 168.792178] [<ffffffffa17d9a4a>] emulator_read_write_onepage+0x27a/0x1150 [kvm]
+[ 168.792208] [<ffffffffa1794d44>] ? __kvm_read_guest_page+0x54/0x70 [kvm]
+[ 168.792234] [<ffffffffa17d97d0>] ? kvm_task_switch+0x160/0x160 [kvm]
+[ 168.792238] [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
+[ 168.792263] [<ffffffffa17daa07>] emulator_read_write+0xe7/0x6d0 [kvm]
+[ 168.792290] [<ffffffffa183b620>] ? em_cr_write+0x230/0x230 [kvm]
+[ 168.792314] [<ffffffffa17db005>] emulator_write_emulated+0x15/0x20 [kvm]
+[ 168.792340] [<ffffffffa18465f8>] segmented_write+0xf8/0x130 [kvm]
+[ 168.792367] [<ffffffffa1846500>] ? em_lgdt+0x20/0x20 [kvm]
+[ 168.792374] [<ffffffffa14db512>] ? vmx_read_guest_seg_ar+0x42/0x1e0 [kvm_intel]
+[ 168.792400] [<ffffffffa1846d82>] writeback+0x3f2/0x700 [kvm]
+[ 168.792424] [<ffffffffa1846990>] ? em_sidt+0xa0/0xa0 [kvm]
+[ 168.792449] [<ffffffffa185554d>] ? x86_decode_insn+0x1b3d/0x4f70 [kvm]
+[ 168.792474] [<ffffffffa1859032>] x86_emulate_insn+0x572/0x3010 [kvm]
+[ 168.792499] [<ffffffffa17e71dd>] x86_emulate_instruction+0x3bd/0x2110 [kvm]
+[ 168.792524] [<ffffffffa17e6e20>] ? reexecute_instruction.part.110+0x2e0/0x2e0 [kvm]
+[ 168.792532] [<ffffffffa14e9a81>] handle_ept_misconfig+0x61/0x460 [kvm_intel]
+[ 168.792539] [<ffffffffa14e9a20>] ? handle_pause+0x450/0x450 [kvm_intel]
+[ 168.792546] [<ffffffffa15130ea>] vmx_handle_exit+0xd6a/0x1ad0 [kvm_intel]
+[ 168.792572] [<ffffffffa17f6a6c>] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm]
+[ 168.792597] [<ffffffffa17f6bcd>] kvm_arch_vcpu_ioctl_run+0xd3d/0x6090 [kvm]
+[ 168.792621] [<ffffffffa17f6a6c>] ? kvm_arch_vcpu_ioctl_run+0xbdc/0x6090 [kvm]
+[ 168.792627] [<ffffffff8293b530>] ? __ww_mutex_lock_interruptible+0x1630/0x1630
+[ 168.792651] [<ffffffffa17f5e90>] ? kvm_arch_vcpu_runnable+0x4f0/0x4f0 [kvm]
+[ 168.792656] [<ffffffff811eeb30>] ? preempt_notifier_unregister+0x190/0x190
+[ 168.792681] [<ffffffffa17e0447>] ? kvm_arch_vcpu_load+0x127/0x650 [kvm]
+[ 168.792704] [<ffffffffa178e9a3>] kvm_vcpu_ioctl+0x553/0xda0 [kvm]
+[ 168.792727] [<ffffffffa178e450>] ? vcpu_put+0x40/0x40 [kvm]
+[ 168.792732] [<ffffffff8129e350>] ? debug_check_no_locks_freed+0x350/0x350
+[ 168.792735] [<ffffffff82946087>] ? _raw_spin_unlock+0x27/0x40
+[ 168.792740] [<ffffffff8163a943>] ? handle_mm_fault+0x1673/0x2e40
+[ 168.792744] [<ffffffff8129daa8>] ? trace_hardirqs_on_caller+0x478/0x6c0
+[ 168.792747] [<ffffffff8129dcfd>] ? trace_hardirqs_on+0xd/0x10
+[ 168.792751] [<ffffffff812e848b>] ? debug_lockdep_rcu_enabled+0x7b/0x90
+[ 168.792756] [<ffffffff81725a80>] do_vfs_ioctl+0x1b0/0x12b0
+[ 168.792759] [<ffffffff817258d0>] ? ioctl_preallocate+0x210/0x210
+[ 168.792763] [<ffffffff8174aef3>] ? __fget+0x273/0x4a0
+[ 168.792766] [<ffffffff8174acd0>] ? __fget+0x50/0x4a0
+[ 168.792770] [<ffffffff8174b1f6>] ? __fget_light+0x96/0x2b0
+[ 168.792773] [<ffffffff81726bf9>] SyS_ioctl+0x79/0x90
+[ 168.792777] [<ffffffff82946880>] entry_SYSCALL_64_fastpath+0x23/0xc1
+[ 168.792780] ================================================================================
+
+Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
+Reviewed-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/paging_tmpl.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/paging_tmpl.h
++++ b/arch/x86/kvm/paging_tmpl.h
+@@ -249,7 +249,7 @@ static int FNAME(update_accessed_dirty_b
+ return ret;
+
+ kvm_vcpu_mark_page_dirty(vcpu, table_gfn);
+- walker->ptes[level] = pte;
++ walker->ptes[level - 1] = pte;
+ }
+ return 0;
+ }
--- /dev/null
+From 50ab8ec74a153eb30db26529088bc57dd700b24c Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Mon, 8 Feb 2016 21:11:50 +0100
+Subject: nfs: fix nfs_size_to_loff_t
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 50ab8ec74a153eb30db26529088bc57dd700b24c upstream.
+
+See http://www.infradead.org/rpr.html
+X-Evolution-Source: 1451162204.2173.11@leira.trondhjem.org
+Content-Transfer-Encoding: 8bit
+Mime-Version: 1.0
+
+We support OFFSET_MAX just fine, so don't round down below it. Also
+switch to using min_t to make the helper more readable.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Fixes: 433c92379d9c ("NFS: Clean up nfs_size_to_loff_t()")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/nfs_fs.h | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -544,9 +544,7 @@ extern int nfs_readpage_async(struct nf
+
+ static inline loff_t nfs_size_to_loff_t(__u64 size)
+ {
+- if (size > (__u64) OFFSET_MAX - 1)
+- return OFFSET_MAX - 1;
+- return (loff_t) size;
++ return min_t(u64, size, OFFSET_MAX);
+ }
+
+ static inline ino_t
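Review bot: `return min_t(u64, size, OFFSET_MAX);` in nfs_size_to_loff_t() now relies on an implicit u64 to loff_t conversion where the old code cast explicitly, and it uses `u64` while the parameter is declared `__u64`. The conversion is safe only because the clamp keeps the value at or below OFFSET_MAX. That matters here because the size presumably originates from the server, and an unclamped value would become a negative offset. A one-line comment would keep that from being lost in a later cleanup, e.g. `/* clamp first: the implicit u64 -> loff_t conversion must never yield a negative offset */`, and `min_t(__u64, size, OFFSET_MAX)` would match the signature.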
--- /dev/null
+From d9dfd8d741683347ee159d25f5b50c346a0df557 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Wed, 17 Feb 2016 10:41:41 -0500
+Subject: NFSv4: Fix a dentry leak on alias use
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit d9dfd8d741683347ee159d25f5b50c346a0df557 upstream.
+
+In the case where d_add_unique() finds an appropriate alias to use it will
+have already incremented the reference count. An additional dget() to swap
+the open context's dentry is unnecessary and will leak a reference.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: 275bb307865a3 ("NFSv4: Move dentry instantiation into the NFSv4-...")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2461,9 +2461,9 @@ static int _nfs4_open_and_get_state(stru
+ dentry = d_add_unique(dentry, igrab(state->inode));
+ if (dentry == NULL) {
+ dentry = opendata->dentry;
+- } else if (dentry != ctx->dentry) {
++ } else {
+ dput(ctx->dentry);
+- ctx->dentry = dget(dentry);
++ ctx->dentry = dentry;
+ }
+ nfs_set_verifier(dentry,
+ nfs_save_change_attribute(d_inode(opendata->dir)));
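Review bot: The `else` branch now stores the result of d_add_unique() straight into `ctx->dentry` without a comment on who owns the reference. Per the commit message the alias comes back with its count already raised, so the assignment hands that reference to the open context. The `dentry` passed to nfs_set_verifier() just below is then only borrowed from it. I would record that at the assignment: `/* d_add_unique() returned the alias with a reference held; ctx takes it over */`. _nfs4_open_and_get_state() starts and ends outside the hunk, so whether a later path still drops `dentry` separately could not be checked.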
--- /dev/null
+From 5d589d81acf974d23af98044aac56c6339d659f8 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Tue, 9 Feb 2016 11:04:45 +0000
+Subject: of/irq: Fix msi-map calculation for nonzero rid-base
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 5d589d81acf974d23af98044aac56c6339d659f8 upstream.
+
+The existing msi-map code is fine for shifting the entire RID space
+upwards, but attempting finer-grained remapping reveals a bug. It turns
+out that we are mistakenly treating the msi-base part as an offset, not
+as a new base to remap onto, so things get squiffy when rid-base is
+nonzero. Fix this, and at the same time add a sanity check against
+having msi-map-mask clash with a nonzero rid-base, as that's another
+thing one can easily get wrong.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Tested-by: Stuart Yoder <stuart.yoder@nxp.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: David Daney <david.daney@cavium.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/irq.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -636,6 +636,13 @@ static u32 __of_msi_map_rid(struct devic
+ msi_base = be32_to_cpup(msi_map + 2);
+ rid_len = be32_to_cpup(msi_map + 3);
+
++ if (rid_base & ~map_mask) {
++ dev_err(parent_dev,
++ "Invalid msi-map translation - msi-map-mask (0x%x) ignores rid-base (0x%x)\n",
++ map_mask, rid_base);
++ return rid_out;
++ }
++
+ msi_controller_node = of_find_node_by_phandle(phandle);
+
+ matched = (masked_rid >= rid_base &&
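Review bot: The new `rid_base & ~map_mask` check returns `rid_out` on a malformed msi-map, so as far as the hunk shows the caller receives a value it cannot tell apart from a successful translation, with the dev_err() line as the only signal. It is worth documenting that fallback next to the return, e.g. `/* malformed map: fall back to the untranslated RID */`, if that is what `rid_out` holds at this point (its initial value is outside the hunk). In the second hunk, `rid_out = masked_rid - rid_base + msi_base;` cannot underflow given the visible `masked_rid >= rid_base` test, but nothing visible bounds `msi_base` plus the offset against 32-bit wrap. __of_msi_map_rid() starts and ends outside both hunks.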
+@@ -655,7 +662,7 @@ static u32 __of_msi_map_rid(struct devic
+ if (!matched)
+ return rid_out;
+
+- rid_out = masked_rid + msi_base;
++ rid_out = masked_rid - rid_base + msi_base;
+ dev_dbg(dev,
+ "msi-map at: %s, using mask %08x, rid-base: %08x, msi-base: %08x, length: %08x, rid: %08x -> %08x\n",
+ dev_name(parent_dev), map_mask, rid_base, msi_base,
--- /dev/null
+From b82fcabe212a11698fd4b3e604d2f81d929d22f6 Mon Sep 17 00:00:00 2001
+From: Shawn Lin <shawn.lin@rock-chips.com>
+Date: Thu, 28 Jan 2016 16:14:18 +0800
+Subject: phy: core: fix wrong err handle for phy_power_on
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+commit b82fcabe212a11698fd4b3e604d2f81d929d22f6 upstream.
+
+If phy_pm_runtime_get_sync failed but we already
+enable regulator, current code return directly without
+doing regulator_disable. This patch fix this problem
+and cleanup err handle of phy_power_on to be more readable.
+
+Fixes: 3be88125d85d ("phy: core: Support regulator ...")
+Cc: Roger Quadros <rogerq@ti.com>
+Cc: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/phy-core.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/phy/phy-core.c
++++ b/drivers/phy/phy-core.c
+@@ -275,20 +275,21 @@ EXPORT_SYMBOL_GPL(phy_exit);
+
+ int phy_power_on(struct phy *phy)
+ {
+- int ret;
++ int ret = 0;
+
+ if (!phy)
+- return 0;
++ goto out;
+
+ if (phy->pwr) {
+ ret = regulator_enable(phy->pwr);
+ if (ret)
+- return ret;
++ goto out;
+ }
+
+ ret = phy_pm_runtime_get_sync(phy);
+ if (ret < 0 && ret != -ENOTSUPP)
+- return ret;
++ goto err_pm_sync;
++
+ ret = 0; /* Override possible ret == -ENOTSUPP */
+
+ mutex_lock(&phy->mutex);
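Review bot: The two `goto out;` jumps in this hunk (for `!phy` and for a failed regulator_enable()) land on a label that only does `return ret;`, which reads worse than the direct returns they replace and is the only reason for the new `int ret = 0;` initialiser. Kernel coding style prefers a plain return where there is nothing to clean up, so I would keep `if (!phy) return 0;` and `return ret;` after regulator_enable(), and drop the `out:` label added in the second hunk. The part that actually fixes the leak, `goto err_pm_sync;` reaching regulator_disable(), is unaffected by that.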
+@@ -296,19 +297,20 @@ int phy_power_on(struct phy *phy)
+ ret = phy->ops->power_on(phy);
+ if (ret < 0) {
+ dev_err(&phy->dev, "phy poweron failed --> %d\n", ret);
+- goto out;
++ goto err_pwr_on;
+ }
+ }
+ ++phy->power_count;
+ mutex_unlock(&phy->mutex);
+ return 0;
+
+-out:
++err_pwr_on:
+ mutex_unlock(&phy->mutex);
+ phy_pm_runtime_put_sync(phy);
++err_pm_sync:
+ if (phy->pwr)
+ regulator_disable(phy->pwr);
+-
++out:
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(phy_power_on);
--- /dev/null
+From f6bf0fa14cf848ae770e0b7842c9b11ce2f01645 Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Date: Fri, 12 Feb 2016 16:03:05 +1100
+Subject: powerpc/eeh: Fix partial hotplug criterion
+
+From: Gavin Shan <gwshan@linux.vnet.ibm.com>
+
+commit f6bf0fa14cf848ae770e0b7842c9b11ce2f01645 upstream.
+
+During error recovery, the device could be removed as part of the
+partial hotplug. The criterion used to come with partial hotplug
+is: if the device driver provides error_detected(), slot_reset()
+and resume() callbacks, it's immune from hotplug. Otherwise,
+it's going to experience partial hotplug during EEH recovery. But
+the criterion isn't correct enough: mlx4_core driver for Mellanox
+adapters provides error_detected(), slot_reset() callbacks, but
+resume() isn't there. Those Mellanox adapters won't be to involved
+in the partial hotplug.
+
+This fixes the criterion to a practical one: adapter with driver
+that provides error_detected(), slot_reset() will be immune from
+partial hotplug. resume() isn't mandatory.
+
+Fixes: f2da4ccf ("powerpc/eeh: More relaxed hotplug criterion")
+Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/eeh_driver.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -418,8 +418,7 @@ static void *eeh_rmv_device(void *data,
+ eeh_pcid_put(dev);
+ if (driver->err_handler &&
+ driver->err_handler->error_detected &&
+- driver->err_handler->slot_reset &&
+- driver->err_handler->resume)
++ driver->err_handler->slot_reset)
+ return NULL;
+ }
+
arcv2-smp-emulate-ipi-to-self-using-software-triggered-interrupt.patch
pci-aer-flush-workqueue-on-device-remove-to-avoid-use-after-free.patch
cpuset-make-mm-migration-asynchronous.patch
+cgroup-make-sure-a-parent-css-isn-t-offlined-before-its-children.patch
+writeback-keep-superblock-pinned-during-cgroup-writeback-association-switches.patch
+phy-core-fix-wrong-err-handle-for-phy_power_on.patch
+i2c-i801-adding-intel-lewisburg-support-for-itco.patch
+bio-return-eintr-if-copying-to-user-space-got-interrupted.patch
+block-fix-use-after-free-in-dio_bio_complete.patch
+nfs-fix-nfs_size_to_loff_t.patch
+nfsv4-fix-a-dentry-leak-on-alias-use.patch
+of-irq-fix-msi-map-calculation-for-nonzero-rid-base.patch
+kvm-async_pf-do-not-warn-on-page-allocation-failures.patch
+kvm-arm-arm64-vgic-ensure-bitmaps-are-long-enough.patch
+kvm-x86-fix-missed-hardware-breakpoints.patch
+kvm-x86-fix-conversion-of-addresses-to-linear-in-32-bit-protected-mode.patch
+kvm-x86-mmu-fix-ubsan-index-out-of-range-warning.patch
+powerpc-eeh-fix-partial-hotplug-criterion.patch
+tracing-fix-showing-function-event-in-available_events.patch
+sunrpc-cache-fix-off-by-one-in-qword_get.patch
+kernel-resource.c-fix-muxed-resource-handling-in-__request_region.patch
+do_last-don-t-let-a-bogus-return-value-from-open-et.al.-to-confuse-us.patch
+arm-omap2-fix-onenand-initialization-to-avoid-filesystem-corruption.patch
+arm-at91-dt-fix-typo-in-sama5d2-pinmux-descriptions.patch
+xen-arm-correctly-handle-dma-mapping-of-compound-pages.patch
+xen-scsiback-correct-frontend-counting.patch
+xen-pciback-check-pf-instead-of-vf-for-pci_command_memory.patch
+xen-pciback-save-the-number-of-msi-x-entries-to-be-copied-later.patch
+xen-pcifront-fix-mysterious-crashes-when-numa-locality-information-was-extracted.patch
+should_follow_link-validate-d_seq-after-having-decided-to-follow.patch
+do_last-eloop-failure-exit-should-be-done-after-leaving-rcu-mode.patch
+hpfs-don-t-truncate-the-file-when-delete-fails.patch
+x86-mpx-fix-off-by-one-comparison-with-nr_registers.patch
+x86-entry-compat-add-missing-clac-to-entry_int80_32.patch
--- /dev/null
+From a7f775428b8f5808815c0e3004020cedb94cbe3b Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 27 Feb 2016 19:31:01 -0500
+Subject: should_follow_link(): validate ->d_seq after having decided to follow
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a7f775428b8f5808815c0e3004020cedb94cbe3b upstream.
+
+... otherwise d_is_symlink() above might have nothing to do with
+the inode value we've got.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1711,6 +1711,11 @@ static inline int should_follow_link(str
+ return 0;
+ if (!follow)
+ return 0;
++ /* make sure that d_is_symlink above matches inode */
++ if (nd->flags & LOOKUP_RCU) {
++ if (read_seqcount_retry(&link->dentry->d_seq, seq))
++ return -ECHILD;
++ }
+ return pick_link(nd, link, inode, seq);
+ }
+
--- /dev/null
+From b7052cd7bcf3c1478796e93e3dff2b44c9e82943 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 18 Feb 2016 18:55:54 +0000
+Subject: sunrpc/cache: fix off-by-one in qword_get()
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+commit b7052cd7bcf3c1478796e93e3dff2b44c9e82943 upstream.
+
+The qword_get() function NUL-terminates its output buffer. If the input
+string is in hex format \xXXXX... and the same length as the output
+buffer, there is an off-by-one:
+
+ int qword_get(char **bpp, char *dest, int bufsize)
+ {
+ ...
+ while (len < bufsize) {
+ ...
+ *dest++ = (h << 4) | l;
+ len++;
+ }
+ ...
+ *dest = '\0';
+ return len;
+ }
+
+This patch ensures the NUL terminator doesn't fall outside the output
+buffer.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1225,7 +1225,7 @@ int qword_get(char **bpp, char *dest, in
+ if (bp[0] == '\\' && bp[1] == 'x') {
+ /* HEX STRING */
+ bp += 2;
+- while (len < bufsize) {
++ while (len < bufsize - 1) {
+ int h, l;
+
+ h = hex_to_bin(bp[0]);
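Review bot: The new bound `len < bufsize - 1` keeps the terminator inside the buffer only when `bufsize` is at least 1. Per the excerpt in the commit message the `*dest = '\0';` store is unconditional and `bufsize` is an `int`, so a caller passing 0 would still get one byte written. If no caller can do that, a short comment on the function stating that `bufsize` must be positive and includes room for the NUL would record the contract. Otherwise an early `if (bufsize <= 0) return -1;` would close it, assuming -1 is the function's error return. qword_get() starts and ends outside the hunk, so the non-hex branch and the existing callers were not checked.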
--- /dev/null
+From d045437a169f899dfb0f6f7ede24cc042543ced9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Wed, 24 Feb 2016 09:04:24 -0500
+Subject: tracing: Fix showing function event in available_events
+
+From: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+
+commit d045437a169f899dfb0f6f7ede24cc042543ced9 upstream.
+
+The ftrace:function event is only displayed for parsing the function tracer
+data. It is not used to enable function tracing, and does not include an
+"enable" file in its event directory.
+
+Originally, this event was kept separate from other events because it did
+not have a ->reg parameter. But perf added a "reg" parameter for its use
+which caused issues, because it made the event available to functions where
+it was not compatible for.
+
+Commit 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+added a TRACE_EVENT_FL_IGNORE_ENABLE flag that prevented the function event
+from being enabled by normal trace events. But this commit missed keeping
+the function event from being displayed by the "available_events" directory,
+which is used to show what events can be enabled by set_event.
+
+One documented way to enable all events is to:
+
+ cat available_events > set_event
+
+But because the function event is displayed in the available_events, this
+now causes an INVALID error:
+
+ cat: write error: Invalid argument
+
+Reported-by: Chunyu Hu <chuhu@redhat.com>
+Fixes: 9b63776fa3ca9 "tracing: Do not enable function event with enable"
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -869,7 +869,8 @@ t_next(struct seq_file *m, void *v, loff
+ * The ftrace subsystem is for showing formats only.
+ * They can not be enabled or disabled via the event files.
+ */
+- if (call->class && call->class->reg)
++ if (call->class && call->class->reg &&
++ !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE))
+ return file;
+ }
+
--- /dev/null
+From 5ff8eaac1636bf6deae86491f4818c4c69d1a9ac Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 16 Feb 2016 11:34:07 -0700
+Subject: writeback: keep superblock pinned during cgroup writeback association switches
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 5ff8eaac1636bf6deae86491f4818c4c69d1a9ac upstream.
+
+If cgroup writeback is in use, an inode is associated with a cgroup
+for writeback. If the inode's main dirtier changes to another cgroup,
+the association gets updated asynchronously. Nothing was pinning the
+superblock while such switches are in progress and superblock could go
+away while async switching is pending or in progress leading to
+crashes like the following.
+
+ kernel BUG at fs/jbd2/transaction.c:319!
+ invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
+ CPU: 1 PID: 29158 Comm: kworker/1:10 Not tainted 4.5.0-rc3 #51
+ Hardware name: Google Google, BIOS Google 01/01/2011
+ Workqueue: events inode_switch_wbs_work_fn
+ task: ffff880213dbbd40 ti: ffff880209264000 task.ti: ffff880209264000
+ RIP: 0010:[<ffffffff803e6922>] [<ffffffff803e6922>] start_this_handle+0x382/0x3e0
+ RSP: 0018:ffff880209267c30 EFLAGS: 00010202
+ ...
+ Call Trace:
+ [<ffffffff803e6be4>] jbd2__journal_start+0xf4/0x190
+ [<ffffffff803cfc7e>] __ext4_journal_start_sb+0x4e/0x70
+ [<ffffffff803b31ec>] ext4_evict_inode+0x12c/0x3d0
+ [<ffffffff8035338b>] evict+0xbb/0x190
+ [<ffffffff80354190>] iput+0x130/0x190
+ [<ffffffff80360223>] inode_switch_wbs_work_fn+0x343/0x4c0
+ [<ffffffff80279819>] process_one_work+0x129/0x300
+ [<ffffffff80279b16>] worker_thread+0x126/0x480
+ [<ffffffff8027ed14>] kthread+0xc4/0xe0
+ [<ffffffff809771df>] ret_from_fork+0x3f/0x70
+
+Fix it by bumping s_active while cgroup association switching is in
+flight.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-and-tested-by: Tahsin Erdogan <tahsin@google.com>
+Link: http://lkml.kernel.org/g/CAAeU0aNCq7LGODvVGRU-oU_o-6enii5ey0p1c26D1ZzYwkDc5A@mail.gmail.com
+Fixes: d10c80955265 ("writeback: implement foreign cgroup inode bdi_writeback switching")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 6915c950e6e8..1f76d8950a57 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -317,6 +317,7 @@ static void inode_switch_wbs_work_fn(struct work_struct *work)
+ struct inode_switch_wbs_context *isw =
+ container_of(work, struct inode_switch_wbs_context, work);
+ struct inode *inode = isw->inode;
++ struct super_block *sb = inode->i_sb;
+ struct address_space *mapping = inode->i_mapping;
+ struct bdi_writeback *old_wb = inode->i_wb;
+ struct bdi_writeback *new_wb = isw->new_wb;
+@@ -423,6 +424,7 @@ skip_switch:
+ wb_put(new_wb);
+
+ iput(inode);
++ deactivate_super(sb);
+ kfree(isw);
+ }
+
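Review bot: The reference taken with `atomic_inc_not_zero(&inode->i_sb->s_active)` in inode_switch_wbs() is dropped by `deactivate_super(sb);` in inode_switch_wbs_work_fn(), with an RCU callback and a work item in between, and neither site says so. I would add `/* pairs with deactivate_super() in inode_switch_wbs_work_fn() */` at the increment and `/* drop the s_active pin taken in inode_switch_wbs() */` at the release. It is also worth a comment at `struct super_block *sb = inode->i_sb;` that the pointer is saved up front because it is used after `iput(inode)`. Both functions extend beyond the hunks shown.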
+@@ -469,11 +471,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+
+ /* while holding I_WB_SWITCH, no one else can update the association */
+ spin_lock(&inode->i_lock);
++
+ if (inode->i_state & (I_WB_SWITCH | I_FREEING) ||
+- inode_to_wb(inode) == isw->new_wb) {
+- spin_unlock(&inode->i_lock);
+- goto out_free;
+- }
++ inode_to_wb(inode) == isw->new_wb)
++ goto out_unlock;
++
++ if (!atomic_inc_not_zero(&inode->i_sb->s_active))
++ goto out_unlock;
++
+ inode->i_state |= I_WB_SWITCH;
+ spin_unlock(&inode->i_lock);
+
+@@ -489,6 +494,8 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+ call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
+ return;
+
++out_unlock:
++ spin_unlock(&inode->i_lock);
+ out_free:
+ if (isw->new_wb)
+ wb_put(isw->new_wb);
--- /dev/null
+From 3d44d51bd339766f0178f0cf2e8d048b4a4872aa Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@kernel.org>
+Date: Wed, 24 Feb 2016 12:18:49 -0800
+Subject: x86/entry/compat: Add missing CLAC to entry_INT80_32
+
+From: Andy Lutomirski <luto@kernel.org>
+
+commit 3d44d51bd339766f0178f0cf2e8d048b4a4872aa upstream.
+
+This doesn't seem to fix a regression -- I don't think the CLAC was
+ever there.
+
+I double-checked in a debugger: entries through the int80 gate do
+not automatically clear AC.
+
+Stable maintainers: I can provide a backport to 4.3 and earlier if
+needed. This needs to be backported all the way to 3.10.
+
+Reported-by: Brian Gerst <brgerst@gmail.com>
+Signed-off-by: Andy Lutomirski <luto@kernel.org>
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 63bcff2a307b ("x86, smap: Add STAC and CLAC instructions to control user space access")
+Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.org
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/entry/entry_64_compat.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/entry/entry_64_compat.S
++++ b/arch/x86/entry/entry_64_compat.S
+@@ -267,6 +267,7 @@ ENTRY(entry_INT80_compat)
+ * Interrupts are off on entry.
+ */
+ PARAVIRT_ADJUST_EXCEPTION_FRAME
++ ASM_CLAC /* Do this early to minimize exposure */
+ SWAPGS
+
+ /*
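Review bot: The comment on the added `ASM_CLAC`, `/* Do this early to minimize exposure */`, does not say what is exposed. Per the commit message the int80 gate does not clear AC on entry, so until this instruction runs the kernel executes with whatever AC value user space left, which is the flag SMAP enforcement depends on. I would spell that out, e.g. `/* int80 does not clear EFLAGS.AC; clear it before other kernel code runs so SMAP is in force */`. Whether the instruction could move ahead of `PARAVIRT_ADJUST_EXCEPTION_FRAME` cannot be judged from this hunk.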
--- /dev/null
+From 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 26 Feb 2016 18:55:31 +0000
+Subject: x86/mpx: Fix off-by-one comparison with nr_registers
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 9bf148cb0812595bfdf5100bd2c07e9bec9c6ef5 upstream.
+
+In the unlikely event that regno == nr_registers then we get an array
+overrun on regoff because the invalid register check is currently
+off-by-one. Fix this with a check that regno is >= nr_registers instead.
+
+Detected with static analysis using CoverityScan.
+
+Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information"
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
+Link: http://lkml.kernel.org/r/1456512931-3388-1-git-send-email-colin.king@canonical.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c
+index b2fd67da1701..ef05755a1900 100644
+--- a/arch/x86/mm/mpx.c
++++ b/arch/x86/mm/mpx.c
+@@ -123,7 +123,7 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs,
+ break;
+ }
+
+- if (regno > nr_registers) {
++ if (regno >= nr_registers) {
+ WARN_ONCE(1, "decoded an instruction with an invalid register");
+ return -EINVAL;
+ }
--- /dev/null
+From 52ba0746b3b44c86aee121babf3b2fd9b8f84090 Mon Sep 17 00:00:00 2001
+From: Ian Campbell <ian.campbell@citrix.com>
+Date: Mon, 8 Feb 2016 16:02:06 +0000
+Subject: xen/arm: correctly handle DMA mapping of compound pages
+
+From: Ian Campbell <ian.campbell@citrix.com>
+
+commit 52ba0746b3b44c86aee121babf3b2fd9b8f84090 upstream.
+
+Currently xen_dma_map_page concludes that DMA to anything other than
+the head page of a compound page must be foreign, since the PFN of the
+page is that of the head.
+
+Fix the check to instead consider the whole of a compound page to be
+local if the PFN of the head passes the 1:1 check.
+
+We can never see a compound page which is a mixture of foreign and
+local sub-pages.
+
+The comment already correctly described the intention, but fixup the
+spelling and some grammar.
+
+This fixes the various SSH protocol errors which we have been seeing
+on the cubietrucks in our automated test infrastructure.
+
+This has been broken since commit 3567258d281b ("xen/arm: use
+hypercall to flush caches in map_page"), which was in v3.19-rc1.
+
+NB arch/arm64/.../xen/page-coherent.h also includes this file.
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/arch/arm/include/asm/xen/page-coherent.h b/arch/arm/include/asm/xen/page-coherent.h
+index 0375c8caa061..9408a994cc91 100644
+--- a/arch/arm/include/asm/xen/page-coherent.h
++++ b/arch/arm/include/asm/xen/page-coherent.h
+@@ -35,14 +35,21 @@ static inline void xen_dma_map_page(struct device *hwdev, struct page *page,
+ dma_addr_t dev_addr, unsigned long offset, size_t size,
+ enum dma_data_direction dir, struct dma_attrs *attrs)
+ {
+- bool local = XEN_PFN_DOWN(dev_addr) == page_to_xen_pfn(page);
++ unsigned long page_pfn = page_to_xen_pfn(page);
++ unsigned long dev_pfn = XEN_PFN_DOWN(dev_addr);
++ unsigned long compound_pages =
++ (1<<compound_order(page)) * XEN_PFN_PER_PAGE;
++ bool local = (page_pfn <= dev_pfn) &&
++ (dev_pfn - page_pfn < compound_pages);
++
+ /*
+- * Dom0 is mapped 1:1, while the Linux page can be spanned accross
+- * multiple Xen page, it's not possible to have a mix of local and
+- * foreign Xen page. So if the first xen_pfn == mfn the page is local
+- * otherwise it's a foreign page grant-mapped in dom0. If the page is
+- * local we can safely call the native dma_ops function, otherwise we
+- * call the xen specific function.
++ * Dom0 is mapped 1:1, while the Linux page can span across
++ * multiple Xen pages, it's not possible for it to contain a
++ * mix of local and foreign Xen pages. So if the first xen_pfn
++ * == mfn the page is local otherwise it's a foreign page
++ * grant-mapped in dom0. If the page is local we can safely
++ * call the native dma_ops function, otherwise we call the xen
++ * specific function.
+ */
+ if (local)
+ __generic_dma_ops(hwdev)->map_page(hwdev, page, offset, size, dir, attrs);
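Review bot: The block comment kept under the new check still describes an equality test ("if the first xen_pfn == mfn the page is local"), while `local` is now true for any `dev_pfn` in the range that starts at `page_pfn` and spans `compound_pages` Xen frames. Since this decision picks between the native dma_ops and the Xen-specific function, I would add a line such as `* For a compound page, any Xen PFN within the compound range of the head counts as local.` so comment and code stay in step. `compound_pages` counts Xen PFNs rather than pages, so a name like `compound_xen_pfns` would read more accurately, and `1UL << compound_order(page)` would do the shift in the type it is assigned to. The function body continues past the end of the hunk.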
--- /dev/null
+From 8d47065f7d1980dde52abb874b301054f3013602 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 11 Feb 2016 16:10:23 -0500
+Subject: xen/pciback: Check PF instead of VF for PCI_COMMAND_MEMORY
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 8d47065f7d1980dde52abb874b301054f3013602 upstream.
+
+Commit 408fb0e5aa7fda0059db282ff58c3b2a4278baa0 (xen/pciback: Don't
+allow MSI-X ops if PCI_COMMAND_MEMORY is not set) prevented enabling
+MSI-X on passed-through virtual functions, because it checked the VF
+for PCI_COMMAND_MEMORY but this is not a valid bit for VFs.
+
+Instead, check the physical function for PCI_COMMAND_MEMORY.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-pciback/pciback_ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -227,8 +227,9 @@ int xen_pcibk_enable_msix(struct xen_pci
+ /*
+ * PCI_COMMAND_MEMORY must be enabled, otherwise we may not be able
+ * to access the BARs where the MSI-X entries reside.
++ * But VF devices are unique in which the PF needs to be checked.
+ */
+- pci_read_config_word(dev, PCI_COMMAND, &cmd);
++ pci_read_config_word(pci_physfn(dev), PCI_COMMAND, &cmd);
+ if (dev->msi_enabled || !(cmd & PCI_COMMAND_MEMORY))
+ return -ENXIO;
+
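Review bot: The return value of `pci_read_config_word(pci_physfn(dev), PCI_COMMAND, &cmd)` is not checked, so the `PCI_COMMAND_MEMORY` test on the next line trusts whatever `cmd` holds if the config read fails. Whether `cmd` is initialised is not visible, because the function starts outside the hunk. As this gate decides whether an MSI-X request is honoured, it should fail closed: `if (pci_read_config_word(pci_physfn(dev), PCI_COMMAND, &cmd)) return -ENXIO;`. The added comment line would also read more clearly as `* For a VF this bit is not valid, so the PF is checked instead; pci_physfn() returns dev itself for a non-VF.`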
--- /dev/null
+From d159457b84395927b5a52adb72f748dd089ad5e5 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 11 Feb 2016 16:10:24 -0500
+Subject: xen/pciback: Save the number of MSI-X entries to be copied later.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit d159457b84395927b5a52adb72f748dd089ad5e5 upstream.
+
+Commit 8135cf8b092723dbfcc611fe6fdcb3a36c9951c5 (xen/pciback: Save
+xen_pci_op commands before processing it) broke enabling MSI-X because
+it would never copy the resulting vectors into the response. The
+number of vectors requested was being overwritten by the return value
+(typically zero for success).
+
+Save the number of vectors before processing the op, so the correct
+number of vectors are copied afterwards.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-pciback/pciback_ops.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xen-pciback/pciback_ops.c
++++ b/drivers/xen/xen-pciback/pciback_ops.c
+@@ -333,6 +333,9 @@ void xen_pcibk_do_op(struct work_struct
+ struct xen_pcibk_dev_data *dev_data = NULL;
+ struct xen_pci_op *op = &pdev->op;
+ int test_intx = 0;
++#ifdef CONFIG_PCI_MSI
++ unsigned int nr = 0;
++#endif
+
+ *op = pdev->sh_info->op;
+ barrier();
+@@ -361,6 +364,7 @@ void xen_pcibk_do_op(struct work_struct
+ op->err = xen_pcibk_disable_msi(pdev, dev, op);
+ break;
+ case XEN_PCI_OP_enable_msix:
++ nr = op->value;
+ op->err = xen_pcibk_enable_msix(pdev, dev, op);
+ break;
+ case XEN_PCI_OP_disable_msix:
+@@ -383,7 +387,7 @@ void xen_pcibk_do_op(struct work_struct
+ if (op->cmd == XEN_PCI_OP_enable_msix && op->err == 0) {
+ unsigned int i;
+
+- for (i = 0; i < op->value; i++)
++ for (i = 0; i < nr; i++)
+ pdev->sh_info->op.msix_entries[i].vector =
+ op->msix_entries[i].vector;
+ }
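Review bot: The copy loop's bound `nr` is the `op->value` taken from the shared-info copy of the request before the call, and nothing in these hunks ties it to the size of `msix_entries`. The loop is safe only if `xen_pcibk_enable_msix()` rejects an oversized count before it returns 0; presumably it does, but that check is outside the hunks. If so, a comment next to `nr = op->value;` such as `/* range-checked by xen_pcibk_enable_msix(); used only when op->err == 0 */` would record the dependency. A local clamp, `nr = min_t(unsigned int, nr, ARRAY_SIZE(op->msix_entries));`, before the loop would make the bound hold regardless. `xen_pcibk_do_op()` starts and ends outside the hunks.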
--- /dev/null
+From 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 11 Feb 2016 16:10:26 -0500
+Subject: xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 4d8c8bd6f2062c9988817183a91fe2e623c8aa5e upstream.
+
+Occasionally PV guests would crash with:
+
+pciback 0000:00:00.1: Xen PCI mapped GSI0 to IRQ16
+BUG: unable to handle kernel paging request at 0000000d1a8c0be0
+.. snip..
+ <ffffffff8139ce1b>] find_next_bit+0xb/0x10
+ [<ffffffff81387f22>] cpumask_next_and+0x22/0x40
+ [<ffffffff813c1ef8>] pci_device_probe+0xb8/0x120
+ [<ffffffff81529097>] ? driver_sysfs_add+0x77/0xa0
+ [<ffffffff815293e4>] driver_probe_device+0x1a4/0x2d0
+ [<ffffffff813c1ddd>] ? pci_match_device+0xdd/0x110
+ [<ffffffff81529657>] __device_attach_driver+0xa7/0xb0
+ [<ffffffff815295b0>] ? __driver_attach+0xa0/0xa0
+ [<ffffffff81527622>] bus_for_each_drv+0x62/0x90
+ [<ffffffff8152978d>] __device_attach+0xbd/0x110
+ [<ffffffff815297fb>] device_attach+0xb/0x10
+ [<ffffffff813b75ac>] pci_bus_add_device+0x3c/0x70
+ [<ffffffff813b7618>] pci_bus_add_devices+0x38/0x80
+ [<ffffffff813dc34e>] pcifront_scan_root+0x13e/0x1a0
+ [<ffffffff817a0692>] pcifront_backend_changed+0x262/0x60b
+ [<ffffffff814644c6>] ? xenbus_gather+0xd6/0x160
+ [<ffffffff8120900f>] ? put_object+0x2f/0x50
+ [<ffffffff81465c1d>] xenbus_otherend_changed+0x9d/0xa0
+ [<ffffffff814678ee>] backend_changed+0xe/0x10
+ [<ffffffff81463a28>] xenwatch_thread+0xc8/0x190
+ [<ffffffff810f22f0>] ? woken_wake_function+0x10/0x10
+
+which was the result of two things:
+
+When we call pci_scan_root_bus we would pass in 'sd' (sysdata)
+pointer which was an 'pcifront_sd' structure. However in the
+pci_device_add it expects that the 'sd' is 'struct sysdata' and
+sets the dev->node to what is in sd->node (offset 4):
+
+set_dev_node(&dev->dev, pcibus_to_node(bus));
+
+ __pcibus_to_node(const struct pci_bus *bus)
+{
+ const struct pci_sysdata *sd = bus->sysdata;
+
+ return sd->node;
+}
+
+However our structure was pcifront_sd which had nothing at that
+offset:
+
+struct pcifront_sd {
+ int domain; /* 0 4 */
+ /* XXX 4 bytes hole, try to pack */
+ struct pcifront_device * pdev; /* 8 8 */
+}
+
+That is an hole - filled with garbage as we used kmalloc instead of
+kzalloc (the second problem).
+
+This patch fixes the issue by:
+ 1) Use kzalloc to initialize to a well known state.
+ 2) Put 'struct pci_sysdata' at the start of 'pcifront_sd'. That
+ way access to the 'node' will access the right offset.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/xen-pcifront.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/xen-pcifront.c
++++ b/drivers/pci/xen-pcifront.c
+@@ -53,7 +53,7 @@ struct pcifront_device {
+ };
+
+ struct pcifront_sd {
+- int domain;
++ struct pci_sysdata sd;
+ struct pcifront_device *pdev;
+ };
+
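Review bot: `struct pci_sysdata sd` has to remain the first member of `struct pcifront_sd`, because per the commit message the PCI core reads `bus->sysdata` as a `struct pci_sysdata`, yet nothing in the declaration states or enforces that. A comment on the member, `/* must be first: bus->sysdata is read as struct pci_sysdata */`, would document it. Adding `BUILD_BUG_ON(offsetof(struct pcifront_sd, sd) != 0);` in `pcifront_init_sd()` would stop a later reordering from quietly reintroducing the mismatched-layout read described in the commit message.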
+@@ -67,7 +67,9 @@ static inline void pcifront_init_sd(stru
+ unsigned int domain, unsigned int bus,
+ struct pcifront_device *pdev)
+ {
+- sd->domain = domain;
++ /* Because we do not expose that information via XenBus. */
++ sd->sd.node = first_online_node;
++ sd->sd.domain = domain;
+ sd->pdev = pdev;
+ }
+
+@@ -468,8 +470,8 @@ static int pcifront_scan_root(struct pci
+ dev_info(&pdev->xdev->dev, "Creating PCI Frontend Bus %04x:%02x\n",
+ domain, bus);
+
+- bus_entry = kmalloc(sizeof(*bus_entry), GFP_KERNEL);
+- sd = kmalloc(sizeof(*sd), GFP_KERNEL);
++ bus_entry = kzalloc(sizeof(*bus_entry), GFP_KERNEL);
++ sd = kzalloc(sizeof(*sd), GFP_KERNEL);
+ if (!bus_entry || !sd) {
+ err = -ENOMEM;
+ goto err_out;
--- /dev/null
+From f285aa8db7cc4432c1a03f8b55ff34fe96317c11 Mon Sep 17 00:00:00 2001
+From: Juergen Gross <jgross@suse.com>
+Date: Mon, 8 Feb 2016 15:30:18 +0100
+Subject: xen/scsiback: correct frontend counting
+
+From: Juergen Gross <jgross@suse.com>
+
+commit f285aa8db7cc4432c1a03f8b55ff34fe96317c11 upstream.
+
+When adding a new frontend to xen-scsiback don't decrement the number
+of active frontends in case of no error. Doing so results in a failure
+when trying to remove the xen-pvscsi nexus even if no domain is using
+it.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xen-scsiback.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/xen-scsiback.c
++++ b/drivers/xen/xen-scsiback.c
+@@ -939,12 +939,12 @@ out:
+ spin_unlock_irqrestore(&info->v2p_lock, flags);
+
+ out_free:
+- mutex_lock(&tpg->tv_tpg_mutex);
+- tpg->tv_tpg_fe_count--;
+- mutex_unlock(&tpg->tv_tpg_mutex);
+-
+- if (err)
++ if (err) {
++ mutex_lock(&tpg->tv_tpg_mutex);
++ tpg->tv_tpg_fe_count--;
++ mutex_unlock(&tpg->tv_tpg_mutex);
+ kfree(new);
++ }
+
+ return err;
+ }
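Review bot: After this change the success path leaves `tv_tpg_fe_count` raised, but nothing in the hunk says where the matching decrement happens, and the label `out_free:` is now reached on success without freeing anything. A comment above the `if (err)` block, e.g. `/* on success the frontend count stays raised until the translation entry is removed */`, would document the pairing, assuming removal is where the count is dropped, which is not visible here. It is also worth confirming that every `goto out_free` sits after the increment, otherwise an early failure would decrement a count it never raised. The function starts outside the hunk.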