--- /dev/null
+From 85e84ba31039595995dae80b277378213602891b Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Mon, 16 Mar 2015 10:59:43 +0000
+Subject: arm: KVM: force execution of HCPTR access on VM exit
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 85e84ba31039595995dae80b277378213602891b upstream.
+
+On VM entry, we disable access to the VFP registers in order to
+perform a lazy save/restore of these registers.
+
+On VM exit, we restore access, test if we did enable them before,
+and save/restore the guest/host registers if necessary. In this
+sequence, the FPEXC register is always accessed, irrespective
+of the trapping configuration.
+
+If the guest didn't touch the VFP registers, then the HCPTR access
+has now enabled such access, but we're missing a barrier to ensure
+architectural execution of the new HCPTR configuration. If the HCPTR
+access has been delayed/reordered, the subsequent access to FPEXC
+will cause a trap, which we aren't prepared to handle at all.
+
+The same condition exists when trapping to enable VFP for the guest.
+
+The fix is to introduce a barrier after enabling VFP access. In the
+vmexit case, it can be relaxed to only takes place if the guest hasn't
+accessed its view of the VFP registers, making the access to FPEXC safe.
+
+The set_hcptr macro is modified to deal with both vmenter/vmexit and
+vmtrap operations, and now takes an optional label that is branched to
+when the guest hasn't touched the VFP registers.
+
+Reported-by: Vikram Sethi <vikrams@codeaurora.org>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/interrupts.S | 10 ++++------
+ arch/arm/kvm/interrupts_head.S | 20 ++++++++++++++++++--
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/kvm/interrupts.S
++++ b/arch/arm/kvm/interrupts.S
+@@ -170,13 +170,9 @@ __kvm_vcpu_return:
+ @ Don't trap coprocessor accesses for host kernel
+ set_hstr vmexit
+ set_hdcr vmexit
+- set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11))
++ set_hcptr vmexit, (HCPTR_TTA | HCPTR_TCP(10) | HCPTR_TCP(11)), after_vfp_restore
+
+ #ifdef CONFIG_VFPv3
+- @ Save floating point registers we if let guest use them.
+- tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11))
+- bne after_vfp_restore
+-
+ @ Switch VFP/NEON hardware state to the host's
+ add r7, vcpu, #VCPU_VFP_GUEST
+ store_vfp_state r7
+@@ -188,6 +184,8 @@ after_vfp_restore:
+ @ Restore FPEXC_EN which we clobbered on entry
+ pop {r2}
+ VFPFMXR FPEXC, r2
++#else
++after_vfp_restore:
+ #endif
+
+ @ Reset Hyp-role
+@@ -483,7 +481,7 @@ switch_to_guest_vfp:
+ push {r3-r7}
+
+ @ NEON/VFP used. Turn on VFP access.
+- set_hcptr vmexit, (HCPTR_TCP(10) | HCPTR_TCP(11))
++ set_hcptr vmtrap, (HCPTR_TCP(10) | HCPTR_TCP(11))
+
+ @ Switch VFP/NEON hardware state to the guest's
+ add r7, r0, #VCPU_VFP_HOST
+--- a/arch/arm/kvm/interrupts_head.S
++++ b/arch/arm/kvm/interrupts_head.S
+@@ -599,8 +599,13 @@ ARM_BE8(rev r6, r6 )
+ .endm
+
+ /* Configures the HCPTR (Hyp Coprocessor Trap Register) on entry/return
+- * (hardware reset value is 0). Keep previous value in r2. */
+-.macro set_hcptr operation, mask
++ * (hardware reset value is 0). Keep previous value in r2.
++ * An ISB is emited on vmexit/vmtrap, but executed on vmexit only if
++ * VFP wasn't already enabled (always executed on vmtrap).
++ * If a label is specified with vmexit, it is branched to if VFP wasn't
++ * enabled.
++ */
++.macro set_hcptr operation, mask, label = none
+ mrc p15, 4, r2, c1, c1, 2
+ ldr r3, =\mask
+ .if \operation == vmentry
+@@ -609,6 +614,17 @@ ARM_BE8(rev r6, r6 )
+ bic r3, r2, r3 @ Don't trap defined coproc-accesses
+ .endif
+ mcr p15, 4, r3, c1, c1, 2
++ .if \operation != vmentry
++ .if \operation == vmexit
++ tst r2, #(HCPTR_TCP(10) | HCPTR_TCP(11))
++ beq 1f
++ .endif
++ isb
++ .if \label != none
++ b \label
++ .endif
++1:
++ .endif
+ .endm
+
+ /* Configures the HDCR (Hyp Debug Configuration Register) on entry/return
--- /dev/null
+From e2d997366dc5b6c9d14035867f73957f93e7578c Mon Sep 17 00:00:00 2001
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Date: Wed, 10 Jun 2015 15:19:24 +0100
+Subject: ARM: kvm: psci: fix handling of unimplemented functions
+
+From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+
+commit e2d997366dc5b6c9d14035867f73957f93e7578c upstream.
+
+According to the PSCI specification and the SMC/HVC calling
+convention, PSCI function_ids that are not implemented must
+return NOT_SUPPORTED as return value.
+
+Current KVM implementation takes an unhandled PSCI function_id
+as an error and injects an undefined instruction into the guest
+if PSCI implementation is called with a function_id that is not
+handled by the resident PSCI version (ie it is not implemented),
+which is not the behaviour expected by a guest when calling a
+PSCI function_id that is not implemented.
+
+This patch fixes this issue by returning NOT_SUPPORTED whenever
+the kvm PSCI call is executed for a function_id that is not
+implemented by the PSCI kvm layer.
+
+Cc: Christoffer Dall <christoffer.dall@linaro.org>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kvm/psci.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+--- a/arch/arm/kvm/psci.c
++++ b/arch/arm/kvm/psci.c
+@@ -230,10 +230,6 @@ static int kvm_psci_0_2_call(struct kvm_
+ case PSCI_0_2_FN64_AFFINITY_INFO:
+ val = kvm_psci_vcpu_affinity_info(vcpu);
+ break;
+- case PSCI_0_2_FN_MIGRATE:
+- case PSCI_0_2_FN64_MIGRATE:
+- val = PSCI_RET_NOT_SUPPORTED;
+- break;
+ case PSCI_0_2_FN_MIGRATE_INFO_TYPE:
+ /*
+ * Trusted OS is MP hence does not require migration
+@@ -242,10 +238,6 @@ static int kvm_psci_0_2_call(struct kvm_
+ */
+ val = PSCI_0_2_TOS_MP;
+ break;
+- case PSCI_0_2_FN_MIGRATE_INFO_UP_CPU:
+- case PSCI_0_2_FN64_MIGRATE_INFO_UP_CPU:
+- val = PSCI_RET_NOT_SUPPORTED;
+- break;
+ case PSCI_0_2_FN_SYSTEM_OFF:
+ kvm_psci_system_off(vcpu);
+ /*
+@@ -271,7 +263,8 @@ static int kvm_psci_0_2_call(struct kvm_
+ ret = 0;
+ break;
+ default:
+- return -EINVAL;
++ val = PSCI_RET_NOT_SUPPORTED;
++ break;
+ }
+
+ *vcpu_reg(vcpu, 0) = val;
+@@ -291,12 +284,9 @@ static int kvm_psci_0_1_call(struct kvm_
+ case KVM_PSCI_FN_CPU_ON:
+ val = kvm_psci_vcpu_on(vcpu);
+ break;
+- case KVM_PSCI_FN_CPU_SUSPEND:
+- case KVM_PSCI_FN_MIGRATE:
++ default:
+ val = PSCI_RET_NOT_SUPPORTED;
+ break;
+- default:
+- return -EINVAL;
+ }
+
+ *vcpu_reg(vcpu, 0) = val;
--- /dev/null
+From 2f5bc307be2480ba89e4c5d118f406f04a4a7299 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Tue, 16 Jun 2015 14:12:57 +0200
+Subject: ARM: mvebu: fix suspend to RAM on big-endian configurations
+
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+commit 2f5bc307be2480ba89e4c5d118f406f04a4a7299 upstream.
+
+The current Armada XP suspend to RAM implementation, as added in
+commit 27432825ae19f ("ARM: mvebu: Armada XP GP specific
+suspend/resume code") does not handle big-endian configurations
+properly: the small bit of assembly code putting the DRAM in
+self-refresh and toggling the GPIOs to turn off power forgets to
+convert the values to little-endian.
+
+This commit fixes that by making sure the two values we will write to
+the DRAM controller register and GPIO register are already in
+little-endian before entering the critical assembly code.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Fixes: 27432825ae19f ("ARM: mvebu: Armada XP GP specific suspend/resume code")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-mvebu/pm-board.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/mach-mvebu/pm-board.c
++++ b/arch/arm/mach-mvebu/pm-board.c
+@@ -43,6 +43,9 @@ static void mvebu_armada_xp_gp_pm_enter(
+ for (i = 0; i < ARMADA_XP_GP_PIC_NR_GPIOS; i++)
+ ackcmd |= BIT(pic_raw_gpios[i]);
+
++ srcmd = cpu_to_le32(srcmd);
++ ackcmd = cpu_to_le32(ackcmd);
++
+ /*
+ * Wait a while, the PIC needs quite a bit of time between the
+ * two GPIO commands.
--- /dev/null
+From 4d48edb3c3e1234d6b3fcdfb9ac24d7c6de449cb Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Thu, 15 Jan 2015 13:58:57 +0300
+Subject: ARM: tegra20: Store CPU "resettable" status in IRAM
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 4d48edb3c3e1234d6b3fcdfb9ac24d7c6de449cb upstream.
+
+Commit 7232398abc6a ("ARM: tegra: Convert PMC to a driver") changed tegra_resume()
+location storing from late to early and, as a result, broke suspend on Tegra20.
+PMC scratch register 41 is used by tegra LP1 resume code for retrieving stored
+physical memory address of common resume function and in the same time used by
+tegra20_cpu_shutdown() (shared by Tegra20 cpuidle driver and platform SMP code),
+which is storing CPU1 "resettable" status. It implies strict order of scratch
+register usage, otherwise resume function address is lost on Tegra20 after
+disabling non-boot CPU's on suspend. Fix it by storing "resettable" status in
+IRAM instead of PMC scratch register.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Fixes: 7232398abc6a (ARM: tegra: Convert PMC to a driver)
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-tegra/cpuidle-tegra20.c | 5 +---
+ arch/arm/mach-tegra/reset-handler.S | 10 ++++++---
+ arch/arm/mach-tegra/reset.h | 4 +++
+ arch/arm/mach-tegra/sleep-tegra20.S | 37 +++++++++++++++++++---------------
+ arch/arm/mach-tegra/sleep.h | 4 +++
+ 5 files changed, 38 insertions(+), 22 deletions(-)
+
+--- a/arch/arm/mach-tegra/cpuidle-tegra20.c
++++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
+@@ -35,6 +35,7 @@
+ #include "iomap.h"
+ #include "irq.h"
+ #include "pm.h"
++#include "reset.h"
+ #include "sleep.h"
+
+ #ifdef CONFIG_PM_SLEEP
+@@ -71,15 +72,13 @@ static struct cpuidle_driver tegra_idle_
+
+ #ifdef CONFIG_PM_SLEEP
+ #ifdef CONFIG_SMP
+-static void __iomem *pmc = IO_ADDRESS(TEGRA_PMC_BASE);
+-
+ static int tegra20_reset_sleeping_cpu_1(void)
+ {
+ int ret = 0;
+
+ tegra_pen_lock();
+
+- if (readl(pmc + PMC_SCRATCH41) == CPU_RESETTABLE)
++ if (readb(tegra20_cpu1_resettable_status) == CPU_RESETTABLE)
+ tegra20_cpu_shutdown(1);
+ else
+ ret = -EINVAL;
+--- a/arch/arm/mach-tegra/reset-handler.S
++++ b/arch/arm/mach-tegra/reset-handler.S
+@@ -169,10 +169,10 @@ after_errata:
+ cmp r6, #TEGRA20
+ bne 1f
+ /* If not CPU0, don't let CPU0 reset CPU1 now that CPU1 is coming up. */
+- mov32 r5, TEGRA_PMC_BASE
+- mov r0, #0
++ mov32 r5, TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET
++ mov r0, #CPU_NOT_RESETTABLE
+ cmp r10, #0
+- strne r0, [r5, #PMC_SCRATCH41]
++ strneb r0, [r5, #__tegra20_cpu1_resettable_status_offset]
+ 1:
+ #endif
+
+@@ -281,6 +281,10 @@ __tegra_cpu_reset_handler_data:
+ .rept TEGRA_RESET_DATA_SIZE
+ .long 0
+ .endr
++ .globl __tegra20_cpu1_resettable_status_offset
++ .equ __tegra20_cpu1_resettable_status_offset, \
++ . - __tegra_cpu_reset_handler_start
++ .byte 0
+ .align L1_CACHE_SHIFT
+
+ ENTRY(__tegra_cpu_reset_handler_end)
+--- a/arch/arm/mach-tegra/reset.h
++++ b/arch/arm/mach-tegra/reset.h
+@@ -35,6 +35,7 @@ extern unsigned long __tegra_cpu_reset_h
+
+ void __tegra_cpu_reset_handler_start(void);
+ void __tegra_cpu_reset_handler(void);
++void __tegra20_cpu1_resettable_status_offset(void);
+ void __tegra_cpu_reset_handler_end(void);
+ void tegra_secondary_startup(void);
+
+@@ -47,6 +48,9 @@ void tegra_secondary_startup(void);
+ (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \
+ ((u32)&__tegra_cpu_reset_handler_data[TEGRA_RESET_MASK_LP2] - \
+ (u32)__tegra_cpu_reset_handler_start)))
++#define tegra20_cpu1_resettable_status \
++ (IO_ADDRESS(TEGRA_IRAM_BASE + TEGRA_IRAM_RESET_HANDLER_OFFSET + \
++ (u32)__tegra20_cpu1_resettable_status_offset))
+ #endif
+
+ #define tegra_cpu_reset_handler_offset \
+--- a/arch/arm/mach-tegra/sleep-tegra20.S
++++ b/arch/arm/mach-tegra/sleep-tegra20.S
+@@ -97,9 +97,10 @@ ENDPROC(tegra20_hotplug_shutdown)
+ ENTRY(tegra20_cpu_shutdown)
+ cmp r0, #0
+ reteq lr @ must not be called for CPU 0
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
+ mov r12, #CPU_RESETTABLE
+- str r12, [r1]
++ strb r12, [r1, r2]
+
+ cpu_to_halt_reg r1, r0
+ ldr r3, =TEGRA_FLOW_CTRL_VIRT
+@@ -182,38 +183,41 @@ ENDPROC(tegra_pen_unlock)
+ /*
+ * tegra20_cpu_clear_resettable(void)
+ *
+- * Called to clear the "resettable soon" flag in PMC_SCRATCH41 when
++ * Called to clear the "resettable soon" flag in IRAM variable when
+ * it is expected that the secondary CPU will be idle soon.
+ */
+ ENTRY(tegra20_cpu_clear_resettable)
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
+ mov r12, #CPU_NOT_RESETTABLE
+- str r12, [r1]
++ strb r12, [r1, r2]
+ ret lr
+ ENDPROC(tegra20_cpu_clear_resettable)
+
+ /*
+ * tegra20_cpu_set_resettable_soon(void)
+ *
+- * Called to set the "resettable soon" flag in PMC_SCRATCH41 when
++ * Called to set the "resettable soon" flag in IRAM variable when
+ * it is expected that the secondary CPU will be idle soon.
+ */
+ ENTRY(tegra20_cpu_set_resettable_soon)
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
+ mov r12, #CPU_RESETTABLE_SOON
+- str r12, [r1]
++ strb r12, [r1, r2]
+ ret lr
+ ENDPROC(tegra20_cpu_set_resettable_soon)
+
+ /*
+ * tegra20_cpu_is_resettable_soon(void)
+ *
+- * Returns true if the "resettable soon" flag in PMC_SCRATCH41 has been
++ * Returns true if the "resettable soon" flag in IRAM variable has been
+ * set because it is expected that the secondary CPU will be idle soon.
+ */
+ ENTRY(tegra20_cpu_is_resettable_soon)
+- mov32 r1, TEGRA_PMC_VIRT + PMC_SCRATCH41
+- ldr r12, [r1]
++ mov32 r1, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r2, =__tegra20_cpu1_resettable_status_offset
++ ldrb r12, [r1, r2]
+ cmp r12, #CPU_RESETTABLE_SOON
+ moveq r0, #1
+ movne r0, #0
+@@ -256,9 +260,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish
+ mov r0, #TEGRA_FLUSH_CACHE_LOUIS
+ bl tegra_disable_clean_inv_dcache
+
+- mov32 r0, TEGRA_PMC_VIRT + PMC_SCRATCH41
++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r4, =__tegra20_cpu1_resettable_status_offset
+ mov r3, #CPU_RESETTABLE
+- str r3, [r0]
++ strb r3, [r0, r4]
+
+ bl tegra_cpu_do_idle
+
+@@ -274,10 +279,10 @@ ENTRY(tegra20_sleep_cpu_secondary_finish
+
+ bl tegra_pen_lock
+
+- mov32 r3, TEGRA_PMC_VIRT
+- add r0, r3, #PMC_SCRATCH41
++ mov32 r0, TEGRA_IRAM_RESET_BASE_VIRT
++ ldr r4, =__tegra20_cpu1_resettable_status_offset
+ mov r3, #CPU_NOT_RESETTABLE
+- str r3, [r0]
++ strb r3, [r0, r4]
+
+ bl tegra_pen_unlock
+
+--- a/arch/arm/mach-tegra/sleep.h
++++ b/arch/arm/mach-tegra/sleep.h
+@@ -18,6 +18,7 @@
+ #define __MACH_TEGRA_SLEEP_H
+
+ #include "iomap.h"
++#include "irammap.h"
+
+ #define TEGRA_ARM_PERIF_VIRT (TEGRA_ARM_PERIF_BASE - IO_CPU_PHYS \
+ + IO_CPU_VIRT)
+@@ -29,6 +30,9 @@
+ + IO_APB_VIRT)
+ #define TEGRA_PMC_VIRT (TEGRA_PMC_BASE - IO_APB_PHYS + IO_APB_VIRT)
+
++#define TEGRA_IRAM_RESET_BASE_VIRT (IO_IRAM_VIRT + \
++ TEGRA_IRAM_RESET_HANDLER_OFFSET)
++
+ /* PMC_SCRATCH37-39 and 41 are used for tegra_pen_lock and idle */
+ #define PMC_SCRATCH37 0x130
+ #define PMC_SCRATCH38 0x134
--- /dev/null
+From 5fa7dadc898567ce14d6d6d427e7bd8ce6eb5d39 Mon Sep 17 00:00:00 2001
+From: Horia Geant? <horia.geanta@freescale.com>
+Date: Mon, 11 May 2015 20:03:24 +0300
+Subject: crypto: talitos - avoid memleak in talitos_alg_alloc()
+
+From: Horia Geant? <horia.geanta@freescale.com>
+
+commit 5fa7dadc898567ce14d6d6d427e7bd8ce6eb5d39 upstream.
+
+Fixes: 1d11911a8c57 ("crypto: talitos - fix warning: 'alg' may be used uninitialized in this function")
+Signed-off-by: Horia Geanta <horia.geanta@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -2563,6 +2563,7 @@ static struct talitos_crypto_alg *talito
+ break;
+ default:
+ dev_err(dev, "unknown algorithm type %d\n", t_alg->algt.type);
++ kfree(t_alg);
+ return ERR_PTR(-EINVAL);
+ }
+
--- /dev/null
+From 2426f3910069ed47c0cc58559a6d088af7920201 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 21 May 2015 16:05:52 +0200
+Subject: fs: Fix S_NOSEC handling
+
+From: Jan Kara <jack@suse.cz>
+
+commit 2426f3910069ed47c0cc58559a6d088af7920201 upstream.
+
+file_remove_suid() could mistakenly set S_NOSEC inode bit when root was
+modifying the file. As a result following writes to the file by ordinary
+user would avoid clearing suid or sgid bits.
+
+Fix the bug by checking actual mode bits before setting S_NOSEC.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -1693,8 +1693,8 @@ int file_remove_suid(struct file *file)
+ error = security_inode_killpriv(dentry);
+ if (!error && killsuid)
+ error = __remove_suid(dentry, killsuid);
+- if (!error && (inode->i_sb->s_flags & MS_NOSEC))
+- inode->i_flags |= S_NOSEC;
++ if (!error)
++ inode_has_no_xattr(inode);
+
+ return error;
+ }
--- /dev/null
+From cdd9eefdf905e92e7fc6cc393314efe68dc6ff66 Mon Sep 17 00:00:00 2001
+From: Fabian Frederick <fabf@skynet.be>
+Date: Wed, 10 Jun 2015 10:09:32 +1000
+Subject: fs/ufs: restore s_lock mutex
+
+From: Fabian Frederick <fabf@skynet.be>
+
+commit cdd9eefdf905e92e7fc6cc393314efe68dc6ff66 upstream.
+
+Commit 0244756edc4b98c ("ufs: sb mutex merge + mutex_destroy") generated
+deadlocks in read/write mode on mkdir.
+
+This patch partially reverts it keeping fixes by Andrew Morton and
+mutex_destroy()
+
+[AV: fixed a missing bit in ufs_remount()]
+
+Signed-off-by: Fabian Frederick <fabf@skynet.be>
+Reported-by: Ian Campbell <ian.campbell@citrix.com>
+Suggested-by: Jan Kara <jack@suse.cz>
+Cc: Ian Campbell <ian.campbell@citrix.com>
+Cc: Evgeniy Dushistov <dushistov@mail.ru>
+Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Roger Pau Monne <roger.pau@citrix.com>
+Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ufs/balloc.c | 34 +++++++++++++++++-----------------
+ fs/ufs/ialloc.c | 16 ++++++++--------
+ fs/ufs/super.c | 10 ++++++++++
+ fs/ufs/ufs.h | 1 +
+ 4 files changed, 36 insertions(+), 25 deletions(-)
+
+--- a/fs/ufs/balloc.c
++++ b/fs/ufs/balloc.c
+@@ -51,8 +51,8 @@ void ufs_free_fragments(struct inode *in
+
+ if (ufs_fragnum(fragment) + count > uspi->s_fpg)
+ ufs_error (sb, "ufs_free_fragments", "internal error");
+-
+- lock_ufs(sb);
++
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ cgno = ufs_dtog(uspi, fragment);
+ bit = ufs_dtogd(uspi, fragment);
+@@ -115,13 +115,13 @@ void ufs_free_fragments(struct inode *in
+ if (sb->s_flags & MS_SYNCHRONOUS)
+ ubh_sync_block(UCPI_UBH(ucpi));
+ ufs_mark_sb_dirty(sb);
+-
+- unlock_ufs(sb);
++
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT\n");
+ return;
+
+ failed:
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT (FAILED)\n");
+ return;
+ }
+@@ -151,7 +151,7 @@ void ufs_free_blocks(struct inode *inode
+ goto failed;
+ }
+
+- lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ do_more:
+ overflow = 0;
+@@ -211,12 +211,12 @@ do_more:
+ }
+
+ ufs_mark_sb_dirty(sb);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT\n");
+ return;
+
+ failed_unlock:
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ failed:
+ UFSD("EXIT (FAILED)\n");
+ return;
+@@ -357,7 +357,7 @@ u64 ufs_new_fragments(struct inode *inod
+ usb1 = ubh_get_usb_first(uspi);
+ *err = -ENOSPC;
+
+- lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+ tmp = ufs_data_ptr_to_cpu(sb, p);
+
+ if (count + ufs_fragnum(fragment) > uspi->s_fpb) {
+@@ -378,19 +378,19 @@ u64 ufs_new_fragments(struct inode *inod
+ "fragment %llu, tmp %llu\n",
+ (unsigned long long)fragment,
+ (unsigned long long)tmp);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return INVBLOCK;
+ }
+ if (fragment < UFS_I(inode)->i_lastfrag) {
+ UFSD("EXIT (ALREADY ALLOCATED)\n");
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return 0;
+ }
+ }
+ else {
+ if (tmp) {
+ UFSD("EXIT (ALREADY ALLOCATED)\n");
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return 0;
+ }
+ }
+@@ -399,7 +399,7 @@ u64 ufs_new_fragments(struct inode *inod
+ * There is not enough space for user on the device
+ */
+ if (!capable(CAP_SYS_RESOURCE) && ufs_freespace(uspi, UFS_MINFREE) <= 0) {
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT (FAILED)\n");
+ return 0;
+ }
+@@ -424,7 +424,7 @@ u64 ufs_new_fragments(struct inode *inod
+ ufs_clear_frags(inode, result + oldcount,
+ newcount - oldcount, locked_page != NULL);
+ }
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT, result %llu\n", (unsigned long long)result);
+ return result;
+ }
+@@ -439,7 +439,7 @@ u64 ufs_new_fragments(struct inode *inod
+ fragment + count);
+ ufs_clear_frags(inode, result + oldcount, newcount - oldcount,
+ locked_page != NULL);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT, result %llu\n", (unsigned long long)result);
+ return result;
+ }
+@@ -477,7 +477,7 @@ u64 ufs_new_fragments(struct inode *inod
+ *err = 0;
+ UFS_I(inode)->i_lastfrag = max(UFS_I(inode)->i_lastfrag,
+ fragment + count);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ if (newcount < request)
+ ufs_free_fragments (inode, result + newcount, request - newcount);
+ ufs_free_fragments (inode, tmp, oldcount);
+@@ -485,7 +485,7 @@ u64 ufs_new_fragments(struct inode *inod
+ return result;
+ }
+
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT (FAILED)\n");
+ return 0;
+ }
+--- a/fs/ufs/ialloc.c
++++ b/fs/ufs/ialloc.c
+@@ -69,11 +69,11 @@ void ufs_free_inode (struct inode * inod
+
+ ino = inode->i_ino;
+
+- lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ if (!((ino > 1) && (ino < (uspi->s_ncg * uspi->s_ipg )))) {
+ ufs_warning(sb, "ufs_free_inode", "reserved inode or nonexistent inode %u\n", ino);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return;
+ }
+
+@@ -81,7 +81,7 @@ void ufs_free_inode (struct inode * inod
+ bit = ufs_inotocgoff (ino);
+ ucpi = ufs_load_cylinder (sb, cg);
+ if (!ucpi) {
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ return;
+ }
+ ucg = ubh_get_ucg(UCPI_UBH(ucpi));
+@@ -115,7 +115,7 @@ void ufs_free_inode (struct inode * inod
+ ubh_sync_block(UCPI_UBH(ucpi));
+
+ ufs_mark_sb_dirty(sb);
+- unlock_ufs(sb);
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ UFSD("EXIT\n");
+ }
+
+@@ -193,7 +193,7 @@ struct inode *ufs_new_inode(struct inode
+ sbi = UFS_SB(sb);
+ uspi = sbi->s_uspi;
+
+- lock_ufs(sb);
++ mutex_lock(&sbi->s_lock);
+
+ /*
+ * Try to place the inode in its parent directory
+@@ -331,21 +331,21 @@ cg_found:
+ sync_dirty_buffer(bh);
+ brelse(bh);
+ }
+- unlock_ufs(sb);
++ mutex_unlock(&sbi->s_lock);
+
+ UFSD("allocating inode %lu\n", inode->i_ino);
+ UFSD("EXIT\n");
+ return inode;
+
+ fail_remove_inode:
+- unlock_ufs(sb);
++ mutex_unlock(&sbi->s_lock);
+ clear_nlink(inode);
+ unlock_new_inode(inode);
+ iput(inode);
+ UFSD("EXIT (FAILED): err %d\n", err);
+ return ERR_PTR(err);
+ failed:
+- unlock_ufs(sb);
++ mutex_unlock(&sbi->s_lock);
+ make_bad_inode(inode);
+ iput (inode);
+ UFSD("EXIT (FAILED): err %d\n", err);
+--- a/fs/ufs/super.c
++++ b/fs/ufs/super.c
+@@ -694,6 +694,7 @@ static int ufs_sync_fs(struct super_bloc
+ unsigned flags;
+
+ lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+
+ UFSD("ENTER\n");
+
+@@ -711,6 +712,7 @@ static int ufs_sync_fs(struct super_bloc
+ ufs_put_cstotal(sb);
+
+ UFSD("EXIT\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+
+ return 0;
+@@ -1277,6 +1279,7 @@ static int ufs_remount (struct super_blo
+
+ sync_filesystem(sb);
+ lock_ufs(sb);
++ mutex_lock(&UFS_SB(sb)->s_lock);
+ uspi = UFS_SB(sb)->s_uspi;
+ flags = UFS_SB(sb)->s_flags;
+ usb1 = ubh_get_usb_first(uspi);
+@@ -1290,6 +1293,7 @@ static int ufs_remount (struct super_blo
+ new_mount_opt = 0;
+ ufs_set_opt (new_mount_opt, ONERROR_LOCK);
+ if (!ufs_parse_options (data, &new_mount_opt)) {
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ }
+@@ -1297,12 +1301,14 @@ static int ufs_remount (struct super_blo
+ new_mount_opt |= ufstype;
+ } else if ((new_mount_opt & UFS_MOUNT_UFSTYPE) != ufstype) {
+ pr_err("ufstype can't be changed during remount\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ }
+
+ if ((*mount_flags & MS_RDONLY) == (sb->s_flags & MS_RDONLY)) {
+ UFS_SB(sb)->s_mount_opt = new_mount_opt;
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return 0;
+ }
+@@ -1326,6 +1332,7 @@ static int ufs_remount (struct super_blo
+ */
+ #ifndef CONFIG_UFS_FS_WRITE
+ pr_err("ufs was compiled with read-only support, can't be mounted as read-write\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ #else
+@@ -1335,11 +1342,13 @@ static int ufs_remount (struct super_blo
+ ufstype != UFS_MOUNT_UFSTYPE_SUNx86 &&
+ ufstype != UFS_MOUNT_UFSTYPE_UFS2) {
+ pr_err("this ufstype is read-only supported\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EINVAL;
+ }
+ if (!ufs_read_cylinder_structures(sb)) {
+ pr_err("failed during remounting\n");
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return -EPERM;
+ }
+@@ -1347,6 +1356,7 @@ static int ufs_remount (struct super_blo
+ #endif
+ }
+ UFS_SB(sb)->s_mount_opt = new_mount_opt;
++ mutex_unlock(&UFS_SB(sb)->s_lock);
+ unlock_ufs(sb);
+ return 0;
+ }
+--- a/fs/ufs/ufs.h
++++ b/fs/ufs/ufs.h
+@@ -30,6 +30,7 @@ struct ufs_sb_info {
+ int work_queued; /* non-zero if the delayed work is queued */
+ struct delayed_work sync_work; /* FS sync delayed work */
+ spinlock_t work_lock; /* protects sync_work and work_queued */
++ struct mutex s_lock;
+ };
+
+ struct ufs_inode_info {
--- /dev/null
+From 13b987ea275840d74d9df9a44326632fab1894da Mon Sep 17 00:00:00 2001
+From: Fabian Frederick <fabf@skynet.be>
+Date: Wed, 10 Jun 2015 10:09:32 +1000
+Subject: fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge"
+
+From: Fabian Frederick <fabf@skynet.be>
+
+commit 13b987ea275840d74d9df9a44326632fab1894da upstream.
+
+This reverts commit 9ef7db7f38d0 ("ufs: fix deadlocks introduced by sb
+mutex merge") That patch tried to solve commit 0244756edc4b98c ("ufs: sb
+mutex merge + mutex_destroy") which is itself partially reverted due to
+multiple deadlocks.
+
+Signed-off-by: Fabian Frederick <fabf@skynet.be>
+Suggested-by: Jan Kara <jack@suse.cz>
+Cc: Ian Campbell <ian.campbell@citrix.com>
+Cc: Evgeniy Dushistov <dushistov@mail.ru>
+Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Roger Pau Monne <roger.pau@citrix.com>
+Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ufs/inode.c | 5 ++++-
+ fs/ufs/namei.c | 14 ++++++++------
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/fs/ufs/inode.c
++++ b/fs/ufs/inode.c
+@@ -902,6 +902,9 @@ void ufs_evict_inode(struct inode * inod
+ invalidate_inode_buffers(inode);
+ clear_inode(inode);
+
+- if (want_delete)
++ if (want_delete) {
++ lock_ufs(inode->i_sb);
+ ufs_free_inode(inode);
++ unlock_ufs(inode->i_sb);
++ }
+ }
+--- a/fs/ufs/namei.c
++++ b/fs/ufs/namei.c
+@@ -128,12 +128,12 @@ static int ufs_symlink (struct inode * d
+ if (l > sb->s_blocksize)
+ goto out_notlocked;
+
++ lock_ufs(dir->i_sb);
+ inode = ufs_new_inode(dir, S_IFLNK | S_IRWXUGO);
+ err = PTR_ERR(inode);
+ if (IS_ERR(inode))
+- goto out_notlocked;
++ goto out;
+
+- lock_ufs(dir->i_sb);
+ if (l > UFS_SB(sb)->s_uspi->s_maxsymlinklen) {
+ /* slow symlink */
+ inode->i_op = &ufs_symlink_inode_operations;
+@@ -184,9 +184,13 @@ static int ufs_mkdir(struct inode * dir,
+ struct inode * inode;
+ int err;
+
++ lock_ufs(dir->i_sb);
++ inode_inc_link_count(dir);
++
+ inode = ufs_new_inode(dir, S_IFDIR|mode);
++ err = PTR_ERR(inode);
+ if (IS_ERR(inode))
+- return PTR_ERR(inode);
++ goto out_dir;
+
+ inode->i_op = &ufs_dir_inode_operations;
+ inode->i_fop = &ufs_dir_operations;
+@@ -194,9 +198,6 @@ static int ufs_mkdir(struct inode * dir,
+
+ inode_inc_link_count(inode);
+
+- lock_ufs(dir->i_sb);
+- inode_inc_link_count(dir);
+-
+ err = ufs_make_empty(inode, dir);
+ if (err)
+ goto out_fail;
+@@ -215,6 +216,7 @@ out_fail:
+ inode_dec_link_count(inode);
+ unlock_new_inode(inode);
+ iput (inode);
++out_dir:
+ inode_dec_link_count(dir);
+ unlock_ufs(dir->i_sb);
+ goto out;
--- /dev/null
+From 0dd23f94251f49da99a6cbfb22418b2d757d77d6 Mon Sep 17 00:00:00 2001
+From: Joe Konno <joe.konno@intel.com>
+Date: Tue, 12 May 2015 07:59:42 -0700
+Subject: intel_pstate: set BYT MSR with wrmsrl_on_cpu()
+
+From: Joe Konno <joe.konno@intel.com>
+
+commit 0dd23f94251f49da99a6cbfb22418b2d757d77d6 upstream.
+
+Commit 007bea098b86 (intel_pstate: Add setting voltage value for
+baytrail P states.) introduced byt_set_pstate() with the assumption that
+it would always be run by the CPU whose MSR is to be written by it. It
+turns out, however, that is not always the case in practice, so modify
+byt_set_pstate() to enforce the MSR write done by it to always happen on
+the right CPU.
+
+Fixes: 007bea098b86 (intel_pstate: Add setting voltage value for baytrail P states.)
+Signed-off-by: Joe Konno <joe.konno@intel.com>
+Acked-by: Kristen Carlson Accardi <kristen@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/intel_pstate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -534,7 +534,7 @@ static void byt_set_pstate(struct cpudat
+
+ val |= vid;
+
+- wrmsrl(MSR_IA32_PERF_CTL, val);
++ wrmsrl_on_cpu(cpudata->cpu, MSR_IA32_PERF_CTL, val);
+ }
+
+ #define BYT_BCLK_FREQS 5
--- /dev/null
+From 0b3fff54bc01e8e6064d222a33e6fa7adabd94cd Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Thu, 18 Jun 2015 10:48:34 +0200
+Subject: iommu/amd: Handle large pages correctly in free_pagetable
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 0b3fff54bc01e8e6064d222a33e6fa7adabd94cd upstream.
+
+Make sure that we are skipping over large PTEs while walking
+the page-table tree.
+
+Fixes: 5c34c403b723 ("iommu/amd: Fix memory leak in free_pagetable")
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/iommu/amd_iommu.c
++++ b/drivers/iommu/amd_iommu.c
+@@ -1870,9 +1870,15 @@ static void free_pt_##LVL (unsigned long
+ pt = (u64 *)__pt; \
+ \
+ for (i = 0; i < 512; ++i) { \
++ /* PTE present? */ \
+ if (!IOMMU_PTE_PRESENT(pt[i])) \
+ continue; \
+ \
++ /* Large PTE? */ \
++ if (PM_PTE_LEVEL(pt[i]) == 0 || \
++ PM_PTE_LEVEL(pt[i]) == 7) \
++ continue; \
++ \
+ p = (unsigned long)IOMMU_PTE_PAGE(pt[i]); \
+ FN(p); \
+ } \
--- /dev/null
+From d38f0ff9ab35414644995bae187d015c31aae19c Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 29 Jun 2015 17:47:42 +0100
+Subject: iommu/arm-smmu: Fix broken ATOS check
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit d38f0ff9ab35414644995bae187d015c31aae19c upstream.
+
+Commit 83a60ed8f0b5 ("iommu/arm-smmu: fix ARM_SMMU_FEAT_TRANS_OPS
+condition") accidentally negated the ID0_ATOSNS predicate in the ATOS
+feature check, causing the driver to attempt ATOS requests on SMMUv2
+hardware without the ATOS feature implemented.
+
+This patch restores the predicate to the correct value.
+
+Reported-by: Varun Sethi <varun.sethi@freescale.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/arm-smmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/arm-smmu.c
++++ b/drivers/iommu/arm-smmu.c
+@@ -1533,7 +1533,7 @@ static int arm_smmu_device_cfg_probe(str
+ return -ENODEV;
+ }
+
+- if ((id & ID0_S1TS) && ((smmu->version == 1) || (id & ID0_ATOSNS))) {
++ if ((id & ID0_S1TS) && ((smmu->version == 1) || !(id & ID0_ATOSNS))) {
+ smmu->features |= ARM_SMMU_FEAT_TRANS_OPS;
+ dev_notice(smmu->dev, "\taddress translation ops\n");
+ }
--- /dev/null
+From 69a1220060c1523fd0515216eaa29e22f133b894 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 18 May 2015 08:35:43 +0200
+Subject: KVM: mips: use id_to_memslot correctly
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 69a1220060c1523fd0515216eaa29e22f133b894 upstream.
+
+The argument to KVM_GET_DIRTY_LOG is a memslot id; it may not match the
+position in the memslots array, which is sorted by gfn.
+
+Reviewed-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kvm/mips.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/mips.c
++++ b/arch/mips/kvm/mips.c
+@@ -785,7 +785,7 @@ int kvm_vm_ioctl_get_dirty_log(struct kv
+
+ /* If nothing is dirty, don't bother messing with page tables. */
+ if (is_dirty) {
+- memslot = &kvm->memslots->memslots[log->slot];
++ memslot = id_to_memslot(kvm->memslots, log->slot);
+
+ ga = memslot->base_gfn << PAGE_SHIFT;
+ ga_end = ga + (memslot->npages << PAGE_SHIFT);
--- /dev/null
+From b938eacea0b6881f2116a061e6da3ec840e75137 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Date: Thu, 30 Apr 2015 13:33:59 +0200
+Subject: KVM: s390: fix external call injection without sigp interpretation
+
+From: David Hildenbrand <dahi@linux.vnet.ibm.com>
+
+commit b938eacea0b6881f2116a061e6da3ec840e75137 upstream.
+
+Commit ea5f49692575 ("KVM: s390: only one external call may be pending
+at a time") introduced a bug on machines that don't have SIGP
+interpretation facility installed.
+The injection of an external call will now always fail with -EBUSY
+(if none is already pending).
+
+This leads to the following symptoms:
+- An external call will be injected but with the wrong "src cpu id",
+ as this id will not be remembered.
+- The target vcpu will not be woken up, therefore the guest will hang if
+ it cannot deal with unexpected failures of the SIGP EXTERNAL CALL
+ instruction.
+- If an external call is already pending, -EBUSY will not be reported.
+
+Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Reviewed-by: Jens Freimann <jfrei@linux.vnet.ibm.com>
+Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kvm/interrupt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -1037,7 +1037,7 @@ static int __inject_extcall(struct kvm_v
+ if (sclp_has_sigpif())
+ return __inject_extcall_sigpif(vcpu, src_id);
+
+- if (!test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs))
++ if (test_and_set_bit(IRQ_PEND_EXT_EXTERNAL, &li->pending_irqs))
+ return -EBUSY;
+ *extcall = irq->u.extcall;
+ atomic_set_mask(CPUSTAT_EXT_INT, li->cpuflags);
--- /dev/null
+From 431dae778aea4eed31bd12e5ee82edc571cd4d70 Mon Sep 17 00:00:00 2001
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+Date: Mon, 29 Jun 2015 16:44:01 +0200
+Subject: KVM: s390: virtio-ccw: don't overwrite config space values
+
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+
+commit 431dae778aea4eed31bd12e5ee82edc571cd4d70 upstream.
+
+Eric noticed problems with vhost-scsi and virtio-ccw: vhost-scsi
+complained about overwriting values in the config space, which
+was triggered by a broken implementation of virtio-ccw's config
+get/set routines. It was probably sheer luck that we did not hit
+this before.
+
+When writing a value to the config space, the WRITE_CONF ccw will
+always write from the beginning of the config space up to and
+including the value to be set. If the config space up to the value
+has not yet been retrieved from the device, however, we'll end up
+overwriting values. Keep track of the known config space and update
+if needed to avoid this.
+
+Moreover, READ_CONF will only read the number of bytes it has been
+instructed to retrieve, so we must not copy more than that to the
+buffer, or we might overwrite trailing values.
+
+Reported-by: Eric Farman <farman@linux.vnet.ibm.com>
+Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Reviewed-by: Eric Farman <farman@linux.vnet.ibm.com>
+Tested-by: Eric Farman <farman@linux.vnet.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/kvm/virtio_ccw.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/s390/kvm/virtio_ccw.c
++++ b/drivers/s390/kvm/virtio_ccw.c
+@@ -65,6 +65,7 @@ struct virtio_ccw_device {
+ bool is_thinint;
+ bool going_away;
+ bool device_lost;
++ unsigned int config_ready;
+ void *airq_info;
+ };
+
+@@ -833,8 +834,11 @@ static void virtio_ccw_get_config(struct
+ if (ret)
+ goto out_free;
+
+- memcpy(vcdev->config, config_area, sizeof(vcdev->config));
+- memcpy(buf, &vcdev->config[offset], len);
++ memcpy(vcdev->config, config_area, offset + len);
++ if (buf)
++ memcpy(buf, &vcdev->config[offset], len);
++ if (vcdev->config_ready < offset + len)
++ vcdev->config_ready = offset + len;
+
+ out_free:
+ kfree(config_area);
+@@ -857,6 +861,9 @@ static void virtio_ccw_set_config(struct
+ if (!config_area)
+ goto out_free;
+
++ /* Make sure we don't overwrite fields. */
++ if (vcdev->config_ready < offset)
++ virtio_ccw_get_config(vdev, 0, NULL, offset);
+ memcpy(&vcdev->config[offset], buf, len);
+ /* Write the config area to the host. */
+ memcpy(config_area, vcdev->config, sizeof(vcdev->config));
--- /dev/null
+From 42720138b06301cc8a7ee8a495a6d021c4b6a9bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Wed, 1 Jul 2015 15:31:49 +0200
+Subject: KVM: x86: make vapics_in_nmi_mode atomic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+
+commit 42720138b06301cc8a7ee8a495a6d021c4b6a9bc upstream.
+
+Writes were a bit racy, but hard to turn into a bug at the same time.
+(Particularly because modern Linux doesn't use this feature anymore.)
+
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+[Actually the next patch makes it much, much easier to trigger the race
+ so I'm including this one for stable@ as well. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/kvm_host.h | 2 +-
+ arch/x86/kvm/i8254.c | 2 +-
+ arch/x86/kvm/lapic.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -583,7 +583,7 @@ struct kvm_arch {
+ struct kvm_pic *vpic;
+ struct kvm_ioapic *vioapic;
+ struct kvm_pit *vpit;
+- int vapics_in_nmi_mode;
++ atomic_t vapics_in_nmi_mode;
+ struct mutex apic_map_lock;
+ struct kvm_apic_map *apic_map;
+
+--- a/arch/x86/kvm/i8254.c
++++ b/arch/x86/kvm/i8254.c
+@@ -305,7 +305,7 @@ static void pit_do_work(struct kthread_w
+ * LVT0 to NMI delivery. Other PIC interrupts are just sent to
+ * VCPU0, and only if its LVT0 is in EXTINT mode.
+ */
+- if (kvm->arch.vapics_in_nmi_mode > 0)
++ if (atomic_read(&kvm->arch.vapics_in_nmi_mode) > 0)
+ kvm_for_each_vcpu(i, vcpu, kvm)
+ kvm_apic_nmi_wd_deliver(vcpu);
+ }
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1224,10 +1224,10 @@ static void apic_manage_nmi_watchdog(str
+ if (!nmi_wd_enabled) {
+ apic_debug("Receive NMI setting on APIC_LVT0 "
+ "for cpu %d\n", apic->vcpu->vcpu_id);
+- apic->vcpu->kvm->arch.vapics_in_nmi_mode++;
++ atomic_inc(&apic->vcpu->kvm->arch.vapics_in_nmi_mode);
+ }
+ } else if (nmi_wd_enabled)
+- apic->vcpu->kvm->arch.vapics_in_nmi_mode--;
++ atomic_dec(&apic->vcpu->kvm->arch.vapics_in_nmi_mode);
+ }
+
+ static int apic_reg_write(struct kvm_lapic *apic, u32 reg, u32 val)
--- /dev/null
+From db1385624c686fe99fe2d1b61a36e1537b915d08 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Tue, 30 Jun 2015 22:19:17 +0200
+Subject: KVM: x86: properly restore LVT0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+
+commit db1385624c686fe99fe2d1b61a36e1537b915d08 upstream.
+
+Legacy NMI watchdog didn't work after migration/resume, because
+vapics_in_nmi_mode was left at 0.
+
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/lapic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -1784,6 +1784,7 @@ void kvm_apic_post_state_restore(struct
+ apic_update_ppr(apic);
+ hrtimer_cancel(&apic->lapic_timer.timer);
+ apic_update_lvtt(apic);
++ apic_manage_nmi_watchdog(apic, kvm_apic_get_reg(apic, APIC_LVT0));
+ update_divide_count(apic);
+ start_apic_timer(apic);
+ apic->irr_pending = true;
--- /dev/null
+From 8e748c8d09a9314eedb5c6367d9acfaacddcdc88 Mon Sep 17 00:00:00 2001
+From: James Hogan <james.hogan@imgtec.com>
+Date: Mon, 27 Apr 2015 15:07:16 +0100
+Subject: MIPS: Fix KVM guest fixmap address
+
+From: James Hogan <james.hogan@imgtec.com>
+
+commit 8e748c8d09a9314eedb5c6367d9acfaacddcdc88 upstream.
+
+KVM guest kernels for trap & emulate run in user mode, with a modified
+set of kernel memory segments. However the fixmap address is still in
+the normal KSeg3 region at 0xfffe0000 regardless, causing problems when
+cache alias handling makes use of them when handling copy on write.
+
+Therefore define FIXADDR_TOP as 0x7ffe0000 in the guest kernel mapped
+region when CONFIG_KVM_GUEST is defined.
+
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/9887/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/mach-generic/spaces.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/mips/include/asm/mach-generic/spaces.h
++++ b/arch/mips/include/asm/mach-generic/spaces.h
+@@ -94,7 +94,11 @@
+ #endif
+
+ #ifndef FIXADDR_TOP
++#ifdef CONFIG_KVM_GUEST
++#define FIXADDR_TOP ((unsigned long)(long)(int)0x7ffe0000)
++#else
+ #define FIXADDR_TOP ((unsigned long)(long)(int)0xfffe0000)
+ #endif
++#endif
+
+ #endif /* __ASM_MACH_GENERIC_SPACES_H */
--- /dev/null
+From 62a7f368ffbc13d9aedfdd7aeae711b177db69ac Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 12 Jun 2015 11:45:02 +0200
+Subject: mmc: sdhci: fix low memory corruption
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 62a7f368ffbc13d9aedfdd7aeae711b177db69ac upstream.
+
+When dma mapping (dma_map_sg) fails in sdhci_pre_dma_transfer, -EINVAL
+is returned. There are 3 callers of sdhci_pre_dma_transfer:
+* sdhci_pre_req and sdhci_adma_table_pre: handle negative return
+* sdhci_prepare_data: handles 0 (error) and "else" (good) only
+
+sdhci_prepare_data is therefore broken. When it receives -EINVAL from
+sdhci_pre_dma_transfer, it assumes 1 sg mapping was mapped. Later,
+this non-existent mapping with address 0 is kmap'ped and written to:
+Corrupted low memory at ffff880000001000 (1000 phys) = 22b7d67df2f6d1cf
+Corrupted low memory at ffff880000001008 (1008 phys) = 63848a5216b7dd95
+Corrupted low memory at ffff880000001010 (1010 phys) = 330eb7ddef39e427
+Corrupted low memory at ffff880000001018 (1018 phys) = 8017ac7295039bda
+Corrupted low memory at ffff880000001020 (1020 phys) = 8ce039eac119074f
+...
+
+So teach sdhci_prepare_data to understand negative return values from
+sdhci_pre_dma_transfer and disable DMA in that case, as well as for
+zero.
+
+It was introduced in 348487cb28e66b032bae1b38424d81bf5b444408 (mmc:
+sdhci: use pipeline mmc requests to improve performance). The commit
+seems to be suspicious also by assigning host->sg_count both in
+sdhci_pre_dma_transfer and sdhci_adma_table_pre.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Fixes: 348487cb28e6
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Haibo Chen <haibo.chen@freescale.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -846,7 +846,7 @@ static void sdhci_prepare_data(struct sd
+ int sg_cnt;
+
+ sg_cnt = sdhci_pre_dma_transfer(host, data, NULL);
+- if (sg_cnt == 0) {
++ if (sg_cnt <= 0) {
+ /*
+ * This only happens when someone fed
+ * us an invalid request.
--- /dev/null
+From 72e349f1124a114435e599479c9b8d14bfd1ebcd Mon Sep 17 00:00:00 2001
+From: Anton Blanchard <anton@samba.org>
+Date: Tue, 26 May 2015 15:10:24 +1000
+Subject: powerpc/perf: Fix book3s kernel to userspace backtraces
+
+From: Anton Blanchard <anton@samba.org>
+
+commit 72e349f1124a114435e599479c9b8d14bfd1ebcd upstream.
+
+When we take a PMU exception or a software event we call
+perf_read_regs(). This overloads regs->result with a boolean that
+describes if we should use the sampled instruction address register
+(SIAR) or the regs.
+
+If the exception is in kernel, we start with the kernel regs and
+backtrace through the kernel stack. At this point we switch to the
+userspace regs and backtrace the user stack with perf_callchain_user().
+
+Unfortunately these regs have not got the perf_read_regs() treatment,
+so regs->result could be anything. If it is non zero,
+perf_instruction_pointer() decides to use the SIAR, and we get issues
+like this:
+
+0.11% qemu-system-ppc [kernel.kallsyms] [k] _raw_spin_lock_irqsave
+ |
+ ---_raw_spin_lock_irqsave
+ |
+ |--52.35%-- 0
+ | |
+ | |--46.39%-- __hrtimer_start_range_ns
+ | | kvmppc_run_core
+ | | kvmppc_vcpu_run_hv
+ | | kvmppc_vcpu_run
+ | | kvm_arch_vcpu_ioctl_run
+ | | kvm_vcpu_ioctl
+ | | do_vfs_ioctl
+ | | sys_ioctl
+ | | system_call
+ | | |
+ | | |--67.08%-- _raw_spin_lock_irqsave <--- hi mum
+ | | | |
+ | | | --100.00%-- 0x7e714
+ | | | 0x7e714
+
+Notice the bogus _raw_spin_irqsave when we transition from kernel
+(system_call) to userspace (0x7e714). We inserted what was in the SIAR.
+
+Add a check in regs_use_siar() to check that the regs in question
+are from a PMU exception. With this fix the backtrace makes sense:
+
+ 0.47% qemu-system-ppc [kernel.vmlinux] [k] _raw_spin_lock_irqsave
+ |
+ ---_raw_spin_lock_irqsave
+ |
+ |--53.83%-- 0
+ | |
+ | |--44.73%-- hrtimer_try_to_cancel
+ | | kvmppc_start_thread
+ | | kvmppc_run_core
+ | | kvmppc_vcpu_run_hv
+ | | kvmppc_vcpu_run
+ | | kvm_arch_vcpu_ioctl_run
+ | | kvm_vcpu_ioctl
+ | | do_vfs_ioctl
+ | | sys_ioctl
+ | | system_call
+ | | __ioctl
+ | | 0x7e714
+ | | 0x7e714
+
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/core-book3s.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -131,7 +131,16 @@ static void pmao_restore_workaround(bool
+
+ static bool regs_use_siar(struct pt_regs *regs)
+ {
+- return !!regs->result;
++ /*
++ * When we take a performance monitor exception the regs are setup
++ * using perf_read_regs() which overloads some fields, in particular
++ * regs->result to tell us whether to use SIAR.
++ *
++ * However if the regs are from another exception, eg. a syscall, then
++ * they have not been setup using perf_read_regs() and so regs->result
++ * is something random.
++ */
++ return ((TRAP(regs) == 0xf00) && regs->result);
+ }
+
+ /*
--- /dev/null
+From 69d9cd8c592f1abce820dbce7181bbbf6812cfbd Mon Sep 17 00:00:00 2001
+From: Horia Geant? <horia.geanta@freescale.com>
+Date: Mon, 11 May 2015 20:04:49 +0300
+Subject: Revert "crypto: talitos - convert to use be16_add_cpu()"
+
+From: Horia Geant? <horia.geanta@freescale.com>
+
+commit 69d9cd8c592f1abce820dbce7181bbbf6812cfbd upstream.
+
+This reverts commit 7291a932c6e27d9768e374e9d648086636daf61c.
+
+The conversion to be16_add_cpu() is incorrect in case cryptlen is
+negative due to premature (i.e. before addition / subtraction)
+implicit conversion of cryptlen (int -> u16) leading to sign loss.
+
+Cc: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
+Signed-off-by: Horia Geanta <horia.geanta@freescale.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/talitos.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/talitos.c
++++ b/drivers/crypto/talitos.c
+@@ -927,7 +927,8 @@ static int sg_to_link_tbl(struct scatter
+ sg_count--;
+ link_tbl_ptr--;
+ }
+- be16_add_cpu(&link_tbl_ptr->len, cryptlen);
++ link_tbl_ptr->len = cpu_to_be16(be16_to_cpu(link_tbl_ptr->len)
++ + cryptlen);
+
+ /* tag end of link table */
+ link_tbl_ptr->j_extent = DESC_PTR_LNKTBL_RETURN;
--- /dev/null
+From 3c8e5105e759e7b2d88ea8a85b1285e535bc7500 Mon Sep 17 00:00:00 2001
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Date: Thu, 11 Jun 2015 19:59:04 +0200
+Subject: s390/kdump: fix REGSET_VX_LOW vector register ELF notes
+
+From: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+commit 3c8e5105e759e7b2d88ea8a85b1285e535bc7500 upstream.
+
+The REGSET_VX_LOW ELF notes should contain the lower 64 bit halfes of the
+first sixteen 128 bit vector registers. Unfortunately currently we copy
+the upper halfes.
+
+Fix this and correctly copy the lower halfes.
+
+Fixes: a62bc0739253 ("s390/kdump: add support for vector extension")
+Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/kernel/crash_dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -415,7 +415,7 @@ static void *nt_s390_vx_low(void *ptr, _
+ ptr += len;
+ /* Copy lower halves of SIMD registers 0-15 */
+ for (i = 0; i < 16; i++) {
+- memcpy(ptr, &vx_regs[i], 8);
++ memcpy(ptr, &vx_regs[i].u[2], 8);
+ ptr += 8;
+ }
+ return ptr;
--- /dev/null
+From 9fc2b4b436cff7d8403034676014f1be9d534942 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 4 Jun 2015 15:57:25 -0400
+Subject: selinux: fix setting of security labels on NFS
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 9fc2b4b436cff7d8403034676014f1be9d534942 upstream.
+
+Before calling into the filesystem, vfs_setxattr calls
+security_inode_setxattr, which ends up calling selinux_inode_setxattr in
+our case. That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
+SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
+only if selinux_is_sblabel_mnt returns true.
+
+The selinux_is_sblabel_mnt logic was broken by eadcabc697e9 "SELinux: do
+all flags twiddling in one place", which didn't take into the account
+the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
+with eb9ae686507b "SELinux: Add new labeling type native labels".
+
+This caused setxattr's of security labels over NFSv4.2 to fail.
+
+Cc: Eric Paris <eparis@redhat.com>
+Cc: David Quigley <dpquigl@davequigley.com>
+Reported-by: Richard Chan <rc556677@outlook.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+[PM: added the stable dependency]
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -404,6 +404,7 @@ static int selinux_is_sblabel_mnt(struct
+ return sbsec->behavior == SECURITY_FS_USE_XATTR ||
+ sbsec->behavior == SECURITY_FS_USE_TRANS ||
+ sbsec->behavior == SECURITY_FS_USE_TASK ||
++ sbsec->behavior == SECURITY_FS_USE_NATIVE ||
+ /* Special handling. Genfs but also in-core setxattr handler */
+ !strcmp(sb->s_type->name, "sysfs") ||
+ !strcmp(sb->s_type->name, "pstore") ||
net-mvneta-disable-ip-checksum-with-jumbo-frames-for-armada-370.patch
usb-gadget-f_fs-fix-check-in-read-operation.patch
usb-gadget-f_fs-add-extra-check-before-unregister_gadget_item.patch
+crypto-talitos-avoid-memleak-in-talitos_alg_alloc.patch
+revert-crypto-talitos-convert-to-use-be16_add_cpu.patch
+iommu-arm-smmu-fix-broken-atos-check.patch
+iommu-amd-handle-large-pages-correctly-in-free_pagetable.patch
+mmc-sdhci-fix-low-memory-corruption.patch
+intel_pstate-set-byt-msr-with-wrmsrl_on_cpu.patch
+selinux-fix-setting-of-security-labels-on-nfs.patch
+arm-kvm-force-execution-of-hcptr-access-on-vm-exit.patch
+arm-kvm-psci-fix-handling-of-unimplemented-functions.patch
+arm-tegra20-store-cpu-resettable-status-in-iram.patch
+arm-mvebu-fix-suspend-to-ram-on-big-endian-configurations.patch
+tick-idle-powerpc-do-not-register-idle-states-with-cpuidle_flag_timer_stop-set-in-periodic-mode.patch
+powerpc-perf-fix-book3s-kernel-to-userspace-backtraces.patch
+x86-pci-use-host-bridge-_crs-info-on-systems-with-32-bit-addressing.patch
+x86-pci-use-host-bridge-_crs-info-on-foxconn-k8m890-8237a.patch
+kvm-mips-use-id_to_memslot-correctly.patch
+mips-fix-kvm-guest-fixmap-address.patch
+kvm-s390-fix-external-call-injection-without-sigp-interpretation.patch
+s390-kdump-fix-regset_vx_low-vector-register-elf-notes.patch
+kvm-s390-virtio-ccw-don-t-overwrite-config-space-values.patch
+kvm-x86-properly-restore-lvt0.patch
+kvm-x86-make-vapics_in_nmi_mode-atomic.patch
+fs-fix-s_nosec-handling.patch
+fs-ufs-revert-ufs-fix-deadlocks-introduced-by-sb-mutex-merge.patch
+fs-ufs-restore-s_lock-mutex.patch
+vfs-remove-incorrect-debugging-warn-in-prepend_path.patch
+vfs-ignore-unlocked-mounts-in-fs_fully_visible.patch
--- /dev/null
+From cc5a2f7b8f39e7db559778f7913a2410257b3e50 Mon Sep 17 00:00:00 2001
+From: preeti <preeti@linux.vnet.ibm.com>
+Date: Wed, 24 Jun 2015 01:48:01 -0500
+Subject: tick/idle/powerpc: Do not register idle states with CPUIDLE_FLAG_TIMER_STOP set in periodic mode
+
+From: preeti <preeti@linux.vnet.ibm.com>
+
+commit cc5a2f7b8f39e7db559778f7913a2410257b3e50 upstream.
+
+On some archs, the local clockevent device stops in deep cpuidle states.
+The broadcast framework is used to wakeup cpus in these idle states, in
+which either an external clockevent device is used to send wakeup ipis
+or the hrtimer broadcast framework kicks in in the absence of such a
+device. One cpu is nominated as the broadcast cpu and this cpu sends
+wakeup ipis to sleeping cpus at the appropriate time. This is the
+implementation in the oneshot mode of broadcast.
+
+In periodic mode of broadcast however, the presence of such cpuidle
+states results in the cpuidle driver calling tick_broadcast_enable()
+which shuts down the local clockevent devices of all the cpus and
+appoints the tick broadcast device as the clockevent device for each of
+them. This works on those archs where the tick broadcast device is a
+real clockevent device. But on archs which depend on the hrtimer mode
+of broadcast, the tick broadcast device hapens to be a pseudo device.
+The consequence is that the local clockevent devices of all cpus are
+shutdown and the kernel hangs at boot time in periodic mode.
+
+Let us thus not register the cpuidle states which have
+CPUIDLE_FLAG_TIMER_STOP flag set, on archs which depend on the hrtimer
+mode of broadcast in periodic mode. This patch takes care of doing this
+on powerpc. The cpus would not have entered into such deep cpuidle
+states in periodic mode on powerpc anyway. So there is no loss here.
+
+Signed-off-by: Preeti U Murthy <preeti@linux.vnet.ibm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/cpuidle-powernv.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -60,6 +60,8 @@ static int nap_loop(struct cpuidle_devic
+ return index;
+ }
+
++/* Register for fastsleep only in oneshot mode of broadcast */
++#ifdef CONFIG_TICK_ONESHOT
+ static int fastsleep_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+ int index)
+@@ -83,7 +85,7 @@ static int fastsleep_loop(struct cpuidle
+
+ return index;
+ }
+-
++#endif
+ /*
+ * States for dedicated partition case.
+ */
+@@ -209,7 +211,14 @@ static int powernv_add_idle_states(void)
+ powernv_states[nr_idle_states].flags = 0;
+ powernv_states[nr_idle_states].target_residency = 100;
+ powernv_states[nr_idle_states].enter = &nap_loop;
+- } else if (flags[i] & OPAL_PM_SLEEP_ENABLED ||
++ }
++
++ /*
++ * All cpuidle states with CPUIDLE_FLAG_TIMER_STOP set must come
++ * within this config dependency check.
++ */
++#ifdef CONFIG_TICK_ONESHOT
++ if (flags[i] & OPAL_PM_SLEEP_ENABLED ||
+ flags[i] & OPAL_PM_SLEEP_ENABLED_ER1) {
+ /* Add FASTSLEEP state */
+ strcpy(powernv_states[nr_idle_states].name, "FastSleep");
+@@ -218,7 +227,7 @@ static int powernv_add_idle_states(void)
+ powernv_states[nr_idle_states].target_residency = 300000;
+ powernv_states[nr_idle_states].enter = &fastsleep_loop;
+ }
+-
++#endif
+ powernv_states[nr_idle_states].exit_latency =
+ ((unsigned int)latency_ns[i]) / 1000;
+
--- /dev/null
+From ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 7 Jan 2015 08:10:09 -0600
+Subject: vfs: Ignore unlocked mounts in fs_fully_visible
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit ceeb0e5d39fcdf4dca2c997bf225c7fc49200b37 upstream.
+
+Limit the mounts fs_fully_visible considers to locked mounts.
+Unlocked can always be unmounted so considering them adds hassle
+but no security benefit.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3187,11 +3187,15 @@ bool fs_fully_visible(struct file_system
+ if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
+ continue;
+
+- /* This mount is not fully visible if there are any child mounts
+- * that cover anything except for empty directories.
++ /* This mount is not fully visible if there are any
++ * locked child mounts that cover anything except for
++ * empty directories.
+ */
+ list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
+ struct inode *inode = child->mnt_mountpoint->d_inode;
++ /* Only worry about locked mounts */
++ if (!(mnt->mnt.mnt_flags & MNT_LOCKED))
++ continue;
+ if (!S_ISDIR(inode->i_mode))
+ goto next;
+ if (inode->i_nlink > 2)
--- /dev/null
+From 93e3bce6287e1fb3e60d3324ed08555b5bbafa89 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sun, 24 May 2015 09:25:00 -0500
+Subject: vfs: Remove incorrect debugging WARN in prepend_path
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit 93e3bce6287e1fb3e60d3324ed08555b5bbafa89 upstream.
+
+The warning message in prepend_path is unclear and outdated. It was
+added as a warning that the mechanism for generating names of pseudo
+files had been removed from prepend_path and d_dname should be used
+instead. Unfortunately the warning reads like a general warning,
+making it unclear what to do with it.
+
+Remove the warning. The transition it was added to warn about is long
+over, and I added code several years ago which in rare cases causes
+the warning to fire on legitimate code, and the warning is now firing
+and scaring people for no good reason.
+
+Reported-by: Ivan Delalande <colona@arista.com>
+Reported-by: Omar Sandoval <osandov@osandov.com>
+Fixes: f48cfddc6729e ("vfs: In d_path don't call d_dname on a mount point")
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/dcache.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2896,17 +2896,6 @@ restart:
+ vfsmnt = &mnt->mnt;
+ continue;
+ }
+- /*
+- * Filesystems needing to implement special "root names"
+- * should do so with ->d_dname()
+- */
+- if (IS_ROOT(dentry) &&
+- (dentry->d_name.len != 1 ||
+- dentry->d_name.name[0] != '/')) {
+- WARN(1, "Root dentry has weird name <%.*s>\n",
+- (int) dentry->d_name.len,
+- dentry->d_name.name);
+- }
+ if (!error)
+ error = is_mounted(vfsmnt) ? 1 : 2;
+ break;
--- /dev/null
+From 1dace0116d0b05c967d94644fc4dfe96be2ecd3d Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Tue, 9 Jun 2015 18:54:07 -0500
+Subject: x86/PCI: Use host bridge _CRS info on Foxconn K8M890-8237A
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 1dace0116d0b05c967d94644fc4dfe96be2ecd3d upstream.
+
+The Foxconn K8M890-8237A has two PCI host bridges, and we can't assign
+resources correctly without the information from _CRS that tells us which
+address ranges are claimed by which bridge. In the bugs mentioned below,
+we incorrectly assign a sound card address (this example is from 1033299):
+
+ bus: 00 index 2 [mem 0x80000000-0xfcffffffff]
+ ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-7f])
+ pci_root PNP0A08:00: host bridge window [mem 0x80000000-0xbfefffff] (ignored)
+ pci_root PNP0A08:00: host bridge window [mem 0xc0000000-0xdfffffff] (ignored)
+ pci_root PNP0A08:00: host bridge window [mem 0xf0000000-0xfebfffff] (ignored)
+ ACPI: PCI Root Bridge [PCI1] (domain 0000 [bus 80-ff])
+ pci_root PNP0A08:01: host bridge window [mem 0xbff00000-0xbfffffff] (ignored)
+ pci 0000:80:01.0: [1106:3288] type 0 class 0x000403
+ pci 0000:80:01.0: reg 10: [mem 0xbfffc000-0xbfffffff 64bit]
+ pci 0000:80:01.0: address space collision: [mem 0xbfffc000-0xbfffffff 64bit] conflicts with PCI Bus #00 [mem 0x80000000-0xfcffffffff]
+ pci 0000:80:01.0: BAR 0: assigned [mem 0xfd00000000-0xfd00003fff 64bit]
+ BUG: unable to handle kernel paging request at ffffc90000378000
+ IP: [<ffffffffa0345f63>] azx_create+0x37c/0x822 [snd_hda_intel]
+
+We assigned 0xfd_0000_0000, but that is not in any of the host bridge
+windows, and the sound card doesn't work.
+
+Turn on pci=use_crs automatically for this system.
+
+Link: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368
+Link: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/acpi.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/pci/acpi.c
++++ b/arch/x86/pci/acpi.c
+@@ -81,6 +81,17 @@ static const struct dmi_system_id pci_cr
+ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
+ },
+ },
++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/931368 */
++ /* https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1033299 */
++ {
++ .callback = set_use_crs,
++ .ident = "Foxconn K8M890-8237A",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Foxconn"),
++ DMI_MATCH(DMI_BOARD_NAME, "K8M890-8237A"),
++ DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies, LTD"),
++ },
++ },
+
+ /* Now for the blacklist.. */
+
--- /dev/null
+From 3d9fecf6bfb8b12bc2f9a4c7109895a2a2bb9436 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Tue, 9 Jun 2015 17:31:38 -0500
+Subject: x86/PCI: Use host bridge _CRS info on systems with >32 bit addressing
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 3d9fecf6bfb8b12bc2f9a4c7109895a2a2bb9436 upstream.
+
+We enable _CRS on all systems from 2008 and later. On older systems, we
+ignore _CRS and assume the whole physical address space (excluding RAM and
+other devices) is available for PCI devices, but on systems that support
+physical address spaces larger than 4GB, it's doubtful that the area above
+4GB is really available for PCI.
+
+After d56dbf5bab8c ("PCI: Allocate 64-bit BARs above 4G when possible"), we
+try to use that space above 4GB *first*, so we're more likely to put a
+device there.
+
+On Juan's Toshiba Satellite Pro U200, BIOS left the graphics, sound, 1394,
+and card reader devices unassigned (but only after Windows had been
+booted). Only the sound device had a 64-bit BAR, so it was the only device
+placed above 4GB, and hence the only device that didn't work.
+
+Keep _CRS enabled even on pre-2008 systems if they support physical address
+space larger than 4GB.
+
+Fixes: d56dbf5bab8c ("PCI: Allocate 64-bit BARs above 4G when possible")
+Reported-and-tested-by: Juan Dayer <jdayer@outlook.com>
+Reported-and-tested-by: Alan Horsfield <alan@hazelgarth.co.uk>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=99221
+Link: https://bugzilla.opensuse.org/show_bug.cgi?id=907092
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/pci/acpi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/pci/acpi.c
++++ b/arch/x86/pci/acpi.c
+@@ -121,8 +121,10 @@ void __init pci_acpi_crs_quirks(void)
+ {
+ int year;
+
+- if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008)
+- pci_use_crs = false;
++ if (dmi_get_date(DMI_BIOS_DATE, &year, NULL, NULL) && year < 2008) {
++ if (iomem_resource.end <= 0xffffffff)
++ pci_use_crs = false;
++ }
+
+ dmi_check_system(pci_crs_quirks);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
