--- /dev/null
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak <mirza.krak@hostmobility.com>
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak <mirza.krak@hostmobility.com>
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+ in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+ still suspended which means EI interrupt will be not be handled nor
+ cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak <mirza.krak@hostmobility.com>
+Reported-by: Christian Magnusson <Christian.Magnusson@semcon.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/sja1000/sja1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -187,6 +187,9 @@ static void sja1000_start(struct net_dev
+ /* clear interrupt flags */
+ priv->read_reg(priv, SJA1000_IR);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
--- /dev/null
+From ed8b45a3679eb49069b094c0711b30833f27c734 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Thu, 10 Dec 2015 14:37:53 +0000
+Subject: dm btree: fix bufio buffer leaks in dm_btree_del() error path
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit ed8b45a3679eb49069b094c0711b30833f27c734 upstream.
+
+If dm_btree_del()'s call to push_frame() fails, e.g. due to
+btree_node_validator finding invalid metadata, the dm_btree_del() error
+path must unlock all frames (which have active dm-bufio buffers) that
+were pushed onto the del_stack.
+
+Otherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio
+buffers have leaked, e.g.:
+ device-mapper: bufio: leaked buffer 3, hold count 1, list 0
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-btree.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -250,6 +250,16 @@ static void pop_frame(struct del_stack *
+ dm_tm_unlock(s->tm, f->b);
+ }
+
++static void unlock_all_frames(struct del_stack *s)
++{
++ struct frame *f;
++
++ while (unprocessed_frames(s)) {
++ f = s->spine + s->top--;
++ dm_tm_unlock(s->tm, f->b);
++ }
++}
++
+ int dm_btree_del(struct dm_btree_info *info, dm_block_t root)
+ {
+ int r;
+@@ -306,9 +316,13 @@ int dm_btree_del(struct dm_btree_info *i
+ pop_frame(s);
+ }
+ }
+-
+ out:
++ if (r) {
++ /* cleanup all frames of del_stack */
++ unlock_all_frames(s);
++ }
+ kfree(s);
++
+ return r;
+ }
+ EXPORT_SYMBOL_GPL(dm_btree_del);
--- /dev/null
+From 50dd842ad83b43bed71790efb31cfb2f6c05c9c1 Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Wed, 9 Dec 2015 16:38:12 +0000
+Subject: dm space map metadata: fix ref counting bug when bootstrapping a new space map
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 50dd842ad83b43bed71790efb31cfb2f6c05c9c1 upstream.
+
+When applying block operations (BOPs) do not remove them from the
+uncommitted BOP ring-buffer until after they've been applied -- in case
+we recurse.
+
+Also, perform BOP_INC operation, in dm_sm_metadata_create() and
+sm_metadata_extend(), in terms of the uncommitted BOP ring-buffer rather
+than using direct calls to sm_ll_inc().
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/persistent-data/dm-space-map-metadata.c | 32 ++++++++++++++-------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -136,7 +136,7 @@ static int brb_push(struct bop_ring_buff
+ return 0;
+ }
+
+-static int brb_pop(struct bop_ring_buffer *brb, struct block_op *result)
++static int brb_peek(struct bop_ring_buffer *brb, struct block_op *result)
+ {
+ struct block_op *bop;
+
+@@ -147,6 +147,17 @@ static int brb_pop(struct bop_ring_buffe
+ result->type = bop->type;
+ result->block = bop->block;
+
++ return 0;
++}
++
++static int brb_pop(struct bop_ring_buffer *brb)
++{
++ struct block_op *bop;
++
++ if (brb_empty(brb))
++ return -ENODATA;
++
++ bop = brb->bops + brb->begin;
+ brb->begin = brb_next(brb, brb->begin);
+
+ return 0;
+@@ -211,7 +222,7 @@ static int apply_bops(struct sm_metadata
+ while (!brb_empty(&smm->uncommitted)) {
+ struct block_op bop;
+
+- r = brb_pop(&smm->uncommitted, &bop);
++ r = brb_peek(&smm->uncommitted, &bop);
+ if (r) {
+ DMERR("bug in bop ring buffer");
+ break;
+@@ -220,6 +231,8 @@ static int apply_bops(struct sm_metadata
+ r = commit_bop(smm, &bop);
+ if (r)
+ break;
++
++ brb_pop(&smm->uncommitted);
+ }
+
+ return r;
+@@ -681,7 +694,6 @@ static struct dm_space_map bootstrap_ops
+ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks)
+ {
+ int r, i;
+- enum allocation_event ev;
+ struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+ dm_block_t old_len = smm->ll.nr_blocks;
+
+@@ -703,11 +715,12 @@ static int sm_metadata_extend(struct dm_
+ * allocate any new blocks.
+ */
+ do {
+- for (i = old_len; !r && i < smm->begin; i++) {
+- r = sm_ll_inc(&smm->ll, i, &ev);
+- if (r)
+- goto out;
+- }
++ for (i = old_len; !r && i < smm->begin; i++)
++ r = add_bop(smm, BOP_INC, i);
++
++ if (r)
++ goto out;
++
+ old_len = smm->begin;
+
+ r = apply_bops(smm);
+@@ -752,7 +765,6 @@ int dm_sm_metadata_create(struct dm_spac
+ {
+ int r;
+ dm_block_t i;
+- enum allocation_event ev;
+ struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm);
+
+ smm->begin = superblock + 1;
+@@ -780,7 +792,7 @@ int dm_sm_metadata_create(struct dm_spac
+ * allocated blocks that they were built from.
+ */
+ for (i = superblock; !r && i < smm->begin; i++)
+- r = sm_ll_inc(&smm->ll, i, &ev);
++ r = add_bop(smm, BOP_INC, i);
+
+ if (r)
+ return r;
--- /dev/null
+From d5d4fdd86f5759924fe54efa793e22eccf508db6 Mon Sep 17 00:00:00 2001
+From: Guillaume Delbergue <guillaume.delbergue@greensocs.com>
+Date: Tue, 1 Dec 2015 18:55:51 +0100
+Subject: irqchip/versatile-fpga: Fix PCI IRQ mapping on Versatile PB
+
+From: Guillaume Delbergue <guillaume.delbergue@greensocs.com>
+
+commit d5d4fdd86f5759924fe54efa793e22eccf508db6 upstream.
+
+This patch is specifically for PCI support on the Versatile PB board using
+a DT. Currently, the dynamic IRQ mapping is broken when using DTs. For
+example, on QEMU, the SCSI driver is unable to request the IRQ. To fix
+this issue, this patch replaces the current dynamic mechanism with a
+static value as is done in the non-DT case.
+
+Signed-off-by: Guillaume Delbergue <guillaume.delbergue@greensocs.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-versatile-fpga.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/irqchip/irq-versatile-fpga.c
++++ b/drivers/irqchip/irq-versatile-fpga.c
+@@ -204,7 +204,12 @@ int __init fpga_irq_of_init(struct devic
+ if (!parent_irq)
+ parent_irq = -1;
+
++#ifdef CONFIG_ARCH_VERSATILE
++ fpga_irq_init(base, node->name, IRQ_SIC_START, parent_irq, valid_mask,
++ node);
++#else
+ fpga_irq_init(base, node->name, 0, parent_irq, valid_mask, node);
++#endif
+
+ writel(clear_mask, base + IRQ_ENABLE_CLEAR);
+ writel(clear_mask, base + FIQ_ENABLE_CLEAR);
--- /dev/null
+From c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 17 Nov 2015 14:25:21 +0100
+Subject: mac80211: mesh: fix call_rcu() usage
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream.
+
+When using call_rcu(), the called function may be delayed quite
+significantly, and without a matching rcu_barrier() there's no
+way to be sure it has finished.
+Therefore, global state that could be gone/freed/reused should
+never be touched in the callback.
+
+Fix this in mesh by moving the atomic_dec() into the caller;
+that's not really a problem since we already unlinked the path
+and it will be destroyed anyway.
+
+This fixes a crash Jouni observed when running certain tests in
+a certain order, in which the mesh interface was torn down, the
+memory reused for a function pointer (work struct) and running
+that then crashed since the pointer had been decremented by 1,
+resulting in an invalid instruction byte stream.
+
+Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation")
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mesh_pathtbl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -746,10 +746,8 @@ void mesh_plink_broken(struct sta_info *
+ static void mesh_path_node_reclaim(struct rcu_head *rp)
+ {
+ struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
+- struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
+
+ del_timer_sync(&node->mpath->timer);
+- atomic_dec(&sdata->u.mesh.mpaths);
+ kfree(node->mpath);
+ kfree(node);
+ }
+@@ -757,8 +755,9 @@ static void mesh_path_node_reclaim(struc
+ /* needs to be called with the corresponding hashwlock taken */
+ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
+ {
+- struct mesh_path *mpath;
+- mpath = node->mpath;
++ struct mesh_path *mpath = node->mpath;
++ struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
++
+ spin_lock(&mpath->state_lock);
+ mpath->flags |= MESH_PATH_RESOLVING;
+ if (mpath->is_gate)
+@@ -766,6 +765,7 @@ static void __mesh_path_del(struct mesh_
+ hlist_del_rcu(&node->list);
+ call_rcu(&node->rcu, mesh_path_node_reclaim);
+ spin_unlock(&mpath->state_lock);
++ atomic_dec(&sdata->u.mesh.mpaths);
+ atomic_dec(&tbl->entries);
+ }
+
--- /dev/null
+From 79a21dbfae3cd40d5a801778071a9967b79c2c20 Mon Sep 17 00:00:00 2001
+From: Prarit Bhargava <prarit@redhat.com>
+Date: Wed, 9 Dec 2015 08:31:12 -0500
+Subject: powercap / RAPL: fix BIOS lock check
+
+From: Prarit Bhargava <prarit@redhat.com>
+
+commit 79a21dbfae3cd40d5a801778071a9967b79c2c20 upstream.
+
+Intel RAPL initialized on several systems where the BIOS lock bit (msr
+0x610, bit 63) was set. This occured because the return value of
+rapl_read_data_raw() was being checked, rather than the value of the variable
+passed in, locked.
+
+This patch properly implments the rapl_read_data_raw() call to check the
+variable locked, and now the Intel RAPL driver outputs the warning:
+
+ intel_rapl: RAPL package 0 domain package locked by BIOS
+
+and does not initialize for the package.
+
+Signed-off-by: Prarit Bhargava <prarit@redhat.com>
+Acked-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/powercap/intel_rapl.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/powercap/intel_rapl.c
++++ b/drivers/powercap/intel_rapl.c
+@@ -1194,10 +1194,13 @@ static int rapl_detect_domains(struct ra
+
+ for (rd = rp->domains; rd < rp->domains + rp->nr_domains; rd++) {
+ /* check if the domain is locked by BIOS */
+- if (rapl_read_data_raw(rd, FW_LOCK, false, &locked)) {
++ ret = rapl_read_data_raw(rd, FW_LOCK, false, &locked);
++ if (ret)
++ return ret;
++ if (locked) {
+ pr_info("RAPL package %d domain %s locked by BIOS\n",
+ rp->id, rd->name);
+- rd->state |= DOMAIN_STATE_BIOS_LOCKED;
++ rd->state |= DOMAIN_STATE_BIOS_LOCKED;
+ }
+ }
+
--- /dev/null
+From 8c7188b23474cca017b3ef354c4a58456f68303a Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Tue, 24 Nov 2015 17:13:21 -0500
+Subject: RDS: fix race condition when sending a message on unbound socket
+
+From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+
+commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+Sasha's found a NULL pointer dereference in the RDS connection code when
+sending a message to an apparently unbound socket. The problem is caused
+by the code checking if the socket is bound in rds_sendmsg(), which checks
+the rs_bound_addr field without taking a lock on the socket. This opens a
+race where rs_bound_addr is temporarily set but where the transport is not
+in rds_bind(), leading to a NULL pointer dereference when trying to
+dereference 'trans' in __rds_conn_create().
+
+Vegard wrote a reproducer for this issue, so kindly ask him to share if
+you're interested.
+
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+with this patch, whereas I could without.
+
+Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/connection.c | 6 ------
+ net/rds/send.c | 4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -189,12 +189,6 @@ static struct rds_connection *__rds_conn
+ goto out;
+ }
+
+- if (trans == NULL) {
+- kmem_cache_free(rds_conn_slab, conn);
+- conn = ERR_PTR(-ENODEV);
+- goto out;
+- }
+-
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
+ release_sock(sk);
+ }
+
+- /* racing with another thread binding seems ok here */
++ lock_sock(sk);
+ if (daddr == 0 || rs->rs_bound_addr == 0) {
++ release_sock(sk);
+ ret = -ENOTCONN; /* XXX not a great errno */
+ goto out;
+ }
++ release_sock(sk);
+
+ /* size of rm including all sgs */
+ ret = rds_rm_size(msg, payload_len);
--- /dev/null
+From b7bb110008607a915298bf0f47d25886ecb94477 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 10 Dec 2015 10:37:51 +0100
+Subject: rfkill: copy the name into the rfkill struct
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b7bb110008607a915298bf0f47d25886ecb94477 upstream.
+
+Some users of rfkill, like NFC and cfg80211, use a dynamic name when
+allocating rfkill, in those cases dev_name(). Therefore, the pointer
+passed to rfkill_alloc() might not be valid forever, I specifically
+found the case that the rfkill name was quite obviously an invalid
+pointer (or at least garbage) when the wiphy had been renamed.
+
+Fix this by making a copy of the rfkill name in rfkill_alloc().
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rfkill/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -49,7 +49,6 @@
+ struct rfkill {
+ spinlock_t lock;
+
+- const char *name;
+ enum rfkill_type type;
+
+ unsigned long state;
+@@ -73,6 +72,7 @@ struct rfkill {
+ struct delayed_work poll_work;
+ struct work_struct uevent_work;
+ struct work_struct sync_work;
++ char name[];
+ };
+ #define to_rfkill(d) container_of(d, struct rfkill, dev)
+
+@@ -861,14 +861,14 @@ struct rfkill * __must_check rfkill_allo
+ if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
+ return NULL;
+
+- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
++ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
+ if (!rfkill)
+ return NULL;
+
+ spin_lock_init(&rfkill->lock);
+ INIT_LIST_HEAD(&rfkill->node);
+ rfkill->type = type;
+- rfkill->name = name;
++ strcpy(rfkill->name, name);
+ rfkill->ops = ops;
+ rfkill->data = ops_data;
+
--- /dev/null
+From d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 26 Nov 2015 12:00:59 -0500
+Subject: sata_sil: disable trim
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 upstream.
+
+When I connect an Intel SSD to SATA SIL controller (PCI ID 1095:3114), any
+TRIM command results in I/O errors being reported in the log. There is
+other similar error reported with TRIM and the SIL controller:
+https://bugs.centos.org/view.php?id=5880
+
+Apparently the controller doesn't support TRIM commands. This patch
+disables TRIM support on the SATA SIL controller.
+
+ata7.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
+ata7.00: BMDMA2 stat 0x50001
+ata7.00: failed command: DATA SET MANAGEMENT
+ata7.00: cmd 06/01:01:00:00:00/00:00:00:00:00/a0 tag 0 dma 512 out
+ res 51/04:01:00:00:00/00:00:00:00:00/a0 Emask 0x1 (device error)
+ata7.00: status: { DRDY ERR }
+ata7.00: error: { ABRT }
+ata7.00: device reported invalid CHS sector 0
+sd 8:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+sd 8:0:0:0: [sdb] tag#0 Sense Key : Illegal Request [current] [descriptor]
+sd 8:0:0:0: [sdb] tag#0 Add. Sense: Unaligned write command
+sd 8:0:0:0: [sdb] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 21 95 88 00 20 00 00 00 00
+blk_update_request: I/O error, dev sdb, sector 2200968
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/sata_sil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/sata_sil.c
++++ b/drivers/ata/sata_sil.c
+@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_de
+ unsigned int n, quirks = 0;
+ unsigned char model_num[ATA_ID_PROD_LEN + 1];
+
++ /* This controller doesn't support trim */
++ dev->horkage |= ATA_HORKAGE_NOTRIM;
++
+ ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num));
+
+ for (n = 0; sil_blacklist[n].product; n++)
--- /dev/null
+From 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 Mon Sep 17 00:00:00 2001
+From: Xunlei Pang <xlpang@redhat.com>
+Date: Wed, 2 Dec 2015 19:52:59 +0800
+Subject: sched/core: Clear the root_domain cpumasks in init_rootdomain()
+
+From: Xunlei Pang <xlpang@redhat.com>
+
+commit 8295c69925ad53ec32ca54ac9fc194ff21bc40e2 upstream.
+
+root_domain::rto_mask allocated through alloc_cpumask_var()
+contains garbage data, this may cause problems. For instance,
+When doing pull_rt_task(), it may do useless iterations if
+rto_mask retains some extra garbage bits. Worse still, this
+violates the isolated domain rule for clustered scheduling
+using cpuset, because the tasks(with all the cpus allowed)
+belongs to one root domain can be pulled away into another
+root domain.
+
+The patch cleans the garbage by using zalloc_cpumask_var()
+instead of alloc_cpumask_var() for root_domain::rto_mask
+allocation, thereby addressing the issues.
+
+Do the same thing for root_domain's other cpumask memembers:
+dlo_mask, span, and online.
+
+Signed-off-by: Xunlei Pang <xlpang@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/1449057179-29321-1-git-send-email-xlpang@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5420,13 +5420,13 @@ static int init_rootdomain(struct root_d
+ {
+ memset(rd, 0, sizeof(*rd));
+
+- if (!alloc_cpumask_var(&rd->span, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->span, GFP_KERNEL))
+ goto out;
+- if (!alloc_cpumask_var(&rd->online, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->online, GFP_KERNEL))
+ goto free_span;
+- if (!alloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->dlo_mask, GFP_KERNEL))
+ goto free_online;
+- if (!alloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
++ if (!zalloc_cpumask_var(&rd->rto_mask, GFP_KERNEL))
+ goto free_dlo_mask;
+
+ init_dl_bw(&rd->dl_bw);
--- /dev/null
+From 119d6f6a3be8b424b200dcee56e74484d5445f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon, 30 Nov 2015 20:34:20 -0500
+Subject: sched/core: Remove false-positive warning from wake_up_process()
+
+From: Sasha Levin <sasha.levin@oracle.com>
+
+commit 119d6f6a3be8b424b200dcee56e74484d5445f7e upstream.
+
+Because wakeups can (fundamentally) be late, a task might not be in
+the expected state. Therefore testing against a task's state is racy,
+and can yield false positives.
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mike Galbraith <efault@gmx.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: oleg@redhat.com
+Fixes: 9067ac85d533 ("wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task")
+Link: http://lkml.kernel.org/r/1448933660-23082-1-git-send-email-sasha.levin@oracle.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1696,7 +1696,6 @@ out:
+ */
+ int wake_up_process(struct task_struct *p)
+ {
+- WARN_ON(task_is_stopped_or_traced(p));
+ return try_to_wake_up(p, TASK_NORMAL, 0);
+ }
+ EXPORT_SYMBOL(wake_up_process);
--- /dev/null
+From dd39a26538e37f6c6131e829a4a510787e43c783 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Fri, 11 Dec 2015 12:09:03 +0000
+Subject: scripts: recordmcount: break hardlinks
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit dd39a26538e37f6c6131e829a4a510787e43c783 upstream.
+
+recordmcount edits the file in-place, which can cause problems when
+using ccache in hardlink mode. Arrange for recordmcount to break a
+hardlinked object.
+
+Link: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk
+
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/recordmcount.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname
+ addr = umalloc(sb.st_size);
+ uread(fd_map, addr, sb.st_size);
+ }
++ if (sb.st_nlink != 1) {
++ /* file is hard-linked, break the hard link */
++ close(fd_map);
++ if (unlink(fname) < 0) {
++ perror(fname);
++ fail_file();
++ }
++ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode);
++ if (fd_map < 0) {
++ perror(fname);
++ fail_file();
++ }
++ uwrite(fd_map, addr, sb.st_size);
++ }
+ return addr;
+ }
+
target-fix-compare_and_write-non-zero-sgl-offset-data-corruption.patch
ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch
virtio-fix-memory-leak-of-virtio-ida-cache-layers.patch
+mac80211-mesh-fix-call_rcu-usage.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+can-sja1000-clear-interrupts-on-start.patch
+sched-core-clear-the-root_domain-cpumasks-in-init_rootdomain.patch
+sched-core-remove-false-positive-warning-from-wake_up_process.patch
+sata_sil-disable-trim.patch
+dm-space-map-metadata-fix-ref-counting-bug-when-bootstrapping-a-new-space-map.patch
+dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
+irqchip-versatile-fpga-fix-pci-irq-mapping-on-versatile-pb.patch
+vgaarb-fix-signal-handling-in-vga_get.patch
+rfkill-copy-the-name-into-the-rfkill-struct.patch
+ses-fix-problems-with-simple-enclosures.patch
+ses-fix-additional-element-traversal-bug.patch
+powercap-rapl-fix-bios-lock-check.patch
+scripts-recordmcount-break-hardlinks.patch
--- /dev/null
+From 5e1033561da1152c57b97ee84371dba2b3d64c25 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Fri, 11 Dec 2015 09:16:38 -0800
+Subject: ses: fix additional element traversal bug
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream.
+
+KASAN found that our additional element processing scripts drop off
+the end of the VPD page into unallocated space. The reason is that
+not every element has additional information but our traversal
+routines think they do, leading to them expecting far more additional
+information than is present. Fix this by adding a gate to the
+traversal routine so that it only processes elements that are expected
+to have additional information (list is in SES-2 section 6.1.13.1:
+Additional Element Status diagnostic page overview)
+
+Reported-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ses.c | 10 +++++++++-
+ include/linux/enclosure.h | 4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -454,7 +454,15 @@ static void ses_enclosure_data_process(s
+ if (desc_ptr)
+ desc_ptr += len;
+
+- if (addl_desc_ptr)
++ if (addl_desc_ptr &&
++ /* only find additional descriptions for specific devices */
++ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
++ /* these elements are optional */
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
+ addl_desc_ptr += addl_desc_ptr[1] + 2;
+
+ }
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -29,7 +29,11 @@
+ /* A few generic types ... taken from ses-2 */
+ enum enclosure_component_type {
+ ENCLOSURE_COMPONENT_DEVICE = 0x01,
++ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
++ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
++ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
+ ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
++ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
+ };
+
+ /* ses-2 common element status */
--- /dev/null
+From 3417c1b5cb1fdc10261dbed42b05cc93166a78fd Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Tue, 8 Dec 2015 09:00:31 -0800
+Subject: ses: Fix problems with simple enclosures
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream.
+
+Simple enclosure implementations (mostly USB) are allowed to return only
+page 8 to every diagnostic query. That really confuses our
+implementation because we assume the return is the page we asked for and
+end up doing incorrect offsets based on bogus information leading to
+accesses outside of allocated ranges. Fix that by checking the page
+code of the return and giving an error if it isn't the one we asked for.
+This should fix reported bugs with USB storage by simply refusing to
+attach to enclosures that behave like this. It's also good defensive
+practise now that we're starting to see more USB enclosures.
+
+Reported-by: Andrea Gelmini <andrea.gelmini@gelma.net>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/ses.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev)
+ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
+ void *buf, int bufflen)
+ {
++ int ret;
+ unsigned char cmd[] = {
+ RECEIVE_DIAGNOSTIC,
+ 1, /* Set PCV bit */
+@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_dev
+ bufflen & 0xff,
+ 0
+ };
++ unsigned char recv_page_code;
+
+- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
++ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
+ NULL, SES_TIMEOUT, SES_RETRIES, NULL);
++ if (unlikely(!ret))
++ return ret;
++
++ recv_page_code = ((unsigned char *)buf)[0];
++
++ if (likely(recv_page_code == page_code))
++ return ret;
++
++ /* successful diagnostic but wrong page code. This happens to some
++ * USB devices, just print a message and pretend there was an error */
++
++ sdev_printk(KERN_ERR, sdev,
++ "Wrong diagnostic page; asked for %d got %u\n",
++ page_code, recv_page_code);
++
++ return -EINVAL;
+ }
+
+ static int ses_send_diag(struct scsi_device *sdev, int page_code,
--- /dev/null
+From 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill@shutemov.name>
+Date: Mon, 30 Nov 2015 04:17:31 +0200
+Subject: vgaarb: fix signal handling in vga_get()
+
+From: Kirill A. Shutemov <kirill@shutemov.name>
+
+commit 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e upstream.
+
+There are few defects in vga_get() related to signal hadning:
+
+ - we shouldn't check for pending signals for TASK_UNINTERRUPTIBLE
+ case;
+
+ - if we found pending signal we must remove ourself from wait queue
+ and change task state back to running;
+
+ - -ERESTARTSYS is more appropriate, I guess.
+
+Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
+Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/vga/vgaarb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsign
+ set_current_state(interruptible ?
+ TASK_INTERRUPTIBLE :
+ TASK_UNINTERRUPTIBLE);
+- if (signal_pending(current)) {
+- rc = -EINTR;
++ if (interruptible && signal_pending(current)) {
++ __set_current_state(TASK_RUNNING);
++ remove_wait_queue(&vga_wait_queue, &wait);
++ rc = -ERESTARTSYS;
+ break;
+ }
+ schedule();