4.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 31 Jul 2015 19:37:59 +0000 (12:37 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 31 Jul 2015 19:37:59 +0000 (12:37 -0700)
added patches:
9p-don-t-leave-a-half-initialized-inode-sitting-around.patch
9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch
agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch
arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch
arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch
arm-dove-fix-legacy-dove-irq-numbers.patch
arm64-bpf-fix-endianness-conversion-bugs.patch
arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch
arm64-don-t-report-clear-pmds-and-puds-as-huge.patch
arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch
edac-octeon-fix-broken-build-due-to-model-helper-renames.patch
fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch
fixing-infinite-open-loop-in-4.0-stateid-recovery.patch
hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch
hpfs-kstrdup-out-of-memory-handling.patch
nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch
nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch
nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch
nfs-increase-size-of-exchange_id-name-string-buffer.patch
p9_client_write-avoid-double-p9_free_req.patch
perf-bench-numa-fix-to-show-proper-convergence-stats.patch
rbd-use-gfp_noio-in-rbd_obj_request_create.patch
sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch

24 files changed:
queue-4.1/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch [new file with mode: 0644]
queue-4.1/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch [new file with mode: 0644]
queue-4.1/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch [new file with mode: 0644]
queue-4.1/arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch [new file with mode: 0644]
queue-4.1/arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch [new file with mode: 0644]
queue-4.1/arm-dove-fix-legacy-dove-irq-numbers.patch [new file with mode: 0644]
queue-4.1/arm64-bpf-fix-endianness-conversion-bugs.patch [new file with mode: 0644]
queue-4.1/arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch [new file with mode: 0644]
queue-4.1/arm64-don-t-report-clear-pmds-and-puds-as-huge.patch [new file with mode: 0644]
queue-4.1/arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch [new file with mode: 0644]
queue-4.1/edac-octeon-fix-broken-build-due-to-model-helper-renames.patch [new file with mode: 0644]
queue-4.1/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch [new file with mode: 0644]
queue-4.1/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch [new file with mode: 0644]
queue-4.1/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch [new file with mode: 0644]
queue-4.1/hpfs-kstrdup-out-of-memory-handling.patch [new file with mode: 0644]
queue-4.1/nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch [new file with mode: 0644]
queue-4.1/nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch [new file with mode: 0644]
queue-4.1/nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch [new file with mode: 0644]
queue-4.1/nfs-increase-size-of-exchange_id-name-string-buffer.patch [new file with mode: 0644]
queue-4.1/p9_client_write-avoid-double-p9_free_req.patch [new file with mode: 0644]
queue-4.1/perf-bench-numa-fix-to-show-proper-convergence-stats.patch [new file with mode: 0644]
queue-4.1/rbd-use-gfp_noio-in-rbd_obj_request_create.patch [new file with mode: 0644]
queue-4.1/series
queue-4.1/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch [new file with mode: 0644]

diff --git a/queue-4.1/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch b/queue-4.1/9p-don-t-leave-a-half-initialized-inode-sitting-around.patch
new file mode 100644 (file)
index 0000000..90072d0
--- /dev/null
@@ -0,0 +1,41 @@
+From 0a73d0a204a4a04a1e110539c5a524ae51f91d6d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 12 Jul 2015 10:34:29 -0400
+Subject: 9p: don't leave a half-initialized inode sitting around
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 0a73d0a204a4a04a1e110539c5a524ae51f91d6d upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/vfs_inode.c      |    3 +--
+ fs/9p/vfs_inode_dotl.c |    3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -540,8 +540,7 @@ static struct inode *v9fs_qid_iget(struc
+       unlock_new_inode(inode);
+       return inode;
+ error:
+-      unlock_new_inode(inode);
+-      iput(inode);
++      iget_failed(inode);
+       return ERR_PTR(retval);
+ }
+--- a/fs/9p/vfs_inode_dotl.c
++++ b/fs/9p/vfs_inode_dotl.c
+@@ -149,8 +149,7 @@ static struct inode *v9fs_qid_iget_dotl(
+       unlock_new_inode(inode);
+       return inode;
+ error:
+-      unlock_new_inode(inode);
+-      iput(inode);
++      iget_failed(inode);
+       return ERR_PTR(retval);
+ }
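Review bot: The `error:` path in v9fs_qid_iget(), and the identical one in v9fs_qid_iget_dotl(), switches to `iget_failed(inode)` with no comment, and the patch description gives no rationale, so the reason for preferring it over unlock-then-iput is easy to lose in a later cleanup. iget_failed() marks the inode bad before unlocking and dropping it, which is what stops a concurrent lookup of the same hashed inode from using the partly filled-in object. I would add above the call `/* mark the inode bad before unlocking: a waiter on I_NEW must not see it half-initialized */`. Both functions start outside their hunks, so the setup that can fail is not visible here.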
diff --git a/queue-4.1/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch b/queue-4.1/9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch
new file mode 100644 (file)
index 0000000..2f7e666
--- /dev/null
@@ -0,0 +1,34 @@
+From a84b69cb6e0a41e86bc593904faa6def3b957343 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 4 Jul 2015 16:04:19 -0400
+Subject: 9p: forgetting to cancel request on interrupted zero-copy RPC
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit a84b69cb6e0a41e86bc593904faa6def3b957343 upstream.
+
+If we'd already sent a request and decide to abort it, we *must*
+issue TFLUSH properly and not just blindly reuse the tag, or
+we'll get seriously screwed when response eventually arrives
+and we confuse it for response to later request that had reused
+the same tag.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -843,7 +843,8 @@ static struct p9_req_t *p9_client_zc_rpc
+       if (err < 0) {
+               if (err == -EIO)
+                       c->status = Disconnected;
+-              goto reterr;
++              if (err != -ERESTARTSYS)
++                      goto reterr;
+       }
+       if (req->status == REQ_STATUS_ERROR) {
+               p9_debug(P9_DEBUG_ERROR, "req_status error %d\n", req->t_err);
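Review bot: The new `if (err != -ERESTARTSYS) goto reterr;` lets an interrupted request fall through into the `req->status == REQ_STATUS_ERROR` check with `err` still negative, and nothing at that spot says the fall-through is intentional. The description says the goal is to reach the TFLUSH handling so the tag is not reused while a reply can still arrive. That flush code is below the hunk, so it should be confirmed that it still tests `err == -ERESTARTSYS` and is not bypassed by the status check in between. I would add `/* -ERESTARTSYS: request was already sent, fall through so it gets flushed before the tag is freed */` above the new test. p9_client_zc_rpc() starts and ends outside the hunk.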
diff --git a/queue-4.1/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch b/queue-4.1/agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch
new file mode 100644 (file)
index 0000000..9996c4f
--- /dev/null
@@ -0,0 +1,44 @@
+From 8b572a4200828b4e75cc22ed2f494b58d5372d65 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sun, 28 Jun 2015 14:18:16 +0100
+Subject: agp/intel: Fix typo in needs_ilk_vtd_wa()
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 8b572a4200828b4e75cc22ed2f494b58d5372d65 upstream.
+
+In needs_ilk_vtd_wa(), we pass in the GPU device but compared it against
+the ids for the mobile GPU and the mobile host bridge. That latter is
+impossible and so likely was just a typo for the desktop GPU device id
+(which is also buggy).
+
+Fixes commit da88a5f7f7d434e2cde1b3e19d952e6d84533662
+Author: Chris Wilson <chris@chris-wilson.co.uk>
+Date:   Wed Feb 13 09:31:53 2013 +0000
+
+    drm/i915: Disable WC PTE updates to w/a buggy IOMMU on ILK
+
+Reported-by: Ting-Wei Lan <lantw44@gmail.com>
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91127
+References: https://bugzilla.freedesktop.org/show_bug.cgi?id=60391
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/agp/intel-gtt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/agp/intel-gtt.c
++++ b/drivers/char/agp/intel-gtt.c
+@@ -581,7 +581,7 @@ static inline int needs_ilk_vtd_wa(void)
+       /* Query intel_iommu to see if we need the workaround. Presumably that
+        * was loaded first.
+        */
+-      if ((gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB ||
++      if ((gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_D_IG ||
+            gpu_devid == PCI_DEVICE_ID_INTEL_IRONLAKE_M_IG) &&
+            intel_iommu_gfx_mapped)
+               return 1;
diff --git a/queue-4.1/arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch b/queue-4.1/arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch
new file mode 100644 (file)
index 0000000..b1af578
--- /dev/null
@@ -0,0 +1,81 @@
+From 398f74569cebbf06bc6b069442bcd0e9616ca465 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <sboyd@codeaurora.org>
+Date: Fri, 19 Jun 2015 21:37:56 +0100
+Subject: ARM: 8393/1: smp: Fix suspicious RCU usage with ipi tracepoints
+
+From: Stephen Boyd <sboyd@codeaurora.org>
+
+commit 398f74569cebbf06bc6b069442bcd0e9616ca465 upstream.
+
+John Stultz reports an RCU splat on boot with ARM ipi trace
+events enabled.
+
+===============================
+[ INFO: suspicious RCU usage. ]
+4.1.0-rc7-00033-gb5bed2f #153 Not tainted
+-------------------------------
+include/trace/events/ipi.h:68 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+RCU used illegally from idle CPU!
+rcu_scheduler_active = 1, debug_locks = 0
+RCU used illegally from extended quiescent state!
+no locks held by swapper/0/0.
+
+stack backtrace:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.1.0-rc7-00033-gb5bed2f #153
+Hardware name: Qualcomm (Flattened Device Tree)
+[<c0216b08>] (unwind_backtrace) from [<c02136e8>] (show_stack+0x10/0x14)
+[<c02136e8>] (show_stack) from [<c075e678>] (dump_stack+0x70/0xbc)
+[<c075e678>] (dump_stack) from [<c0215a80>] (handle_IPI+0x428/0x604)
+[<c0215a80>] (handle_IPI) from [<c020942c>] (gic_handle_irq+0x54/0x5c)
+[<c020942c>] (gic_handle_irq) from [<c0766604>] (__irq_svc+0x44/0x7c)
+Exception stack(0xc09f3f48 to 0xc09f3f90)
+3f40:                   00000001 00000001 00000000 c09f73b8 c09f4528 c0a5de9c
+3f60: c076b4f0 00000000 00000000 c09ef108 c0a5cec1 00000001 00000000 c09f3f90
+3f80: c026bf60 c0210ab8 20000113 ffffffff
+[<c0766604>] (__irq_svc) from [<c0210ab8>] (arch_cpu_idle+0x20/0x3c)
+[<c0210ab8>] (arch_cpu_idle) from [<c02647f0>] (cpu_startup_entry+0x2c0/0x5dc)
+[<c02647f0>] (cpu_startup_entry) from [<c099bc1c>] (start_kernel+0x358/0x3c4)
+[<c099bc1c>] (start_kernel) from [<8020807c>] (0x8020807c)
+
+At this point in the IPI handling path we haven't called
+irq_enter() yet, so RCU doesn't know that we're about to exit
+idle and properly warns that we're using RCU from an idle CPU.
+Use trace_ipi_entry_rcuidle() instead of trace_ipi_entry() so
+that RCU is informed about our exit from idle.
+
+Fixes: 365ec7b17327 ("ARM: add IPI tracepoints")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Tested-by: John Stultz <john.stultz@linaro.org>
+Acked-by: Steven Rostedt <rostedt@goodmis.org>
+Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/kernel/smp.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -576,7 +576,7 @@ void handle_IPI(int ipinr, struct pt_reg
+       struct pt_regs *old_regs = set_irq_regs(regs);
+       if ((unsigned)ipinr < NR_IPI) {
+-              trace_ipi_entry(ipi_types[ipinr]);
++              trace_ipi_entry_rcuidle(ipi_types[ipinr]);
+               __inc_irq_stat(cpu, ipi_irqs[ipinr]);
+       }
+@@ -635,7 +635,7 @@ void handle_IPI(int ipinr, struct pt_reg
+       }
+       if ((unsigned)ipinr < NR_IPI)
+-              trace_ipi_exit(ipi_types[ipinr]);
++              trace_ipi_exit_rcuidle(ipi_types[ipinr]);
+       set_irq_regs(old_regs);
+ }
diff --git a/queue-4.1/arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch b/queue-4.1/arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch
new file mode 100644 (file)
index 0000000..8f82c06
--- /dev/null
@@ -0,0 +1,167 @@
+From 13ee9fdba96577eb1583dcd7b15767ef623fae12 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Wed, 1 Jul 2015 23:08:10 +0100
+Subject: ARM: 8397/1: fix vdsomunge not to depend on glibc specific error.h
+
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+
+commit 13ee9fdba96577eb1583dcd7b15767ef623fae12 upstream.
+
+If the host toolchain is not glibc based then the arm kernel build
+fails with
+
+ arch/arm/vdso/vdsomunge.c:53:19: fatal error: error.h: No such file or directory
+
+error.h is a glibc only header (ie not available in musl, newlib and
+bsd libcs).  Changed the error reporting to standard conforming code
+to avoid depending on specific C implementations.
+
+Signed-off-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Fixes: 8512287a8165 ("ARM: 8330/1: add VDSO user-space code")
+Signed-off-by: Nathan Lynch <nathan_lynch@mentor.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/vdso/vdsomunge.c |   56 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 33 insertions(+), 23 deletions(-)
+
+--- a/arch/arm/vdso/vdsomunge.c
++++ b/arch/arm/vdso/vdsomunge.c
+@@ -45,13 +45,11 @@
+  * it does.
+  */
+-#define _GNU_SOURCE
+-
+ #include <byteswap.h>
+ #include <elf.h>
+ #include <errno.h>
+-#include <error.h>
+ #include <fcntl.h>
++#include <stdarg.h>
+ #include <stdbool.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -82,11 +80,25 @@
+ #define EF_ARM_ABI_FLOAT_HARD 0x400
+ #endif
++static int failed;
++static const char *argv0;
+ static const char *outfile;
++static void fail(const char *fmt, ...)
++{
++      va_list ap;
++
++      failed = 1;
++      fprintf(stderr, "%s: ", argv0);
++      va_start(ap, fmt);
++      vfprintf(stderr, fmt, ap);
++      va_end(ap);
++      exit(EXIT_FAILURE);
++}
++
+ static void cleanup(void)
+ {
+-      if (error_message_count > 0 && outfile != NULL)
++      if (failed && outfile != NULL)
+               unlink(outfile);
+ }
+@@ -119,68 +131,66 @@ int main(int argc, char **argv)
+       int infd;
+       atexit(cleanup);
++      argv0 = argv[0];
+       if (argc != 3)
+-              error(EXIT_FAILURE, 0, "Usage: %s [infile] [outfile]", argv[0]);
++              fail("Usage: %s [infile] [outfile]\n", argv[0]);
+       infile = argv[1];
+       outfile = argv[2];
+       infd = open(infile, O_RDONLY);
+       if (infd < 0)
+-              error(EXIT_FAILURE, errno, "Cannot open %s", infile);
++              fail("Cannot open %s: %s\n", infile, strerror(errno));
+       if (fstat(infd, &stat) != 0)
+-              error(EXIT_FAILURE, errno, "Failed stat for %s", infile);
++              fail("Failed stat for %s: %s\n", infile, strerror(errno));
+       inbuf = mmap(NULL, stat.st_size, PROT_READ, MAP_PRIVATE, infd, 0);
+       if (inbuf == MAP_FAILED)
+-              error(EXIT_FAILURE, errno, "Failed to map %s", infile);
++              fail("Failed to map %s: %s\n", infile, strerror(errno));
+       close(infd);
+       inhdr = inbuf;
+       if (memcmp(&inhdr->e_ident, ELFMAG, SELFMAG) != 0)
+-              error(EXIT_FAILURE, 0, "Not an ELF file");
++              fail("Not an ELF file\n");
+       if (inhdr->e_ident[EI_CLASS] != ELFCLASS32)
+-              error(EXIT_FAILURE, 0, "Unsupported ELF class");
++              fail("Unsupported ELF class\n");
+       swap = inhdr->e_ident[EI_DATA] != HOST_ORDER;
+       if (read_elf_half(inhdr->e_type, swap) != ET_DYN)
+-              error(EXIT_FAILURE, 0, "Not a shared object");
++              fail("Not a shared object\n");
+-      if (read_elf_half(inhdr->e_machine, swap) != EM_ARM) {
+-              error(EXIT_FAILURE, 0, "Unsupported architecture %#x",
+-                    inhdr->e_machine);
+-      }
++      if (read_elf_half(inhdr->e_machine, swap) != EM_ARM)
++              fail("Unsupported architecture %#x\n", inhdr->e_machine);
+       e_flags = read_elf_word(inhdr->e_flags, swap);
+       if (EF_ARM_EABI_VERSION(e_flags) != EF_ARM_EABI_VER5) {
+-              error(EXIT_FAILURE, 0, "Unsupported EABI version %#x",
+-                    EF_ARM_EABI_VERSION(e_flags));
++              fail("Unsupported EABI version %#x\n",
++                   EF_ARM_EABI_VERSION(e_flags));
+       }
+       if (e_flags & EF_ARM_ABI_FLOAT_HARD)
+-              error(EXIT_FAILURE, 0,
+-                    "Unexpected hard-float flag set in e_flags");
++              fail("Unexpected hard-float flag set in e_flags\n");
+       clear_soft_float = !!(e_flags & EF_ARM_ABI_FLOAT_SOFT);
+       outfd = open(outfile, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+       if (outfd < 0)
+-              error(EXIT_FAILURE, errno, "Cannot open %s", outfile);
++              fail("Cannot open %s: %s\n", outfile, strerror(errno));
+       if (ftruncate(outfd, stat.st_size) != 0)
+-              error(EXIT_FAILURE, errno, "Cannot truncate %s", outfile);
++              fail("Cannot truncate %s: %s\n", outfile, strerror(errno));
+       outbuf = mmap(NULL, stat.st_size, PROT_READ | PROT_WRITE, MAP_SHARED,
+                     outfd, 0);
+       if (outbuf == MAP_FAILED)
+-              error(EXIT_FAILURE, errno, "Failed to map %s", outfile);
++              fail("Failed to map %s: %s\n", outfile, strerror(errno));
+       close(outfd);
+@@ -195,7 +205,7 @@ int main(int argc, char **argv)
+       }
+       if (msync(outbuf, stat.st_size, MS_SYNC) != 0)
+-              error(EXIT_FAILURE, errno, "Failed to sync %s", outfile);
++              fail("Failed to sync %s: %s\n", outfile, strerror(errno));
+       return EXIT_SUCCESS;
+ }
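Review bot: The new `fail()` takes a printf-style format but carries no format attribute, so the converted call sites get no compile-time check that their arguments match the format string. If the host compilers used to build this tool accept it, a prototype such as `static void fail(const char *fmt, ...) __attribute__((format(printf, 1, 2), noreturn));` ahead of the definition adds that checking and tells the compiler the function does not return; otherwise a short comment stating both properties would do. Separately, `fail("Unsupported architecture %#x\n", inhdr->e_machine);` prints the raw header field while the test above it uses `read_elf_half(inhdr->e_machine, swap)`, so for a foreign-endian input the reported value is byte-swapped. Passing the converted value would fix that.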
diff --git a/queue-4.1/arm-dove-fix-legacy-dove-irq-numbers.patch b/queue-4.1/arm-dove-fix-legacy-dove-irq-numbers.patch
new file mode 100644 (file)
index 0000000..38707af
--- /dev/null
@@ -0,0 +1,191 @@
+From 5d6bed2a9c8bc161bff4cc7cede00f2e0e27a7e7 Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+Date: Mon, 22 Jun 2015 18:39:43 +0100
+Subject: ARM: dove: fix legacy dove IRQ numbers
+
+From: Russell King <rmk+kernel@arm.linux.org.uk>
+
+commit 5d6bed2a9c8bc161bff4cc7cede00f2e0e27a7e7 upstream.
+
+v3.18 changed handle_IRQ() to call __handle_domain_irq(), which now
+rejects attempts to deliver IRQ0.  Since IRQ 0 is used as the timer
+interrupt (just like the PIT on x86), this causes boot to fail as the
+bogomips calibration never completes.
+
+Fix this by shuffling all interrupts up by one.
+
+Fixes: a71b092a9c68 ("ARM: Convert handle_IRQ to use __handle_domain_irq")
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-dove/include/mach/irqs.h |  118 ++++++++++++++++-----------------
+ arch/arm/mach-dove/irq.c               |    8 +-
+ 2 files changed, 63 insertions(+), 63 deletions(-)
+
+--- a/arch/arm/mach-dove/include/mach/irqs.h
++++ b/arch/arm/mach-dove/include/mach/irqs.h
+@@ -14,73 +14,73 @@
+ /*
+  * Dove Low Interrupt Controller
+  */
+-#define IRQ_DOVE_BRIDGE               0
+-#define IRQ_DOVE_H2C          1
+-#define IRQ_DOVE_C2H          2
+-#define IRQ_DOVE_NAND         3
+-#define IRQ_DOVE_PDMA         4
+-#define IRQ_DOVE_SPI1         5
+-#define IRQ_DOVE_SPI0         6
+-#define IRQ_DOVE_UART_0               7
+-#define IRQ_DOVE_UART_1               8
+-#define IRQ_DOVE_UART_2               9
+-#define IRQ_DOVE_UART_3               10
+-#define IRQ_DOVE_I2C          11
+-#define IRQ_DOVE_GPIO_0_7     12
+-#define IRQ_DOVE_GPIO_8_15    13
+-#define IRQ_DOVE_GPIO_16_23   14
+-#define IRQ_DOVE_PCIE0_ERR    15
+-#define IRQ_DOVE_PCIE0                16
+-#define IRQ_DOVE_PCIE1_ERR    17
+-#define IRQ_DOVE_PCIE1                18
+-#define IRQ_DOVE_I2S0         19
+-#define IRQ_DOVE_I2S0_ERR     20
+-#define IRQ_DOVE_I2S1         21
+-#define IRQ_DOVE_I2S1_ERR     22
+-#define IRQ_DOVE_USB_ERR      23
+-#define IRQ_DOVE_USB0         24
+-#define IRQ_DOVE_USB1         25
+-#define IRQ_DOVE_GE00_RX      26
+-#define IRQ_DOVE_GE00_TX      27
+-#define IRQ_DOVE_GE00_MISC    28
+-#define IRQ_DOVE_GE00_SUM     29
+-#define IRQ_DOVE_GE00_ERR     30
+-#define IRQ_DOVE_CRYPTO               31
++#define IRQ_DOVE_BRIDGE               (1 + 0)
++#define IRQ_DOVE_H2C          (1 + 1)
++#define IRQ_DOVE_C2H          (1 + 2)
++#define IRQ_DOVE_NAND         (1 + 3)
++#define IRQ_DOVE_PDMA         (1 + 4)
++#define IRQ_DOVE_SPI1         (1 + 5)
++#define IRQ_DOVE_SPI0         (1 + 6)
++#define IRQ_DOVE_UART_0               (1 + 7)
++#define IRQ_DOVE_UART_1               (1 + 8)
++#define IRQ_DOVE_UART_2               (1 + 9)
++#define IRQ_DOVE_UART_3               (1 + 10)
++#define IRQ_DOVE_I2C          (1 + 11)
++#define IRQ_DOVE_GPIO_0_7     (1 + 12)
++#define IRQ_DOVE_GPIO_8_15    (1 + 13)
++#define IRQ_DOVE_GPIO_16_23   (1 + 14)
++#define IRQ_DOVE_PCIE0_ERR    (1 + 15)
++#define IRQ_DOVE_PCIE0                (1 + 16)
++#define IRQ_DOVE_PCIE1_ERR    (1 + 17)
++#define IRQ_DOVE_PCIE1                (1 + 18)
++#define IRQ_DOVE_I2S0         (1 + 19)
++#define IRQ_DOVE_I2S0_ERR     (1 + 20)
++#define IRQ_DOVE_I2S1         (1 + 21)
++#define IRQ_DOVE_I2S1_ERR     (1 + 22)
++#define IRQ_DOVE_USB_ERR      (1 + 23)
++#define IRQ_DOVE_USB0         (1 + 24)
++#define IRQ_DOVE_USB1         (1 + 25)
++#define IRQ_DOVE_GE00_RX      (1 + 26)
++#define IRQ_DOVE_GE00_TX      (1 + 27)
++#define IRQ_DOVE_GE00_MISC    (1 + 28)
++#define IRQ_DOVE_GE00_SUM     (1 + 29)
++#define IRQ_DOVE_GE00_ERR     (1 + 30)
++#define IRQ_DOVE_CRYPTO               (1 + 31)
+ /*
+  * Dove High Interrupt Controller
+  */
+-#define IRQ_DOVE_AC97         32
+-#define IRQ_DOVE_PMU          33
+-#define IRQ_DOVE_CAM          34
+-#define IRQ_DOVE_SDIO0                35
+-#define IRQ_DOVE_SDIO1                36
+-#define IRQ_DOVE_SDIO0_WAKEUP 37
+-#define IRQ_DOVE_SDIO1_WAKEUP 38
+-#define IRQ_DOVE_XOR_00               39
+-#define IRQ_DOVE_XOR_01               40
+-#define IRQ_DOVE_XOR0_ERR     41
+-#define IRQ_DOVE_XOR_10               42
+-#define IRQ_DOVE_XOR_11               43
+-#define IRQ_DOVE_XOR1_ERR     44
+-#define IRQ_DOVE_LCD_DCON     45
+-#define IRQ_DOVE_LCD1         46
+-#define IRQ_DOVE_LCD0         47
+-#define IRQ_DOVE_GPU          48
+-#define IRQ_DOVE_PERFORM_MNTR 49
+-#define IRQ_DOVE_VPRO_DMA1    51
+-#define IRQ_DOVE_SSP_TIMER    54
+-#define IRQ_DOVE_SSP          55
+-#define IRQ_DOVE_MC_L2_ERR    56
+-#define IRQ_DOVE_CRYPTO_ERR   59
+-#define IRQ_DOVE_GPIO_24_31   60
+-#define IRQ_DOVE_HIGH_GPIO    61
+-#define IRQ_DOVE_SATA         62
++#define IRQ_DOVE_AC97         (1 + 32)
++#define IRQ_DOVE_PMU          (1 + 33)
++#define IRQ_DOVE_CAM          (1 + 34)
++#define IRQ_DOVE_SDIO0                (1 + 35)
++#define IRQ_DOVE_SDIO1                (1 + 36)
++#define IRQ_DOVE_SDIO0_WAKEUP (1 + 37)
++#define IRQ_DOVE_SDIO1_WAKEUP (1 + 38)
++#define IRQ_DOVE_XOR_00               (1 + 39)
++#define IRQ_DOVE_XOR_01               (1 + 40)
++#define IRQ_DOVE_XOR0_ERR     (1 + 41)
++#define IRQ_DOVE_XOR_10               (1 + 42)
++#define IRQ_DOVE_XOR_11               (1 + 43)
++#define IRQ_DOVE_XOR1_ERR     (1 + 44)
++#define IRQ_DOVE_LCD_DCON     (1 + 45)
++#define IRQ_DOVE_LCD1         (1 + 46)
++#define IRQ_DOVE_LCD0         (1 + 47)
++#define IRQ_DOVE_GPU          (1 + 48)
++#define IRQ_DOVE_PERFORM_MNTR (1 + 49)
++#define IRQ_DOVE_VPRO_DMA1    (1 + 51)
++#define IRQ_DOVE_SSP_TIMER    (1 + 54)
++#define IRQ_DOVE_SSP          (1 + 55)
++#define IRQ_DOVE_MC_L2_ERR    (1 + 56)
++#define IRQ_DOVE_CRYPTO_ERR   (1 + 59)
++#define IRQ_DOVE_GPIO_24_31   (1 + 60)
++#define IRQ_DOVE_HIGH_GPIO    (1 + 61)
++#define IRQ_DOVE_SATA         (1 + 62)
+ /*
+  * DOVE General Purpose Pins
+  */
+-#define IRQ_DOVE_GPIO_START   64
++#define IRQ_DOVE_GPIO_START   65
+ #define NR_GPIO_IRQS          64
+ /*
+--- a/arch/arm/mach-dove/irq.c
++++ b/arch/arm/mach-dove/irq.c
+@@ -126,14 +126,14 @@ __exception_irq_entry dove_legacy_handle
+       stat = readl_relaxed(dove_irq_base + IRQ_CAUSE_LOW_OFF);
+       stat &= readl_relaxed(dove_irq_base + IRQ_MASK_LOW_OFF);
+       if (stat) {
+-              unsigned int hwirq = __fls(stat);
++              unsigned int hwirq = 1 + __fls(stat);
+               handle_IRQ(hwirq, regs);
+               return;
+       }
+       stat = readl_relaxed(dove_irq_base + IRQ_CAUSE_HIGH_OFF);
+       stat &= readl_relaxed(dove_irq_base + IRQ_MASK_HIGH_OFF);
+       if (stat) {
+-              unsigned int hwirq = 32 + __fls(stat);
++              unsigned int hwirq = 33 + __fls(stat);
+               handle_IRQ(hwirq, regs);
+               return;
+       }
+@@ -144,8 +144,8 @@ void __init dove_init_irq(void)
+ {
+       int i;
+-      orion_irq_init(0, IRQ_VIRT_BASE + IRQ_MASK_LOW_OFF);
+-      orion_irq_init(32, IRQ_VIRT_BASE + IRQ_MASK_HIGH_OFF);
++      orion_irq_init(1, IRQ_VIRT_BASE + IRQ_MASK_LOW_OFF);
++      orion_irq_init(33, IRQ_VIRT_BASE + IRQ_MASK_HIGH_OFF);
+ #ifdef CONFIG_MULTI_IRQ_HANDLER
+       set_handle_irq(dove_legacy_handle_irq);
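Review bot: The shift by one is spelled three different ways: `(1 + n)` in irqs.h, a bare `65` for `IRQ_DOVE_GPIO_START`, and literal `1`/`33` in dove_legacy_handle_irq() and dove_init_irq(), so the four sites in irq.c must be kept in step with the header by hand. A single named base in irqs.h (for example `#define IRQ_DOVE_LOW_BASE 1`, the name is only a suggestion) with the other values derived from it, e.g. `unsigned int hwirq = IRQ_DOVE_LOW_BASE + __fls(stat);`, would rule out a mismatch between the demultiplexer and the IRQ numbers drivers request. Any count or limit derived from these macros lies outside the hunks and should be checked for the same off-by-one.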
diff --git a/queue-4.1/arm64-bpf-fix-endianness-conversion-bugs.patch b/queue-4.1/arm64-bpf-fix-endianness-conversion-bugs.patch
new file mode 100644 (file)
index 0000000..767c9b4
--- /dev/null
@@ -0,0 +1,90 @@
+From d63903bbc30c7ccad040851dfdb4da12d9a17bcf Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Thu, 25 Jun 2015 18:39:15 -0700
+Subject: arm64: bpf: fix endianness conversion bugs
+
+From: Xi Wang <xi.wang@gmail.com>
+
+commit d63903bbc30c7ccad040851dfdb4da12d9a17bcf upstream.
+
+Upper bits should be zeroed in endianness conversion:
+
+- even when there's no need to change endianness (i.e., BPF_FROM_BE
+  on big endian or BPF_FROM_LE on little endian);
+
+- after rev16.
+
+This patch fixes such bugs by emitting extra instructions to clear
+upper bits.
+
+Cc: Zi Shen Lim <zlim.lnx@gmail.com>
+Acked-by: Alexei Starovoitov <ast@plumgrid.com>
+Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/net/bpf_jit.h      |    4 ++++
+ arch/arm64/net/bpf_jit_comp.c |   22 ++++++++++++++++++++--
+ 2 files changed, 24 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/net/bpf_jit.h
++++ b/arch/arm64/net/bpf_jit.h
+@@ -110,6 +110,10 @@
+ /* Rd = Rn >> shift; signed */
+ #define A64_ASR(sf, Rd, Rn, shift) A64_SBFM(sf, Rd, Rn, shift, (sf) ? 63 : 31)
++/* Zero extend */
++#define A64_UXTH(sf, Rd, Rn) A64_UBFM(sf, Rd, Rn, 0, 15)
++#define A64_UXTW(sf, Rd, Rn) A64_UBFM(sf, Rd, Rn, 0, 31)
++
+ /* Move wide (immediate) */
+ #define A64_MOVEW(sf, Rd, imm16, shift, type) \
+       aarch64_insn_gen_movewide(Rd, imm16, shift, \
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -289,23 +289,41 @@ static int build_insn(const struct bpf_i
+       case BPF_ALU | BPF_END | BPF_FROM_BE:
+ #ifdef CONFIG_CPU_BIG_ENDIAN
+               if (BPF_SRC(code) == BPF_FROM_BE)
+-                      break;
++                      goto emit_bswap_uxt;
+ #else /* !CONFIG_CPU_BIG_ENDIAN */
+               if (BPF_SRC(code) == BPF_FROM_LE)
+-                      break;
++                      goto emit_bswap_uxt;
+ #endif
+               switch (imm) {
+               case 16:
+                       emit(A64_REV16(is64, dst, dst), ctx);
++                      /* zero-extend 16 bits into 64 bits */
++                      emit(A64_UXTH(is64, dst, dst), ctx);
+                       break;
+               case 32:
+                       emit(A64_REV32(is64, dst, dst), ctx);
++                      /* upper 32 bits already cleared */
+                       break;
+               case 64:
+                       emit(A64_REV64(dst, dst), ctx);
+                       break;
+               }
+               break;
++emit_bswap_uxt:
++              switch (imm) {
++              case 16:
++                      /* zero-extend 16 bits into 64 bits */
++                      emit(A64_UXTH(is64, dst, dst), ctx);
++                      break;
++              case 32:
++                      /* zero-extend 32 bits into 64 bits */
++                      emit(A64_UXTW(is64, dst, dst), ctx);
++                      break;
++              case 64:
++                      /* nop */
++                      break;
++              }
++              break;
+       /* dst = imm */
+       case BPF_ALU | BPF_MOV | BPF_K:
+       case BPF_ALU64 | BPF_MOV | BPF_K:
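Review bot: The added comment `/* upper 32 bits already cleared */` on the `case 32:` arm holds only if `is64` is 0 there, because `is64` is passed as the `sf` argument of `A64_REV32` and a 64-bit REV32 would leave the upper word populated. The case label visible in the hunk is `BPF_ALU | BPF_END | BPF_FROM_BE`, which suggests that is so, but `is64` is assigned outside the hunk. Saying it in the comment, e.g. `/* 32-bit REV32 (is64 == 0 here) zeroes the upper 32 bits */`, would keep the assumption from being broken silently. Also, neither `switch (imm)` has a `default:`, so an unexpected width emits nothing and leaves the upper bits as they were. build_insn() starts and ends outside the hunk, so whether `imm` is validated earlier cannot be seen here.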
diff --git a/queue-4.1/arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch b/queue-4.1/arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch
new file mode 100644 (file)
index 0000000..dd98dbf
--- /dev/null
@@ -0,0 +1,57 @@
+From 8eee539ddea09bccae2426f09b0ba6a18b72b691 Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Thu, 25 Jun 2015 05:47:39 -0700
+Subject: arm64: bpf: fix out-of-bounds read in bpf2a64_offset()
+
+From: Xi Wang <xi.wang@gmail.com>
+
+commit 8eee539ddea09bccae2426f09b0ba6a18b72b691 upstream.
+
+Problems occur when bpf_to or bpf_from has value prog->len - 1 (e.g.,
+"Very long jump backwards" in test_bpf where the last instruction is a
+jump): since ctx->offset has length prog->len, ctx->offset[bpf_to + 1]
+or ctx->offset[bpf_from + 1] will cause an out-of-bounds read, leading
+to a bogus jump offset and kernel panic.
+
+This patch moves updating ctx->offset to after calling build_insn(),
+and changes indexing to use bpf_to and bpf_from without + 1.
+
+Fixes: e54bcde3d69d ("arm64: eBPF JIT compiler")
+Cc: Zi Shen Lim <zlim.lnx@gmail.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Acked-by: Alexei Starovoitov <ast@plumgrid.com>
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/net/bpf_jit_comp.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -113,9 +113,9 @@ static inline void emit_a64_mov_i(const
+ static inline int bpf2a64_offset(int bpf_to, int bpf_from,
+                                const struct jit_ctx *ctx)
+ {
+-      int to = ctx->offset[bpf_to + 1];
++      int to = ctx->offset[bpf_to];
+       /* -1 to account for the Branch instruction */
+-      int from = ctx->offset[bpf_from + 1] - 1;
++      int from = ctx->offset[bpf_from] - 1;
+       return to - from;
+ }
+@@ -640,10 +640,11 @@ static int build_body(struct jit_ctx *ct
+               const struct bpf_insn *insn = &prog->insnsi[i];
+               int ret;
++              ret = build_insn(insn, ctx);
++
+               if (ctx->image == NULL)
+                       ctx->offset[i] = ctx->idx;
+-              ret = build_insn(insn, ctx);
+               if (ret > 0) {
+                       i++;
+                       continue;
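Review bot: With `ctx->offset[i]` now recorded after `build_insn()`, each slot holds the index just past instruction i, and `bpf2a64_offset()` reads `ctx->offset[bpf_to]` and `ctx->offset[bpf_from]` with no lower or upper bound check. The callers are outside the hunk; if they still pass the index of the instruction before the target, a branch to the first instruction would give `bpf_to == -1` and read before the array, the mirror image of the overrun this patch removes. I would either reserve a slot for the end of the prologue so the index arithmetic never goes negative, or at least state the contract at the function: `/* offset[i] is the A64 index after BPF insn i; bpf_to and bpf_from must be in [0, prog->len) */`. build_body() continues outside its hunk.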
diff --git a/queue-4.1/arm64-don-t-report-clear-pmds-and-puds-as-huge.patch b/queue-4.1/arm64-don-t-report-clear-pmds-and-puds-as-huge.patch
new file mode 100644 (file)
index 0000000..0dac1e2
--- /dev/null
@@ -0,0 +1,48 @@
+From fd28f5d439fca77348c129d5b73043a56f8a0296 Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Wed, 1 Jul 2015 14:08:31 +0200
+Subject: arm64: Don't report clear pmds and puds as huge
+
+From: Christoffer Dall <christoffer.dall@linaro.org>
+
+commit fd28f5d439fca77348c129d5b73043a56f8a0296 upstream.
+
+The current pmd_huge() and pud_huge() functions simply check if the table
+bit is not set and reports the entries as huge in that case.  This is
+counter-intuitive as a clear pmd/pud cannot also be a huge pmd/pud, and
+it is inconsistent with at least arm and x86.
+
+To prevent others from making the same mistake as me in looking at code
+that calls these functions and to fix an issue with KVM on arm64 that
+causes memory corruption due to incorrect page reference counting
+resulting from this mistake, let's change the behavior.
+
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Reviewed-by: Steve Capper <steve.capper@linaro.org>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Fixes: 084bd29810a5 ("ARM64: mm: HugeTLB support.")
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/mm/hugetlbpage.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/hugetlbpage.c
++++ b/arch/arm64/mm/hugetlbpage.c
+@@ -40,13 +40,13 @@ int huge_pmd_unshare(struct mm_struct *m
+ int pmd_huge(pmd_t pmd)
+ {
+-      return !(pmd_val(pmd) & PMD_TABLE_BIT);
++      return pmd_val(pmd) && !(pmd_val(pmd) & PMD_TABLE_BIT);
+ }
+ int pud_huge(pud_t pud)
+ {
+ #ifndef __PAGETABLE_PMD_FOLDED
+-      return !(pud_val(pud) & PUD_TABLE_BIT);
++      return pud_val(pud) && !(pud_val(pud) & PUD_TABLE_BIT);
+ #else
+       return 0;
+ #endif
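Review bot: In pmd_huge() and pud_huge() the added `pmd_val(pmd) &&` and `pud_val(pud) &&` tests carry no comment, and the reason for them (a cleared entry has the table bit unset too) is exactly what the commit message says was easy to misread. A one-line comment above each return would do, for example `/* A clear entry has no table bit either; it is not a huge mapping. */`. Since the description ties the old result to incorrect page reference counting under KVM, callers that may have relied on empty entries being reported as huge are worth a quick audit; none are visible in this hunk.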
diff --git a/queue-4.1/arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch b/queue-4.1/arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch
new file mode 100644 (file)
index 0000000..3e56905
--- /dev/null
@@ -0,0 +1,51 @@
+From be081d9bf3e163a9ed1ca2f0f14f08424c7f9016 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <sboyd@codeaurora.org>
+Date: Wed, 24 Jun 2015 13:14:18 -0700
+Subject: ARM64: smp: Fix suspicious RCU usage with ipi tracepoints
+
+From: Stephen Boyd <sboyd@codeaurora.org>
+
+commit be081d9bf3e163a9ed1ca2f0f14f08424c7f9016 upstream.
+
+John Stultz reported an RCU splat on ARM with ipi trace events
+enabled. It looks like the same problem exists on ARM64.
+
+At this point in the IPI handling path we haven't called
+irq_enter() yet, so RCU doesn't know that we're about to exit
+idle and properly warns that we're using RCU from an idle CPU.
+Use trace_ipi_entry_rcuidle() instead of trace_ipi_entry() so
+that RCU is informed about our exit from idle.
+
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Nicolas Pitre <nicolas.pitre@linaro.org>
+Acked-by: Steven Rostedt <rostedt@goodmis.org>
+Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Fixes: 45ed695ac10a ("ARM64: add IPI tracepoints")
+Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/smp.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -569,7 +569,7 @@ void handle_IPI(int ipinr, struct pt_reg
+       struct pt_regs *old_regs = set_irq_regs(regs);
+       if ((unsigned)ipinr < NR_IPI) {
+-              trace_ipi_entry(ipi_types[ipinr]);
++              trace_ipi_entry_rcuidle(ipi_types[ipinr]);
+               __inc_irq_stat(cpu, ipi_irqs[ipinr]);
+       }
+@@ -612,7 +612,7 @@ void handle_IPI(int ipinr, struct pt_reg
+       }
+       if ((unsigned)ipinr < NR_IPI)
+-              trace_ipi_exit(ipi_types[ipinr]);
++              trace_ipi_exit_rcuidle(ipi_types[ipinr]);
+       set_irq_regs(old_regs);
+ }
diff --git a/queue-4.1/edac-octeon-fix-broken-build-due-to-model-helper-renames.patch b/queue-4.1/edac-octeon-fix-broken-build-due-to-model-helper-renames.patch
new file mode 100644 (file)
index 0000000..879b759
--- /dev/null
@@ -0,0 +1,65 @@
+From 75a15a7864c9e281c74a1670b10b69d1d7ff1c82 Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Wed, 1 Jul 2015 13:38:52 +0300
+Subject: EDAC, octeon: Fix broken build due to model helper renames
+
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+
+commit 75a15a7864c9e281c74a1670b10b69d1d7ff1c82 upstream.
+
+Commit
+
+  debe6a623d3c ("MIPS: OCTEON: Update octeon-model.h code for new SoCs.")
+
+renamed some SoC model helper functions, but forgot to update the EDAC
+drivers resulting in build failures. Fix that.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Acked-by: David Daney <david.daney@cavium.com>
+Cc: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Cc: linux-mips@linux-mips.org
+Link: http://lkml.kernel.org/r/1435747132-10954-1-git-send-email-aaro.koskinen@nokia.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/octeon_edac-l2c.c |    2 +-
+ drivers/edac/octeon_edac-lmc.c |    2 +-
+ drivers/edac/octeon_edac-pc.c  |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/octeon_edac-l2c.c
++++ b/drivers/edac/octeon_edac-l2c.c
+@@ -151,7 +151,7 @@ static int octeon_l2c_probe(struct platf
+       l2c->ctl_name = "octeon_l2c_err";
+-      if (OCTEON_IS_MODEL(OCTEON_FAM_1_PLUS)) {
++      if (OCTEON_IS_OCTEON1PLUS()) {
+               union cvmx_l2t_err l2t_err;
+               union cvmx_l2d_err l2d_err;
+--- a/drivers/edac/octeon_edac-lmc.c
++++ b/drivers/edac/octeon_edac-lmc.c
+@@ -234,7 +234,7 @@ static int octeon_lmc_edac_probe(struct
+       layers[0].size = 1;
+       layers[0].is_virt_csrow = false;
+-      if (OCTEON_IS_MODEL(OCTEON_FAM_1_PLUS)) {
++      if (OCTEON_IS_OCTEON1PLUS()) {
+               union cvmx_lmcx_mem_cfg0 cfg0;
+               cfg0.u64 = cvmx_read_csr(CVMX_LMCX_MEM_CFG0(0));
+--- a/drivers/edac/octeon_edac-pc.c
++++ b/drivers/edac/octeon_edac-pc.c
+@@ -73,7 +73,7 @@ static int  co_cache_error_event(struct
+                       edac_device_handle_ce(p->ed, cpu, 0, "dcache");
+               /* Clear the error indication */
+-              if (OCTEON_IS_MODEL(OCTEON_FAM_2))
++              if (OCTEON_IS_OCTEON2())
+                       write_octeon_c0_dcacheerr(1);
+               else
+                       write_octeon_c0_dcacheerr(0);
diff --git a/queue-4.1/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch b/queue-4.1/fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..634c0fd
--- /dev/null
@@ -0,0 +1,61 @@
+From 6f957724b94cb19f5c1c97efd01dd4df8ced323c Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Thu, 9 Jul 2015 11:20:01 -0700
+Subject: Fix firmware loader uevent buffer NULL pointer dereference
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 6f957724b94cb19f5c1c97efd01dd4df8ced323c upstream.
+
+The firmware class uevent function accessed the "fw_priv->buf" buffer
+without the proper locking and testing for NULL.  This is an old bug
+(looks like it goes back to 2012 and commit 1244691c73b2: "firmware
+loader: introduce firmware_buf"), but for some reason it's triggering
+only now in 4.2-rc1.
+
+Shuah Khan is trying to bisect what it is that causes this to trigger
+more easily, but in the meantime let's just fix the bug since others are
+hitting it too (at least Ingo reports having seen it as well).
+
+Reported-and-tested-by: Shuah Khan <shuahkh@osg.samsung.com>
+Acked-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/firmware_class.c |   16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -544,10 +544,8 @@ static void fw_dev_release(struct device
+       kfree(fw_priv);
+ }
+-static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
++static int do_firmware_uevent(struct firmware_priv *fw_priv, struct kobj_uevent_env *env)
+ {
+-      struct firmware_priv *fw_priv = to_firmware_priv(dev);
+-
+       if (add_uevent_var(env, "FIRMWARE=%s", fw_priv->buf->fw_id))
+               return -ENOMEM;
+       if (add_uevent_var(env, "TIMEOUT=%i", loading_timeout))
+@@ -558,6 +556,18 @@ static int firmware_uevent(struct device
+       return 0;
+ }
++static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
++{
++      struct firmware_priv *fw_priv = to_firmware_priv(dev);
++      int err = 0;
++
++      mutex_lock(&fw_lock);
++      if (fw_priv->buf)
++              err = do_firmware_uevent(fw_priv, env);
++      mutex_unlock(&fw_lock);
++      return err;
++}
++
+ static struct class firmware_class = {
+       .name           = "firmware",
+       .class_attrs    = firmware_class_attrs,
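Review bot: do_firmware_uevent() still dereferences `fw_priv->buf->fw_id` unconditionally, so it is only safe when the caller holds fw_lock and has already seen a non-NULL buf, and nothing at the definition says so. I would add `/* Caller must hold fw_lock and have checked fw_priv->buf. */` above it, so that a later second caller does not reintroduce the NULL dereference. The new firmware_uevent() also returns 0 when buf is NULL, so the event is presumably still emitted, only without the variables the helper adds (FIRMWARE and TIMEOUT are visible here). If that is intended, it deserves a short comment next to the `if (fw_priv->buf)` test.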
diff --git a/queue-4.1/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch b/queue-4.1/fixing-infinite-open-loop-in-4.0-stateid-recovery.patch
new file mode 100644 (file)
index 0000000..acb5f39
--- /dev/null
@@ -0,0 +1,40 @@
+From e8d975e73e5fa05f983fbf2723120edcf68e0b38 Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <kolga@netapp.com>
+Date: Fri, 15 May 2015 11:45:31 -0400
+Subject: fixing infinite OPEN loop in 4.0 stateid recovery
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+commit e8d975e73e5fa05f983fbf2723120edcf68e0b38 upstream.
+
+Problem: When an operation like WRITE receives a BAD_STATEID, even though
+recovery code clears the RECLAIM_NOGRACE recovery flag before recovering
+the open state, because of clearing delegation state for the associated
+inode, nfs_inode_find_state_and_recover() gets called and it makes the
+same state with RECLAIM_NOGRACE flag again. As a results, when we restart
+looking over the open states, we end up in the infinite loop instead of
+breaking out in the next test of state flags.
+
+Solution: unset the RECLAIM_NOGRACE set because of
+calling of nfs_inode_find_state_and_recover() after returning from calling
+recover_open() function.
+
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/nfs4state.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1482,6 +1482,8 @@ restart:
+                                       spin_unlock(&state->state_lock);
+                               }
+                               nfs4_put_open_state(state);
++                              clear_bit(NFS4CLNT_RECLAIM_NOGRACE,
++                                      &state->flags);
+                               spin_lock(&sp->so_lock);
+                               goto restart;
+                       }
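Review bot: The added `clear_bit(NFS4CLNT_RECLAIM_NOGRACE, &state->flags);` runs after `nfs4_put_open_state(state);`, so if that put drops the last reference, the bit is cleared in memory that may already have been freed. Moving the two added lines above the put keeps the access inside the lifetime of the reference. Separately, the constant carries the client-wide NFS4CLNT_ prefix but is applied to the per-state `state->flags` word. It is worth confirming against the flag definitions that this is the bit nfs_inode_find_state_and_recover() sets; the per-state name would be `NFS_STATE_RECLAIM_NOGRACE`. The enclosing function starts and ends outside the hunk, so the reference counting is inferred from these lines only.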
diff --git a/queue-4.1/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch b/queue-4.1/hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch
new file mode 100644 (file)
index 0000000..10b25d1
--- /dev/null
@@ -0,0 +1,48 @@
+From a28e4b2b18ccb90df402da3f21e1a83c9d4f8ec1 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Thu, 26 Mar 2015 20:47:10 -0700
+Subject: hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
+
+From: Joe Perches <joe@perches.com>
+
+commit a28e4b2b18ccb90df402da3f21e1a83c9d4f8ec1 upstream.
+
+Removing unnecessary static buffers is good.
+Use the vsprintf %pV extension instead.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Signed-off-by: Mikulas Patocka <mikulas@twibright.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hpfs/super.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -52,17 +52,20 @@ static void unmark_dirty(struct super_bl
+ }
+ /* Filesystem error... */
+-static char err_buf[1024];
+-
+ void hpfs_error(struct super_block *s, const char *fmt, ...)
+ {
++      struct va_format vaf;
+       va_list args;
+       va_start(args, fmt);
+-      vsnprintf(err_buf, sizeof(err_buf), fmt, args);
++
++      vaf.fmt = fmt;
++      vaf.va = &args;
++
++      pr_err("filesystem error: %pV", &vaf);
++
+       va_end(args);
+-      pr_err("filesystem error: %s", err_buf);
+       if (!hpfs_sb(s)->sb_was_error) {
+               if (hpfs_sb(s)->sb_err == 2) {
+                       pr_cont("; crashing the system because you wanted it\n");
diff --git a/queue-4.1/hpfs-kstrdup-out-of-memory-handling.patch b/queue-4.1/hpfs-kstrdup-out-of-memory-handling.patch
new file mode 100644 (file)
index 0000000..4857e5a
--- /dev/null
@@ -0,0 +1,40 @@
+From ce657611baf902f14ae559ce4e0787ead6712067 Mon Sep 17 00:00:00 2001
+From: Sanidhya Kashyap <sanidhya.gatech@gmail.com>
+Date: Sat, 21 Mar 2015 12:57:50 -0400
+Subject: hpfs: kstrdup() out of memory handling
+
+From: Sanidhya Kashyap <sanidhya.gatech@gmail.com>
+
+commit ce657611baf902f14ae559ce4e0787ead6712067 upstream.
+
+There is a possibility of nothing being allocated to the new_opts in
+case of memory pressure, therefore return ENOMEM for such case.
+
+Signed-off-by: Sanidhya Kashyap <sanidhya.gatech@gmail.com>
+Signed-off-by: Mikulas Patocka <mikulas@twibright.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hpfs/super.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -424,11 +424,14 @@ static int hpfs_remount_fs(struct super_
+       int o;
+       struct hpfs_sb_info *sbi = hpfs_sb(s);
+       char *new_opts = kstrdup(data, GFP_KERNEL);
+-      
++
++      if (!new_opts)
++              return -ENOMEM;
++
+       sync_filesystem(s);
+       *flags |= MS_NOATIME;
+-      
++
+       hpfs_lock(s);
+       uid = sbi->sb_uid; gid = sbi->sb_gid;
+       umask = 0777 & ~sbi->sb_mode;
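Review bot: The new `if (!new_opts) return -ENOMEM;` in hpfs_remount_fs() also fires when `data` itself is NULL, because kstrdup() returns NULL for a NULL source string. If a remount can reach this function without an option string, it would now fail with -ENOMEM even though no allocation failed. Testing the input as well, `if (data && !new_opts) return -ENOMEM;`, keeps the out-of-memory check without rejecting that case. The rest of the function lies outside the hunk, so later uses of new_opts should be checked for NULL tolerance.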
diff --git a/queue-4.1/nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch b/queue-4.1/nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch
new file mode 100644 (file)
index 0000000..8b2e47d
--- /dev/null
@@ -0,0 +1,47 @@
+From 0c8315dd56577445dd1afe6b9cfa06b7efdf2f82 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@poochiereds.net>
+Date: Wed, 24 Jun 2015 12:10:24 -0400
+Subject: nfs: always update creds in mirror, even when we have an already connected ds
+
+From: Jeff Layton <jlayton@poochiereds.net>
+
+commit 0c8315dd56577445dd1afe6b9cfa06b7efdf2f82 upstream.
+
+A ds can be associated with more than one mirror, but we currently skip
+setting a mirror's credentials if we find that it's already set up with
+a connected client.
+
+The upshot is that we can end up sending DS writes with MDS credentials
+instead of properly setting them up. Fix nfs4_ff_layout_prepare_ds to
+always verify that the mirror's credentials are set up, even when we
+have a DS that's already connected.
+
+Reported-by: Tom Haynes <thomas.haynes@primarydata.com>
+Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -387,7 +387,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
+       /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */
+       smp_rmb();
+       if (ds->ds_clp)
+-              goto out;
++              goto out_update_creds;
+       flavor = nfs4_ff_layout_choose_authflavor(mirror);
+@@ -431,7 +431,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
+                       }
+               }
+       }
+-
++out_update_creds:
+       if (ff_layout_update_mirror_cred(mirror, ds))
+               ds = NULL;
+ out:
diff --git a/queue-4.1/nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch b/queue-4.1/nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch
new file mode 100644 (file)
index 0000000..686e0ee
--- /dev/null
@@ -0,0 +1,41 @@
+From c70701131f7a8edea91fc49d11796d342cff7c62 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Wed, 17 Jun 2015 19:56:22 -0400
+Subject: NFS: Ensure we set NFS_CONTEXT_RESEND_WRITES when requeuing writes
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit c70701131f7a8edea91fc49d11796d342cff7c62 upstream.
+
+If a write attempt fails, and the write is queued up for resending to
+the server, as opposed to being dropped, then we need to set the
+appropriate flag so that nfs_file_fsync() does the right thing.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/pnfs.c  |    1 +
+ fs/nfs/write.c |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1821,6 +1821,7 @@ int pnfs_write_done_resend_to_mds(struct
+       /* Resend all requests through the MDS */
+       nfs_pageio_init_write(&pgio, hdr->inode, FLUSH_STABLE, true,
+                             hdr->completion_ops);
++      set_bit(NFS_CONTEXT_RESEND_WRITES, &hdr->args.context->flags);
+       return nfs_pageio_resend(&pgio, hdr);
+ }
+ EXPORT_SYMBOL_GPL(pnfs_write_done_resend_to_mds);
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -1289,6 +1289,7 @@ static void nfs_initiate_write(struct nf
+ static void nfs_redirty_request(struct nfs_page *req)
+ {
+       nfs_mark_request_dirty(req);
++      set_bit(NFS_CONTEXT_RESEND_WRITES, &req->wb_context->flags);
+       nfs_unlock_request(req);
+       nfs_end_page_writeback(req);
+       nfs_release_request(req);
diff --git a/queue-4.1/nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch b/queue-4.1/nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch
new file mode 100644 (file)
index 0000000..a1e747d
--- /dev/null
@@ -0,0 +1,37 @@
+From a24221dca1868101c9b4b5adde4a6a5b1a3a64a7 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@poochiereds.net>
+Date: Wed, 24 Jun 2015 12:10:23 -0400
+Subject: nfs: fix potential credential leak in ff_layout_update_mirror_cred
+
+From: Jeff Layton <jlayton@poochiereds.net>
+
+commit a24221dca1868101c9b4b5adde4a6a5b1a3a64a7 upstream.
+
+If we have two tasks racing to update a mirror's credentials, then they
+can end up leaking one (or more) sets of credentials. The first task
+will set mirror->cred and then the second task will just overwrite it.
+
+Use a cmpxchg to ensure that the creds are only set once. If we get to
+the point where we would set mirror->cred and find that they're already
+set, then we just release the creds that were just found.
+
+Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -324,7 +324,8 @@ static int ff_layout_update_mirror_cred(
+                               __func__, PTR_ERR(cred));
+                       return PTR_ERR(cred);
+               } else {
+-                      mirror->cred = cred;
++                      if (cmpxchg(&mirror->cred, NULL, cred))
++                              put_rpccred(cred);
+               }
+       }
+       return 0;
diff --git a/queue-4.1/nfs-increase-size-of-exchange_id-name-string-buffer.patch b/queue-4.1/nfs-increase-size-of-exchange_id-name-string-buffer.patch
new file mode 100644 (file)
index 0000000..686e8e4
--- /dev/null
@@ -0,0 +1,32 @@
+From 764ad8ba8cd4c6f836fca9378f8c5121aece0842 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@poochiereds.net>
+Date: Tue, 9 Jun 2015 19:43:56 -0400
+Subject: nfs: increase size of EXCHANGE_ID name string buffer
+
+From: Jeff Layton <jlayton@poochiereds.net>
+
+commit 764ad8ba8cd4c6f836fca9378f8c5121aece0842 upstream.
+
+The current buffer is much too small if you have a relatively long
+hostname. Bring it up to the size of the one that SETCLIENTID has.
+
+Reported-by: Michael Skralivetsky <michael.skralivetsky@primarydata.com>
+Signed-off-by: Jeff Layton <jeff.layton@primarydata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/nfs_xdr.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/nfs_xdr.h
++++ b/include/linux/nfs_xdr.h
+@@ -1142,7 +1142,7 @@ struct nfs41_state_protection {
+       struct nfs4_op_map allow;
+ };
+-#define NFS4_EXCHANGE_ID_LEN  (48)
++#define NFS4_EXCHANGE_ID_LEN  (127)
+ struct nfs41_exchange_id_args {
+       struct nfs_client               *client;
+       nfs4_verifier                   *verifier;
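Review bot: `NFS4_EXCHANGE_ID_LEN` is raised to a bare `(127)` although the description says the intent is to match the SETCLIENTID buffer, so the two sizes can drift apart again. If the SETCLIENTID length constant is visible from this header, `#define NFS4_EXCHANGE_ID_LEN NFS4_SETCLIENTID_NAMELEN` (name to be confirmed) would tie them together; otherwise a comment naming the other constant is enough. The code that formats the name into this buffer is not in the hunk, so it is worth checking that it bounds the write and handles truncation for hostnames longer than the new limit.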
diff --git a/queue-4.1/p9_client_write-avoid-double-p9_free_req.patch b/queue-4.1/p9_client_write-avoid-double-p9_free_req.patch
new file mode 100644 (file)
index 0000000..4313d1f
--- /dev/null
@@ -0,0 +1,30 @@
+From 67e808fbb0404a12d9b9830a44bbb48d447d8bc9 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 4 Jul 2015 16:11:05 -0400
+Subject: p9_client_write(): avoid double p9_free_req()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 67e808fbb0404a12d9b9830a44bbb48d447d8bc9 upstream.
+
+Braino in "9p: switch p9_client_write() to passing it struct iov_iter *";
+if response is impossible to parse and we discard the request, get the
+out of the loop right there.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/client.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -1648,6 +1648,7 @@ p9_client_write(struct p9_fid *fid, u64
+               if (*err) {
+                       trace_9p_protocol_dump(clnt, req->rc);
+                       p9_free_req(clnt, req);
++                      break;
+               }
+               p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count);
diff --git a/queue-4.1/perf-bench-numa-fix-to-show-proper-convergence-stats.patch b/queue-4.1/perf-bench-numa-fix-to-show-proper-convergence-stats.patch
new file mode 100644 (file)
index 0000000..ec23f0b
--- /dev/null
@@ -0,0 +1,52 @@
+From 2b42b09b88c831ba4da2d669581dde371c38c2af Mon Sep 17 00:00:00 2001
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Date: Wed, 24 Jun 2015 16:40:04 +0530
+Subject: perf bench numa: Fix to show proper convergence stats
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+commit 2b42b09b88c831ba4da2d669581dde371c38c2af upstream.
+
+With commit: e1e455f4f4d3 (perf tools: Work around lack of sched_getcpu
+in glibc < 2.6), perf_bench numa mem with -c or -m option is not able to
+correctly calculate convergence.
+
+With the above commit, sched_getcpu always seems to return -1. The
+intention of commit e1e455f was to add a sched_getcpu in glibc < 2.6.
+Hence keep the sched_getcpu definition under an ifdef.
+
+This regression happened occurred between v4.0 and v4.1
+
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Vinson Lee <vlee@twitter.com>
+Fixes:  e1e455f4f4d3 ("perf tools: Work around lack of sched_getcpu in glibc < 2.6")
+Link: http://lkml.kernel.org/r/20150624111004.GA5220@linux.vnet.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/util/cloexec.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/perf/util/cloexec.c
++++ b/tools/perf/util/cloexec.c
+@@ -7,11 +7,15 @@
+ static unsigned long flag = PERF_FLAG_FD_CLOEXEC;
++#ifdef __GLIBC_PREREQ
++#if !__GLIBC_PREREQ(2, 6)
+ int __weak sched_getcpu(void)
+ {
+       errno = ENOSYS;
+       return -1;
+ }
++#endif
++#endif
+ static int perf_flag_probe(void)
+ {
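Review bot: The fallback sched_getcpu() is now compiled only when `__GLIBC_PREREQ` is defined and reports a glibc older than 2.6, so on a C library that does not define that macro no fallback exists and the build depends on that library providing sched_getcpu(). If that is the intent, say so in a comment above the guards, e.g. `/* glibc < 2.6 lacks sched_getcpu(); other libcs are expected to provide it. */`. The closers would also read better labelled, `#endif /* !__GLIBC_PREREQ(2, 6) */` and `#endif /* __GLIBC_PREREQ */`, since the nesting is required: the inner test cannot be evaluated when the macro is undefined.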
diff --git a/queue-4.1/rbd-use-gfp_noio-in-rbd_obj_request_create.patch b/queue-4.1/rbd-use-gfp_noio-in-rbd_obj_request_create.patch
new file mode 100644 (file)
index 0000000..ec255d9
--- /dev/null
@@ -0,0 +1,42 @@
+From 5a60e87603c4c533492c515b7f62578189b03c9c Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Wed, 24 Jun 2015 17:24:33 +0300
+Subject: rbd: use GFP_NOIO in rbd_obj_request_create()
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 5a60e87603c4c533492c515b7f62578189b03c9c upstream.
+
+rbd_obj_request_create() is called on the main I/O path, so we need to
+use GFP_NOIO to make sure allocation doesn't blow back on us.  Not all
+callers need this, but I'm still hardcoding the flag inside rather than
+making it a parameter because a) this is going to stable, and b) those
+callers shouldn't really use rbd_obj_request_create() and will be fixed
+in the future.
+
+More memory allocation fixes will follow.
+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Alex Elder <elder@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/rbd.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/rbd.c
++++ b/drivers/block/rbd.c
+@@ -2001,11 +2001,11 @@ static struct rbd_obj_request *rbd_obj_r
+       rbd_assert(obj_request_type_valid(type));
+       size = strlen(object_name) + 1;
+-      name = kmalloc(size, GFP_KERNEL);
++      name = kmalloc(size, GFP_NOIO);
+       if (!name)
+               return NULL;
+-      obj_request = kmem_cache_zalloc(rbd_obj_request_cache, GFP_KERNEL);
++      obj_request = kmem_cache_zalloc(rbd_obj_request_cache, GFP_NOIO);
+       if (!obj_request) {
+               kfree(name);
+               return NULL;
index b48d51816a302bf080b674b4aa4712240c2c9812..6c87c890adbefa1901709fcf80153daca701b744 100644 (file)
@@ -242,3 +242,26 @@ clk-qcom-use-parent-rate-when-set-rate-to-pixel-rcg-clock.patch
 pnfs-fix-a-memory-leak-when-attempted-pnfs-fails.patch
 pnfs-flexfiles-fix-the-reset-of-struct-pgio_header-when-resending.patch
 nfs-fix-size-of-nfsacl-setacl-operations.patch
+fixing-infinite-open-loop-in-4.0-stateid-recovery.patch
+nfs-increase-size-of-exchange_id-name-string-buffer.patch
+nfs-ensure-we-set-nfs_context_resend_writes-when-requeuing-writes.patch
+nfs-fix-potential-credential-leak-in-ff_layout_update_mirror_cred.patch
+nfs-always-update-creds-in-mirror-even-when-we-have-an-already-connected-ds.patch
+sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch
+9p-forgetting-to-cancel-request-on-interrupted-zero-copy-rpc.patch
+9p-don-t-leave-a-half-initialized-inode-sitting-around.patch
+rbd-use-gfp_noio-in-rbd_obj_request_create.patch
+agp-intel-fix-typo-in-needs_ilk_vtd_wa.patch
+arm-dove-fix-legacy-dove-irq-numbers.patch
+edac-octeon-fix-broken-build-due-to-model-helper-renames.patch
+p9_client_write-avoid-double-p9_free_req.patch
+arm64-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch
+arm64-bpf-fix-out-of-bounds-read-in-bpf2a64_offset.patch
+arm64-bpf-fix-endianness-conversion-bugs.patch
+arm64-don-t-report-clear-pmds-and-puds-as-huge.patch
+perf-bench-numa-fix-to-show-proper-convergence-stats.patch
+arm-8393-1-smp-fix-suspicious-rcu-usage-with-ipi-tracepoints.patch
+arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch
+hpfs-kstrdup-out-of-memory-handling.patch
+hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch
+fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch
diff --git a/queue-4.1/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch b/queue-4.1/sunrpc-fix-a-memory-leak-in-the-backchannel-code.patch
new file mode 100644 (file)
index 0000000..b497d34
--- /dev/null
@@ -0,0 +1,31 @@
+From 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Mon, 1 Jun 2015 15:10:25 -0400
+Subject: SUNRPC: Fix a memory leak in the backchannel code
+
+From: Trond Myklebust <trond.myklebust@primarydata.com>
+
+commit 88de6af24f2b48b06c514d3c3d0a8f22fafe30bd upstream.
+
+req->rq_private_buf isn't initialised when xprt_setup_backchannel calls
+xprt_free_allocation.
+
+Fixes: fb7a0b9addbdb ("nfs41: New backchannel helper routines")
+Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/backchannel_rqst.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/backchannel_rqst.c
++++ b/net/sunrpc/backchannel_rqst.c
+@@ -60,7 +60,7 @@ static void xprt_free_allocation(struct
+       dprintk("RPC:        free allocations for req= %p\n", req);
+       WARN_ON_ONCE(test_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state));
+-      xbufp = &req->rq_private_buf;
++      xbufp = &req->rq_rcv_buf;
+       free_page((unsigned long)xbufp->head[0].iov_base);
+       xbufp = &req->rq_snd_buf;
+       free_page((unsigned long)xbufp->head[0].iov_base);