commit 07bd6f89f7ff56495c31505985af690c976374d6
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Oct 27 09:46:24 2015 +0900

    Linux 3.14.56

commit e211cb68dd3c951b104ff0b47dbaed2c8b8d2399
Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date:   Wed Jul 15 12:52:04 2015 +0300

    sched/preempt: Fix cond_resched_lock() and cond_resched_softirq()
    
    commit fe32d3cd5e8eb0f82e459763374aa80797023403 upstream.
    
    These functions check should_resched() before unlocking spinlock/bh-enable:
    preempt_count always non-zero => should_resched() always returns false.
    cond_resched_lock() worked iff spin_needbreak is set.
    
    This patch adds argument "preempt_offset" to should_resched().
    
    preempt_count offset constants for that:
    
      PREEMPT_DISABLE_OFFSET  - offset after preempt_disable()
      PREEMPT_LOCK_OFFSET     - offset after spin_lock()
      SOFTIRQ_DISABLE_OFFSET  - offset after local_bh_distable()
      SOFTIRQ_LOCK_OFFSET     - offset after spin_lock_bh()
    
    Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Alexander Graf <agraf@suse.de>
    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Cc: David Vrabel <david.vrabel@citrix.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Fixes: bdb438065890 ("sched: Extract the basic add/sub preempt_count modifiers")
    Link: http://lkml.kernel.org/r/20150715095204.12246.98268.stgit@buzz
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Mike Galbraith <efault@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d379e64ca4fc535334a02dc0314cba6e50f4b720
Author: Frederic Weisbecker <fweisbec@gmail.com>
Date:   Tue May 12 16:41:48 2015 +0200

    sched/preempt: Rename PREEMPT_CHECK_OFFSET to PREEMPT_DISABLE_OFFSET
    
    commit 90b62b5129d5cb50f62f40e684de7a1961e57197 upstream.
    
    "CHECK" suggests it's only used as a comparison mask. But now it's used
    further as a config-conditional preempt disabler offset. Lets
    disambiguate this name.
    
    Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Link: http://lkml.kernel.org/r/1431441711-29753-4-git-send-email-fweisbec@gmail.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Mike Galbraith <efault@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d11f754e68258c46d07b1e48ba1e4bf69a802637
Author: Ilya Dryomov <idryomov@gmail.com>
Date:   Mon Aug 31 15:21:39 2015 +0300

    rbd: fix double free on rbd_dev->header_name
    
    commit 3ebe138ac642a195c7f2efdb918f464734421fd6 upstream.
    
    If rbd_dev_image_probe() in rbd_dev_probe_parent() fails, header_name
    is freed twice: once in rbd_dev_probe_parent() and then in its caller
    rbd_dev_image_probe() (rbd_dev_image_probe() is called recursively to
    handle parent images).
    
    rbd_dev_probe_parent() is responsible for probing the parent, so it
    shouldn't muck with clone's fields.
    
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Reviewed-by: Alex Elder <elder@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9e7042c2fffcd110d4265f6b258f22175673c28f
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Tue Oct 13 12:04:28 2015 -0400

    dm thin: fix missing pool reference count decrement in pool_ctr error path
    
    commit ba30670f4d5292c4e7f7980bbd5071f7c4794cdd upstream.
    
    Fixes: ac8c3f3df ("dm thin: generate event when metadata threshold passed")
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f3fd6d9c6a8ffc3d5c4a866d7d2e51c4646ff408
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Sep 30 16:45:52 2015 -0400

    drm/radeon: add pm sysfs files late
    
    commit 51a4726b04e880fdd9b4e0e58b13f70b0a68a7f5 upstream.
    
    They were added relatively early in the driver init process
    which meant that in some cases the driver was not finished
    initializing before external tools tried to use them which
    could result in a crash depending on the timing.
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b40de58cccbd9d9ad4ea89d5ccb9365192d182cf
Author: Ben Skeggs <bskeggs@redhat.com>
Date:   Fri Oct 2 14:03:19 2015 +1000

    drm/nouveau/fbcon: take runpm reference when userspace has an open fd
    
    commit f231976c2e8964ceaa9250e57d27c35ff03825c2 upstream.
    
    We need to do this in order to prevent accesses to the device while it's
    powered down.  Userspace may have an mmap of the fb, and there's no good
    way (that I know of) to prevent it from touching the device otherwise.
    
    This fixes some nasty races between runpm and plymouth on some systems,
    which result in the GPU getting very upset and hanging the boot.
    
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e3ce9507285435ed2015672bac549dc10fecbf5a
Author: Shaohua Li <shli@fb.com>
Date:   Wed Sep 30 09:05:30 2015 -0700

    workqueue: make sure delayed work run in local cpu
    
    commit 874bbfe600a660cba9c776b3957b1ce393151b76 upstream.
    
    My system keeps crashing with below message. vmstat_update() schedules a delayed
    work in current cpu and expects the work runs in the cpu.
    schedule_delayed_work() is expected to make delayed work run in local cpu. The
    problem is timer can be migrated with NO_HZ. __queue_work() queues work in
    timer handler, which could run in a different cpu other than where the delayed
    work is scheduled. The end result is the delayed work runs in different cpu.
    The patch makes __queue_delayed_work records local cpu earlier. Where the timer
    runs doesn't change where the work runs with the change.
    
    [   28.010131] ------------[ cut here ]------------
    [   28.010609] kernel BUG at ../mm/vmstat.c:1392!
    [   28.011099] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
    [   28.011860] Modules linked in:
    [   28.012245] CPU: 0 PID: 289 Comm: kworker/0:3 Tainted: G        W4.3.0-rc3+ #634
    [   28.013065] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140709_153802- 04/01/2014
    [   28.014160] Workqueue: events vmstat_update
    [   28.014571] task: ffff880117682580 ti: ffff8800ba428000 task.ti: ffff8800ba428000
    [   28.015445] RIP: 0010:[<ffffffff8115f921>]  [<ffffffff8115f921>]vmstat_update+0x31/0x80
    [   28.016282] RSP: 0018:ffff8800ba42fd80  EFLAGS: 00010297
    [   28.016812] RAX: 0000000000000000 RBX: ffff88011a858dc0 RCX:0000000000000000
    [   28.017585] RDX: ffff880117682580 RSI: ffffffff81f14d8c RDI:ffffffff81f4df8d
    [   28.018366] RBP: ffff8800ba42fd90 R08: 0000000000000001 R09:0000000000000000
    [   28.019169] R10: 0000000000000000 R11: 0000000000000121 R12:ffff8800baa9f640
    [   28.019947] R13: ffff88011a81e340 R14: ffff88011a823700 R15:0000000000000000
    [   28.020071] FS:  0000000000000000(0000) GS:ffff88011a800000(0000)knlGS:0000000000000000
    [   28.020071] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [   28.020071] CR2: 00007ff6144b01d0 CR3: 00000000b8e93000 CR4:00000000000006f0
    [   28.020071] Stack:
    [   28.020071]  ffff88011a858dc0 ffff8800baa9f640 ffff8800ba42fe00ffffffff8106bd88
    [   28.020071]  ffffffff8106bd0b 0000000000000096 0000000000000000ffffffff82f9b1e8
    [   28.020071]  ffffffff829f0b10 0000000000000000 ffffffff81f18460ffff88011a81e340
    [   28.020071] Call Trace:
    [   28.020071]  [<ffffffff8106bd88>] process_one_work+0x1c8/0x540
    [   28.020071]  [<ffffffff8106bd0b>] ? process_one_work+0x14b/0x540
    [   28.020071]  [<ffffffff8106c214>] worker_thread+0x114/0x460
    [   28.020071]  [<ffffffff8106c100>] ? process_one_work+0x540/0x540
    [   28.020071]  [<ffffffff81071bf8>] kthread+0xf8/0x110
    [   28.020071]  [<ffffffff81071b00>] ?kthread_create_on_node+0x200/0x200
    [   28.020071]  [<ffffffff81a6522f>] ret_from_fork+0x3f/0x70
    [   28.020071]  [<ffffffff81071b00>] ?kthread_create_on_node+0x200/0x200
    
    Signed-off-by: Shaohua Li <shli@fb.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 62c81f51d6bcdd53797098b61c3437bae46fd4d1
Author: Mika Westerberg <mika.westerberg@linux.intel.com>
Date:   Thu Sep 24 12:06:54 2015 +0300

    i2c: designware: Do not use parameters from ACPI on Dell Inspiron 7348
    
    commit 56d4b8a24cef5d66f0d10ac778a520d3c2c68a48 upstream.
    
    ACPI SSCN/FMCN methods were originally added because then the platform can
    provide the most accurate HCNT/LCNT values to the driver. However, this
    seems not to be true for Dell Inspiron 7348 where using these causes the
    touchpad to fail in boot:
    
      i2c_hid i2c-DLL0675:00: failed to retrieve report from device.
      i2c_designware INT3433:00: i2c_dw_handle_tx_abort: lost arbitration
      i2c_hid i2c-DLL0675:00: failed to retrieve report from device.
      i2c_designware INT3433:00: controller timed out
    
    The values received from ACPI are (in fast mode):
    
      HCNT: 72
      LCNT: 160
    
    this translates to following timings (input clock is 100MHz on Broadwell):
    
      tHIGH: 720 ns (spec min 600 ns)
      tLOW: 1600 ns (spec min 1300 ns)
      Bus period: 2920 ns (assuming 300 ns tf and tr)
      Bus speed: 342.5 kHz
    
    Both tHIGH and tLOW are within the I2C specification.
    
    The calculated values when ACPI parameters are not used are (in fast mode):
    
      HCNT: 87
      LCNT: 159
    
    which translates to:
    
      tHIGH: 870 ns (spec min 600 ns)
      tLOW: 1590 ns (spec min 1300 ns)
      Bus period 3060 ns (assuming 300 ns tf and tr)
      Bus speed 326.8 kHz
    
    These values are also within the I2C specification.
    
    Since both ACPI and calculated values meet the I2C specification timing
    requirements it is hard to say why the touchpad does not function properly
    with the ACPI values except that the bus speed is higher in this case (but
    still well below the max 400kHz).
    
    Solve this by adding DMI quirk to the driver that disables using ACPI
    parameters on this particulare machine.
    
    Reported-by: Pavel Roskin <plroskin@gmail.com>
    Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
    Tested-by: Pavel Roskin <plroskin@gmail.com>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5ebbba3039832b9ec097785ce70c0efa9b7da30b
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Sat Oct 10 08:24:23 2015 +0100

    i2c: s3c2410: enable RuntimePM before registering to the core
    
    commit eadd709f5d2e8aebb1b7bf49460e97a68d81a9b0 upstream.
    
    The core may register clients attached to this master which may use
    funtionality from the master. So, RuntimePM must be enabled before, otherwise
    this will fail. While here, move drvdata, too.
    
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Tested-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
    Acked-by: Kukjin Kim <kgene@kernel.org>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3d79721574be95394e1875daa85fb5d5eb6409b8
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Fri Oct 9 10:39:25 2015 +0100

    i2c: rcar: enable RuntimePM before registering to the core
    
    commit 4f7effddf4549d57114289f273710f077c4c330a upstream.
    
    The core may register clients attached to this master which may use
    funtionality from the master. So, RuntimePM must be enabled before, otherwise
    this will fail. While here, move drvdata, too.
    
    Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d60c2e8a872f7c9de482d063e12cae985dc24274
Author: Will Deacon <will.deacon@arm.com>
Date:   Thu Oct 8 11:11:17 2015 +0100

    arm64: errata: use KBUILD_CFLAGS_MODULE for erratum #843419
    
    commit b6dd8e0719c0d2d01429639a11b7bc2677de240c upstream.
    
    Commit df057cc7b4fa ("arm64: errata: add module build workaround for
    erratum #843419") sets CFLAGS_MODULE to ensure that the large memory
    model is used by the compiler when building kernel modules.
    
    However, CFLAGS_MODULE is an environment variable and intended to be
    overridden on the command line, which appears to be the case with the
    Ubuntu kernel packaging system, so use KBUILD_CFLAGS_MODULE instead.
    
    Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Fixes: df057cc7b4fa ("arm64: errata: add module build workaround for erratum #843419")
    Reported-by: Dann Frazier <dann.frazier@canonical.com>
    Tested-by: Dann Frazier <dann.frazier@canonical.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 997badf1e03dfd39854094f7767e1a4cf5ed310b
Author: Chris Mason <clm@fb.com>
Date:   Tue Oct 13 14:06:48 2015 -0400

    btrfs: fix use after free iterating extrefs
    
    commit dc6c5fb3b514221f2e9d21ee626a9d95d3418dff upstream.
    
    The code for btrfs inode-resolve has never worked properly for
    files with enough hard links to trigger extrefs.  It was trying to
    get the leaf out of a path after freeing the path:
    
    	btrfs_release_path(path);
    	leaf = path->nodes[0];
    	item_size = btrfs_item_size_nr(leaf, slot);
    
    The fix here is to use the extent buffer we cloned just a little higher
    up to avoid deadlocks caused by using the leaf in the path.
    
    Signed-off-by: Chris Mason <clm@fb.com>
    cc: Mark Fasheh <mfasheh@suse.de>
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: Mark Fasheh <mfasheh@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3408c1b1193ec14c555e21a41b452c1ed012ccec
Author: Russell King <rmk+kernel@arm.linux.org.uk>
Date:   Fri Oct 9 20:43:33 2015 +0100

    crypto: ahash - ensure statesize is non-zero
    
    commit 8996eafdcbad149ac0f772fb1649fbb75c482a6a upstream.
    
    Unlike shash algorithms, ahash drivers must implement export
    and import as their descriptors may contain hardware state and
    cannot be exported as is.  Unfortunately some ahash drivers did
    not provide them and end up causing crashes with algif_hash.
    
    This patch adds a check to prevent these drivers from registering
    ahash algorithms until they are fixed.
    
    Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7024b51a74df657b0e7f537ad5c05783b5f91acb
Author: Dave Kleikamp <dave.kleikamp@oracle.com>
Date:   Mon Oct 5 10:08:51 2015 -0500

    crypto: sparc - initialize blkcipher.ivsize
    
    commit a66d7f724a96d6fd279bfbd2ee488def6b081bea upstream.
    
    Some of the crypto algorithms write to the initialization vector,
    but no space has been allocated for it. This clobbers adjacent memory.
    
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aca250d1c7fee5cb848cc6e42101955084d31ef5
Author: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Date:   Thu Nov 6 15:49:41 2014 +0000

    asix: Do full reset during ax88772_bind
    
    [ Upstream commit 436c2a5036b6ffe813310df2cf327d3b69be0734 ]
    
    commit 3cc81d85ee01 ("asix: Don't reset PHY on if_up for ASIX 88772")
    causes the ethernet on Arndale to no longer function. This appears to
    be because the Arndale ethernet requires a full reset before it will
    function correctly, however simply reverting the above patch causes
    problems with ethtool settings getting reset.
    
    It seems the problem is that the ethernet is not properly reset during
    bind, and indeed the code in ax88772_bind that resets the device is a
    very small subset of the actual ax88772_reset function. This patch uses
    ax88772_reset in place of the existing reset code in ax88772_bind which
    removes some code duplication and fixes the ethernet on Arndale.
    
    It is still possible that the original patch causes some issues with
    suspend and resume but that seems like a separate issue and I haven't
    had a chance to test that yet.
    
    Signed-off-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
    Tested-by: Riku Voipio <riku.voipio@linaro.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6b7bcc9840d7c0ab5856c1469b6dc3664396ba57
Author: Michel Stam <m.stam@fugro.nl>
Date:   Thu Oct 2 10:22:02 2014 +0200

    asix: Don't reset PHY on if_up for ASIX 88772
    
    [ Upstream commit 3cc81d85ee01e5a0b7ea2f4190e2ed1165f53c31 ]
    
    I've noticed every time the interface is set to 'up,', the kernel
    reports that the link speed is set to 100 Mbps/Full Duplex, even
    when ethtool is used to set autonegotiation to 'off', half
    duplex, 10 Mbps.
    It can be tested by:
     ifconfig eth0 down
     ethtool -s eth0 autoneg off speed 10 duplex half
     ifconfig eth0 up
    
    Then checking 'dmesg' for the link speed.
    
    Signed-off-by: Michel Stam <m.stam@fugro.nl>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8c7a0e4993937c47b7584ce98e67dede323f29f6
Author: Joe Perches <joe@perches.com>
Date:   Wed Oct 14 01:09:40 2015 -0700

    ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
    
    [ Upstream commit 077cb37fcf6f00a45f375161200b5ee0cd4e937b ]
    
    It seems that kernel memory can leak into userspace by a
    kmalloc, ethtool_get_strings, then copy_to_user sequence.
    
    Avoid this by using kcalloc to zero fill the copied buffer.
    
    Signed-off-by: Joe Perches <joe@perches.com>
    Acked-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 321e117944dd09975ec42bd3da57894fe38d893a
Author: Guillaume Nault <g.nault@alphalink.fr>
Date:   Wed Sep 30 11:45:33 2015 +0200

    ppp: don't override sk->sk_state in pppoe_flush_dev()
    
    [ Upstream commit e6740165b8f7f06d8caee0fceab3fb9d790a6fed ]
    
    Since commit 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release"),
    pppoe_release() calls dev_put(po->pppoe_dev) if sk is in the
    PPPOX_ZOMBIE state. But pppoe_flush_dev() can set sk->sk_state to
    PPPOX_ZOMBIE _and_ reset po->pppoe_dev to NULL. This leads to the
    following oops:
    
    [  570.140800] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e0
    [  570.142931] IP: [<ffffffffa018c701>] pppoe_release+0x50/0x101 [pppoe]
    [  570.144601] PGD 3d119067 PUD 3dbc1067 PMD 0
    [  570.144601] Oops: 0000 [#1] SMP
    [  570.144601] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pppoe pppox ppp_generic slhc loop crc32c_intel ghash_clmulni_intel jitterentropy_rng sha256_generic hmac drbg ansi_cprng aesni_intel aes_x86_64 ablk_helper cryptd lrw gf128mul glue_helper acpi_cpufreq evdev serio_raw processor button ext4 crc16 mbcache jbd2 virtio_net virtio_blk virtio_pci virtio_ring virtio
    [  570.144601] CPU: 1 PID: 15738 Comm: ppp-apitest Not tainted 4.2.0 #1
    [  570.144601] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
    [  570.144601] task: ffff88003d30d600 ti: ffff880036b60000 task.ti: ffff880036b60000
    [  570.144601] RIP: 0010:[<ffffffffa018c701>]  [<ffffffffa018c701>] pppoe_release+0x50/0x101 [pppoe]
    [  570.144601] RSP: 0018:ffff880036b63e08  EFLAGS: 00010202
    [  570.144601] RAX: 0000000000000000 RBX: ffff880034340000 RCX: 0000000000000206
    [  570.144601] RDX: 0000000000000006 RSI: ffff88003d30dd20 RDI: ffff88003d30dd20
    [  570.144601] RBP: ffff880036b63e28 R08: 0000000000000001 R09: 0000000000000000
    [  570.144601] R10: 00007ffee9b50420 R11: ffff880034340078 R12: ffff8800387ec780
    [  570.144601] R13: ffff8800387ec7b0 R14: ffff88003e222aa0 R15: ffff8800387ec7b0
    [  570.144601] FS:  00007f5672f48700(0000) GS:ffff88003fc80000(0000) knlGS:0000000000000000
    [  570.144601] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  570.144601] CR2: 00000000000004e0 CR3: 0000000037f7e000 CR4: 00000000000406a0
    [  570.144601] Stack:
    [  570.144601]  ffffffffa018f240 ffff8800387ec780 ffffffffa018f240 ffff8800387ec7b0
    [  570.144601]  ffff880036b63e48 ffffffff812caabe ffff880039e4e000 0000000000000008
    [  570.144601]  ffff880036b63e58 ffffffff812cabad ffff880036b63ea8 ffffffff811347f5
    [  570.144601] Call Trace:
    [  570.144601]  [<ffffffff812caabe>] sock_release+0x1a/0x75
    [  570.144601]  [<ffffffff812cabad>] sock_close+0xd/0x11
    [  570.144601]  [<ffffffff811347f5>] __fput+0xff/0x1a5
    [  570.144601]  [<ffffffff811348cb>] ____fput+0x9/0xb
    [  570.144601]  [<ffffffff81056682>] task_work_run+0x66/0x90
    [  570.144601]  [<ffffffff8100189e>] prepare_exit_to_usermode+0x8c/0xa7
    [  570.144601]  [<ffffffff81001a26>] syscall_return_slowpath+0x16d/0x19b
    [  570.144601]  [<ffffffff813babb1>] int_ret_from_sys_call+0x25/0x9f
    [  570.144601] Code: 48 8b 83 c8 01 00 00 a8 01 74 12 48 89 df e8 8b 27 14 e1 b8 f7 ff ff ff e9 b7 00 00 00 8a 43 12 a8 0b 74 1c 48 8b 83 a8 04 00 00 <48> 8b 80 e0 04 00 00 65 ff 08 48 c7 83 a8 04 00 00 00 00 00 00
    [  570.144601] RIP  [<ffffffffa018c701>] pppoe_release+0x50/0x101 [pppoe]
    [  570.144601]  RSP <ffff880036b63e08>
    [  570.144601] CR2: 00000000000004e0
    [  570.200518] ---[ end trace 46956baf17349563 ]---
    
    pppoe_flush_dev() has no reason to override sk->sk_state with
    PPPOX_ZOMBIE. pppox_unbind_sock() already sets sk->sk_state to
    PPPOX_DEAD, which is the correct state given that sk is unbound and
    po->pppoe_dev is NULL.
    
    Fixes: 2b018d57ff18 ("pppoe: drop PPPOX_ZOMBIEs in pppoe_release")
    Tested-by: Oleksii Berezhniak <core@irc.lg.ua>
    Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 700bbb12d1866af5c9ba6ab17fb5c0d6d0547eff
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Sep 29 18:52:25 2015 -0700

    net: add pfmemalloc check in sk_add_backlog()
    
    [ Upstream commit c7c49b8fde26b74277188bdc6c9dca38db6fa35b ]
    
    Greg reported crashes hitting the following check in __sk_backlog_rcv()
    
    	BUG_ON(!sock_flag(sk, SOCK_MEMALLOC));
    
    The pfmemalloc bit is currently checked in sk_filter().
    
    This works correctly for TCP, because sk_filter() is ran in
    tcp_v[46]_rcv() before hitting the prequeue or backlog checks.
    
    For UDP or other protocols, this does not work, because the sk_filter()
    is ran from sock_queue_rcv_skb(), which might be called _after_ backlog
    queuing if socket is owned by user by the time packet is processed by
    softirq handler.
    
    Fixes: b4b9e35585089 ("netvm: set PF_MEMALLOC as appropriate during SKB processing")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Greg Thelen <gthelen@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3e261933c5242b2eba6e5820967e34644d41c28b
Author: Pravin B Shelar <pshelar@nicira.com>
Date:   Mon Sep 28 17:24:25 2015 -0700

    skbuff: Fix skb checksum partial check.
    
    [ Upstream commit 31b33dfb0a144469dd805514c9e63f4993729a48 ]
    
    Earlier patch 6ae459bda tried to detect void ckecksum partial
    skb by comparing pull length to checksum offset. But it does
    not work for all cases since checksum-offset depends on
    updates to skb->data.
    
    Following patch fixes it by validating checksum start offset
    after skb-data pointer is updated. Negative value of checksum
    offset start means there is no need to checksum.
    
    Fixes: 6ae459bda ("skbuff: Fix skb checksum flag on skb pull")
    Reported-by: Andrew Vagin <avagin@odin.com>
    Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 81feda9cbe3881504fe16d4e00a5bef69855761a
Author: Pravin B Shelar <pshelar@nicira.com>
Date:   Tue Sep 22 12:57:53 2015 -0700

    skbuff: Fix skb checksum flag on skb pull
    
    [ Upstream commit 6ae459bdaaeebc632b16e54dcbabb490c6931d61 ]
    
    VXLAN device can receive skb with checksum partial. But the checksum
    offset could be in outer header which is pulled on receive. This results
    in negative checksum offset for the skb. Such skb can cause the assert
    failure in skb_checksum_help(). Following patch fixes the bug by setting
    checksum-none while pulling outer header.
    
    Following is the kernel panic msg from old kernel hitting the bug.
    
    ------------[ cut here ]------------
    kernel BUG at net/core/dev.c:1906!
    RIP: 0010:[<ffffffff81518034>] skb_checksum_help+0x144/0x150
    Call Trace:
    <IRQ>
    [<ffffffffa0164c28>] queue_userspace_packet+0x408/0x470 [openvswitch]
    [<ffffffffa016614d>] ovs_dp_upcall+0x5d/0x60 [openvswitch]
    [<ffffffffa0166236>] ovs_dp_process_packet_with_key+0xe6/0x100 [openvswitch]
    [<ffffffffa016629b>] ovs_dp_process_received_packet+0x4b/0x80 [openvswitch]
    [<ffffffffa016c51a>] ovs_vport_receive+0x2a/0x30 [openvswitch]
    [<ffffffffa0171383>] vxlan_rcv+0x53/0x60 [openvswitch]
    [<ffffffffa01734cb>] vxlan_udp_encap_recv+0x8b/0xf0 [openvswitch]
    [<ffffffff8157addc>] udp_queue_rcv_skb+0x2dc/0x3b0
    [<ffffffff8157b56f>] __udp4_lib_rcv+0x1cf/0x6c0
    [<ffffffff8157ba7a>] udp_rcv+0x1a/0x20
    [<ffffffff8154fdbd>] ip_local_deliver_finish+0xdd/0x280
    [<ffffffff81550128>] ip_local_deliver+0x88/0x90
    [<ffffffff8154fa7d>] ip_rcv_finish+0x10d/0x370
    [<ffffffff81550365>] ip_rcv+0x235/0x300
    [<ffffffff8151ba1d>] __netif_receive_skb+0x55d/0x620
    [<ffffffff8151c360>] netif_receive_skb+0x80/0x90
    [<ffffffff81459935>] virtnet_poll+0x555/0x6f0
    [<ffffffff8151cd04>] net_rx_action+0x134/0x290
    [<ffffffff810683d8>] __do_softirq+0xa8/0x210
    [<ffffffff8162fe6c>] call_softirq+0x1c/0x30
    [<ffffffff810161a5>] do_softirq+0x65/0xa0
    [<ffffffff810687be>] irq_exit+0x8e/0xb0
    [<ffffffff81630733>] do_IRQ+0x63/0xe0
    [<ffffffff81625f2e>] common_interrupt+0x6e/0x6e
    
    Reported-by: Anupam Chanda <achanda@vmware.com>
    Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
    Acked-by: Tom Herbert <tom@herbertland.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a2ef31286c9832eca96d4a57c841d1734faeac28
Author: Andrey Vagin <avagin@openvz.org>
Date:   Fri Oct 2 00:05:36 2015 +0300

    net/unix: fix logic about sk_peek_offset
    
    [ Upstream commit e9193d60d363e4dff75ff6d43a48f22be26d59c7 ]
    
    Now send with MSG_PEEK can return data from multiple SKBs.
    
    Unfortunately we take into account the peek offset for each skb,
    that is wrong. We need to apply the peek offset only once.
    
    In addition, the peek offset should be used only if MSG_PEEK is set.
    
    Cc: "David S. Miller" <davem@davemloft.net> (maintainer:NETWORKING
    Cc: Eric Dumazet <edumazet@google.com> (commit_signer:1/14=7%)
    Cc: Aaron Conole <aconole@bytheb.org>
    Fixes: 9f389e35674f ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag")
    Signed-off-by: Andrey Vagin <avagin@openvz.org>
    Tested-by: Aaron Conole <aconole@bytheb.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9eea993b64f57fba0807961a6db5fa53c034a104
Author: Aaron Conole <aconole@bytheb.org>
Date:   Sat Sep 26 18:50:43 2015 -0400

    af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
    
    [ Upstream commit 9f389e35674f5b086edd70ed524ca0f287259725 ]
    
    AF_UNIX sockets now return multiple skbs from recv() when MSG_PEEK flag
    is set.
    
    This is referenced in kernel bugzilla #12323 @
    https://bugzilla.kernel.org/show_bug.cgi?id=12323
    
    As described both in the BZ and lkml thread @
    http://lkml.org/lkml/2008/1/8/444 calling recv() with MSG_PEEK on an
    AF_UNIX socket only reads a single skb, where the desired effect is
    to return as much skb data has been queued, until hitting the recv
    buffer size (whichever comes first).
    
    The modified MSG_PEEK path will now move to the next skb in the tree
    and jump to the again: label, rather than following the natural loop
    structure. This requires duplicating some of the loop head actions.
    
    This was tested using the python socketpair python code attached to
    the bugzilla issue.
    
    Signed-off-by: Aaron Conole <aconole@bytheb.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a9cbee97ae37329e6d6b568c4f707dfd655d79e9
Author: Aaron Conole <aconole@bytheb.org>
Date:   Sat Sep 26 18:50:42 2015 -0400

    af_unix: Convert the unix_sk macro to an inline function for type safety
    
    [ Upstream commit 4613012db1d911f80897f9446a49de817b2c4c47 ]
    
    As suggested by Eric Dumazet this change replaces the
    #define with a static inline function to enjoy
    complaints by the compiler when misusing the API.
    
    Signed-off-by: Aaron Conole <aconole@bytheb.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 91f536c1fa37c84e4771d28b1aee198cd08a41c5
Author: Alexander Couzens <lynxis@fe80.eu>
Date:   Mon Sep 28 11:32:42 2015 +0200

    l2tp: protect tunnel->del_work by ref_count
    
    [ Upstream commit 06a15f51cf3618e32a73871ee6a547ef7fd902b5 ]
    
    There is a small chance that tunnel_free() is called before tunnel->del_work scheduled
    resulting in a zero pointer dereference.
    
    Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
    Acked-by: James Chapman <jchapman@katalix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>