Add commits cc'd to stable up to 4.8, and their obvious dependencies
diff --git a/queue-3.16/aacraid-check-size-values-after-double-fetch-from-user.patch b/queue-3.16/aacraid-check-size-values-after-double-fetch-from-user.patch
new file mode 100644
index 0000000..3fb8a7e
--- /dev/null
+++ b/queue-3.16/aacraid-check-size-values-after-double-fetch-from-user.patch
@@ -0,0 +1,61 @@
+From: Dave Carroll <david.carroll@microsemi.com>
+Date: Fri, 5 Aug 2016 13:44:10 -0600
+Subject: aacraid: Check size values after double-fetch from user
+
+commit fa00c437eef8dc2e7b25f8cd868cfa405fcc2bb3 upstream.
+
+In aacraid's ioctl_send_fib() we do two fetches from userspace, one the
+get the fib header's size and one for the fib itself. Later we use the
+size field from the second fetch to further process the fib. If for some
+reason the size from the second fetch is different than from the first
+fix, we may encounter an out-of- bounds access in aac_fib_send(). We
+also check the sender size to insure it is not out of bounds. This was
+reported in https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was
+assigned CVE-2016-6480.
+
+Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
+Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
+Signed-off-by: Dave Carroll <david.carroll@microsemi.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/aacraid/commctrl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev
+ 	struct fib *fibptr;
+ 	struct hw_fib * hw_fib = (struct hw_fib *)0;
+ 	dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
+-	unsigned size;
++	unsigned int size, osize;
+ 	int retval;
+ 
+ 	if (dev->in_reset) {
+@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev
+ 	 *	will not overrun the buffer when we copy the memory. Return
+ 	 *	an error if we would.
+ 	 */
+-	size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
++	osize = size = le16_to_cpu(kfib->header.Size) +
++		sizeof(struct aac_fibhdr);
+ 	if (size < le16_to_cpu(kfib->header.SenderSize))
+ 		size = le16_to_cpu(kfib->header.SenderSize);
+ 	if (size > dev->max_fib_size) {
+@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev
+ 		goto cleanup;
+ 	}
+ 
++	/* Sanity check the second copy */
++	if ((osize != le16_to_cpu(kfib->header.Size) +
++		sizeof(struct aac_fibhdr))
++		|| (size < le16_to_cpu(kfib->header.SenderSize))) {
++		retval = -EINVAL;
++		goto cleanup;
++	}
++
+ 	if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
+ 		aac_adapter_interrupt(dev);
+ 		/*
diff --git a/queue-3.16/alpha-fix-copy_from_user.patch b/queue-3.16/alpha-fix-copy_from_user.patch
new file mode 100644
index 0000000..66cd899
--- /dev/null
+++ b/queue-3.16/alpha-fix-copy_from_user.patch
@@ -0,0 +1,58 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 16:02:32 -0400
+Subject: alpha: fix copy_from_user()
+
+commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.
+
+it should clear the destination even when access_ok() fails.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/alpha/include/asm/uaccess.h | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/arch/alpha/include/asm/uaccess.h
++++ b/arch/alpha/include/asm/uaccess.h
+@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con
+ 	return __cu_len;
+ }
+ 
+-extern inline long
+-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
+-{
+-	if (__access_ok((unsigned long)validate, len, get_fs()))
+-		len = __copy_tofrom_user_nocheck(to, from, len);
+-	return len;
+-}
+-
+ #define __copy_to_user(to,from,n)					\
+ ({									\
+ 	__chk_user_ptr(to);						\
+@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+ 
+-
+ extern inline long
+ copy_to_user(void __user *to, const void *from, long n)
+ {
+-	return __copy_tofrom_user((__force void *)to, from, n, to);
++	if (likely(__access_ok((unsigned long)to, n, get_fs())))
++		n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
++	return n;
+ }
+ 
+ extern inline long
+ copy_from_user(void *to, const void __user *from, long n)
+ {
+-	return __copy_tofrom_user(to, (__force void *)from, n, from);
++	if (likely(__access_ok((unsigned long)from, n, get_fs())))
++		n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
++	else
++		memset(to, 0, n);
++	return n;
+ }
+ 
+ extern void __do_clear_user(void);
diff --git a/queue-3.16/alsa-ctl-stop-notification-after-disconnection.patch b/queue-3.16/alsa-ctl-stop-notification-after-disconnection.patch
new file mode 100644
index 0000000..9ed18a7
--- /dev/null
+++ b/queue-3.16/alsa-ctl-stop-notification-after-disconnection.patch
@@ -0,0 +1,33 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 8 Jul 2016 08:05:19 +0200
+Subject: ALSA: ctl: Stop notification after disconnection
+
+commit f388cdcdd160687c6650833f286b9c89c50960ff upstream.
+
+snd_ctl_remove() has a notification for the removal event.  It's
+superfluous when done during the device got disconnected.  Although
+the notification itself is mostly harmless, it may potentially be
+harmful, and should be suppressed.  Actually some components PCM may
+free ctl elements during the disconnect or free callbacks, thus it's
+no theoretical issue.
+
+This patch adds the check of card->shutdown flag for avoiding
+unnecessary notifications after (or during) the disconnect.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/control.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *car
+ 	
+ 	if (snd_BUG_ON(!card || !id))
+ 		return;
++	if (card->shutdown)
++		return;
+ 	read_lock(&card->ctl_files_rwlock);
+ #if IS_ENABLED(CONFIG_SND_MIXER_OSS)
+ 	card->mixer_oss_change_count++;
diff --git a/queue-3.16/alsa-fireworks-accessing-to-user-space-outside-spinlock.patch b/queue-3.16/alsa-fireworks-accessing-to-user-space-outside-spinlock.patch
new file mode 100644
index 0000000..a1c517c
--- /dev/null
+++ b/queue-3.16/alsa-fireworks-accessing-to-user-space-outside-spinlock.patch
@@ -0,0 +1,225 @@
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Wed, 31 Aug 2016 22:58:42 +0900
+Subject: ALSA: fireworks: accessing to user space outside spinlock
+
+commit 6b1ca4bcadf9ef077cc5f03c6822ba276ed14902 upstream.
+
+In hwdep interface of fireworks driver, accessing to user space is in a
+critical section with disabled local interrupt. Depending on architecture,
+accessing to user space can cause page fault exception. Then local
+processor stores machine status and handles the synchronous event. A
+handler corresponding to the event can call task scheduler to wait for
+preparing pages. In a case of usage of single core processor, the state to
+disable local interrupt is worse because it don't handle usual interrupts
+from hardware.
+
+This commit fixes this bug, performing the accessing outside spinlock. This
+commit also gives up counting the number of queued response messages to
+simplify ring-buffer management.
+
+Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
+Fixes: 555e8a8f7f14('ALSA: fireworks: Add command/response functionality into hwdep interface')
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/firewire/fireworks/fireworks.h             |  1 -
+ sound/firewire/fireworks/fireworks_hwdep.c       | 71 +++++++++++++++++-------
+ sound/firewire/fireworks/fireworks_proc.c        |  4 +-
+ sound/firewire/fireworks/fireworks_transaction.c |  5 +-
+ 4 files changed, 56 insertions(+), 25 deletions(-)
+
+--- a/sound/firewire/fireworks/fireworks.h
++++ b/sound/firewire/fireworks/fireworks.h
+@@ -106,7 +106,6 @@ struct snd_efw {
+ 	u8 *resp_buf;
+ 	u8 *pull_ptr;
+ 	u8 *push_ptr;
+-	unsigned int resp_queues;
+ };
+ 
+ int snd_efw_transaction_cmd(struct fw_unit *unit,
+--- a/sound/firewire/fireworks/fireworks_hwdep.c
++++ b/sound/firewire/fireworks/fireworks_hwdep.c
+@@ -25,6 +25,7 @@ hwdep_read_resp_buf(struct snd_efw *efw,
+ {
+ 	unsigned int length, till_end, type;
+ 	struct snd_efw_transaction *t;
++	u8 *pull_ptr;
+ 	long count = 0;
+ 
+ 	if (remained < sizeof(type) + sizeof(struct snd_efw_transaction))
+@@ -38,8 +39,17 @@ hwdep_read_resp_buf(struct snd_efw *efw,
+ 	buf += sizeof(type);
+ 
+ 	/* write into buffer as many responses as possible */
+-	while (efw->resp_queues > 0) {
+-		t = (struct snd_efw_transaction *)(efw->pull_ptr);
++	spin_lock_irq(&efw->lock);
++
++	/*
++	 * When another task reaches here during this task's access to user
++	 * space, it picks up current position in buffer and can read the same
++	 * series of responses.
++	 */
++	pull_ptr = efw->pull_ptr;
++
++	while (efw->push_ptr != pull_ptr) {
++		t = (struct snd_efw_transaction *)(pull_ptr);
+ 		length = be32_to_cpu(t->length) * sizeof(__be32);
+ 
+ 		/* confirm enough space for this response */
+@@ -49,26 +59,39 @@ hwdep_read_resp_buf(struct snd_efw *efw,
+ 		/* copy from ring buffer to user buffer */
+ 		while (length > 0) {
+ 			till_end = snd_efw_resp_buf_size -
+-				(unsigned int)(efw->pull_ptr - efw->resp_buf);
++				(unsigned int)(pull_ptr - efw->resp_buf);
+ 			till_end = min_t(unsigned int, length, till_end);
+ 
+-			if (copy_to_user(buf, efw->pull_ptr, till_end))
++			spin_unlock_irq(&efw->lock);
++
++			if (copy_to_user(buf, pull_ptr, till_end))
+ 				return -EFAULT;
+ 
+-			efw->pull_ptr += till_end;
+-			if (efw->pull_ptr >= efw->resp_buf +
+-					     snd_efw_resp_buf_size)
+-				efw->pull_ptr -= snd_efw_resp_buf_size;
++			spin_lock_irq(&efw->lock);
++
++			pull_ptr += till_end;
++			if (pull_ptr >= efw->resp_buf + snd_efw_resp_buf_size)
++				pull_ptr -= snd_efw_resp_buf_size;
+ 
+ 			length -= till_end;
+ 			buf += till_end;
+ 			count += till_end;
+ 			remained -= till_end;
+ 		}
+-
+-		efw->resp_queues--;
+ 	}
+ 
++	/*
++	 * All of tasks can read from the buffer nearly simultaneously, but the
++	 * last position for each task is different depending on the length of
++	 * given buffer. Here, for simplicity, a position of buffer is set by
++	 * the latest task. It's better for a listening application to allow one
++	 * thread to read from the buffer. Unless, each task can read different
++	 * sequence of responses depending on variation of buffer length.
++	 */
++	efw->pull_ptr = pull_ptr;
++
++	spin_unlock_irq(&efw->lock);
++
+ 	return count;
+ }
+ 
+@@ -76,14 +99,17 @@ static long
+ hwdep_read_locked(struct snd_efw *efw, char __user *buf, long count,
+ 		  loff_t *offset)
+ {
+-	union snd_firewire_event event;
++	union snd_firewire_event event = {
++		.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS,
++	};
+ 
+-	memset(&event, 0, sizeof(event));
++	spin_lock_irq(&efw->lock);
+ 
+-	event.lock_status.type = SNDRV_FIREWIRE_EVENT_LOCK_STATUS;
+ 	event.lock_status.status = (efw->dev_lock_count > 0);
+ 	efw->dev_lock_changed = false;
+ 
++	spin_unlock_irq(&efw->lock);
++
+ 	count = min_t(long, count, sizeof(event.lock_status));
+ 
+ 	if (copy_to_user(buf, &event, count))
+@@ -98,10 +124,15 @@ hwdep_read(struct snd_hwdep *hwdep, char
+ {
+ 	struct snd_efw *efw = hwdep->private_data;
+ 	DEFINE_WAIT(wait);
++	bool dev_lock_changed;
++	bool queued;
+ 
+ 	spin_lock_irq(&efw->lock);
+ 
+-	while ((!efw->dev_lock_changed) && (efw->resp_queues == 0)) {
++	dev_lock_changed = efw->dev_lock_changed;
++	queued = efw->push_ptr != efw->pull_ptr;
++
++	while (!dev_lock_changed && !queued) {
+ 		prepare_to_wait(&efw->hwdep_wait, &wait, TASK_INTERRUPTIBLE);
+ 		spin_unlock_irq(&efw->lock);
+ 		schedule();
+@@ -109,15 +140,17 @@ hwdep_read(struct snd_hwdep *hwdep, char
+ 		if (signal_pending(current))
+ 			return -ERESTARTSYS;
+ 		spin_lock_irq(&efw->lock);
++		dev_lock_changed = efw->dev_lock_changed;
++		queued = efw->push_ptr != efw->pull_ptr;
+ 	}
+ 
+-	if (efw->dev_lock_changed)
++	spin_unlock_irq(&efw->lock);
++
++	if (dev_lock_changed)
+ 		count = hwdep_read_locked(efw, buf, count, offset);
+-	else if (efw->resp_queues > 0)
++	else if (queued)
+ 		count = hwdep_read_resp_buf(efw, buf, count, offset);
+ 
+-	spin_unlock_irq(&efw->lock);
+-
+ 	return count;
+ }
+ 
+@@ -160,7 +193,7 @@ hwdep_poll(struct snd_hwdep *hwdep, stru
+ 	poll_wait(file, &efw->hwdep_wait, wait);
+ 
+ 	spin_lock_irq(&efw->lock);
+-	if (efw->dev_lock_changed || (efw->resp_queues > 0))
++	if (efw->dev_lock_changed || efw->pull_ptr != efw->push_ptr)
+ 		events = POLLIN | POLLRDNORM;
+ 	else
+ 		events = 0;
+--- a/sound/firewire/fireworks/fireworks_proc.c
++++ b/sound/firewire/fireworks/fireworks_proc.c
+@@ -188,8 +188,8 @@ proc_read_queues_state(struct snd_info_e
+ 	else
+ 		consumed = (unsigned int)(efw->push_ptr - efw->pull_ptr);
+ 
+-	snd_iprintf(buffer, "%d %d/%d\n",
+-		    efw->resp_queues, consumed, snd_efw_resp_buf_size);
++	snd_iprintf(buffer, "%d/%d\n",
++		    consumed, snd_efw_resp_buf_size);
+ }
+ 
+ static void
+--- a/sound/firewire/fireworks/fireworks_transaction.c
++++ b/sound/firewire/fireworks/fireworks_transaction.c
+@@ -121,11 +121,11 @@ copy_resp_to_buf(struct snd_efw *efw, vo
+ 	size_t capacity, till_end;
+ 	struct snd_efw_transaction *t;
+ 
+-	spin_lock_irq(&efw->lock);
+-
+ 	t = (struct snd_efw_transaction *)data;
+ 	length = min_t(size_t, be32_to_cpu(t->length) * sizeof(u32), length);
+ 
++	spin_lock_irq(&efw->lock);
++
+ 	if (efw->push_ptr < efw->pull_ptr)
+ 		capacity = (unsigned int)(efw->pull_ptr - efw->push_ptr);
+ 	else
+@@ -155,7 +155,6 @@ copy_resp_to_buf(struct snd_efw *efw, vo
+ 	}
+ 
+ 	/* for hwdep */
+-	efw->resp_queues++;
+ 	wake_up(&efw->hwdep_wait);
+ 
+ 	*rcode = RCODE_COMPLETE;
diff --git a/queue-3.16/alsa-hda-fix-krealloc-with-__gfp_zero-usage.patch b/queue-3.16/alsa-hda-fix-krealloc-with-__gfp_zero-usage.patch
new file mode 100644
index 0000000..ffeced8
--- /dev/null
+++ b/queue-3.16/alsa-hda-fix-krealloc-with-__gfp_zero-usage.patch
@@ -0,0 +1,37 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 3 Aug 2016 15:13:00 +0200
+Subject: ALSA: hda: Fix krealloc() with __GFP_ZERO usage
+
+commit 33baefe5e72f17a6df378e48196cd8cada11deec upstream.
+
+krealloc() doesn't work always properly with __GFP_ZERO flag as
+expected.  For clearing the reallocated area, we need to clear
+explicitly instead.
+
+Reported-by: Joe Perches <joe@perches.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/pci/hda/hda_codec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -5793,13 +5793,15 @@ void *snd_array_new(struct snd_array *ar
+ 		return NULL;
+ 	if (array->used >= array->alloced) {
+ 		int num = array->alloced + array->alloc_align;
++		int oldsize = array->alloced * array->elem_size;
+ 		int size = (num + 1) * array->elem_size;
+ 		void *nlist;
+ 		if (snd_BUG_ON(num >= 4096))
+ 			return NULL;
+-		nlist = krealloc(array->list, size, GFP_KERNEL | __GFP_ZERO);
++		nlist = krealloc(array->list, size, GFP_KERNEL);
+ 		if (!nlist)
+ 			return NULL;
++		memset(nlist + oldsize, 0, size - oldsize);
+ 		array->list = nlist;
+ 		array->alloced = num;
+ 	}
diff --git a/queue-3.16/alsa-hda-fix-use-after-free-after-module-unload.patch b/queue-3.16/alsa-hda-fix-use-after-free-after-module-unload.patch
new file mode 100644
index 0000000..d308a5c
--- /dev/null
+++ b/queue-3.16/alsa-hda-fix-use-after-free-after-module-unload.patch
@@ -0,0 +1,34 @@
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Mon, 11 Jul 2016 19:51:06 +0200
+Subject: ALSA: hda - fix use-after-free after module unload
+
+commit ab58d8cc870ef3f0771c197700441936898d1f1d upstream.
+
+register_vga_switcheroo() sets the PM ops from the hda structure which
+is freed later in azx_free. Make sure that these ops are cleared.
+
+Caught by KASAN, initially noticed due to a general protection fault.
+
+Fixes: 246efa4a072f ("snd/hda: add runtime suspend/resume on optimus support (v4)")
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/pci/hda/hda_intel.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -950,8 +950,10 @@ static int azx_free(struct azx *chip)
+ 	if (use_vga_switcheroo(chip)) {
+ 		if (chip->disabled && chip->bus)
+ 			snd_hda_unlock_devices(chip->bus);
+-		if (chip->vga_switcheroo_registered)
++		if (chip->vga_switcheroo_registered) {
+ 			vga_switcheroo_unregister_client(chip->pci);
++			vga_switcheroo_fini_domain_pm_ops(chip->card->dev);
++		}
+ 	}
+ 
+ 	if (chip->initialized) {
diff --git a/queue-3.16/alsa-hda-on-board-speaker-fixup-on-acer-veriton.patch b/queue-3.16/alsa-hda-on-board-speaker-fixup-on-acer-veriton.patch
new file mode 100644
index 0000000..2628cd5
--- /dev/null
+++ b/queue-3.16/alsa-hda-on-board-speaker-fixup-on-acer-veriton.patch
@@ -0,0 +1,53 @@
+From: Shrirang Bagul <shrirang.bagul@canonical.com>
+Date: Mon, 1 Aug 2016 13:16:17 +0800
+Subject: ALSA: hda - On-board speaker fixup on ACER Veriton
+
+commit 9b51fe3efe4c270005e34f55a97e5a84ad68e581 upstream.
+
+On Acer Veriton machines, codec with subsystem-id 0x1b0a01b8 the port at
+0x15 is configured by default as an Internal Speaker (0x90170120).
+However, no physical is speaker installed on-board. This patch adds a quirk
+which disables the physical connection on this pin.
+
+BugLink: https://bugs.launchpad.net/bugs/1607647
+
+Signed-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/pci/hda/patch_realtek.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5837,6 +5837,7 @@ enum {
+ 	ALC668_FIXUP_DELL_XPS13,
+ 	ALC662_FIXUP_ASUS_Nx50,
+ 	ALC668_FIXUP_ASUS_Nx51,
++	ALC662_FIXUP_ACER_VERITON,
+ };
+ 
+ static const struct hda_fixup alc662_fixups[] = {
+@@ -6078,6 +6079,13 @@ static const struct hda_fixup alc662_fix
+ 		.chained = true,
+ 		.chain_id = ALC662_FIXUP_BASS_CHMAP,
+ 	},
++	[ALC662_FIXUP_ACER_VERITON] = {
++		.type = HDA_FIXUP_PINS,
++		.v.pins = (const struct hda_pintbl[]) {
++			{ 0x15, 0x50170120 }, /* no internal speaker */
++			{ }
++		}
++	},
+ };
+ 
+ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
+@@ -6113,6 +6121,7 @@ static const struct snd_pci_quirk alc662
+ 	SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
+ 	SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
+ 	SND_PCI_QUIRK(0x19da, 0xa130, "Zotac Z68", ALC662_FIXUP_ZOTAC_Z68),
++	SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON),
+ 	SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T),
+ 
+ #if 0
diff --git a/queue-3.16/alsa-pcm-free-chmap-at-pcm-free-callback-too.patch b/queue-3.16/alsa-pcm-free-chmap-at-pcm-free-callback-too.patch
new file mode 100644
index 0000000..db1f767
--- /dev/null
+++ b/queue-3.16/alsa-pcm-free-chmap-at-pcm-free-callback-too.patch
@@ -0,0 +1,62 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 8 Jul 2016 08:23:43 +0200
+Subject: ALSA: pcm: Free chmap at PCM free callback, too
+
+commit a8ff48cb70835f48de5703052760312019afea55 upstream.
+
+The chmap ctls assigned to PCM streams are freed in the PCM disconnect
+callback.  However, since the disconnect callback isn't called when
+the card gets freed before registering, the chmap ctls may still be
+left assigned.  They are eventually freed together with other ctls,
+but it may cause an Oops at pcm_chmap_ctl_private_free(), as the
+function refers to the assigned PCM stream, while the PCM objects have
+been already freed beforehand.
+
+The fix is to free the chmap ctls also at PCM free callback, not only
+at PCM disconnect.
+
+Reported-by: Laxminath Kasam <b_lkasam@codeaurora.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/pcm.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/sound/core/pcm.c
++++ b/sound/core/pcm.c
+@@ -806,6 +806,14 @@ int snd_pcm_new_internal(struct snd_card
+ }
+ EXPORT_SYMBOL(snd_pcm_new_internal);
+ 
++static void free_chmap(struct snd_pcm_str *pstr)
++{
++	if (pstr->chmap_kctl) {
++		snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl);
++		pstr->chmap_kctl = NULL;
++	}
++}
++
+ static void snd_pcm_free_stream(struct snd_pcm_str * pstr)
+ {
+ 	struct snd_pcm_substream *substream, *substream_next;
+@@ -828,6 +836,7 @@ static void snd_pcm_free_stream(struct s
+ 		kfree(setup);
+ 	}
+ #endif
++	free_chmap(pstr);
+ }
+ 
+ static int snd_pcm_free(struct snd_pcm *pcm)
+@@ -1142,10 +1151,7 @@ static int snd_pcm_dev_disconnect(struct
+ 			break;
+ 		}
+ 		snd_unregister_device(devtype, pcm->card, pcm->device);
+-		if (pcm->streams[cidx].chmap_kctl) {
+-			snd_ctl_remove(pcm->card, pcm->streams[cidx].chmap_kctl);
+-			pcm->streams[cidx].chmap_kctl = NULL;
+-		}
++		free_chmap(&pcm->streams[cidx]);
+ 	}
+ 	mutex_unlock(&pcm->open_mutex);
+  unlock:
diff --git a/queue-3.16/alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch b/queue-3.16/alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch
new file mode 100644
index 0000000..50c300a
--- /dev/null
+++ b/queue-3.16/alsa-rawmidi-fix-possible-deadlock-with-virmidi-registration.patch
@@ -0,0 +1,130 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 30 Aug 2016 14:45:46 +0200
+Subject: ALSA: rawmidi: Fix possible deadlock with virmidi registration
+
+commit 816f318b2364262a51024096da7ca3b84e78e3b5 upstream.
+
+When a seq-virmidi driver is initialized, it registers a rawmidi
+instance with its callback to create an associated seq kernel client.
+Currently it's done throughly in rawmidi's register_mutex context.
+Recently it was found that this may lead to a deadlock another rawmidi
+device that is being attached with the sequencer is accessed, as both
+open with the same register_mutex.  This was actually triggered by
+syzkaller, as Dmitry Vyukov reported:
+
+======================================================
+ [ INFO: possible circular locking dependency detected ]
+ 4.8.0-rc1+ #11 Not tainted
+ -------------------------------------------------------
+ syz-executor/7154 is trying to acquire lock:
+  (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
+
+ but task is already holding lock:
+  (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #1 (&grp->list_mutex){++++.+}:
+    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
+    [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
+    [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
+    [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
+    [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
+    [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
+    [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
+    [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
+    [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
+    [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
+    [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
+    [<     inline     >] __snd_device_register sound/core/device.c:162
+    [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
+    [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
+    [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
+    [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
+    ......
+
+ -> #0 (register_mutex#5){+.+.+.}:
+    [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
+    [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
+    [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
+    [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
+    [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
+    [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
+    [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
+    [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
+    [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
+    [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
+    [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
+    [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
+    [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
+    [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
+    [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
+    [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
+    [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
+    [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
+    [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
+    [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
+    ......
+
+ other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+        CPU0                    CPU1
+        ----                    ----
+   lock(&grp->list_mutex);
+                                lock(register_mutex#5);
+                                lock(&grp->list_mutex);
+   lock(register_mutex#5);
+
+ *** DEADLOCK ***
+======================================================
+
+The fix is to simply move the registration parts in
+snd_rawmidi_dev_register() to the outside of the register_mutex lock.
+The lock is needed only to manage the linked list, and it's not
+necessarily to cover the whole initialization process.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/rawmidi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -1637,12 +1637,14 @@ static int snd_rawmidi_dev_register(stru
+ 		return -EBUSY;
+ 	}
+ 	list_add_tail(&rmidi->list, &snd_rawmidi_devices);
++	mutex_unlock(&register_mutex);
+ 	sprintf(name, "midiC%iD%i", rmidi->card->number, rmidi->device);
+ 	if ((err = snd_register_device(SNDRV_DEVICE_TYPE_RAWMIDI,
+ 				       rmidi->card, rmidi->device,
+ 				       &snd_rawmidi_f_ops, rmidi, name)) < 0) {
+ 		rmidi_err(rmidi, "unable to register rawmidi device %i:%i\n",
+ 			  rmidi->card->number, rmidi->device);
++		mutex_lock(&register_mutex);
+ 		list_del(&rmidi->list);
+ 		mutex_unlock(&register_mutex);
+ 		return err;
+@@ -1650,6 +1652,7 @@ static int snd_rawmidi_dev_register(stru
+ 	if (rmidi->ops && rmidi->ops->dev_register &&
+ 	    (err = rmidi->ops->dev_register(rmidi)) < 0) {
+ 		snd_unregister_device(SNDRV_DEVICE_TYPE_RAWMIDI, rmidi->card, rmidi->device);
++		mutex_lock(&register_mutex);
+ 		list_del(&rmidi->list);
+ 		mutex_unlock(&register_mutex);
+ 		return err;
+@@ -1682,7 +1685,6 @@ static int snd_rawmidi_dev_register(stru
+ 		}
+ 	}
+ #endif /* CONFIG_SND_OSSEMUL */
+-	mutex_unlock(&register_mutex);
+ 	sprintf(name, "midi%d", rmidi->device);
+ 	entry = snd_info_create_card_entry(rmidi->card, name, rmidi->card->proc_root);
+ 	if (entry) {
diff --git a/queue-3.16/alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch b/queue-3.16/alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch
new file mode 100644
index 0000000..032b5df
--- /dev/null
+++ b/queue-3.16/alsa-timer-fix-division-by-zero-after-sndrv_timer_ioctl_continue.patch
@@ -0,0 +1,85 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 29 Aug 2016 00:33:50 +0200
+Subject: ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
+
+commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 upstream.
+
+I got this:
+
+    divide error: 0000 [#1] PREEMPT SMP KASAN
+    CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+    task: ffff8801120a9580 task.stack: ffff8801120b0000
+    RIP: 0010:[<ffffffff82c8bd9a>]  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
+    RSP: 0018:ffff88011aa87da8  EFLAGS: 00010006
+    RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000
+    RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001
+    RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048
+    R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00
+    R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000
+    FS:  00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0
+    Stack:
+     0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76
+     ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0
+     00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0
+    Call Trace:
+     <IRQ>
+     [<ffffffff813abce7>] __hrtimer_run_queues+0x347/0xa00
+     [<ffffffff82c8bbc0>] ? snd_hrtimer_close+0x130/0x130
+     [<ffffffff813ab9a0>] ? retrigger_next_event+0x1b0/0x1b0
+     [<ffffffff813ae1a6>] ? hrtimer_interrupt+0x136/0x4b0
+     [<ffffffff813ae220>] hrtimer_interrupt+0x1b0/0x4b0
+     [<ffffffff8120f91e>] local_apic_timer_interrupt+0x6e/0xf0
+     [<ffffffff81227ad3>] ? kvm_guest_apic_eoi_write+0x13/0xc0
+     [<ffffffff83c35086>] smp_apic_timer_interrupt+0x76/0xa0
+     [<ffffffff83c3416c>] apic_timer_interrupt+0x8c/0xa0
+     <EOI>
+     [<ffffffff83c3239c>] ? _raw_spin_unlock_irqrestore+0x2c/0x60
+     [<ffffffff82c8185d>] snd_timer_start1+0xdd/0x670
+     [<ffffffff82c87015>] snd_timer_continue+0x45/0x80
+     [<ffffffff82c88100>] snd_timer_user_ioctl+0x1030/0x2830
+     [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
+     [<ffffffff815aa4f8>] ? handle_mm_fault+0xbc8/0x27f0
+     [<ffffffff815a9930>] ? __pmd_alloc+0x370/0x370
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
+     [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
+     [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
+     [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
+     [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
+     [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
+     [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
+     [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
+     [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
+     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
+     [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
+    Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00
+    RIP  [<ffffffff82c8bd9a>] snd_hrtimer_callback+0x1da/0x3f0
+     RSP <ffff88011aa87da8>
+    ---[ end trace 6aa380f756a21074 ]---
+
+The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a
+completely new/unused timer -- it will have ->sticks == 0, which causes a
+divide by 0 in snd_hrtimer_callback().
+
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -839,6 +839,7 @@ int snd_timer_new(struct snd_card *card,
+ 	timer->tmr_subdevice = tid->subdevice;
+ 	if (id)
+ 		strlcpy(timer->id, id, sizeof(timer->id));
++	timer->sticks = 1;
+ 	INIT_LIST_HEAD(&timer->device_list);
+ 	INIT_LIST_HEAD(&timer->open_list_head);
+ 	INIT_LIST_HEAD(&timer->active_list_head);
diff --git a/queue-3.16/alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch b/queue-3.16/alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch
new file mode 100644
index 0000000..8c14103
--- /dev/null
+++ b/queue-3.16/alsa-timer-fix-null-pointer-dereference-in-read-ioctl-race.patch
@@ -0,0 +1,91 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Sun, 28 Aug 2016 10:13:07 +0200
+Subject: ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
+
+commit 11749e086b2766cccf6217a527ef5c5604ba069c upstream.
+
+I got this with syzkaller:
+
+    ==================================================================
+    BUG: KASAN: null-ptr-deref on address 0000000000000020
+    Read of size 32 by task syz-executor/22519
+    CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2
+    014
+     0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90
+     ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80
+     ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68
+    Call Trace:
+     [<ffffffff81f9f141>] dump_stack+0x83/0xb2
+     [<ffffffff8161fe3f>] kasan_report_error+0x41f/0x4c0
+     [<ffffffff8161ff74>] kasan_report+0x34/0x40
+     [<ffffffff82c84b54>] ? snd_timer_user_read+0x554/0x790
+     [<ffffffff8161e79e>] check_memory_region+0x13e/0x1a0
+     [<ffffffff8161e9c1>] kasan_check_read+0x11/0x20
+     [<ffffffff82c84b54>] snd_timer_user_read+0x554/0x790
+     [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
+     [<ffffffff817d0831>] ? proc_fault_inject_write+0x1c1/0x250
+     [<ffffffff817d0670>] ? next_tgid+0x2a0/0x2a0
+     [<ffffffff8127c278>] ? do_group_exit+0x108/0x330
+     [<ffffffff8174653a>] ? fsnotify+0x72a/0xca0
+     [<ffffffff81674dfe>] __vfs_read+0x10e/0x550
+     [<ffffffff82c84600>] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0
+     [<ffffffff81674cf0>] ? do_sendfile+0xc50/0xc50
+     [<ffffffff81745e10>] ? __fsnotify_update_child_dentry_flags+0x60/0x60
+     [<ffffffff8143fec6>] ? kcov_ioctl+0x56/0x190
+     [<ffffffff81e5ada2>] ? common_file_perm+0x2e2/0x380
+     [<ffffffff81746b0e>] ? __fsnotify_parent+0x5e/0x2b0
+     [<ffffffff81d93536>] ? security_file_permission+0x86/0x1e0
+     [<ffffffff816728f5>] ? rw_verify_area+0xe5/0x2b0
+     [<ffffffff81675355>] vfs_read+0x115/0x330
+     [<ffffffff81676371>] SyS_read+0xd1/0x1a0
+     [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
+     [<ffffffff82001c2c>] ? __this_cpu_preempt_check+0x1c/0x20
+     [<ffffffff8150455a>] ? __context_tracking_exit.part.4+0x3a/0x1e0
+     [<ffffffff816762a0>] ? vfs_write+0x4b0/0x4b0
+     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
+     [<ffffffff810052fc>] ? syscall_return_slowpath+0x16c/0x1d0
+     [<ffffffff83c3276a>] entry_SYSCALL64_slow_path+0x25/0x25
+    ==================================================================
+
+There are a couple of problems that I can see:
+
+ - ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets
+   tu->queue/tu->tqueue to NULL on memory allocation failure, so read()
+   would get a NULL pointer dereference like the above splat
+
+ - the same ioctl() can free tu->queue/to->tqueue which means read()
+   could potentially see (and dereference) the freed pointer
+
+We can fix both by taking the ioctl_lock mutex when dereferencing
+->queue/->tqueue, since that's always held over all the ioctl() code.
+
+Just looking at the code I find it likely that there are more problems
+here such as tu->qhead pointing outside the buffer if the size is
+changed concurrently using SNDRV_TIMER_IOCTL_PARAMS.
+
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/timer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1985,6 +1985,7 @@ static ssize_t snd_timer_user_read(struc
+ 		tu->qused--;
+ 		spin_unlock_irq(&tu->qlock);
+ 
++		mutex_lock(&tu->ioctl_lock);
+ 		if (tu->tread) {
+ 			if (copy_to_user(buffer, &tu->tqueue[qhead],
+ 					 sizeof(struct snd_timer_tread)))
+@@ -1994,6 +1995,7 @@ static ssize_t snd_timer_user_read(struc
+ 					 sizeof(struct snd_timer_read)))
+ 				err = -EFAULT;
+ 		}
++		mutex_unlock(&tu->ioctl_lock);
+ 
+ 		spin_lock_irq(&tu->qlock);
+ 		if (err < 0)
diff --git a/queue-3.16/alsa-timer-fix-null-pointer-dereference-on-memory-allocation.patch b/queue-3.16/alsa-timer-fix-null-pointer-dereference-on-memory-allocation.patch
new file mode 100644
index 0000000..0d83b54
--- /dev/null
+++ b/queue-3.16/alsa-timer-fix-null-pointer-dereference-on-memory-allocation.patch
@@ -0,0 +1,107 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 29 Aug 2016 00:33:51 +0200
+Subject: ALSA: timer: fix NULL pointer dereference on memory allocation
+ failure
+
+commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 upstream.
+
+I hit this with syzkaller:
+
+    kasan: CONFIG_KASAN_INLINE enabled
+    kasan: GPF could be caused by NULL-ptr deref or user memory access
+    general protection fault: 0000 [#1] PREEMPT SMP KASAN
+    CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+    task: ffff88011278d600 task.stack: ffff8801120c0000
+    RIP: 0010:[<ffffffff82c8ba07>]  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
+    RSP: 0018:ffff8801120c7a60  EFLAGS: 00010006
+    RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007
+    RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048
+    RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790
+    R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980
+    R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286
+    FS:  00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0
+    Stack:
+     ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0
+     ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000
+     ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0
+    Call Trace:
+     [<ffffffff82c81ab1>] snd_timer_start1+0x331/0x670
+     [<ffffffff82c85bfd>] snd_timer_start+0x5d/0xa0
+     [<ffffffff82c8795e>] snd_timer_user_ioctl+0x88e/0x2830
+     [<ffffffff8159f3a0>] ? __follow_pte.isra.49+0x430/0x430
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff815a26fa>] ? do_wp_page+0x3aa/0x1c90
+     [<ffffffff8132762f>] ? put_prev_entity+0x108f/0x21a0
+     [<ffffffff82c870d0>] ? snd_timer_pause+0x80/0x80
+     [<ffffffff816b0733>] do_vfs_ioctl+0x193/0x1050
+     [<ffffffff813510af>] ? cpuacct_account_field+0x12f/0x1a0
+     [<ffffffff816b05a0>] ? ioctl_preallocate+0x200/0x200
+     [<ffffffff81002f2f>] ? syscall_trace_enter+0x3cf/0xdb0
+     [<ffffffff815045ba>] ? __context_tracking_exit.part.4+0x9a/0x1e0
+     [<ffffffff81002b60>] ? exit_to_usermode_loop+0x190/0x190
+     [<ffffffff82001a97>] ? check_preemption_disabled+0x37/0x1e0
+     [<ffffffff81d93889>] ? security_file_ioctl+0x89/0xb0
+     [<ffffffff816b167f>] SyS_ioctl+0x8f/0xc0
+     [<ffffffff816b15f0>] ? do_vfs_ioctl+0x1050/0x1050
+     [<ffffffff81005524>] do_syscall_64+0x1c4/0x4e0
+     [<ffffffff83c32b2a>] entry_SYSCALL64_slow_path+0x25/0x25
+    Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46
+    RIP  [<ffffffff82c8ba07>] snd_hrtimer_start+0x77/0x100
+     RSP <ffff8801120c7a60>
+    ---[ end trace 5955b08db7f2b029 ]---
+
+This can happen if snd_hrtimer_open() fails to allocate memory and
+returns an error, which is currently not checked by snd_timer_open():
+
+    ioctl(SNDRV_TIMER_IOCTL_SELECT)
+     - snd_timer_user_tselect()
+	- snd_timer_close()
+	   - snd_hrtimer_close()
+	      - (struct snd_timer *) t->private_data = NULL
+        - snd_timer_open()
+           - snd_hrtimer_open()
+              - kzalloc() fails; t->private_data is still NULL
+
+    ioctl(SNDRV_TIMER_IOCTL_START)
+     - snd_timer_user_start()
+	- snd_timer_start()
+	   - snd_timer_start1()
+	      - snd_hrtimer_start()
+		- t->private_data == NULL // boom
+
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/timer.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -296,8 +296,21 @@ int snd_timer_open(struct snd_timer_inst
+ 		get_device(&timer->card->card_dev);
+ 	timeri->slave_class = tid->dev_sclass;
+ 	timeri->slave_id = slave_id;
+-	if (list_empty(&timer->open_list_head) && timer->hw.open)
+-		timer->hw.open(timer);
++
++	if (list_empty(&timer->open_list_head) && timer->hw.open) {
++		int err = timer->hw.open(timer);
++		if (err) {
++			kfree(timeri->owner);
++			kfree(timeri);
++
++			if (timer->card)
++				put_device(&timer->card->card_dev);
++			module_put(timer->module);
++			mutex_unlock(&register_mutex);
++			return err;
++		}
++	}
++
+ 	list_add_tail(&timeri->open_list, &timer->open_list_head);
+ 	snd_timer_check_master(timeri);
+ 	mutex_unlock(&register_mutex);
diff --git a/queue-3.16/alsa-timer-fix-zero-division-by-continue-of-uninitialized-instance.patch b/queue-3.16/alsa-timer-fix-zero-division-by-continue-of-uninitialized-instance.patch
new file mode 100644
index 0000000..45a39f5
--- /dev/null
+++ b/queue-3.16/alsa-timer-fix-zero-division-by-continue-of-uninitialized-instance.patch
@@ -0,0 +1,91 @@
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 7 Sep 2016 15:45:31 +0200
+Subject: ALSA: timer: Fix zero-division by continue of uninitialized instance
+
+commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b upstream.
+
+When a user timer instance is continued without the explicit start
+beforehand, the system gets eventually zero-division error like:
+
+  divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
+  CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+   task: ffff88003c9b2280 task.stack: ffff880027280000
+   RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
+   RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
+  Call Trace:
+   <IRQ>
+   [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
+   [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
+   [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
+   [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
+   [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
+   [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
+   <EOI>
+   .....
+
+Although a similar issue was spotted and a fix patch was merged in
+commit [6b760bb2c63a: ALSA: timer: fix division by zero after
+SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
+iceberg.
+
+In this patch, we fix the issue a bit more drastically.  Basically the
+continue of an uninitialized timer is supposed to be a fresh start, so
+we do it for user timers.  For the direct snd_timer_continue() call,
+there is no way to pass the initial tick value, so we kick out for the
+uninitialized case.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 3.16:
+ - Adjust context
+ - In _snd_timer_stop(), check the value of 'event' instead of 'stop']
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/core/timer.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -35,6 +35,9 @@
+ #include <sound/initval.h>
+ #include <linux/kmod.h>
+ 
++/* internal flags */
++#define SNDRV_TIMER_IFLG_PAUSED		0x00010000
++
+ #if IS_ENABLED(CONFIG_SND_HRTIMER)
+ #define DEFAULT_TIMER_LIMIT 4
+ #elif IS_ENABLED(CONFIG_SND_RTCTIMER)
+@@ -569,6 +572,10 @@ static int _snd_timer_stop(struct snd_ti
+ 		}
+ 	}
+ 	timeri->flags &= ~(SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START);
++	if (event == SNDRV_TIMER_EVENT_STOP)
++		timeri->flags &= ~SNDRV_TIMER_IFLG_PAUSED;
++	else
++		timeri->flags |= SNDRV_TIMER_IFLG_PAUSED;
+ 	spin_unlock_irqrestore(&timer->lock, flags);
+       __end:
+ 	if (event != SNDRV_TIMER_EVENT_RESOLUTION)
+@@ -611,6 +618,10 @@ int snd_timer_continue(struct snd_timer_
+ 
+ 	if (timeri == NULL)
+ 		return result;
++	/* timer can continue only after pause */
++	if (!(timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
++		return -EINVAL;
++
+ 	if (timeri->flags & SNDRV_TIMER_IFLG_SLAVE)
+ 		return snd_timer_start_slave(timeri);
+ 	timer = timeri->timer;
+@@ -1844,6 +1855,9 @@ static int snd_timer_user_continue(struc
+ 	tu = file->private_data;
+ 	if (!tu->timeri)
+ 		return -EBADFD;
++	/* start timer instead of continue if it's not used before */
++	if (!(tu->timeri->flags & SNDRV_TIMER_IFLG_PAUSED))
++		return snd_timer_user_start(file);
+ 	tu->timeri->lost = 0;
+ 	return (err = snd_timer_continue(tu->timeri)) < 0 ? err : 0;
+ }
diff --git a/queue-3.16/arc-call-trace_hardirqs_on-before-enabling-irqs.patch b/queue-3.16/arc-call-trace_hardirqs_on-before-enabling-irqs.patch
new file mode 100644
index 0000000..133b1a8
--- /dev/null
+++ b/queue-3.16/arc-call-trace_hardirqs_on-before-enabling-irqs.patch
@@ -0,0 +1,60 @@
+From: Daniel Mentz <danielmentz@google.com>
+Date: Thu, 4 Aug 2016 17:56:53 -0700
+Subject: ARC: Call trace_hardirqs_on() before enabling irqs
+
+commit 18b43e89d295cc65151c505c643c98fb2c320e59 upstream.
+
+trace_hardirqs_on_caller() in lockdep.c expects to be called before, not
+after interrupts are actually enabled.
+
+The following comment in kernel/locking/lockdep.c substantiates this
+claim:
+
+"
+/*
+ * We're enabling irqs and according to our state above irqs weren't
+ * already enabled, yet we find the hardware thinks they are in fact
+ * enabled.. someone messed up their IRQ state tracing.
+ */
+"
+
+An example can be found in include/linux/irqflags.h:
+
+	do { trace_hardirqs_on(); raw_local_irq_enable(); } while (0)
+
+Without this change, we hit the following DEBUG_LOCKS_WARN_ON.
+
+[    7.760000] ------------[ cut here ]------------
+[    7.760000] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:2711 resume_user_mode_begin+0x48/0xf0
+[    7.770000] DEBUG_LOCKS_WARN_ON(!irqs_disabled())
+[    7.780000] Modules linked in:
+[    7.780000] CPU: 0 PID: 1 Comm: init Not tainted 4.7.0-00003-gc668bb9-dirty #366
+[    7.790000]
+[    7.790000] Stack Trace:
+[    7.790000]   arc_unwind_core.constprop.1+0xa4/0x118
+[    7.800000]   warn_slowpath_fmt+0x72/0x158
+[    7.800000]   resume_user_mode_begin+0x48/0xf0
+[    7.810000] ---[ end trace 6f6a7a8fae20d2f0 ]---
+
+Signed-off-by: Daniel Mentz <danielmentz@google.com>
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arc/include/asm/irqflags.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/irqflags.h
++++ b/arch/arc/include/asm/irqflags.h
+@@ -179,10 +179,10 @@ static inline void arch_unmask_irq(unsig
+ .endm
+ 
+ .macro IRQ_ENABLE  scratch
++	TRACE_ASM_IRQ_ENABLE
+ 	lr	\scratch, [status32]
+ 	or	\scratch, \scratch, (STATUS_E1_MASK | STATUS_E2_MASK)
+ 	flag	\scratch
+-	TRACE_ASM_IRQ_ENABLE
+ .endm
+ 
+ #endif	/* __ASSEMBLY__ */
diff --git a/queue-3.16/arc-mm-don-t-loose-pte_special-in-pte_modify.patch b/queue-3.16/arc-mm-don-t-loose-pte_special-in-pte_modify.patch
new file mode 100644
index 0000000..1e8f745
--- /dev/null
+++ b/queue-3.16/arc-mm-don-t-loose-pte_special-in-pte_modify.patch
@@ -0,0 +1,44 @@
+From: Vineet Gupta <vgupta@synopsys.com>
+Date: Thu, 28 Jul 2016 11:35:50 -0700
+Subject: ARC: mm: don't loose PTE_SPECIAL in pte_modify()
+
+commit 3925a16ae980c79d1a8fd182d7f9487da1edd4dc upstream.
+
+LTP madvise05 was generating mm splat
+
+| [ARCLinux]# /sd/ltp/testcases/bin/madvise05
+| BUG: Bad page map in process madvise05  pte:80e08211 pmd:9f7d4000
+| page:9fdcfc90 count:1 mapcount:-1 mapping:  (null) index:0x0 flags: 0x404(referenced|reserved)
+| page dumped because: bad pte
+| addr:200b8000 vm_flags:00000070 anon_vma:  (null) mapping:  (null) index:1005c
+| file:  (null) fault:  (null) mmap:  (null) readpage:  (null)
+| CPU: 2 PID: 6707 Comm: madvise05
+
+And for newer kernels, the system was rendered unusable afterwards.
+
+The problem was mprotect->pte_modify() clearing PTE_SPECIAL (which is
+set to identify the special zero page wired to the pte).
+When pte was finally unmapped, special casing for zero page was not
+done, and instead it was treated as a "normal" page, tripping on the
+map counts etc.
+
+This fixes ARC STAR 9001053308
+
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+[bwh: Backported to 3.16: _PAGE_DIRTY is called _PAGE_MODIFIED]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arc/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arc/include/asm/pgtable.h
++++ b/arch/arc/include/asm/pgtable.h
+@@ -98,7 +98,7 @@
+ #define ___DEF (_PAGE_PRESENT | _PAGE_DEF_CACHEABLE)
+ 
+ /* Set of bits not changed in pte_modify */
+-#define _PAGE_CHG_MASK	(PAGE_MASK | _PAGE_ACCESSED | _PAGE_MODIFIED)
++#define _PAGE_CHG_MASK	(PAGE_MASK | _PAGE_ACCESSED | _PAGE_MODIFIED | _PAGE_SPECIAL)
+ 
+ /* More Abbrevaited helpers */
+ #define PAGE_U_NONE     __pgprot(___DEF)
diff --git a/queue-3.16/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch b/queue-3.16/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch
new file mode 100644
index 0000000..7271b1b
--- /dev/null
+++ b/queue-3.16/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch
@@ -0,0 +1,65 @@
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Date: Fri, 19 Aug 2016 12:10:02 -0700
+Subject: ARC: uaccess: get_user to zero out dest in cause of fault
+
+commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream.
+
+Al reported potential issue with ARC get_user() as it wasn't clearing
+out destination pointer in case of fault due to bad address etc.
+
+Verified using following
+
+| {
+|  	u32 bogus1 = 0xdeadbeef;
+|	u64 bogus2 = 0xdead;
+|	int rc1, rc2;
+|
+|  	pr_info("Orig values %x %llx\n", bogus1, bogus2);
+|	rc1 = get_user(bogus1, (u32 __user *)0x40000000);
+|	rc2 = get_user(bogus2, (u64 __user *)0x50000000);
+|	pr_info("access %d %d, new values %x %llx\n",
+|		rc1, rc2, bogus1, bogus2);
+| }
+
+| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
+| Orig values deadbeef dead
+| access -14 -14, new values 0 0
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arc/include/asm/uaccess.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -83,7 +83,10 @@
+ 	"2:	;nop\n"				\
+ 	"	.section .fixup, \"ax\"\n"	\
+ 	"	.align 4\n"			\
+-	"3:	mov %0, %3\n"			\
++	"3:	# return -EFAULT\n"		\
++	"	mov %0, %3\n"			\
++	"	# zero out dst ptr\n"		\
++	"	mov %1,  0\n"			\
+ 	"	j   2b\n"			\
+ 	"	.previous\n"			\
+ 	"	.section __ex_table, \"a\"\n"	\
+@@ -101,7 +104,11 @@
+ 	"2:	;nop\n"				\
+ 	"	.section .fixup, \"ax\"\n"	\
+ 	"	.align 4\n"			\
+-	"3:	mov %0, %3\n"			\
++	"3:	# return -EFAULT\n"		\
++	"	mov %0, %3\n"			\
++	"	# zero out dst ptr\n"		\
++	"	mov %1,  0\n"			\
++	"	mov %R1, 0\n"			\
+ 	"	j   2b\n"			\
+ 	"	.previous\n"			\
+ 	"	.section __ex_table, \"a\"\n"	\
diff --git a/queue-3.16/arm-8561-3-dma-mapping-don-t-use-outer_flush_range-when-the-l2c-is.patch b/queue-3.16/arm-8561-3-dma-mapping-don-t-use-outer_flush_range-when-the-l2c-is.patch
new file mode 100644
index 0000000..ce428c8
--- /dev/null
+++ b/queue-3.16/arm-8561-3-dma-mapping-don-t-use-outer_flush_range-when-the-l2c-is.patch
@@ -0,0 +1,224 @@
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Date: Fri, 15 Apr 2016 11:15:18 +0100
+Subject: ARM: 8561/3: dma-mapping: Don't use outer_flush_range when the L2C is
+ coherent
+
+commit f12708965069410691e47d1d216ec7ad1516bfd2 upstream.
+
+When a L2 cache controller is used in a system that provides hardware
+coherency, the entire outer cache operations are useless, and can be
+skipped.  Moreover, on some systems, it is harmful as it causes
+deadlocks between the Marvell coherency mechanism, the Marvell PCIe
+controller and the Cortex-A9.
+
+In the current kernel implementation, the outer cache flush range
+operation is triggered by the dma_alloc function.
+This operation can be take place during runtime and in some
+circumstances may lead to the PCIe/PL310 deadlock on Armada 375/38x
+SoCs.
+
+This patch extends the __dma_clear_buffer() function to receive a
+boolean argument related to the coherency of the system. The same
+things is done for the calling functions.
+
+Reported-by: Nadav Haklai <nadavh@marvell.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+[bwh: Backported to 3.16:
+ - Drop changes to struct arm_dm_alloc_args, cma_allocator_alloc()
+ - Pass the new parameter to __alloc_from_contiguous() from __dma_alloc()
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mm/dma-mapping.c | 62 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 42 insertions(+), 20 deletions(-)
+
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -39,6 +39,9 @@
+ 
+ #include "mm.h"
+ 
++#define NORMAL	    0
++#define COHERENT    1
++
+ /*
+  * The DMA API is built upon the notion of "buffer ownership".  A buffer
+  * is either exclusively owned by the CPU (and therefore may be accessed
+@@ -219,7 +222,7 @@ static u64 get_coherent_dma_mask(struct
+ 	return mask;
+ }
+ 
+-static void __dma_clear_buffer(struct page *page, size_t size)
++static void __dma_clear_buffer(struct page *page, size_t size, int coherent_flag)
+ {
+ 	/*
+ 	 * Ensure that the allocated pages are zeroed, and that any data
+@@ -231,17 +234,21 @@ static void __dma_clear_buffer(struct pa
+ 		while (size > 0) {
+ 			void *ptr = kmap_atomic(page);
+ 			memset(ptr, 0, PAGE_SIZE);
+-			dmac_flush_range(ptr, ptr + PAGE_SIZE);
++			if (coherent_flag != COHERENT)
++				dmac_flush_range(ptr, ptr + PAGE_SIZE);
+ 			kunmap_atomic(ptr);
+ 			page++;
+ 			size -= PAGE_SIZE;
+ 		}
+-		outer_flush_range(base, end);
++		if (coherent_flag != COHERENT)
++			outer_flush_range(base, end);
+ 	} else {
+ 		void *ptr = page_address(page);
+ 		memset(ptr, 0, size);
+-		dmac_flush_range(ptr, ptr + size);
+-		outer_flush_range(__pa(ptr), __pa(ptr) + size);
++		if (coherent_flag != COHERENT) {
++			dmac_flush_range(ptr, ptr + size);
++			outer_flush_range(__pa(ptr), __pa(ptr) + size);
++		}
+ 	}
+ }
+ 
+@@ -249,7 +256,8 @@ static void __dma_clear_buffer(struct pa
+  * Allocate a DMA buffer for 'dev' of size 'size' using the
+  * specified gfp mask.  Note that 'size' must be page aligned.
+  */
+-static struct page *__dma_alloc_buffer(struct device *dev, size_t size, gfp_t gfp)
++static struct page *__dma_alloc_buffer(struct device *dev, size_t size,
++				       gfp_t gfp, int coherent_flag)
+ {
+ 	unsigned long order = get_order(size);
+ 	struct page *page, *p, *e;
+@@ -265,7 +273,7 @@ static struct page *__dma_alloc_buffer(s
+ 	for (p = page + (size >> PAGE_SHIFT), e = page + (1 << order); p < e; p++)
+ 		__free_page(p);
+ 
+-	__dma_clear_buffer(page, size);
++	__dma_clear_buffer(page, size, coherent_flag);
+ 
+ 	return page;
+ }
+@@ -287,7 +295,7 @@ static void __dma_free_buffer(struct pag
+ 
+ static void *__alloc_from_contiguous(struct device *dev, size_t size,
+ 				     pgprot_t prot, struct page **ret_page,
+-				     const void *caller);
++				     const void *caller, int coherent_flag);
+ 
+ static void *__alloc_remap_buffer(struct device *dev, size_t size, gfp_t gfp,
+ 				 pgprot_t prot, struct page **ret_page,
+@@ -389,10 +397,13 @@ static int __init atomic_pool_init(void)
+ 	pages = kzalloc(nr_pages * sizeof(struct page *), GFP_KERNEL);
+ 	if (!pages)
+ 		goto no_pages;
+-
++	/*
++	 * The atomic pool is only used for non-coherent allocations
++	 * so we must pass NORMAL for coherent_flag.
++	 */
+ 	if (dev_get_cma_area(NULL))
+ 		ptr = __alloc_from_contiguous(NULL, pool->size, prot, &page,
+-					      atomic_pool_init);
++					      atomic_pool_init, NORMAL);
+ 	else
+ 		ptr = __alloc_remap_buffer(NULL, pool->size, gfp, prot, &page,
+ 					   atomic_pool_init);
+@@ -505,7 +516,11 @@ static void *__alloc_remap_buffer(struct
+ {
+ 	struct page *page;
+ 	void *ptr;
+-	page = __dma_alloc_buffer(dev, size, gfp);
++	/*
++	 * __alloc_remap_buffer is only called when the device is
++	 * non-coherent
++	 */
++	page = __dma_alloc_buffer(dev, size, gfp, NORMAL);
+ 	if (!page)
+ 		return NULL;
+ 
+@@ -597,7 +612,7 @@ static int __free_from_pool(void *start,
+ 
+ static void *__alloc_from_contiguous(struct device *dev, size_t size,
+ 				     pgprot_t prot, struct page **ret_page,
+-				     const void *caller)
++				     const void *caller, int coherent_flag)
+ {
+ 	unsigned long order = get_order(size);
+ 	size_t count = size >> PAGE_SHIFT;
+@@ -608,7 +623,7 @@ static void *__alloc_from_contiguous(str
+ 	if (!page)
+ 		return NULL;
+ 
+-	__dma_clear_buffer(page, size);
++	__dma_clear_buffer(page, size, coherent_flag);
+ 
+ 	if (PageHighMem(page)) {
+ 		ptr = __dma_alloc_remap(page, size, GFP_KERNEL, prot, caller);
+@@ -651,7 +666,7 @@ static inline pgprot_t __get_dma_pgprot(
+ #define __get_dma_pgprot(attrs, prot)	__pgprot(0)
+ #define __alloc_remap_buffer(dev, size, gfp, prot, ret, c)	NULL
+ #define __alloc_from_pool(size, ret_page)			NULL
+-#define __alloc_from_contiguous(dev, size, prot, ret, c)	NULL
++#define __alloc_from_contiguous(dev, size, prot, ret, c, coherent_flag)	NULL
+ #define __free_from_pool(cpu_addr, size)			0
+ #define __free_from_contiguous(dev, page, cpu_addr, size)	do { } while (0)
+ #define __dma_free_remap(cpu_addr, size)			do { } while (0)
+@@ -662,7 +677,8 @@ static void *__alloc_simple_buffer(struc
+ 				   struct page **ret_page)
+ {
+ 	struct page *page;
+-	page = __dma_alloc_buffer(dev, size, gfp);
++	/* __alloc_simple_buffer is only called when the device is coherent */
++	page = __dma_alloc_buffer(dev, size, gfp, COHERENT);
+ 	if (!page)
+ 		return NULL;
+ 
+@@ -713,7 +729,8 @@ static void *__dma_alloc(struct device *
+ 	else if (!dev_get_cma_area(dev))
+ 		addr = __alloc_remap_buffer(dev, size, gfp, prot, &page, caller);
+ 	else
+-		addr = __alloc_from_contiguous(dev, size, prot, &page, caller);
++		addr = __alloc_from_contiguous(dev, size, prot, &page, caller,
++					       NORMAL);
+ 
+ 	if (addr)
+ 		*handle = pfn_to_dma(dev, page_to_pfn(page));
+@@ -1172,7 +1189,8 @@ static inline void __free_iova(struct dm
+ }
+ 
+ static struct page **__iommu_alloc_buffer(struct device *dev, size_t size,
+-					  gfp_t gfp, struct dma_attrs *attrs)
++					  gfp_t gfp, struct dma_attrs *attrs,
++					  int coherent_flag)
+ {
+ 	struct page **pages;
+ 	int count = size >> PAGE_SHIFT;
+@@ -1195,7 +1213,7 @@ static struct page **__iommu_alloc_buffe
+ 		if (!page)
+ 			goto error;
+ 
+-		__dma_clear_buffer(page, size);
++		__dma_clear_buffer(page, size, coherent_flag);
+ 
+ 		for (i = 0; i < count; i++)
+ 			pages[i] = page + i;
+@@ -1224,7 +1242,7 @@ static struct page **__iommu_alloc_buffe
+ 				pages[i + j] = pages[i] + j;
+ 		}
+ 
+-		__dma_clear_buffer(pages[i], PAGE_SIZE << order);
++		__dma_clear_buffer(pages[i], PAGE_SIZE << order, coherent_flag);
+ 		i += 1 << order;
+ 		count -= 1 << order;
+ 	}
+@@ -1427,7 +1445,8 @@ static void *arm_iommu_alloc_attrs(struc
+ 	 */
+ 	gfp &= ~(__GFP_COMP);
+ 
+-	pages = __iommu_alloc_buffer(dev, size, gfp, attrs);
++	/* For now always consider we are in a non-coherent case */
++	pages = __iommu_alloc_buffer(dev, size, gfp, attrs, NORMAL);
+ 	if (!pages)
+ 		return NULL;
+ 
diff --git a/queue-3.16/arm-8617-1-dma-fix-dma_max_pfn.patch b/queue-3.16/arm-8617-1-dma-fix-dma_max_pfn.patch
new file mode 100644
index 0000000..42443bd
--- /dev/null
+++ b/queue-3.16/arm-8617-1-dma-fix-dma_max_pfn.patch
@@ -0,0 +1,54 @@
+From: Roger Quadros <rogerq@ti.com>
+Date: Thu, 29 Sep 2016 08:32:55 +0100
+Subject: ARM: 8617/1: dma: fix dma_max_pfn()
+
+commit d248220f0465b818887baa9829e691fe662b2c5e upstream.
+
+Since commit 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation"),
+dma_to_pfn() already returns the PFN with the physical memory start offset
+so we don't need to add it again.
+
+This fixes USB mass storage lock-up problem on systems that can't do DMA
+over the entire physical memory range (e.g.) Keystone 2 systems with 4GB RAM
+can only do DMA over the first 2GB. [K2E-EVM].
+
+What happens there is that without this patch SCSI layer sets a wrong
+bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass
+storage device. dma_max_pfn() evaluates to 0x8fffff and bounce_limit
+is set to 0x8fffff000 whereas maximum DMA'ble physical memory on Keystone 2
+is 0x87fffffff. This results in non DMA'ble pages being given to the
+USB controller and hence the lock-up.
+
+NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as 0.
+This should have really been 0x780000 as on K2e, LOWMEM_START is 0x80000000
+and HIGHMEM_START is 0x800000000. DMA zone is 2GB so dma_max_pfn should be
+0x87ffff. The incorrect dma_pfn_offset for the USB storage device is because
+USB devices are not correctly inheriting the dma_pfn_offset from the
+USB host controller. This will be fixed by a separate patch.
+
+Fixes: 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation")
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Olof Johansson <olof@lixom.net>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/include/asm/dma-mapping.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/dma-mapping.h
++++ b/arch/arm/include/asm/dma-mapping.h
+@@ -117,7 +117,7 @@ static inline dma_addr_t virt_to_dma(str
+ /* The ARM override for dma_max_pfn() */
+ static inline unsigned long dma_max_pfn(struct device *dev)
+ {
+-	return PHYS_PFN_OFFSET + dma_to_pfn(dev, *dev->dma_mask);
++	return dma_to_pfn(dev, *dev->dma_mask);
+ }
+ #define dma_max_pfn(dev) dma_max_pfn(dev)
+ 
diff --git a/queue-3.16/arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch b/queue-3.16/arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch
new file mode 100644
index 0000000..3dfebcc
--- /dev/null
+++ b/queue-3.16/arm-8618-1-decompressor-reset-ttbcr-fields-to-use-ttbr0-on-armv7.patch
@@ -0,0 +1,38 @@
+From: Srinivas Ramana <sramana@codeaurora.org>
+Date: Fri, 30 Sep 2016 15:03:31 +0100
+Subject: ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
+
+commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 upstream.
+
+If the bootloader uses the long descriptor format and jumps to
+kernel decompressor code, TTBCR may not be in a right state.
+Before enabling the MMU, it is required to clear the TTBCR.PD0
+field to use TTBR0 for translation table walks.
+
+The commit dbece45894d3a ("ARM: 7501/1: decompressor:
+reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but
+doesn't consider all the bits for the size of TTBCR.N.
+
+Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to
+indicate the use of TTBR0 and the correct base address width.
+
+Fixes: dbece45894d3 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores")
+Acked-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/boot/compressed/head.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -726,7 +726,7 @@ __armv7_mmu_cache_on:
+ 		orrne	r0, r0, #1		@ MMU enabled
+ 		movne	r1, #0xfffffffd		@ domain 0 = client
+ 		bic     r6, r6, #1 << 31        @ 32-bit translation system
+-		bic     r6, r6, #3 << 0         @ use only ttbr0
++		bic     r6, r6, #(7 << 0) | (1 << 4)	@ use only ttbr0
+ 		mcrne	p15, 0, r3, c2, c0, 0	@ load page table pointer
+ 		mcrne	p15, 0, r1, c3, c0, 0	@ load domain access control
+ 		mcrne   p15, 0, r6, c2, c0, 2   @ load ttb control
diff --git a/queue-3.16/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch b/queue-3.16/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
new file mode 100644
index 0000000..5ee8236
--- /dev/null
+++ b/queue-3.16/arm-am43xx-hwmod-fix-rstst-register-offset-for-pruss.patch
@@ -0,0 +1,40 @@
+From: Keerthy <j-keerthy@ti.com>
+Date: Mon, 20 Jun 2016 09:22:25 +0530
+Subject: ARM: AM43XX: hwmod: Fix RSTST register offset for pruss
+
+commit b00ccf5b684992829610d162e78a7836933a1b19 upstream.
+
+pruss hwmod RSTST register wrongly points to PWRSTCTRL register in case of
+am43xx. Fix the RSTST register offset value.
+
+This can lead to setting of wrong power state values for PER domain.
+
+Fixes: 1c7e224d ("ARM: OMAP2+: hwmod: AM335x: runtime register update")
+Signed-off-by: Keerthy <j-keerthy@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c | 1 +
+ arch/arm/mach-omap2/prcm43xx.h                          | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_33xx_43xx_ipblock_data.c
+@@ -1460,6 +1460,7 @@ static void omap_hwmod_am43xx_rst(void)
+ {
+ 	RSTCTRL(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTCTRL_OFFSET);
+ 	RSTCTRL(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTCTRL_OFFSET);
++	RSTST(am33xx_pruss_hwmod, AM43XX_RM_PER_RSTST_OFFSET);
+ 	RSTST(am33xx_gfx_hwmod, AM43XX_RM_GFX_RSTST_OFFSET);
+ }
+ 
+--- a/arch/arm/mach-omap2/prcm43xx.h
++++ b/arch/arm/mach-omap2/prcm43xx.h
+@@ -32,6 +32,7 @@
+ 
+ /* RM RSTST offsets */
+ #define AM43XX_RM_GFX_RSTST_OFFSET			0x0014
++#define AM43XX_RM_PER_RSTST_OFFSET			0x0014
+ #define AM43XX_RM_WKUP_RSTST_OFFSET			0x0014
+ 
+ /* CM instances */
diff --git a/queue-3.16/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch b/queue-3.16/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
new file mode 100644
index 0000000..6ed32e0
--- /dev/null
+++ b/queue-3.16/arm-kirkwood-ib62x0-fix-size-of-u-boot-environment-partition.patch
@@ -0,0 +1,36 @@
+From: Simon Baatz <gmbnomis@gmail.com>
+Date: Fri, 12 Aug 2016 19:12:50 +0200
+Subject: ARM: kirkwood: ib62x0: fix size of u-boot environment partition
+
+commit a778937888867aac17a33887d1c429120790fbc2 upstream.
+
+Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment
+partition") split the "u-boot" partition into "u-boot" and "u-boot
+environment".  However, instead of the size of the environment, an offset
+was given, resulting in overlapping partitions.
+
+Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
+Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition")
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Gregory Clement <gregory.clement@free-electrons.com>
+Cc: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
+Cc: Luka Perkov <luka@openwrt.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/boot/dts/kirkwood-ib62x0.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/kirkwood-ib62x0.dts
++++ b/arch/arm/boot/dts/kirkwood-ib62x0.dts
+@@ -113,7 +113,7 @@
+ 
+ 	partition@e0000 {
+ 		label = "u-boot environment";
+-		reg = <0xe0000 0x100000>;
++		reg = <0xe0000 0x20000>;
+ 	};
+ 
+ 	partition@100000 {
diff --git a/queue-3.16/arm-mvebu-fix-hw-i-o-coherency-related-deadlocks.patch b/queue-3.16/arm-mvebu-fix-hw-i-o-coherency-related-deadlocks.patch
new file mode 100644
index 0000000..7553c4b
--- /dev/null
+++ b/queue-3.16/arm-mvebu-fix-hw-i-o-coherency-related-deadlocks.patch
@@ -0,0 +1,69 @@
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Thu, 16 Jun 2016 15:42:25 +0200
+Subject: ARM: mvebu: fix HW I/O coherency related deadlocks
+
+commit c5379ba8fccd99d5f99632c789f0393d84a57805 upstream.
+
+Until now, our understanding for HW I/O coherency to work on the
+Cortex-A9 based Marvell SoC was that only the PCIe regions should be
+mapped strongly-ordered. However, we were still encountering some
+deadlocks, especially when testing the CESA crypto engine. After
+checking with the HW designers, it was concluded that all the MMIO
+registers should be mapped as strongly ordered for the HW I/O coherency
+mechanism to work properly.
+
+This fixes some easy to reproduce deadlocks with the CESA crypto engine
+driver (dmcrypt on a sufficiently large disk partition).
+
+Tested-by: Terry Stockert <stockert@inkblotadmirer.me>
+Tested-by: Romain Perier <romain.perier@free-electrons.com>
+Cc: Terry Stockert <stockert@inkblotadmirer.me>
+Cc: Romain Perier <romain.perier@free-electrons.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mach-mvebu/coherency.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+--- a/arch/arm/mach-mvebu/coherency.c
++++ b/arch/arm/mach-mvebu/coherency.c
+@@ -315,22 +315,16 @@ static void __init armada_370_coherency_
+ }
+ 
+ /*
+- * This ioremap hook is used on Armada 375/38x to ensure that PCIe
+- * memory areas are mapped as MT_UNCACHED instead of MT_DEVICE. This
+- * is needed as a workaround for a deadlock issue between the PCIe
+- * interface and the cache controller.
++ * This ioremap hook is used on Armada 375/38x to ensure that all MMIO
++ * areas are mapped as MT_UNCACHED instead of MT_DEVICE. This is
++ * needed for the HW I/O coherency mechanism to work properly without
++ * deadlock.
+  */
+ static void __iomem *
+-armada_pcie_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
+-			      unsigned int mtype, void *caller)
++armada_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
++			 unsigned int mtype, void *caller)
+ {
+-	struct resource pcie_mem;
+-
+-	mvebu_mbus_get_pcie_mem_aperture(&pcie_mem);
+-
+-	if (pcie_mem.start <= phys_addr && (phys_addr + size) <= pcie_mem.end)
+-		mtype = MT_UNCACHED;
+-
++	mtype = MT_UNCACHED;
+ 	return __arm_ioremap_caller(phys_addr, size, mtype, caller);
+ }
+ 
+@@ -339,7 +333,7 @@ static void __init armada_375_380_cohere
+ 	struct device_node *cache_dn;
+ 
+ 	coherency_cpu_base = of_iomap(np, 0);
+-	arch_ioremap_caller = armada_pcie_wa_ioremap_caller;
++	arch_ioremap_caller = armada_wa_ioremap_caller;
+ 
+ 	/*
+ 	 * We should switch the PL310 to I/O coherency mode only if
diff --git a/queue-3.16/arm-oabi-compat-add-missing-access-checks.patch b/queue-3.16/arm-oabi-compat-add-missing-access-checks.patch
new file mode 100644
index 0000000..0094770
--- /dev/null
+++ b/queue-3.16/arm-oabi-compat-add-missing-access-checks.patch
@@ -0,0 +1,45 @@
+From: Dave Weinstein <olorin@google.com>
+Date: Thu, 28 Jul 2016 11:55:41 -0700
+Subject: arm: oabi compat: add missing access checks
+
+commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.
+
+Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
+This fixes CVE-2016-3857, a local privilege escalation under
+CONFIG_OABI_COMPAT.
+
+Reported-by: Chiachih Wu <wuchiachih@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Dave Weinstein <olorin@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -279,8 +279,12 @@ asmlinkage long sys_oabi_epoll_wait(int
+ 	mm_segment_t fs;
+ 	long ret, err, i;
+ 
+-	if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++	if (maxevents <= 0 ||
++			maxevents > (INT_MAX/sizeof(*kbuf)) ||
++			maxevents > (INT_MAX/sizeof(*events)))
+ 		return -EINVAL;
++	if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++		return -EFAULT;
+ 	kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+ 	if (!kbuf)
+ 		return -ENOMEM;
+@@ -317,6 +321,8 @@ asmlinkage long sys_oabi_semtimedop(int
+ 
+ 	if (nsops < 1 || nsops > SEMOPM)
+ 		return -EINVAL;
++	if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++		return -EFAULT;
+ 	sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ 	if (!sops)
+ 		return -ENOMEM;
diff --git a/queue-3.16/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch b/queue-3.16/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
new file mode 100644
index 0000000..00f57f1
--- /dev/null
+++ b/queue-3.16/arm-omap3-hwmod-data-add-sysc-information-for-dsi.patch
@@ -0,0 +1,44 @@
+From: Sebastian Reichel <sre@kernel.org>
+Date: Fri, 24 Jun 2016 03:59:33 +0200
+Subject: ARM: OMAP3: hwmod data: Add sysc information for DSI
+
+commit b46211d6dcfb81a8af66b8684a42d629183670d4 upstream.
+
+Add missing sysconfig/sysstatus information
+to OMAP3 hwmod. The information has been
+checked against OMAP34xx and OMAP36xx TRM.
+
+Without this change DSI block is not reset
+during boot, which is required for working
+Nokia N950 display.
+
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
++++ b/arch/arm/mach-omap2/omap_hwmod_3xxx_data.c
+@@ -724,8 +724,20 @@ static struct omap_hwmod omap3xxx_dss_di
+  * display serial interface controller
+  */
+ 
++static struct omap_hwmod_class_sysconfig omap3xxx_dsi_sysc = {
++	.rev_offs	= 0x0000,
++	.sysc_offs	= 0x0010,
++	.syss_offs	= 0x0014,
++	.sysc_flags	= (SYSC_HAS_AUTOIDLE | SYSC_HAS_CLOCKACTIVITY |
++			   SYSC_HAS_ENAWAKEUP | SYSC_HAS_SIDLEMODE |
++			   SYSC_HAS_SOFTRESET | SYSS_HAS_RESET_STATUS),
++	.idlemodes	= (SIDLE_FORCE | SIDLE_NO | SIDLE_SMART),
++	.sysc_fields	= &omap_hwmod_sysc_type1,
++};
++
+ static struct omap_hwmod_class omap3xxx_dsi_hwmod_class = {
+ 	.name = "dsi",
++	.sysc	= &omap3xxx_dsi_sysc,
+ };
+ 
+ static struct omap_hwmod_irq_info omap3xxx_dsi1_irqs[] = {
diff --git a/queue-3.16/arm-sa1100-clear-reset-status-prior-to-reboot.patch b/queue-3.16/arm-sa1100-clear-reset-status-prior-to-reboot.patch
new file mode 100644
index 0000000..867c0af
--- /dev/null
+++ b/queue-3.16/arm-sa1100-clear-reset-status-prior-to-reboot.patch
@@ -0,0 +1,36 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 19 Aug 2016 16:34:45 +0100
+Subject: ARM: sa1100: clear reset status prior to reboot
+
+commit da60626e7d02a4f385cae80e450afc8b07035368 upstream.
+
+Clear the current reset status prior to rebooting the platform.  This
+adds the bit missing from 04fef228fb00 ("[ARM] pxa: introduce
+reset_status and clear_reset_status for driver's usage").
+
+Fixes: 04fef228fb00 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/mach-sa1100/generic.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/mach-sa1100/generic.c
++++ b/arch/arm/mach-sa1100/generic.c
+@@ -31,6 +31,7 @@
+ 
+ #include <mach/hardware.h>
+ #include <mach/irqs.h>
++#include <mach/reset.h>
+ 
+ #include "generic.h"
+ 
+@@ -91,6 +92,8 @@ static void sa1100_power_off(void)
+ 
+ void sa11x0_restart(enum reboot_mode mode, const char *cmd)
+ {
++	clear_reset_status(RESET_STATUS_ALL);
++
+ 	if (mode == REBOOT_SOFT) {
+ 		/* Jump into ROM at address 0 */
+ 		soft_restart(0);
diff --git a/queue-3.16/arm-sa1111-fix-pcmcia-suspend-resume.patch b/queue-3.16/arm-sa1111-fix-pcmcia-suspend-resume.patch
new file mode 100644
index 0000000..83dda1d
--- /dev/null
+++ b/queue-3.16/arm-sa1111-fix-pcmcia-suspend-resume.patch
@@ -0,0 +1,108 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 6 Sep 2016 14:34:05 +0100
+Subject: ARM: sa1111: fix pcmcia suspend/resume
+
+commit 06dfe5cc0cc684e735cb0232fdb756d30780b05d upstream.
+
+SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for
+the PCMCIA socket class.  PCMCIA used to handle suspend/resume via the
+socket hosting device, which happened at normal device suspend/resume
+time.
+
+However, the referenced commit changed this: much of the resume now
+happens much earlier, in the noirq resume handler of dev_pm_ops.
+
+However, on SA1111, the PCMCIA device is not accessible as the SA1111
+has not been resumed at _noirq time.  It's slightly worse than that,
+because the SA1111 has already been put to sleep at _noirq time, so
+suspend doesn't work properly.
+
+Fix this by converting the core SA1111 code to use dev_pm_ops as well,
+and performing its own suspend/resume at noirq time.
+
+This fixes these errors in the kernel log:
+
+pcmcia_socket pcmcia_socket0: time out after reset
+pcmcia_socket pcmcia_socket1: time out after reset
+
+and the resulting lack of PCMCIA cards after a S2RAM cycle.
+
+Fixes: d7646f7632549 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/common/sa1111.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/arch/arm/common/sa1111.c
++++ b/arch/arm/common/sa1111.c
+@@ -872,9 +872,9 @@ struct sa1111_save_data {
+ 
+ #ifdef CONFIG_PM
+ 
+-static int sa1111_suspend(struct platform_device *dev, pm_message_t state)
++static int sa1111_suspend_noirq(struct device *dev)
+ {
+-	struct sa1111 *sachip = platform_get_drvdata(dev);
++	struct sa1111 *sachip = dev_get_drvdata(dev);
+ 	struct sa1111_save_data *save;
+ 	unsigned long flags;
+ 	unsigned int val;
+@@ -937,9 +937,9 @@ static int sa1111_suspend(struct platfor
+  *	restored by their respective drivers, and must be called
+  *	via LDM after this function.
+  */
+-static int sa1111_resume(struct platform_device *dev)
++static int sa1111_resume_noirq(struct device *dev)
+ {
+-	struct sa1111 *sachip = platform_get_drvdata(dev);
++	struct sa1111 *sachip = dev_get_drvdata(dev);
+ 	struct sa1111_save_data *save;
+ 	unsigned long flags, id;
+ 	void __iomem *base;
+@@ -955,7 +955,7 @@ static int sa1111_resume(struct platform
+ 	id = sa1111_readl(sachip->base + SA1111_SKID);
+ 	if ((id & SKID_ID_MASK) != SKID_SA1111_ID) {
+ 		__sa1111_remove(sachip);
+-		platform_set_drvdata(dev, NULL);
++		dev_set_drvdata(dev, NULL);
+ 		kfree(save);
+ 		return 0;
+ 	}
+@@ -1006,8 +1006,8 @@ static int sa1111_resume(struct platform
+ }
+ 
+ #else
+-#define sa1111_suspend NULL
+-#define sa1111_resume  NULL
++#define sa1111_suspend_noirq NULL
++#define sa1111_resume_noirq  NULL
+ #endif
+ 
+ static int sa1111_probe(struct platform_device *pdev)
+@@ -1041,6 +1041,11 @@ static int sa1111_remove(struct platform
+ 	return 0;
+ }
+ 
++static struct dev_pm_ops sa1111_pm_ops = {
++	.suspend_noirq = sa1111_suspend_noirq,
++	.resume_noirq = sa1111_resume_noirq,
++};
++
+ /*
+  *	Not sure if this should be on the system bus or not yet.
+  *	We really want some way to register a system device at
+@@ -1053,11 +1058,10 @@ static int sa1111_remove(struct platform
+ static struct platform_driver sa1111_device_driver = {
+ 	.probe		= sa1111_probe,
+ 	.remove		= sa1111_remove,
+-	.suspend	= sa1111_suspend,
+-	.resume		= sa1111_resume,
+ 	.driver		= {
+ 		.name	= "sa1111",
+ 		.owner	= THIS_MODULE,
++		.pm	= &sa1111_pm_ops,
+ 	},
+ };
+ 
diff --git a/queue-3.16/arm64-debug-unmask-pstate.d-earlier.patch b/queue-3.16/arm64-debug-unmask-pstate.d-earlier.patch
new file mode 100644
index 0000000..626fbb8
--- /dev/null
+++ b/queue-3.16/arm64-debug-unmask-pstate.d-earlier.patch
@@ -0,0 +1,85 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 19 Jul 2016 15:07:37 +0100
+Subject: arm64: debug: unmask PSTATE.D earlier
+
+commit 2ce39ad15182604beb6c8fa8bed5e46b59fd1082 upstream.
+
+Clearing PSTATE.D is one of the requirements for generating a debug
+exception. The arm64 booting protocol requires that PSTATE.D is set,
+since many of the debug registers (for example, the hw_breakpoint
+registers) are UNKNOWN out of reset and could potentially generate
+spurious, fatal debug exceptions in early boot code if PSTATE.D was
+clear. Once the debug registers have been safely initialised, PSTATE.D
+is cleared, however this is currently broken for two reasons:
+
+(1) The boot CPU clears PSTATE.D in a postcore_initcall and secondary
+    CPUs clear PSTATE.D in secondary_start_kernel. Since the initcall
+    runs after SMP (and the scheduler) have been initialised, there is
+    no guarantee that it is actually running on the boot CPU. In this
+    case, the boot CPU is left with PSTATE.D set and is not capable of
+    generating debug exceptions.
+
+(2) In a preemptible kernel, we may explicitly schedule on the IRQ
+    return path to EL1. If an IRQ occurs with PSTATE.D set in the idle
+    thread, then we may schedule the kthread_init thread, run the
+    postcore_initcall to clear PSTATE.D and then context switch back
+    to the idle thread before returning from the IRQ. The exception
+    return path will then restore PSTATE.D from the stack, and set it
+    again.
+
+This patch fixes the problem by moving the clearing of PSTATE.D earlier
+to proc.S. This has the desirable effect of clearing it in one place for
+all CPUs, long before we have to worry about the scheduler or any
+exception handling. We ensure that the previous reset of MDSCR_EL1 has
+completed before unmasking the exception, so that any spurious
+exceptions resulting from UNKNOWN debug registers are not generated.
+
+Without this patch applied, the kprobes selftests have been seen to fail
+under KVM, where we end up attempting to step the OOL instruction buffer
+with PSTATE.D set and therefore fail to complete the step.
+
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Catalin Marinas <catalin.marinas@arm.com>
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Tested-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm64/kernel/debug-monitors.c | 1 -
+ arch/arm64/kernel/smp.c            | 1 -
+ arch/arm64/mm/proc.S               | 2 ++
+ 3 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -159,7 +159,6 @@ static int debug_monitors_init(void)
+ 	/* Clear the OS lock. */
+ 	on_each_cpu(clear_os_lock, NULL, 1);
+ 	isb();
+-	local_dbg_enable();
+ 
+ 	/* Register hotplug handler. */
+ 	__register_cpu_notifier(&os_lock_nb);
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -174,7 +174,6 @@ asmlinkage void secondary_start_kernel(v
+ 	set_cpu_online(cpu, true);
+ 	complete(&cpu_running);
+ 
+-	local_dbg_enable();
+ 	local_irq_enable();
+ 	local_async_enable();
+ 
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -189,6 +189,8 @@ ENTRY(__cpu_setup)
+ 	msr	cpacr_el1, x0			// Enable FP/ASIMD
+ 	mov	x0, #1 << 12			// Reset mdscr_el1 and disable
+ 	msr	mdscr_el1, x0			// access to the DCC from EL0
++	isb					// Unmask debug exceptions now,
++	enable_dbg				// since this is per-cpu
+ 	reset_pmuserenr_el0 x0			// Disable PMU access from EL0
+ 	/*
+ 	 * Memory region attributes for LPAE:
diff --git a/queue-3.16/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch b/queue-3.16/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
new file mode 100644
index 0000000..60e6405
--- /dev/null
+++ b/queue-3.16/arm64-define-at_vector_size_arch-for-arch_dlinfo.patch
@@ -0,0 +1,48 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Mon, 25 Jul 2016 16:59:52 +0100
+Subject: arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
+
+commit 3146bc64d12377a74dbda12b96ea32da3774ae07 upstream.
+
+AT_VECTOR_SIZE_ARCH should be defined with the maximum number of
+NEW_AUX_ENT entries that ARCH_DLINFO can contain, but it wasn't defined
+for arm64 at all even though ARCH_DLINFO will contain one NEW_AUX_ENT
+for the VDSO address.
+
+This shouldn't be a problem as AT_VECTOR_SIZE_BASE includes space for
+AT_BASE_PLATFORM which arm64 doesn't use, but lets define it now and add
+the comment above ARCH_DLINFO as found in several other architectures to
+remind future modifiers of ARCH_DLINFO to keep AT_VECTOR_SIZE_ARCH up to
+date.
+
+Fixes: f668cd1673aa ("arm64: ELF definitions")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm64/include/asm/elf.h         | 1 +
+ arch/arm64/include/uapi/asm/auxvec.h | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/arch/arm64/include/asm/elf.h
++++ b/arch/arm64/include/asm/elf.h
+@@ -137,6 +137,7 @@ extern unsigned long randomize_et_dyn(un
+ 
+ #define SET_PERSONALITY(ex)		clear_thread_flag(TIF_32BIT);
+ 
++/* update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT entries changes */
+ #define ARCH_DLINFO							\
+ do {									\
+ 	NEW_AUX_ENT(AT_SYSINFO_EHDR,					\
+--- a/arch/arm64/include/uapi/asm/auxvec.h
++++ b/arch/arm64/include/uapi/asm/auxvec.h
+@@ -19,4 +19,6 @@
+ /* vDSO location */
+ #define AT_SYSINFO_EHDR	33
+ 
++#define AT_VECTOR_SIZE_ARCH 1 /* entries in ARCH_DLINFO */
++
+ #endif
diff --git a/queue-3.16/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch b/queue-3.16/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch
new file mode 100644
index 0000000..1d24561
--- /dev/null
+++ b/queue-3.16/arm64-spinlocks-implement-smp_mb__before_spinlock-as-smp_mb.patch
@@ -0,0 +1,43 @@
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 5 Sep 2016 11:56:05 +0100
+Subject: arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
+
+commit 872c63fbf9e153146b07f0cece4da0d70b283eeb upstream.
+
+smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
+to a full barrier, such that prior stores are ordered with respect to
+loads and stores occuring inside the critical section.
+
+Unfortunately, the core code defines the barrier as smp_wmb(), which
+is insufficient to provide the required ordering guarantees when used in
+conjunction with our load-acquire-based spinlock implementation.
+
+This patch overrides the arm64 definition of smp_mb__before_spinlock()
+to map to a full smp_mb().
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Reported-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm64/include/asm/spinlock.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm64/include/asm/spinlock.h
++++ b/arch/arm64/include/asm/spinlock.h
+@@ -231,4 +231,14 @@ static inline int arch_read_trylock(arch
+ #define arch_read_relax(lock)	cpu_relax()
+ #define arch_write_relax(lock)	cpu_relax()
+ 
++/*
++ * Accesses appearing in program order before a spin_lock() operation
++ * can be reordered with accesses inside the critical section, by virtue
++ * of arch_spin_lock being constructed using acquire semantics.
++ *
++ * In cases where this is problematic (e.g. try_to_wake_up), an
++ * smp_mb__before_spinlock() can restore the required ordering.
++ */
++#define smp_mb__before_spinlock()	smp_mb()
++
+ #endif /* __ASM_SPINLOCK_H */
diff --git a/queue-3.16/asm-generic-make-copy_from_user-zero-the-destination-properly.patch b/queue-3.16/asm-generic-make-copy_from_user-zero-the-destination-properly.patch
new file mode 100644
index 0000000..4c744ba
--- /dev/null
+++ b/queue-3.16/asm-generic-make-copy_from_user-zero-the-destination-properly.patch
@@ -0,0 +1,38 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 16:36:37 -0400
+Subject: asm-generic: make copy_from_user() zero the destination properly
+
+commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.
+
+... in all cases, including the failing access_ok()
+
+Note that some architectures using asm-generic/uaccess.h have
+__copy_from_user() not zeroing the tail on failure halfway
+through.  This variant works either way.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/asm-generic/uaccess.h | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -255,11 +255,13 @@ extern int __get_user_bad(void) __attrib
+ static inline long copy_from_user(void *to,
+ 		const void __user * from, unsigned long n)
+ {
++	unsigned long res = n;
+ 	might_fault();
+-	if (access_ok(VERIFY_READ, from, n))
+-		return __copy_from_user(to, from, n);
+-	else
+-		return n;
++	if (likely(access_ok(VERIFY_READ, from, n)))
++		res = __copy_from_user(to, from, n);
++	if (unlikely(res))
++		memset(to + (n - res), 0, res);
++	return res;
+ }
+ 
+ static inline long copy_to_user(void __user *to,
diff --git a/queue-3.16/asm-generic-make-get_user-clear-the-destination-on-errors.patch b/queue-3.16/asm-generic-make-get_user-clear-the-destination-on-errors.patch
new file mode 100644
index 0000000..fb2cc1a
--- /dev/null
+++ b/queue-3.16/asm-generic-make-get_user-clear-the-destination-on-errors.patch
@@ -0,0 +1,39 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 23:19:01 -0400
+Subject: asm-generic: make get_user() clear the destination on errors
+
+commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.
+
+both for access_ok() failures and for faults halfway through
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/asm-generic/uaccess.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -228,14 +228,18 @@ extern int __put_user_bad(void) __attrib
+ 	might_fault();						\
+ 	access_ok(VERIFY_READ, ptr, sizeof(*ptr)) ?		\
+ 		__get_user(x, ptr) :				\
+-		-EFAULT;					\
++		((x) = (__typeof__(*(ptr)))0,-EFAULT);		\
+ })
+ 
+ #ifndef __get_user_fn
+ static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
+ {
+-	size = __copy_from_user(x, ptr, size);
+-	return size ? -EFAULT : size;
++	size_t n = __copy_from_user(x, ptr, size);
++	if (unlikely(n)) {
++		memset(x + (size - n), 0, n);
++		return -EFAULT;
++	}
++	return 0;
+ }
+ 
+ #define __get_user_fn(sz, u, k)	__get_user_fn(sz, u, k)
diff --git a/queue-3.16/asoc-omap-mcpdm-fix-irq-resource-handling.patch b/queue-3.16/asoc-omap-mcpdm-fix-irq-resource-handling.patch
new file mode 100644
index 0000000..413a14b
--- /dev/null
+++ b/queue-3.16/asoc-omap-mcpdm-fix-irq-resource-handling.patch
@@ -0,0 +1,41 @@
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Tue, 23 Aug 2016 10:27:19 +0300
+Subject: ASoC: omap-mcpdm: Fix irq resource handling
+
+commit a8719670687c46ed2e904c0d05fa4cd7e4950cd1 upstream.
+
+Fixes: ddd17531ad908 ("ASoC: omap-mcpdm: Clean up with devm_* function")
+
+Managed irq request will not doing any good in ASoC probe level as it is
+not going to free up the irq when the driver is unbound from the sound
+card.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Reported-by: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ sound/soc/omap/omap-mcpdm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/omap/omap-mcpdm.c
++++ b/sound/soc/omap/omap-mcpdm.c
+@@ -390,8 +390,8 @@ static int omap_mcpdm_probe(struct snd_s
+ 	pm_runtime_get_sync(mcpdm->dev);
+ 	omap_mcpdm_write(mcpdm, MCPDM_REG_CTRL, 0x00);
+ 
+-	ret = devm_request_irq(mcpdm->dev, mcpdm->irq, omap_mcpdm_irq_handler,
+-				0, "McPDM", (void *)mcpdm);
++	ret = request_irq(mcpdm->irq, omap_mcpdm_irq_handler, 0, "McPDM",
++			  (void *)mcpdm);
+ 
+ 	pm_runtime_put_sync(mcpdm->dev);
+ 
+@@ -416,6 +416,7 @@ static int omap_mcpdm_remove(struct snd_
+ {
+ 	struct omap_mcpdm *mcpdm = snd_soc_dai_get_drvdata(dai);
+ 
++	free_irq(mcpdm->irq, (void *)mcpdm);
+ 	pm_runtime_disable(mcpdm->dev);
+ 
+ 	return 0;
diff --git a/queue-3.16/ath9k-fix-programming-of-mincca-power-threshold.patch b/queue-3.16/ath9k-fix-programming-of-mincca-power-threshold.patch
new file mode 100644
index 0000000..56f5881
--- /dev/null
+++ b/queue-3.16/ath9k-fix-programming-of-mincca-power-threshold.patch
@@ -0,0 +1,32 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 29 Jun 2016 19:29:30 +0300
+Subject: ath9k: Fix programming of minCCA power threshold
+
+commit aaab50fcea78ae3414c3afc25aae8d0603df34d0 upstream.
+
+The function ar9003_hw_apply_minccapwr_thresh takes as second parameter not
+a pointer to the channel but a boolean value describing whether the channel
+is 2.4GHz or not. This broke (according to the origin commit) the ETSI
+regulatory compliance on 5GHz channels.
+
+Fixes: 3533bf6b15a0 ("ath9k: Fix regulatory compliance")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Cc: Simon Wunderlich <sw@simonwunderlich.de>
+Cc: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -4169,7 +4169,7 @@ static void ath9k_hw_ar9300_set_board_va
+ 	if (!AR_SREV_9330(ah) && !AR_SREV_9340(ah) && !AR_SREV_9531(ah))
+ 		ar9003_hw_internal_regulator_apply(ah);
+ 	ar9003_hw_apply_tuning_caps(ah);
+-	ar9003_hw_apply_minccapwr_thresh(ah, chan);
++	ar9003_hw_apply_minccapwr_thresh(ah, is2ghz);
+ 	ar9003_hw_txend_to_xpa_off_apply(ah, is2ghz);
+ 	ar9003_hw_thermometer_apply(ah);
+ 	ar9003_hw_thermo_cal_apply(ah);
diff --git a/queue-3.16/avr32-fix-copy_from_user.patch b/queue-3.16/avr32-fix-copy_from_user.patch
new file mode 100644
index 0000000..acabcc2
--- /dev/null
+++ b/queue-3.16/avr32-fix-copy_from_user.patch
@@ -0,0 +1,72 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:28:23 -0400
+Subject: avr32: fix copy_from_user()
+
+commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.
+
+really ugly, but apparently avr32 compilers turns access_ok() into
+something so bad that they want it in assembler.  Left that way,
+zeroing added in inline wrapper.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/avr32/include/asm/uaccess.h | 11 ++++++++++-
+ arch/avr32/kernel/avr32_ksyms.c  |  2 +-
+ arch/avr32/lib/copy_user.S       |  4 ++--
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/arch/avr32/include/asm/uaccess.h
++++ b/arch/avr32/include/asm/uaccess.h
+@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void
+ 
+ extern __kernel_size_t copy_to_user(void __user *to, const void *from,
+ 				    __kernel_size_t n);
+-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
+ 				      __kernel_size_t n);
+ 
+ static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
+@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro
+ {
+ 	return __copy_user(to, (const void __force *)from, n);
+ }
++static inline __kernel_size_t copy_from_user(void *to,
++					       const void __user *from,
++					       __kernel_size_t n)
++{
++	size_t res = ___copy_from_user(to, from, n);
++	if (unlikely(res))
++		memset(to + (n - res), 0, res);
++	return res;
++}
+ 
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+--- a/arch/avr32/kernel/avr32_ksyms.c
++++ b/arch/avr32/kernel/avr32_ksyms.c
+@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
+ /*
+  * Userspace access stuff.
+  */
+-EXPORT_SYMBOL(copy_from_user);
++EXPORT_SYMBOL(___copy_from_user);
+ EXPORT_SYMBOL(copy_to_user);
+ EXPORT_SYMBOL(__copy_user);
+ EXPORT_SYMBOL(strncpy_from_user);
+--- a/arch/avr32/lib/copy_user.S
++++ b/arch/avr32/lib/copy_user.S
+@@ -25,11 +25,11 @@
+ 	.align	1
+ 	.global	copy_from_user
+ 	.type	copy_from_user, @function
+-copy_from_user:
++___copy_from_user:
+ 	branch_if_kernel r8, __copy_user
+ 	ret_if_privileged r8, r11, r10, r10
+ 	rjmp	__copy_user
+-	.size	copy_from_user, . - copy_from_user
++	.size	___copy_from_user, . - ___copy_from_user
+ 
+ 	.global	copy_to_user
+ 	.type	copy_to_user, @function
diff --git a/queue-3.16/avr32-fix-undefined-reference-to-___copy_from_user.patch b/queue-3.16/avr32-fix-undefined-reference-to-___copy_from_user.patch
new file mode 100644
index 0000000..7a1fdce
--- /dev/null
+++ b/queue-3.16/avr32-fix-undefined-reference-to-___copy_from_user.patch
@@ -0,0 +1,44 @@
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sat, 17 Sep 2016 07:52:49 -0700
+Subject: avr32: fix 'undefined reference to `___copy_from_user'
+
+commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 upstream.
+
+avr32 builds fail with:
+
+arch/avr32/kernel/built-in.o: In function `arch_ptrace':
+(.text+0x650): undefined reference to `___copy_from_user'
+arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined
+reference to `___copy_from_user'
+kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax':
+(.text+0x5dd8): undefined reference to `___copy_from_user'
+kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin':
+sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user'
+kernel/built-in.o: In function `ptrace_has_cap':
+ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user'
+kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to
+`___copy_from_user' follow
+
+Fixes: 8630c32275ba ("avr32: fix copy_from_user()")
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Acked-by: Havard Skinnemoen <hskinnemoen@gmail.com>
+Acked-by: Hans-Christian Noren Egtvedt <egtvedt@samfundet.no>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/avr32/lib/copy_user.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/avr32/lib/copy_user.S
++++ b/arch/avr32/lib/copy_user.S
+@@ -23,8 +23,8 @@
+ 	 */
+ 	.text
+ 	.align	1
+-	.global	copy_from_user
+-	.type	copy_from_user, @function
++	.global	___copy_from_user
++	.type	___copy_from_user, @function
+ ___copy_from_user:
+ 	branch_if_kernel r8, __copy_user
+ 	ret_if_privileged r8, r11, r10, r10
diff --git a/queue-3.16/avr32-off-by-one-in-at32_init_pio.patch b/queue-3.16/avr32-off-by-one-in-at32_init_pio.patch
new file mode 100644
index 0000000..003437c
--- /dev/null
+++ b/queue-3.16/avr32-off-by-one-in-at32_init_pio.patch
@@ -0,0 +1,27 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 13 Jul 2016 13:08:55 +0300
+Subject: avr32: off by one in at32_init_pio()
+
+commit 55f1cf83d5cf885c75267269729805852039c834 upstream.
+
+The pio_dev[] array has MAX_NR_PIO_DEVICES elements so the > should be
+>=.
+
+Fixes: 5f97f7f9400d ('[PATCH] avr32 architecture')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/avr32/mach-at32ap/pio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/avr32/mach-at32ap/pio.c
++++ b/arch/avr32/mach-at32ap/pio.c
+@@ -435,7 +435,7 @@ void __init at32_init_pio(struct platfor
+ 	struct resource *regs;
+ 	struct pio_device *pio;
+ 
+-	if (pdev->id > MAX_NR_PIO_DEVICES) {
++	if (pdev->id >= MAX_NR_PIO_DEVICES) {
+ 		dev_err(&pdev->dev, "only %d PIO devices supported\n",
+ 			MAX_NR_PIO_DEVICES);
+ 		return;
diff --git a/queue-3.16/balloon-check-the-number-of-available-pages-in-leak-balloon.patch b/queue-3.16/balloon-check-the-number-of-available-pages-in-leak-balloon.patch
new file mode 100644
index 0000000..8b5640a
--- /dev/null
+++ b/queue-3.16/balloon-check-the-number-of-available-pages-in-leak-balloon.patch
@@ -0,0 +1,36 @@
+From: Konstantin Neumoin <kneumoin@virtuozzo.com>
+Date: Mon, 11 Jul 2016 15:28:59 +0300
+Subject: balloon: check the number of available pages in leak balloon
+
+commit 37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711 upstream.
+
+The balloon has a special mechanism that is subscribed to the oom
+notification which leads to deflation for a fixed number of pages.
+The number is always fixed even when the balloon is fully deflated.
+But leak_balloon did not expect that the pages to deflate will be more
+than taken, and raise a "BUG" in balloon_page_dequeue when page list
+will be empty.
+
+So, the simplest solution would be to check that the number of releases
+pages is less or equal to the number taken pages.
+
+Signed-off-by: Konstantin Neumoin <kneumoin@virtuozzo.com>
+Signed-off-by: Denis V. Lunev <den@openvz.org>
+CC: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/virtio/virtio_balloon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -177,6 +177,8 @@ static void leak_balloon(struct virtio_b
+ 	num = min(num, ARRAY_SIZE(vb->pfns));
+ 
+ 	mutex_lock(&vb->balloon_lock);
++	/* We can't release more pages than taken */
++	num = min(num, (size_t)vb->num_pages);
+ 	for (vb->num_pfns = 0; vb->num_pfns < num;
+ 	     vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) {
+ 		page = balloon_page_dequeue(vb_dev_info);
diff --git a/queue-3.16/batman-adv-add-missing-refcnt-for-last_candidate.patch b/queue-3.16/batman-adv-add-missing-refcnt-for-last_candidate.patch
new file mode 100644
index 0000000..c507c4b
--- /dev/null
+++ b/queue-3.16/batman-adv-add-missing-refcnt-for-last_candidate.patch
@@ -0,0 +1,77 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 6 Aug 2016 15:50:52 +0200
+Subject: batman-adv: Add missing refcnt for last_candidate
+
+commit 936523441bb64cdc9a5b263e8fd2782e70313a57 upstream.
+
+batadv_find_router dereferences last_bonding_candidate from
+orig_node without making sure that it has a valid reference. This reference
+has to be retrieved by increasing the reference counter while holding
+neigh_list_lock. The lock is required to avoid that
+batadv_last_bonding_replace removes the current last_bonding_candidate,
+reduces the reference counter and maybe destroys the object in this
+process.
+
+Fixes: f3b3d9018975 ("batman-adv: add bonding again")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[bwh: Backported to 3.16:
+ - s/kref_get/atomic_inc/
+ - s/_put/_free_ref/]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/routing.c | 28 +++++++++++++++++++++++++++-
+ 1 file changed, 27 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -425,6 +425,29 @@ static int batadv_check_unicast_packet(s
+ }
+ 
+ /**
++ * batadv_last_bonding_get - Get last_bonding_candidate of orig_node
++ * @orig_node: originator node whose last bonding candidate should be retrieved
++ *
++ * Return: last bonding candidate of router or NULL if not found
++ *
++ * The object is returned with refcounter increased by 1.
++ */
++static struct batadv_orig_ifinfo *
++batadv_last_bonding_get(struct batadv_orig_node *orig_node)
++{
++	struct batadv_orig_ifinfo *last_bonding_candidate;
++
++	spin_lock_bh(&orig_node->neigh_list_lock);
++	last_bonding_candidate = orig_node->last_bonding_candidate;
++
++	if (last_bonding_candidate)
++		atomic_inc(&last_bonding_candidate->refcount);
++	spin_unlock_bh(&orig_node->neigh_list_lock);
++
++	return last_bonding_candidate;
++}
++
++/**
+  * batadv_last_bonding_replace - Replace last_bonding_candidate of orig_node
+  * @orig_node: originator node whose bonding candidates should be replaced
+  * @new_candidate: new bonding candidate or NULL
+@@ -492,7 +515,7 @@ batadv_find_router(struct batadv_priv *b
+ 	 * router - obviously there are no other candidates.
+ 	 */
+ 	rcu_read_lock();
+-	last_candidate = orig_node->last_bonding_candidate;
++	last_candidate = batadv_last_bonding_get(orig_node);
+ 	if (last_candidate)
+ 		last_cand_router = rcu_dereference(last_candidate->router);
+ 
+@@ -584,6 +607,9 @@ next:
+ 		batadv_orig_ifinfo_free_ref(next_candidate);
+ 	}
+ 
++	if (last_candidate)
++		batadv_orig_ifinfo_free_ref(last_candidate);
++
+ 	return router;
+ }
+ 
diff --git a/queue-3.16/batman-adv-avoid-nullptr-dereference-in-bla-after-vlan_insert_tag.patch b/queue-3.16/batman-adv-avoid-nullptr-dereference-in-bla-after-vlan_insert_tag.patch
new file mode 100644
index 0000000..d35c2af
--- /dev/null
+++ b/queue-3.16/batman-adv-avoid-nullptr-dereference-in-bla-after-vlan_insert_tag.patch
@@ -0,0 +1,35 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 2 Jul 2016 09:52:13 +0200
+Subject: batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
+
+commit 10c78f5854d361ded4736c1831948e0a5f67b932 upstream.
+
+vlan_insert_tag can return NULL on errors. The bridge loop avoidance code
+therefore has to check the return value of vlan_insert_tag for NULL before
+it can safely operate on this pointer.
+
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -338,9 +338,12 @@ static void batadv_bla_send_claim(struct
+ 		break;
+ 	}
+ 
+-	if (vid & BATADV_VLAN_HAS_TAG)
++	if (vid & BATADV_VLAN_HAS_TAG) {
+ 		skb = vlan_insert_tag(skb, htons(ETH_P_8021Q),
+ 				      vid & VLAN_VID_MASK);
++		if (!skb)
++			goto out;
++	}
+ 
+ 	skb_reset_mac_header(skb);
+ 	skb->protocol = eth_type_trans(skb, soft_iface);
diff --git a/queue-3.16/batman-adv-avoid-nullptr-dereference-in-dat-after-vlan_insert_tag.patch b/queue-3.16/batman-adv-avoid-nullptr-dereference-in-dat-after-vlan_insert_tag.patch
new file mode 100644
index 0000000..5ad42ff
--- /dev/null
+++ b/queue-3.16/batman-adv-avoid-nullptr-dereference-in-dat-after-vlan_insert_tag.patch
@@ -0,0 +1,49 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sat, 2 Jul 2016 09:52:14 +0200
+Subject: batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
+
+commit 60154a1e0495ffb8343a95cefe1e874634572fa8 upstream.
+
+vlan_insert_tag can return NULL on errors. The distributed arp table code
+therefore has to check the return value of vlan_insert_tag for NULL before
+it can safely operate on this pointer.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/distributed-arp-table.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -959,9 +959,12 @@ bool batadv_dat_snoop_outgoing_arp_reque
+ 		if (!skb_new)
+ 			goto out;
+ 
+-		if (vid & BATADV_VLAN_HAS_TAG)
++		if (vid & BATADV_VLAN_HAS_TAG) {
+ 			skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
+ 						  vid & VLAN_VID_MASK);
++			if (!skb_new)
++				goto out;
++		}
+ 
+ 		skb_reset_mac_header(skb_new);
+ 		skb_new->protocol = eth_type_trans(skb_new,
+@@ -1039,9 +1042,12 @@ bool batadv_dat_snoop_incoming_arp_reque
+ 	 */
+ 	skb_reset_mac_header(skb_new);
+ 
+-	if (vid & BATADV_VLAN_HAS_TAG)
++	if (vid & BATADV_VLAN_HAS_TAG) {
+ 		skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
+ 					  vid & VLAN_VID_MASK);
++		if (!skb_new)
++			goto out;
++	}
+ 
+ 	/* To preserve backwards compatibility, the node has choose the outgoing
+ 	 * format based on the incoming request packet type. The assumption is
diff --git a/queue-3.16/batman-adv-fix-kerneldoc-member-names-in-for-main-structs.patch b/queue-3.16/batman-adv-fix-kerneldoc-member-names-in-for-main-structs.patch
new file mode 100644
index 0000000..b9a4958
--- /dev/null
+++ b/queue-3.16/batman-adv-fix-kerneldoc-member-names-in-for-main-structs.patch
@@ -0,0 +1,67 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 6 Sep 2015 21:38:46 +0200
+Subject: batman-adv: Fix kerneldoc member names in for main structs
+
+commit 006a199d5d1d4e1666b0d8b4f51b5a978ddc6aab upstream.
+
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/types.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -202,12 +202,12 @@ struct batadv_orig_bat_iv {
+  * @primary_addr: hosts primary interface address
+  * @ifinfo_list: list for routers per outgoing interface
+  * @last_bonding_candidate: pointer to last ifinfo of last used router
+- * @batadv_dat_addr_t:  address of the orig node in the distributed hash
++ * @dat_addr: address of the orig node in the distributed hash
+  * @last_seen: time when last packet from this node was received
+  * @bcast_seqno_reset: time when the broadcast seqno window was reset
+  * @mcast_handler_lock: synchronizes mcast-capability and -flag changes
+  * @mcast_flags: multicast flags announced by the orig node
+- * @mcast_want_all_unsnoop_node: a list node for the
++ * @mcast_want_all_unsnoopables_node: a list node for the
+  *  mcast.want_all_unsnoopables list
+  * @mcast_want_all_ipv4_node: a list node for the mcast.want_all_ipv4 list
+  * @mcast_want_all_ipv6_node: a list node for the mcast.want_all_ipv6 list
+@@ -390,7 +390,7 @@ struct batadv_neigh_ifinfo {
+ 
+ /**
+  * struct batadv_bcast_duplist_entry - structure for LAN broadcast suppression
+- * @orig[ETH_ALEN]: mac address of orig node orginating the broadcast
++ * @orig: mac address of orig node orginating the broadcast
+  * @crc: crc32 checksum of broadcast payload
+  * @entrytime: time when the broadcast packet was received
+  */
+@@ -538,7 +538,7 @@ struct batadv_priv_tt {
+ 
+ /**
+  * struct batadv_priv_bla - per mesh interface bridge loope avoidance data
+- * @num_requests; number of bla requests in flight
++ * @num_requests: number of bla requests in flight
+  * @claim_hash: hash table containing mesh nodes this host has claimed
+  * @backbone_hash: hash table containing all detected backbone gateways
+  * @bcast_duplist: recently received broadcast packets array (for broadcast
+@@ -760,7 +760,7 @@ struct batadv_softif_vlan {
+  * @dat: distributed arp table data
+  * @mcast: multicast data
+  * @network_coding: bool indicating whether network coding is enabled
+- * @batadv_priv_nc: network coding data
++ * @nc: network coding data
+  */
+ struct batadv_priv {
+ 	atomic_t mesh_state;
+@@ -892,7 +892,7 @@ struct batadv_bla_backbone_gw {
+  * struct batadv_bla_claim - claimed non-mesh client structure
+  * @addr: mac address of claimed non-mesh client
+  * @vid: vlan id this client was detected on
+- * @batadv_bla_backbone_gw: pointer to backbone gw claiming this client
++ * @backbone_gw: pointer to backbone gw claiming this client
+  * @lasttime: last time we heard of claim (locals only)
+  * @hash_entry: hlist node for batadv_priv_bla::claim_hash
+  * @refcount: number of contexts the object is used
diff --git a/queue-3.16/batman-adv-fix-non-atomic-bla_claim-backbone_gw-access.patch b/queue-3.16/batman-adv-fix-non-atomic-bla_claim-backbone_gw-access.patch
new file mode 100644
index 0000000..df834d8
--- /dev/null
+++ b/queue-3.16/batman-adv-fix-non-atomic-bla_claim-backbone_gw-access.patch
@@ -0,0 +1,289 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Fri, 1 Jul 2016 15:49:43 +0200
+Subject: batman-adv: Fix non-atomic bla_claim::backbone_gw access
+
+commit 3db0decf1185357d6ab2256d0dede1ca9efda03d upstream.
+
+The pointer batadv_bla_claim::backbone_gw can be changed at any time.
+Therefore, access to it must be protected to ensure that two function
+accessing the same backbone_gw are actually accessing the same. This is
+especially important when the crc_lock is used or when the backbone_gw of a
+claim is exchanged.
+
+Not doing so leads to invalid memory access and/or reference leaks.
+
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Fixes: 5a1dd8a4773d ("batman-adv: lock crc access in bridge loop avoidance")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[bwh: Backported to 3.16:
+ - s/kref_get/atomic_inc/
+ - s/_put/_free_ref/
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 111 ++++++++++++++++++++++++++-------
+ net/batman-adv/types.h                 |   2 +
+ 2 files changed, 90 insertions(+), 23 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -115,7 +115,18 @@ batadv_backbone_gw_free_ref(struct batad
+ /* finally deinitialize the claim */
+ static void batadv_claim_release(struct batadv_bla_claim *claim)
+ {
+-	batadv_backbone_gw_free_ref(claim->backbone_gw);
++	struct batadv_bla_backbone_gw *old_backbone_gw;
++	spin_lock_bh(&claim->backbone_lock);
++	old_backbone_gw = claim->backbone_gw;
++	claim->backbone_gw = NULL;
++	spin_unlock_bh(&claim->backbone_lock);
++
++	spin_lock_bh(&old_backbone_gw->crc_lock);
++	old_backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
++	spin_unlock_bh(&old_backbone_gw->crc_lock);
++
++	batadv_backbone_gw_free_ref(old_backbone_gw);
++
+ 	kfree_rcu(claim, rcu);
+ }
+ 
+@@ -563,8 +574,10 @@ static void batadv_bla_add_claim(struct
+ 				 const uint8_t *mac, const unsigned short vid,
+ 				 struct batadv_bla_backbone_gw *backbone_gw)
+ {
++	struct batadv_bla_backbone_gw *old_backbone_gw;
+ 	struct batadv_bla_claim *claim;
+ 	struct batadv_bla_claim search_claim;
++	bool remove_crc = false;
+ 	int hash_added;
+ 
+ 	ether_addr_copy(search_claim.addr, mac);
+@@ -578,8 +591,10 @@ static void batadv_bla_add_claim(struct
+ 			return;
+ 
+ 		ether_addr_copy(claim->addr, mac);
++		spin_lock_init(&claim->backbone_lock);
+ 		claim->vid = vid;
+ 		claim->lasttime = jiffies;
++		atomic_inc(&backbone_gw->refcount);
+ 		claim->backbone_gw = backbone_gw;
+ 
+ 		atomic_set(&claim->refcount, 2);
+@@ -606,15 +621,26 @@ static void batadv_bla_add_claim(struct
+ 			   "bla_add_claim(): changing ownership for %pM, vid %d\n",
+ 			   mac, BATADV_PRINT_VID(vid));
+ 
+-		spin_lock_bh(&claim->backbone_gw->crc_lock);
+-		claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+-		spin_unlock_bh(&claim->backbone_gw->crc_lock);
+-		batadv_backbone_gw_free_ref(claim->backbone_gw);
++		remove_crc = true;
+ 	}
+-	/* set (new) backbone gw */
++
++	/* replace backbone_gw atomically and adjust reference counters */
++	spin_lock_bh(&claim->backbone_lock);
++	old_backbone_gw = claim->backbone_gw;
+ 	atomic_inc(&backbone_gw->refcount);
+ 	claim->backbone_gw = backbone_gw;
++	spin_unlock_bh(&claim->backbone_lock);
++
++	if (remove_crc) {
++		/* remove claim address from old backbone_gw */
++		spin_lock_bh(&old_backbone_gw->crc_lock);
++		old_backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
++		spin_unlock_bh(&old_backbone_gw->crc_lock);
++	}
+ 
++	batadv_backbone_gw_free_ref(old_backbone_gw);
++
++	/* add claim address to new backbone_gw */
+ 	spin_lock_bh(&backbone_gw->crc_lock);
+ 	backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+ 	spin_unlock_bh(&backbone_gw->crc_lock);
+@@ -624,6 +650,26 @@ claim_free_ref:
+ 	batadv_claim_free_ref(claim);
+ }
+ 
++/**
++ * batadv_bla_claim_get_backbone_gw - Get valid reference for backbone_gw of
++ *  claim
++ * @claim: claim whose backbone_gw should be returned
++ *
++ * Return: valid reference to claim::backbone_gw
++ */
++static struct batadv_bla_backbone_gw *
++batadv_bla_claim_get_backbone_gw(struct batadv_bla_claim *claim)
++{
++	struct batadv_bla_backbone_gw *backbone_gw;
++
++	spin_lock_bh(&claim->backbone_lock);
++	backbone_gw = claim->backbone_gw;
++	atomic_inc(&backbone_gw->refcount);
++	spin_unlock_bh(&claim->backbone_lock);
++
++	return backbone_gw;
++}
++
+ /* Delete a claim from the claim hash which has the
+  * given mac address and vid.
+  */
+@@ -645,10 +691,6 @@ static void batadv_bla_del_claim(struct
+ 			   batadv_choose_claim, claim);
+ 	batadv_claim_free_ref(claim); /* reference from the hash is gone */
+ 
+-	spin_lock_bh(&claim->backbone_gw->crc_lock);
+-	claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
+-	spin_unlock_bh(&claim->backbone_gw->crc_lock);
+-
+ 	/* don't need the reference from hash_find() anymore */
+ 	batadv_claim_free_ref(claim);
+ }
+@@ -1059,6 +1101,7 @@ static void batadv_bla_purge_claims(stru
+ 				    struct batadv_hard_iface *primary_if,
+ 				    int now)
+ {
++	struct batadv_bla_backbone_gw *backbone_gw;
+ 	struct batadv_bla_claim *claim;
+ 	struct hlist_head *head;
+ 	struct batadv_hashtable *hash;
+@@ -1073,14 +1116,17 @@ static void batadv_bla_purge_claims(stru
+ 
+ 		rcu_read_lock();
+ 		hlist_for_each_entry_rcu(claim, head, hash_entry) {
++			backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
+ 			if (now)
+ 				goto purge_now;
+-			if (!batadv_compare_eth(claim->backbone_gw->orig,
++
++			if (!batadv_compare_eth(backbone_gw->orig,
+ 						primary_if->net_dev->dev_addr))
+-				continue;
++				goto skip;
++
+ 			if (!batadv_has_timed_out(claim->lasttime,
+ 						  BATADV_BLA_CLAIM_TIMEOUT))
+-				continue;
++				goto skip;
+ 
+ 			batadv_dbg(BATADV_DBG_BLA, bat_priv,
+ 				   "bla_purge_claims(): %pM, vid %d, time out\n",
+@@ -1088,8 +1134,10 @@ static void batadv_bla_purge_claims(stru
+ 
+ purge_now:
+ 			batadv_handle_unclaim(bat_priv, primary_if,
+-					      claim->backbone_gw->orig,
++					      backbone_gw->orig,
+ 					      claim->addr, claim->vid);
++skip:
++			batadv_backbone_gw_free_ref(backbone_gw);
+ 		}
+ 		rcu_read_unlock();
+ 	}
+@@ -1476,9 +1524,11 @@ void batadv_bla_free(struct batadv_priv
+ int batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ 		  unsigned short vid, bool is_bcast)
+ {
++	struct batadv_bla_backbone_gw *backbone_gw;
+ 	struct ethhdr *ethhdr;
+ 	struct batadv_bla_claim search_claim, *claim = NULL;
+ 	struct batadv_hard_iface *primary_if;
++	bool own_claim;
+ 	int ret;
+ 
+ 	ethhdr = eth_hdr(skb);
+@@ -1511,8 +1561,12 @@ int batadv_bla_rx(struct batadv_priv *ba
+ 	}
+ 
+ 	/* if it is our own claim ... */
+-	if (batadv_compare_eth(claim->backbone_gw->orig,
+-			       primary_if->net_dev->dev_addr)) {
++	backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
++	own_claim = batadv_compare_eth(backbone_gw->orig,
++				       primary_if->net_dev->dev_addr);
++	batadv_backbone_gw_free_ref(backbone_gw);
++
++	if (own_claim) {
+ 		/* ... allow it in any case */
+ 		claim->lasttime = jiffies;
+ 		goto allow;
+@@ -1575,7 +1629,9 @@ int batadv_bla_tx(struct batadv_priv *ba
+ {
+ 	struct ethhdr *ethhdr;
+ 	struct batadv_bla_claim search_claim, *claim = NULL;
++	struct batadv_bla_backbone_gw *backbone_gw;
+ 	struct batadv_hard_iface *primary_if;
++	bool client_roamed;
+ 	int ret = 0;
+ 
+ 	primary_if = batadv_primary_if_get_selected(bat_priv);
+@@ -1605,8 +1661,12 @@ int batadv_bla_tx(struct batadv_priv *ba
+ 		goto allow;
+ 
+ 	/* check if we are responsible. */
+-	if (batadv_compare_eth(claim->backbone_gw->orig,
+-			       primary_if->net_dev->dev_addr)) {
++	backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
++	client_roamed = batadv_compare_eth(backbone_gw->orig,
++					   primary_if->net_dev->dev_addr);
++	batadv_backbone_gw_free_ref(backbone_gw);
++
++	if (client_roamed) {
+ 		/* if yes, the client has roamed and we have
+ 		 * to unclaim it.
+ 		 */
+@@ -1647,6 +1707,7 @@ int batadv_bla_claim_table_seq_print_tex
+ 	struct net_device *net_dev = (struct net_device *)seq->private;
+ 	struct batadv_priv *bat_priv = netdev_priv(net_dev);
+ 	struct batadv_hashtable *hash = bat_priv->bla.claim_hash;
++	struct batadv_bla_backbone_gw *backbone_gw;
+ 	struct batadv_bla_claim *claim;
+ 	struct batadv_hard_iface *primary_if;
+ 	struct hlist_head *head;
+@@ -1671,17 +1732,21 @@ int batadv_bla_claim_table_seq_print_tex
+ 
+ 		rcu_read_lock();
+ 		hlist_for_each_entry_rcu(claim, head, hash_entry) {
+-			is_own = batadv_compare_eth(claim->backbone_gw->orig,
++			backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
++
++			is_own = batadv_compare_eth(backbone_gw->orig,
+ 						    primary_addr);
+ 
+-			spin_lock_bh(&claim->backbone_gw->crc_lock);
+-			backbone_crc = claim->backbone_gw->crc;
+-			spin_unlock_bh(&claim->backbone_gw->crc_lock);
++			spin_lock_bh(&backbone_gw->crc_lock);
++			backbone_crc = backbone_gw->crc;
++			spin_unlock_bh(&backbone_gw->crc_lock);
+ 			seq_printf(seq, " * %pM on %5d by %pM [%c] (%#.4x)\n",
+ 				   claim->addr, BATADV_PRINT_VID(claim->vid),
+-				   claim->backbone_gw->orig,
++				   backbone_gw->orig,
+ 				   (is_own ? 'x' : ' '),
+ 				   backbone_crc);
++
++			batadv_backbone_gw_free_ref(backbone_gw);
+ 		}
+ 		rcu_read_unlock();
+ 	}
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -895,6 +895,7 @@ struct batadv_bla_backbone_gw {
+  * @addr: mac address of claimed non-mesh client
+  * @vid: vlan id this client was detected on
+  * @backbone_gw: pointer to backbone gw claiming this client
++ * @backbone_lock: lock protecting backbone_gw pointer
+  * @lasttime: last time we heard of claim (locals only)
+  * @hash_entry: hlist node for batadv_priv_bla::claim_hash
+  * @refcount: number of contexts the object is used
+@@ -904,6 +905,7 @@ struct batadv_bla_claim {
+ 	uint8_t addr[ETH_ALEN];
+ 	unsigned short vid;
+ 	struct batadv_bla_backbone_gw *backbone_gw;
++	spinlock_t backbone_lock; /* protects backbone_gw */
+ 	unsigned long lasttime;
+ 	struct hlist_node hash_entry;
+ 	struct rcu_head rcu;
diff --git a/queue-3.16/batman-adv-fix-orig_node_vlan-leak-on-orig_node_release.patch b/queue-3.16/batman-adv-fix-orig_node_vlan-leak-on-orig_node_release.patch
new file mode 100644
index 0000000..68b6e3b
--- /dev/null
+++ b/queue-3.16/batman-adv-fix-orig_node_vlan-leak-on-orig_node_release.patch
@@ -0,0 +1,46 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 30 Jun 2016 20:10:46 +0200
+Subject: batman-adv: Fix orig_node_vlan leak on orig_node_release
+
+commit 33fbb1f3db87ce53da925b3e034b4dd446d483f8 upstream.
+
+batadv_orig_node_new uses batadv_orig_node_vlan_new to allocate a new
+batadv_orig_node_vlan and add it to batadv_orig_node::vlan_list. References
+to this list have also to be cleaned when the batadv_orig_node is removed.
+
+Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[bwh: Backported to 3.16:
+ - vlan_list is a list not an hlist
+ - s/_put/_free_ref/]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/originator.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/batman-adv/originator.c
++++ b/net/batman-adv/originator.c
+@@ -529,6 +529,7 @@ static void batadv_orig_node_release(str
+ 	struct hlist_node *node_tmp;
+ 	struct batadv_neigh_node *neigh_node;
+ 	struct batadv_orig_ifinfo *orig_ifinfo;
++	struct batadv_orig_node_vlan *vlan, *vlan_tmp;
+ 
+ 	spin_lock_bh(&orig_node->neigh_list_lock);
+ 
+@@ -546,6 +547,13 @@ static void batadv_orig_node_release(str
+ 	}
+ 	spin_unlock_bh(&orig_node->neigh_list_lock);
+ 
++	spin_lock_bh(&orig_node->vlan_list_lock);
++	list_for_each_entry_safe(vlan, vlan_tmp, &orig_node->vlan_list, list) {
++		list_del_rcu(&vlan->list);
++		batadv_orig_node_vlan_free_ref(vlan);
++	}
++	spin_unlock_bh(&orig_node->vlan_list_lock);
++
+ 	/* Free nc_nodes */
+ 	batadv_nc_purge_orig(orig_node->bat_priv, orig_node, NULL);
+ 
diff --git a/queue-3.16/batman-adv-fix-reference-leak-in-batadv_find_router.patch b/queue-3.16/batman-adv-fix-reference-leak-in-batadv_find_router.patch
new file mode 100644
index 0000000..ca1c4a9
--- /dev/null
+++ b/queue-3.16/batman-adv-fix-reference-leak-in-batadv_find_router.patch
@@ -0,0 +1,120 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 30 Jun 2016 20:11:34 +0200
+Subject: batman-adv: Fix reference leak in batadv_find_router
+
+commit 15c2ed753cd9e3e746472deab8151337a5b6da56 upstream.
+
+The replacement of last_bonding_candidate in batadv_orig_node has to be an
+atomic operation. Otherwise it is possible that the reference counter of a
+batadv_orig_ifinfo is reduced which was no longer the
+last_bonding_candidate when the new candidate is added. This can either
+lead to an invalid memory access or to reference leaks which make it
+impossible to an interface which was added to batman-adv.
+
+Fixes: f3b3d9018975 ("batman-adv: add bonding again")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[bwh: Backported to 3.16:
+ - s/kref_get/atomic_inc/
+ - s/_put/_free_ref/]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/routing.c | 52 ++++++++++++++++++++++++++++++++++++------------
+ net/batman-adv/types.h   |  4 +++-
+ 2 files changed, 42 insertions(+), 14 deletions(-)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -425,6 +425,29 @@ static int batadv_check_unicast_packet(s
+ }
+ 
+ /**
++ * batadv_last_bonding_replace - Replace last_bonding_candidate of orig_node
++ * @orig_node: originator node whose bonding candidates should be replaced
++ * @new_candidate: new bonding candidate or NULL
++ */
++static void
++batadv_last_bonding_replace(struct batadv_orig_node *orig_node,
++			    struct batadv_orig_ifinfo *new_candidate)
++{
++	struct batadv_orig_ifinfo *old_candidate;
++
++	spin_lock_bh(&orig_node->neigh_list_lock);
++	old_candidate = orig_node->last_bonding_candidate;
++
++	if (new_candidate)
++		atomic_inc(&new_candidate->refcount);
++	orig_node->last_bonding_candidate = new_candidate;
++	spin_unlock_bh(&orig_node->neigh_list_lock);
++
++	if (old_candidate)
++		batadv_orig_ifinfo_free_ref(old_candidate);
++}
++
++/**
+  * batadv_find_router - find a suitable router for this originator
+  * @bat_priv: the bat priv with all the soft interface information
+  * @orig_node: the destination node
+@@ -529,10 +552,6 @@ next:
+ 	}
+ 	rcu_read_unlock();
+ 
+-	/* last_bonding_candidate is reset below, remove the old reference. */
+-	if (orig_node->last_bonding_candidate)
+-		batadv_orig_ifinfo_free_ref(orig_node->last_bonding_candidate);
+-
+ 	/* After finding candidates, handle the three cases:
+ 	 * 1) there is a next candidate, use that
+ 	 * 2) there is no next candidate, use the first of the list
+@@ -541,21 +560,28 @@ next:
+ 	if (next_candidate) {
+ 		batadv_neigh_node_free_ref(router);
+ 
+-		/* remove references to first candidate, we don't need it. */
+-		if (first_candidate) {
+-			batadv_neigh_node_free_ref(first_candidate_router);
+-			batadv_orig_ifinfo_free_ref(first_candidate);
+-		}
++		atomic_inc(&next_candidate_router->refcount);
+ 		router = next_candidate_router;
+-		orig_node->last_bonding_candidate = next_candidate;
++		batadv_last_bonding_replace(orig_node, next_candidate);
+ 	} else if (first_candidate) {
+ 		batadv_neigh_node_free_ref(router);
+ 
+-		/* refcounting has already been done in the loop above. */
++		atomic_inc(&first_candidate_router->refcount);
+ 		router = first_candidate_router;
+-		orig_node->last_bonding_candidate = first_candidate;
++		batadv_last_bonding_replace(orig_node, first_candidate);
+ 	} else {
+-		orig_node->last_bonding_candidate = NULL;
++		batadv_last_bonding_replace(orig_node, NULL);
++	}
++
++	/* cleanup of candidates */
++	if (first_candidate) {
++		batadv_neigh_node_free_ref(first_candidate_router);
++		batadv_orig_ifinfo_free_ref(first_candidate);
++	}
++
++	if (next_candidate) {
++		batadv_neigh_node_free_ref(next_candidate_router);
++		batadv_orig_ifinfo_free_ref(next_candidate);
+ 	}
+ 
+ 	return router;
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -272,7 +272,9 @@ struct batadv_orig_node {
+ 	DECLARE_BITMAP(bcast_bits, BATADV_TQ_LOCAL_WINDOW_SIZE);
+ 	uint32_t last_bcast_seqno;
+ 	struct hlist_head neigh_list;
+-	/* neigh_list_lock protects: neigh_list and router */
++	/* neigh_list_lock protects: neigh_list, ifinfo_list,
++	 * last_bonding_candidate and router
++	 */
+ 	spinlock_t neigh_list_lock;
+ 	struct hlist_node hash_entry;
+ 	struct batadv_priv *bat_priv;
diff --git a/queue-3.16/batman-adv-fix-speedy-join-in-gateway-client-mode.patch b/queue-3.16/batman-adv-fix-speedy-join-in-gateway-client-mode.patch
new file mode 100644
index 0000000..36faf06
--- /dev/null
+++ b/queue-3.16/batman-adv-fix-speedy-join-in-gateway-client-mode.patch
@@ -0,0 +1,39 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 12 Jun 2016 10:43:19 +0200
+Subject: batman-adv: Fix speedy join in gateway client mode
+
+commit d1fe176ca51fa3cb35f70c1d876d9a090e9befce upstream.
+
+Speedy join only works when the received packet is either broadcast or an
+4addr unicast packet. Thus packets converted from broadcast to unicast via
+the gateway handling code have to be converted to 4addr packets to allow
+the receiving gateway server to add the sender address as temporary entry
+to the translation table.
+
+Not doing it will make the batman-adv gateway server drop the DHCP response
+in many situations because it doesn't yet have the TT entry for the
+destination of the DHCP response.
+
+Fixes: 371351731e9c ("batman-adv: change interface_rx to get orig node")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/send.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/send.c
++++ b/net/batman-adv/send.c
+@@ -363,8 +363,8 @@ int batadv_send_skb_via_gw(struct batadv
+ 	struct batadv_orig_node *orig_node;
+ 
+ 	orig_node = batadv_gw_get_selected_orig(bat_priv);
+-	return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST, 0,
+-				       orig_node, vid);
++	return batadv_send_skb_unicast(bat_priv, skb, BATADV_UNICAST_4ADDR,
++				       BATADV_P_DATA, orig_node, vid);
+ }
+ 
+ void batadv_schedule_bat_ogm(struct batadv_hard_iface *hard_iface)
diff --git a/queue-3.16/batman-adv-free-last_bonding_candidate-on-release-of-orig_node.patch b/queue-3.16/batman-adv-free-last_bonding_candidate-on-release-of-orig_node.patch
new file mode 100644
index 0000000..00d1738
--- /dev/null
+++ b/queue-3.16/batman-adv-free-last_bonding_candidate-on-release-of-orig_node.patch
@@ -0,0 +1,48 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 30 Jun 2016 21:41:13 +0200
+Subject: batman-adv: Free last_bonding_candidate on release of orig_node
+
+commit cbef1e102003edb236c6b2319ab269ccef963731 upstream.
+
+The orig_ifinfo reference counter for last_bonding_candidate in
+batadv_orig_node has to be reduced when an originator node is released.
+Otherwise the orig_ifinfo is leaked and the reference counter the netdevice
+is not reduced correctly.
+
+Fixes: f3b3d9018975 ("batman-adv: add bonding again")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+[bwh: Backported to 3.16:
+ - s/_put/_free_ref/
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/originator.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/batman-adv/originator.c
++++ b/net/batman-adv/originator.c
+@@ -530,6 +530,7 @@ static void batadv_orig_node_release(str
+ 	struct batadv_neigh_node *neigh_node;
+ 	struct batadv_orig_ifinfo *orig_ifinfo;
+ 	struct batadv_orig_node_vlan *vlan, *vlan_tmp;
++	struct batadv_orig_ifinfo *last_candidate;
+ 
+ 	spin_lock_bh(&orig_node->neigh_list_lock);
+ 
+@@ -545,8 +546,14 @@ static void batadv_orig_node_release(str
+ 		hlist_del_rcu(&orig_ifinfo->list);
+ 		batadv_orig_ifinfo_free_ref(orig_ifinfo);
+ 	}
++
++	last_candidate = orig_node->last_bonding_candidate;
++	orig_node->last_bonding_candidate = NULL;
+ 	spin_unlock_bh(&orig_node->neigh_list_lock);
+ 
++	if (last_candidate)
++		batadv_orig_ifinfo_free_ref(last_candidate);
++
+ 	spin_lock_bh(&orig_node->vlan_list_lock);
+ 	list_for_each_entry_safe(vlan, vlan_tmp, &orig_node->vlan_list, list) {
+ 		list_del_rcu(&vlan->list);
diff --git a/queue-3.16/batman-adv-lock-crc-access-in-bridge-loop-avoidance.patch b/queue-3.16/batman-adv-lock-crc-access-in-bridge-loop-avoidance.patch
new file mode 100644
index 0000000..fc09ba2
--- /dev/null
+++ b/queue-3.16/batman-adv-lock-crc-access-in-bridge-loop-avoidance.patch
@@ -0,0 +1,181 @@
+From: Simon Wunderlich <sw@simonwunderlich.de>
+Date: Fri, 11 Sep 2015 18:04:13 +0200
+Subject: batman-adv: lock crc access in bridge loop avoidance
+
+commit 5a1dd8a4773d4c24e925cc6154826d555a85c370 upstream.
+
+We have found some networks in which nodes were constantly requesting
+other nodes BLA claim tables to synchronize, just to ask for that again
+once completed. The reason was that the crc checksum of the asked nodes
+were out of sync due to missing locking and multiple writes to the same
+crc checksum when adding/removing entries. Therefore the asked nodes
+constantly reported the wrong crc, which caused repeating requests.
+
+To avoid multiple functions changing a backbone gateways crc entry at
+the same time, lock it using a spinlock.
+
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Tested-by: Alfons Name <AlfonsName@web.de>
+Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
+Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 35 +++++++++++++++++++++++++++++-----
+ net/batman-adv/types.h                 |  2 ++
+ 2 files changed, 32 insertions(+), 5 deletions(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -242,7 +242,9 @@ batadv_bla_del_backbone_claims(struct ba
+ 	}
+ 
+ 	/* all claims gone, intialize CRC */
++	spin_lock_bh(&backbone_gw->crc_lock);
+ 	backbone_gw->crc = BATADV_BLA_CRC_INIT;
++	spin_unlock_bh(&backbone_gw->crc_lock);
+ }
+ 
+ /**
+@@ -392,6 +394,7 @@ batadv_bla_get_backbone_gw(struct batadv
+ 	entry->lasttime = jiffies;
+ 	entry->crc = BATADV_BLA_CRC_INIT;
+ 	entry->bat_priv = bat_priv;
++	spin_lock_init(&entry->crc_lock);
+ 	atomic_set(&entry->request_sent, 0);
+ 	atomic_set(&entry->wait_periods, 0);
+ 	ether_addr_copy(entry->orig, orig);
+@@ -540,7 +543,9 @@ static void batadv_bla_send_announce(str
+ 	__be16 crc;
+ 
+ 	memcpy(mac, batadv_announce_mac, 4);
++	spin_lock_bh(&backbone_gw->crc_lock);
+ 	crc = htons(backbone_gw->crc);
++	spin_unlock_bh(&backbone_gw->crc_lock);
+ 	memcpy(&mac[4], &crc, 2);
+ 
+ 	batadv_bla_send_claim(bat_priv, mac, backbone_gw->vid,
+@@ -601,14 +606,18 @@ static void batadv_bla_add_claim(struct
+ 			   "bla_add_claim(): changing ownership for %pM, vid %d\n",
+ 			   mac, BATADV_PRINT_VID(vid));
+ 
++		spin_lock_bh(&claim->backbone_gw->crc_lock);
+ 		claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
++		spin_unlock_bh(&claim->backbone_gw->crc_lock);
+ 		batadv_backbone_gw_free_ref(claim->backbone_gw);
+ 	}
+ 	/* set (new) backbone gw */
+ 	atomic_inc(&backbone_gw->refcount);
+ 	claim->backbone_gw = backbone_gw;
+ 
++	spin_lock_bh(&backbone_gw->crc_lock);
+ 	backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
++	spin_unlock_bh(&backbone_gw->crc_lock);
+ 	backbone_gw->lasttime = jiffies;
+ 
+ claim_free_ref:
+@@ -636,7 +645,9 @@ static void batadv_bla_del_claim(struct
+ 			   batadv_choose_claim, claim);
+ 	batadv_claim_free_ref(claim); /* reference from the hash is gone */
+ 
++	spin_lock_bh(&claim->backbone_gw->crc_lock);
+ 	claim->backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
++	spin_unlock_bh(&claim->backbone_gw->crc_lock);
+ 
+ 	/* don't need the reference from hash_find() anymore */
+ 	batadv_claim_free_ref(claim);
+@@ -648,7 +659,7 @@ static int batadv_handle_announce(struct
+ 				  unsigned short vid)
+ {
+ 	struct batadv_bla_backbone_gw *backbone_gw;
+-	uint16_t crc;
++	uint16_t backbone_crc, crc;
+ 
+ 	if (memcmp(an_addr, batadv_announce_mac, 4) != 0)
+ 		return 0;
+@@ -668,12 +679,16 @@ static int batadv_handle_announce(struct
+ 		   "handle_announce(): ANNOUNCE vid %d (sent by %pM)... CRC = %#.4x\n",
+ 		   BATADV_PRINT_VID(vid), backbone_gw->orig, crc);
+ 
+-	if (backbone_gw->crc != crc) {
++	spin_lock_bh(&backbone_gw->crc_lock);
++	backbone_crc = backbone_gw->crc;
++	spin_unlock_bh(&backbone_gw->crc_lock);
++
++	if (backbone_crc != crc) {
+ 		batadv_dbg(BATADV_DBG_BLA, backbone_gw->bat_priv,
+ 			   "handle_announce(): CRC FAILED for %pM/%d (my = %#.4x, sent = %#.4x)\n",
+ 			   backbone_gw->orig,
+ 			   BATADV_PRINT_VID(backbone_gw->vid),
+-			   backbone_gw->crc, crc);
++			   backbone_crc, crc);
+ 
+ 		batadv_bla_send_request(backbone_gw);
+ 	} else {
+@@ -1635,6 +1650,7 @@ int batadv_bla_claim_table_seq_print_tex
+ 	struct batadv_bla_claim *claim;
+ 	struct batadv_hard_iface *primary_if;
+ 	struct hlist_head *head;
++	u16 backbone_crc;
+ 	uint32_t i;
+ 	bool is_own;
+ 	uint8_t *primary_addr;
+@@ -1657,11 +1673,15 @@ int batadv_bla_claim_table_seq_print_tex
+ 		hlist_for_each_entry_rcu(claim, head, hash_entry) {
+ 			is_own = batadv_compare_eth(claim->backbone_gw->orig,
+ 						    primary_addr);
++
++			spin_lock_bh(&claim->backbone_gw->crc_lock);
++			backbone_crc = claim->backbone_gw->crc;
++			spin_unlock_bh(&claim->backbone_gw->crc_lock);
+ 			seq_printf(seq, " * %pM on %5d by %pM [%c] (%#.4x)\n",
+ 				   claim->addr, BATADV_PRINT_VID(claim->vid),
+ 				   claim->backbone_gw->orig,
+ 				   (is_own ? 'x' : ' '),
+-				   claim->backbone_gw->crc);
++				   backbone_crc);
+ 		}
+ 		rcu_read_unlock();
+ 	}
+@@ -1680,6 +1700,7 @@ int batadv_bla_backbone_table_seq_print_
+ 	struct batadv_hard_iface *primary_if;
+ 	struct hlist_head *head;
+ 	int secs, msecs;
++	u16 backbone_crc;
+ 	uint32_t i;
+ 	bool is_own;
+ 	uint8_t *primary_addr;
+@@ -1710,10 +1731,14 @@ int batadv_bla_backbone_table_seq_print_
+ 			if (is_own)
+ 				continue;
+ 
++			spin_lock_bh(&backbone_gw->crc_lock);
++			backbone_crc = backbone_gw->crc;
++			spin_unlock_bh(&backbone_gw->crc_lock);
++
+ 			seq_printf(seq, " * %pM on %5d %4i.%03is (%#.4x)\n",
+ 				   backbone_gw->orig,
+ 				   BATADV_PRINT_VID(backbone_gw->vid), secs,
+-				   msecs, backbone_gw->crc);
++				   msecs, backbone_crc);
+ 		}
+ 		rcu_read_unlock();
+ 	}
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -871,6 +871,7 @@ struct batadv_socket_packet {
+  *  backbone gateway - no bcast traffic is formwared until the situation was
+  *  resolved
+  * @crc: crc16 checksum over all claims
++ * @crc_lock: lock protecting crc
+  * @refcount: number of contexts the object is used
+  * @rcu: struct used for freeing in an RCU-safe manner
+  */
+@@ -884,6 +885,7 @@ struct batadv_bla_backbone_gw {
+ 	atomic_t wait_periods;
+ 	atomic_t request_sent;
+ 	uint16_t crc;
++	spinlock_t crc_lock; /* protects crc */
+ 	atomic_t refcount;
+ 	struct rcu_head rcu;
+ };
diff --git a/queue-3.16/bcache-register_bcache-call-blkdev_put-when-cache_alloc-fails.patch b/queue-3.16/bcache-register_bcache-call-blkdev_put-when-cache_alloc-fails.patch
new file mode 100644
index 0000000..8fa3800
--- /dev/null
+++ b/queue-3.16/bcache-register_bcache-call-blkdev_put-when-cache_alloc-fails.patch
@@ -0,0 +1,55 @@
+From: Eric Wheeler <git@linux.ewheeler.net>
+Date: Fri, 17 Jun 2016 15:01:54 -0700
+Subject: bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
+
+commit d9dc1702b297ec4a6bb9c0326a70641b322ba886 upstream.
+
+register_cache() is supposed to return an error string on error so that
+register_bcache() will will blkdev_put and cleanup other user counters,
+but it does not set 'char *err' when cache_alloc() fails (eg, due to
+memory pressure) and thus register_bcache() performs no cleanup.
+
+register_bcache() <----------\  <- no jump to err_close, no blkdev_put()
+   |                         |
+   +->register_cache()       |  <- fails to set char *err
+         |                   |
+         +->cache_alloc() ---/  <- returns error
+
+This patch sets `char *err` for this failure case so that register_cache()
+will cause register_bcache() to correctly jump to err_close and do
+cleanup.  This was tested under OOM conditions that triggered the bug.
+
+Signed-off-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/md/bcache/super.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1854,7 +1854,7 @@ static int register_cache(struct cache_s
+ 				  struct block_device *bdev, struct cache *ca)
+ {
+ 	char name[BDEVNAME_SIZE];
+-	const char *err = NULL;
++	const char *err = NULL; /* must be set for any error case */
+ 	int ret = 0;
+ 
+ 	memcpy(&ca->sb, sb, sizeof(struct cache_sb));
+@@ -1871,8 +1871,13 @@ static int register_cache(struct cache_s
+ 		ca->discard = CACHE_DISCARD(&ca->sb);
+ 
+ 	ret = cache_alloc(sb, ca);
+-	if (ret != 0)
++	if (ret != 0) {
++		if (ret == -ENOMEM)
++			err = "cache_alloc(): -ENOMEM";
++		else
++			err = "cache_alloc(): unknown error";
+ 		goto err;
++	}
+ 
+ 	if (kobject_add(&ca->kobj, &part_to_dev(bdev->bd_part)->kobj, "bcache")) {
+ 		err = "error calling kobject_add";
diff --git a/queue-3.16/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a.patch b/queue-3.16/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a.patch
new file mode 100644
index 0000000..91d7c0e
--- /dev/null
+++ b/queue-3.16/bcache-reserve_prio-is-too-small-by-one-when-prio_buckets-is-a.patch
@@ -0,0 +1,67 @@
+From: Kent Overstreet <kent.overstreet@gmail.com>
+Date: Wed, 17 Aug 2016 18:21:24 -0700
+Subject: bcache: RESERVE_PRIO is too small by one when prio_buckets() is a
+ power of two.
+
+commit acc9cf8c66c66b2cbbdb4a375537edee72be64df upstream.
+
+This patch fixes a cachedev registration-time allocation deadlock.
+This can deadlock on boot if your initrd auto-registeres bcache devices:
+
+Allocator thread:
+[  720.727614] INFO: task bcache_allocato:3833 blocked for more than 120 seconds.
+[  720.732361]  [<ffffffff816eeac7>] schedule+0x37/0x90
+[  720.732963]  [<ffffffffa05192b8>] bch_bucket_alloc+0x188/0x360 [bcache]
+[  720.733538]  [<ffffffff810e6950>] ? prepare_to_wait_event+0xf0/0xf0
+[  720.734137]  [<ffffffffa05302bd>] bch_prio_write+0x19d/0x340 [bcache]
+[  720.734715]  [<ffffffffa05190bf>] bch_allocator_thread+0x3ff/0x470 [bcache]
+[  720.735311]  [<ffffffff816ee41c>] ? __schedule+0x2dc/0x950
+[  720.735884]  [<ffffffffa0518cc0>] ? invalidate_buckets+0x980/0x980 [bcache]
+
+Registration thread:
+[  720.710403] INFO: task bash:3531 blocked for more than 120 seconds.
+[  720.715226]  [<ffffffff816eeac7>] schedule+0x37/0x90
+[  720.715805]  [<ffffffffa05235cd>] __bch_btree_map_nodes+0x12d/0x150 [bcache]
+[  720.716409]  [<ffffffffa0522d30>] ? bch_btree_insert_check_key+0x1c0/0x1c0 [bcache]
+[  720.717008]  [<ffffffffa05236e4>] bch_btree_insert+0xf4/0x170 [bcache]
+[  720.717586]  [<ffffffff810e6950>] ? prepare_to_wait_event+0xf0/0xf0
+[  720.718191]  [<ffffffffa0527d9a>] bch_journal_replay+0x14a/0x290 [bcache]
+[  720.718766]  [<ffffffff810cc90d>] ? ttwu_do_activate.constprop.94+0x5d/0x70
+[  720.719369]  [<ffffffff810cf684>] ? try_to_wake_up+0x1d4/0x350
+[  720.719968]  [<ffffffffa05317d0>] run_cache_set+0x580/0x8e0 [bcache]
+[  720.720553]  [<ffffffffa053302e>] register_bcache+0xe2e/0x13b0 [bcache]
+[  720.721153]  [<ffffffff81354cef>] kobj_attr_store+0xf/0x20
+[  720.721730]  [<ffffffff812a2dad>] sysfs_kf_write+0x3d/0x50
+[  720.722327]  [<ffffffff812a225a>] kernfs_fop_write+0x12a/0x180
+[  720.722904]  [<ffffffff81225177>] __vfs_write+0x37/0x110
+[  720.723503]  [<ffffffff81228048>] ? __sb_start_write+0x58/0x110
+[  720.724100]  [<ffffffff812cedb3>] ? security_file_permission+0x23/0xa0
+[  720.724675]  [<ffffffff812258a9>] vfs_write+0xa9/0x1b0
+[  720.725275]  [<ffffffff8102479c>] ? do_audit_syscall_entry+0x6c/0x70
+[  720.725849]  [<ffffffff81226755>] SyS_write+0x55/0xd0
+[  720.726451]  [<ffffffff8106a390>] ? do_page_fault+0x30/0x80
+[  720.727045]  [<ffffffff816f2cae>] system_call_fastpath+0x12/0x71
+
+The fifo code in upstream bcache can't use the last element in the buffer,
+which was the cause of the bug: if you asked for a power of two size,
+it'd give you a fifo that could hold one less than what you asked for
+rather than allocating a buffer twice as big.
+
+Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
+Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1829,7 +1829,7 @@ static int cache_alloc(struct cache_sb *
+ 	free = roundup_pow_of_two(ca->sb.nbuckets) >> 10;
+ 
+ 	if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) ||
+-	    !init_fifo(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
++	    !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) ||
+ 	    !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) ||
+ 	    !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) ||
+ 	    !init_fifo(&ca->free_inc,	free << 2, GFP_KERNEL) ||
diff --git a/queue-3.16/blackfin-fix-copy_from_user.patch b/queue-3.16/blackfin-fix-copy_from_user.patch
new file mode 100644
index 0000000..e9b2961
--- /dev/null
+++ b/queue-3.16/blackfin-fix-copy_from_user.patch
@@ -0,0 +1,31 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:16:58 -0400
+Subject: blackfin: fix copy_from_user()
+
+commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/blackfin/include/asm/uaccess.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/blackfin/include/asm/uaccess.h
++++ b/arch/blackfin/include/asm/uaccess.h
+@@ -177,11 +177,12 @@ static inline int bad_user_access_length
+ static inline unsigned long __must_check
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+-	if (access_ok(VERIFY_READ, from, n))
++	if (likely(access_ok(VERIFY_READ, from, n))) {
+ 		memcpy(to, (const void __force *)from, n);
+-	else
+-		return n;
+-	return 0;
++		return 0;
++	}
++	memset(to, 0, n);
++	return n;
+ }
+ 
+ static inline unsigned long __must_check
diff --git a/queue-3.16/block-fix-bdi-vs-gendisk-lifetime-mismatch.patch b/queue-3.16/block-fix-bdi-vs-gendisk-lifetime-mismatch.patch
new file mode 100644
index 0000000..c1f30c4
--- /dev/null
+++ b/queue-3.16/block-fix-bdi-vs-gendisk-lifetime-mismatch.patch
@@ -0,0 +1,110 @@
+From: Dan Williams <dan.j.williams@intel.com>
+Date: Sun, 31 Jul 2016 11:15:13 -0700
+Subject: block: fix bdi vs gendisk lifetime mismatch
+
+commit df08c32ce3be5be138c1dbfcba203314a3a7cd6f upstream.
+
+The name for a bdi of a gendisk is derived from the gendisk's devt.
+However, since the gendisk is destroyed before the bdi it leaves a
+window where a new gendisk could dynamically reuse the same devt while a
+bdi with the same name is still live.  Arrange for the bdi to hold a
+reference against its "owner" disk device while it is registered.
+Otherwise we can hit sysfs duplicate name collisions like the following:
+
+ WARNING: CPU: 10 PID: 2078 at fs/sysfs/dir.c:31 sysfs_warn_dup+0x64/0x80
+ sysfs: cannot create duplicate filename '/devices/virtual/bdi/259:1'
+
+ Hardware name: HP ProLiant DL580 Gen8, BIOS P79 05/06/2015
+  0000000000000286 0000000002c04ad5 ffff88006f24f970 ffffffff8134caec
+  ffff88006f24f9c0 0000000000000000 ffff88006f24f9b0 ffffffff8108c351
+  0000001f0000000c ffff88105d236000 ffff88105d1031e0 ffff8800357427f8
+ Call Trace:
+  [<ffffffff8134caec>] dump_stack+0x63/0x87
+  [<ffffffff8108c351>] __warn+0xd1/0xf0
+  [<ffffffff8108c3cf>] warn_slowpath_fmt+0x5f/0x80
+  [<ffffffff812a0d34>] sysfs_warn_dup+0x64/0x80
+  [<ffffffff812a0e1e>] sysfs_create_dir_ns+0x7e/0x90
+  [<ffffffff8134faaa>] kobject_add_internal+0xaa/0x320
+  [<ffffffff81358d4e>] ? vsnprintf+0x34e/0x4d0
+  [<ffffffff8134ff55>] kobject_add+0x75/0xd0
+  [<ffffffff816e66b2>] ? mutex_lock+0x12/0x2f
+  [<ffffffff8148b0a5>] device_add+0x125/0x610
+  [<ffffffff8148b788>] device_create_groups_vargs+0xd8/0x100
+  [<ffffffff8148b7cc>] device_create_vargs+0x1c/0x20
+  [<ffffffff811b775c>] bdi_register+0x8c/0x180
+  [<ffffffff811b7877>] bdi_register_dev+0x27/0x30
+  [<ffffffff813317f5>] add_disk+0x175/0x4a0
+
+Reported-by: Yi Zhang <yizhan@redhat.com>
+Tested-by: Yi Zhang <yizhan@redhat.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+
+Fixed up missing 0 return in bdi_register_owner().
+
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -611,7 +611,7 @@ void add_disk(struct gendisk *disk)
+ 
+ 	/* Register BDI before referencing it from bdev */
+ 	bdi = &disk->queue->backing_dev_info;
+-	bdi_register_dev(bdi, disk_devt(disk));
++	bdi_register_owner(bdi, disk_to_dev(disk));
+ 
+ 	blk_register_region(disk_devt(disk), disk->minors, NULL,
+ 			    exact_match, exact_lock, disk);
+--- a/include/linux/backing-dev.h
++++ b/include/linux/backing-dev.h
+@@ -100,6 +100,7 @@ struct backing_dev_info {
+ 	struct list_head work_list;
+ 
+ 	struct device *dev;
++	struct device *owner;
+ 
+ 	struct timer_list laptop_mode_wb_timer;
+ 
+@@ -116,6 +117,7 @@ __printf(3, 4)
+ int bdi_register(struct backing_dev_info *bdi, struct device *parent,
+ 		const char *fmt, ...);
+ int bdi_register_dev(struct backing_dev_info *bdi, dev_t dev);
++int bdi_register_owner(struct backing_dev_info *bdi, struct device *owner);
+ void bdi_unregister(struct backing_dev_info *bdi);
+ int __must_check bdi_setup_and_register(struct backing_dev_info *, char *, unsigned int);
+ void bdi_start_writeback(struct backing_dev_info *bdi, long nr_pages,
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -350,6 +350,20 @@ int bdi_register_dev(struct backing_dev_
+ }
+ EXPORT_SYMBOL(bdi_register_dev);
+ 
++int bdi_register_owner(struct backing_dev_info *bdi, struct device *owner)
++{
++	int rc;
++
++	rc = bdi_register(bdi, NULL, "%u:%u", MAJOR(owner->devt),
++			MINOR(owner->devt));
++	if (rc)
++		return rc;
++	bdi->owner = owner;
++	get_device(owner);
++	return 0;
++}
++EXPORT_SYMBOL(bdi_register_owner);
++
+ /*
+  * Remove bdi from the global list and shutdown any threads we have running
+  */
+@@ -418,6 +432,11 @@ void bdi_unregister(struct backing_dev_i
+ 
+ 		device_unregister(dev);
+ 	}
++
++	if (bdi->owner) {
++		put_device(bdi->owner);
++		bdi->owner = NULL;
++	}
+ }
+ EXPORT_SYMBOL(bdi_unregister);
+ 
diff --git a/queue-3.16/block-fix-use-after-free-in-seq-file.patch b/queue-3.16/block-fix-use-after-free-in-seq-file.patch
new file mode 100644
index 0000000..d650a70
--- /dev/null
+++ b/queue-3.16/block-fix-use-after-free-in-seq-file.patch
@@ -0,0 +1,108 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Fri, 29 Jul 2016 10:40:31 +0200
+Subject: block: fix use-after-free in seq file
+
+commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream.
+
+I got a KASAN report of use-after-free:
+
+    ==================================================================
+    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
+    Read of size 8 by task trinity-c1/315
+    =============================================================================
+    BUG kmalloc-32 (Not tainted): kasan: bad access detected
+    -----------------------------------------------------------------------------
+
+    Disabling lock debugging due to kernel taint
+    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
+            ___slab_alloc+0x4f1/0x520
+            __slab_alloc.isra.58+0x56/0x80
+            kmem_cache_alloc_trace+0x260/0x2a0
+            disk_seqf_start+0x66/0x110
+            traverse+0x176/0x860
+            seq_read+0x7e3/0x11a0
+            proc_reg_read+0xbc/0x180
+            do_loop_readv_writev+0x134/0x210
+            do_readv_writev+0x565/0x660
+            vfs_readv+0x67/0xa0
+            do_preadv+0x126/0x170
+            SyS_preadv+0xc/0x10
+            do_syscall_64+0x1a1/0x460
+            return_from_SYSCALL_64+0x0/0x6a
+    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
+            __slab_free+0x17a/0x2c0
+            kfree+0x20a/0x220
+            disk_seqf_stop+0x42/0x50
+            traverse+0x3b5/0x860
+            seq_read+0x7e3/0x11a0
+            proc_reg_read+0xbc/0x180
+            do_loop_readv_writev+0x134/0x210
+            do_readv_writev+0x565/0x660
+            vfs_readv+0x67/0xa0
+            do_preadv+0x126/0x170
+            SyS_preadv+0xc/0x10
+            do_syscall_64+0x1a1/0x460
+            return_from_SYSCALL_64+0x0/0x6a
+
+    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
+     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
+     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
+    Call Trace:
+     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
+     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
+     [<ffffffff814704ff>] object_err+0x2f/0x40
+     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
+     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
+     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
+     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
+     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
+     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
+     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
+     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
+     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
+     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
+     [<ffffffff814b8de6>] do_preadv+0x126/0x170
+     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10
+
+This problem can occur in the following situation:
+
+open()
+ - pread()
+    - .seq_start()
+       - iter = kmalloc() // succeeds
+       - seqf->private = iter
+    - .seq_stop()
+       - kfree(seqf->private)
+ - pread()
+    - .seq_start()
+       - iter = kmalloc() // fails
+    - .seq_stop()
+       - class_dev_iter_exit(seqf->private) // boom! old pointer
+
+As the comment in disk_seqf_stop() says, stop is called even if start
+failed, so we need to reinitialise the private pointer to NULL when seq
+iteration stops.
+
+An alternative would be to set the private pointer to NULL when the
+kmalloc() in disk_seqf_start() fails.
+
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ block/genhd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_fi
+ 	if (iter) {
+ 		class_dev_iter_exit(iter);
+ 		kfree(iter);
++		seqf->private = NULL;
+ 	}
+ }
+ 
diff --git a/queue-3.16/bluetooth-add-support-of-13d3-3490-ar3012-device.patch b/queue-3.16/bluetooth-add-support-of-13d3-3490-ar3012-device.patch
new file mode 100644
index 0000000..1fd7905
--- /dev/null
+++ b/queue-3.16/bluetooth-add-support-of-13d3-3490-ar3012-device.patch
@@ -0,0 +1,51 @@
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Tue, 12 Jul 2016 01:35:18 +0300
+Subject: Bluetooth: Add support of 13d3:3490 AR3012 device
+
+commit 12d868964f7352e8b18e755488f7265a93431de1 upstream.
+
+T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=05 Dev#= 5 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3490 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1600623
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -123,6 +123,7 @@ static const struct usb_device_id ath3k_
+ 	{ USB_DEVICE(0x13d3, 0x3472) },
+ 	{ USB_DEVICE(0x13d3, 0x3474) },
+ 	{ USB_DEVICE(0x13d3, 0x3487) },
++	{ USB_DEVICE(0x13d3, 0x3490) },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xE02C) },
+@@ -190,6 +191,7 @@ static const struct usb_device_id ath3k_
+ 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU22 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -217,6 +217,7 @@ static const struct usb_device_id blackl
+ 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
diff --git a/queue-3.16/bluetooth-add-usb-id-13d3-3487-to-ath3k.patch b/queue-3.16/bluetooth-add-usb-id-13d3-3487-to-ath3k.patch
new file mode 100644
index 0000000..c97b370
--- /dev/null
+++ b/queue-3.16/bluetooth-add-usb-id-13d3-3487-to-ath3k.patch
@@ -0,0 +1,57 @@
+From: Lauro Costa <lauro@polilinux.com.br>
+Date: Mon, 9 May 2016 17:36:11 -0300
+Subject: Bluetooth: Add USB ID 13D3:3487 to ath3k
+
+commit 72f9f8b58bc743e6b6abdc68f60db98486c3ffcf upstream.
+
+Add hw id to ath3k usb device list and btusb blacklist
+
+T:  Bus=01 Lev=01 Prnt=01 Port=08 Cnt=02 Dev#=  4 Spd=12  MxCh= 0
+D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=13d3 ProdID=3487 Rev=00.02
+C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+Requires these firmwares:
+ar3k/AthrBT_0x11020100.dfu and ar3k/ramps_0x11020100_40.dfu
+Firmwares are available in linux-firmware.
+
+Device found in a laptop ASUS model N552VW. It's an Atheros AR9462 chip.
+
+Signed-off-by: Lauro Costa <lauro@polilinux.com.br>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/bluetooth/ath3k.c | 2 ++
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -122,6 +122,7 @@ static const struct usb_device_id ath3k_
+ 	{ USB_DEVICE(0x13d3, 0x3432) },
+ 	{ USB_DEVICE(0x13d3, 0x3472) },
+ 	{ USB_DEVICE(0x13d3, 0x3474) },
++	{ USB_DEVICE(0x13d3, 0x3487) },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xE02C) },
+@@ -188,6 +189,7 @@ static const struct usb_device_id ath3k_
+ 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU22 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -216,6 +216,7 @@ static const struct usb_device_id blackl
+ 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+ 	{ USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
++	{ USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
+ 
+ 	/* Atheros AR5BBU12 with sflash firmware */
+ 	{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
diff --git a/queue-3.16/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch b/queue-3.16/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
new file mode 100644
index 0000000..f194a35
--- /dev/null
+++ b/queue-3.16/bluetooth-fix-l2cap_sock_setsockopt-with-optname-bt_rcvmtu.patch
@@ -0,0 +1,32 @@
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?=
+ <amadeusz.slawinski@tieto.com>
+Date: Thu, 14 Jul 2016 10:50:23 +0200
+Subject: Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.
+
+When we retrieve imtu value from userspace we should use 16 bit pointer
+cast instead of 32 as it's defined that way in headers. Fixes setsockopt
+calls on big-endian platforms.
+
+Signed-off-by: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/bluetooth/l2cap_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -921,7 +921,7 @@ static int l2cap_sock_setsockopt(struct
+ 			break;
+ 		}
+ 
+-		if (get_user(opt, (u32 __user *) optval)) {
++		if (get_user(opt, (u16 __user *) optval)) {
+ 			err = -EFAULT;
+ 			break;
+ 		}
diff --git a/queue-3.16/bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch b/queue-3.16/bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch
new file mode 100644
index 0000000..2c0878a
--- /dev/null
+++ b/queue-3.16/bpf-mips-fix-off-by-one-in-ctx-offset-allocation.patch
@@ -0,0 +1,41 @@
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 14 Jul 2016 13:57:55 +0200
+Subject: bpf, mips: fix off-by-one in ctx offset allocation
+
+commit b4e76f7e6d3200462c6354a6ad4ae167459e61f8 upstream.
+
+Dan Carpenter reported [1] a static checker warning that ctx->offsets[]
+may be accessed off by one from build_body(), since it's allocated with
+fp->len * sizeof(*ctx.offsets) as length. The cBPF arm and ppc code
+doesn't have this issue as claimed, so only mips seems to be affected and
+should like most other JITs allocate with fp->len + 1. A few number of
+JITs (x86, sparc, arm64) handle this differently, where they only require
+fp->len array elements.
+
+  [1] http://www.spinics.net/lists/mips/msg64193.html
+
+Fixes: c6610de353da ("MIPS: net: Add BPF JIT")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: ast@kernel.org
+Cc: linux-mips@linux-mips.org
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/13814/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/net/bpf_jit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/net/bpf_jit.c
++++ b/arch/mips/net/bpf_jit.c
+@@ -1365,7 +1365,7 @@ void bpf_jit_compile(struct sk_filter *f
+ 
+ 	memset(&ctx, 0, sizeof(ctx));
+ 
+-	ctx.offsets = kcalloc(fp->len, sizeof(*ctx.offsets), GFP_KERNEL);
++	ctx.offsets = kcalloc(fp->len + 1, sizeof(*ctx.offsets), GFP_KERNEL);
+ 	if (ctx.offsets == NULL)
+ 		return;
+ 
diff --git a/queue-3.16/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-3.16/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch
new file mode 100644
index 0000000..6afd7e4
--- /dev/null
+++ b/queue-3.16/brcmfmac-fix-glob_skb-leak-in-brcmf_sdiod_recv_chain.patch
@@ -0,0 +1,35 @@
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 18 Jul 2016 16:24:34 -0700
+Subject: brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain
+
+commit 3bdae810721b33061d2e541bd78a70f86ca42af3 upstream.
+
+In case brcmf_sdiod_recv_chain() cannot complete a succeful call to
+brcmf_sdiod_buffrw, we would be leaking glom_skb and not free it as we
+should, fix this.
+
+Reported-by: coverity (CID 1164856)
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+@@ -708,8 +708,10 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 			return -ENOMEM;
+ 		err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+ 					 glom_skb);
+-		if (err)
++		if (err) {
++			brcmu_pkt_buf_free_skb(glom_skb);
+ 			goto done;
++		}
+ 
+ 		skb_queue_walk(pktq, skb) {
+ 			memcpy(skb->data, glom_skb->data, skb->len);
diff --git a/queue-3.16/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch b/queue-3.16/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch
new file mode 100644
index 0000000..e1ed652
--- /dev/null
+++ b/queue-3.16/brcmsmac-free-packet-if-dma_mapping_error-fails-in-dma_rxfill.patch
@@ -0,0 +1,34 @@
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 18 Jul 2016 16:24:35 -0700
+Subject: brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
+
+commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream.
+
+In case dma_mapping_error() returns an error in dma_rxfill, we would be
+leaking a packet that we allocated with brcmu_pkt_buf_get_skb().
+
+Reported-by: coverity (CID 1081819)
+Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/brcm80211/brcmsmac/dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
+@@ -1079,8 +1079,10 @@ bool dma_rxfill(struct dma_pub *pub)
+ 
+ 		pa = dma_map_single(di->dmadev, p->data, di->rxbufsize,
+ 				    DMA_FROM_DEVICE);
+-		if (dma_mapping_error(di->dmadev, pa))
++		if (dma_mapping_error(di->dmadev, pa)) {
++			brcmu_pkt_buf_free_skb(p);
+ 			return false;
++		}
+ 
+ 		/* save the free packet pointer */
+ 		di->rxp[rxout] = p;
diff --git a/queue-3.16/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch b/queue-3.16/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch
new file mode 100644
index 0000000..190584c
--- /dev/null
+++ b/queue-3.16/brcmsmac-initialize-power-in-brcms_c_stf_ss_algo_channel_get.patch
@@ -0,0 +1,33 @@
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 18 Jul 2016 16:24:37 -0700
+Subject: brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
+
+commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.
+
+wlc_phy_txpower_get_current() does a logical OR of power->flags, which
+presumes that power.flags was initiliazed earlier by the caller,
+unfortunately, this is not the case, so make sure we zero out the struct
+tx_power before calling into wlc_phy_txpower_get_current().
+
+Reported-by: coverity (CID 146011)
+Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/brcm80211/brcmsmac/stf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmsmac/stf.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/stf.c
+@@ -87,7 +87,7 @@ void
+ brcms_c_stf_ss_algo_channel_get(struct brcms_c_info *wlc, u16 *ss_algo_channel,
+ 			    u16 chanspec)
+ {
+-	struct tx_power power;
++	struct tx_power power = { };
+ 	u8 siso_mcs_id, cdd_mcs_id, stbc_mcs_id;
+ 
+ 	/* Clear previous settings */
diff --git a/queue-3.16/btrfs-add-missing-blk_finish_plug-in-btrfs_sync_log.patch b/queue-3.16/btrfs-add-missing-blk_finish_plug-in-btrfs_sync_log.patch
new file mode 100644
index 0000000..01019de
--- /dev/null
+++ b/queue-3.16/btrfs-add-missing-blk_finish_plug-in-btrfs_sync_log.patch
@@ -0,0 +1,26 @@
+From: Forrest Liu <forrestl@synology.com>
+Date: Fri, 30 Jan 2015 19:42:12 +0800
+Subject: Btrfs: add missing blk_finish_plug in btrfs_sync_log()
+
+commit 3da5ab56482f322a9736c484db8773899c5c731b upstream.
+
+Add missing blk_finish_plug in btrfs_sync_log()
+
+Signed-off-by: Forrest Liu <forrestl@synology.com>
+Reviewed-by: David Sterba <dsterba@suse.cz>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2600,6 +2600,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
+ 	}
+ 
+ 	if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
++		blk_finish_plug(&plug);
+ 		mutex_unlock(&log_root_tree->log_mutex);
+ 		ret = root_log_ctx.log_ret;
+ 		goto out;
diff --git a/queue-3.16/btrfs-ensure-that-file-descriptor-used-with-subvol-ioctls-is-a-dir.patch b/queue-3.16/btrfs-ensure-that-file-descriptor-used-with-subvol-ioctls-is-a-dir.patch
new file mode 100644
index 0000000..fab7ffd
--- /dev/null
+++ b/queue-3.16/btrfs-ensure-that-file-descriptor-used-with-subvol-ioctls-is-a-dir.patch
@@ -0,0 +1,63 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Wed, 21 Sep 2016 08:31:29 -0400
+Subject: btrfs: ensure that file descriptor used with subvol ioctls is a dir
+
+commit 325c50e3cebb9208009083e841550f98a863bfa0 upstream.
+
+If the subvol/snapshot create/destroy ioctls are passed a regular file
+with execute permissions set, we'll eventually Oops while trying to do
+inode->i_op->lookup via lookup_one_len.
+
+This patch ensures that the file descriptor refers to a directory.
+
+Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules)
+Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl)
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/ioctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1649,6 +1649,9 @@ static noinline int btrfs_ioctl_snap_cre
+ 	int namelen;
+ 	int ret = 0;
+ 
++	if (!S_ISDIR(file_inode(file)->i_mode))
++		return -ENOTDIR;
++
+ 	ret = mnt_want_write_file(file);
+ 	if (ret)
+ 		goto out;
+@@ -1706,6 +1709,9 @@ static noinline int btrfs_ioctl_snap_cre
+ 	struct btrfs_ioctl_vol_args *vol_args;
+ 	int ret;
+ 
++	if (!S_ISDIR(file_inode(file)->i_mode))
++		return -ENOTDIR;
++
+ 	vol_args = memdup_user(arg, sizeof(*vol_args));
+ 	if (IS_ERR(vol_args))
+ 		return PTR_ERR(vol_args);
+@@ -1729,6 +1735,9 @@ static noinline int btrfs_ioctl_snap_cre
+ 	bool readonly = false;
+ 	struct btrfs_qgroup_inherit *inherit = NULL;
+ 
++	if (!S_ISDIR(file_inode(file)->i_mode))
++		return -ENOTDIR;
++
+ 	vol_args = memdup_user(arg, sizeof(*vol_args));
+ 	if (IS_ERR(vol_args))
+ 		return PTR_ERR(vol_args);
+@@ -2355,6 +2364,9 @@ static noinline int btrfs_ioctl_snap_des
+ 	int ret;
+ 	int err = 0;
+ 
++	if (!S_ISDIR(dir->i_mode))
++		return -ENOTDIR;
++
+ 	vol_args = memdup_user(arg, sizeof(*vol_args));
+ 	if (IS_ERR(vol_args))
+ 		return PTR_ERR(vol_args);
diff --git a/queue-3.16/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log.patch b/queue-3.16/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log.patch
new file mode 100644
index 0000000..9a69fd4
--- /dev/null
+++ b/queue-3.16/btrfs-remove-root_log_ctx-from-ctx-list-before-btrfs_sync_log.patch
@@ -0,0 +1,32 @@
+From: Chris Mason <clm@fb.com>
+Date: Tue, 6 Sep 2016 05:37:40 -0700
+Subject: Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log
+ returns
+
+commit cbd60aa7cd17d81a434234268c55192862147439 upstream.
+
+We use a btrfs_log_ctx structure to pass information into the
+tree log commit, and get error values out.  It gets added to a per
+log-transaction list which we walk when things go bad.
+
+Commit d1433debe added an optimization to skip waiting for the log
+commit, but didn't take root_log_ctx out of the list.  This
+patch makes sure we remove things before exiting.
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2601,6 +2601,7 @@ int btrfs_sync_log(struct btrfs_trans_ha
+ 
+ 	if (log_root_tree->log_transid_committed >= root_log_ctx.log_transid) {
+ 		blk_finish_plug(&plug);
++		list_del_init(&root_log_ctx.list);
+ 		mutex_unlock(&log_root_tree->log_mutex);
+ 		ret = root_log_ctx.log_ret;
+ 		goto out;
diff --git a/queue-3.16/can-dev-fix-deadlock-reported-after-bus-off.patch b/queue-3.16/can-dev-fix-deadlock-reported-after-bus-off.patch
new file mode 100644
index 0000000..8a0f1fb
--- /dev/null
+++ b/queue-3.16/can-dev-fix-deadlock-reported-after-bus-off.patch
@@ -0,0 +1,138 @@
+From: Sergei Miroshnichenko <sergeimir@emcraft.com>
+Date: Wed, 7 Sep 2016 16:51:12 +0300
+Subject: can: dev: fix deadlock reported after bus-off
+
+commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 upstream.
+
+A timer was used to restart after the bus-off state, leading to a
+relatively large can_restart() executed in an interrupt context,
+which in turn sets up pinctrl. When this happens during system boot,
+there is a high probability of grabbing the pinctrl_list_mutex,
+which is locked already by the probe() of other device, making the
+kernel suspect a deadlock condition [1].
+
+To resolve this issue, the restart_timer is replaced by a delayed
+work.
+
+[1] https://github.com/victronenergy/venus/issues/24
+
+Signed-off-by: Sergei Miroshnichenko <sergeimir@emcraft.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/can/dev.c   | 27 +++++++++++++++++----------
+ include/linux/can/dev.h |  3 ++-
+ 2 files changed, 19 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -21,6 +21,7 @@
+ #include <linux/slab.h>
+ #include <linux/netdevice.h>
+ #include <linux/if_arp.h>
++#include <linux/workqueue.h>
+ #include <linux/can.h>
+ #include <linux/can/dev.h>
+ #include <linux/can/skb.h>
+@@ -392,9 +393,8 @@ EXPORT_SYMBOL_GPL(can_free_echo_skb);
+ /*
+  * CAN device restart for bus-off recovery
+  */
+-static void can_restart(unsigned long data)
++static void can_restart(struct net_device *dev)
+ {
+-	struct net_device *dev = (struct net_device *)data;
+ 	struct can_priv *priv = netdev_priv(dev);
+ 	struct net_device_stats *stats = &dev->stats;
+ 	struct sk_buff *skb;
+@@ -434,6 +434,14 @@ restart:
+ 		netdev_err(dev, "Error %d during restart", err);
+ }
+ 
++static void can_restart_work(struct work_struct *work)
++{
++	struct delayed_work *dwork = to_delayed_work(work);
++	struct can_priv *priv = container_of(dwork, struct can_priv, restart_work);
++
++	can_restart(priv->dev);
++}
++
+ int can_restart_now(struct net_device *dev)
+ {
+ 	struct can_priv *priv = netdev_priv(dev);
+@@ -447,8 +455,8 @@ int can_restart_now(struct net_device *d
+ 	if (priv->state != CAN_STATE_BUS_OFF)
+ 		return -EBUSY;
+ 
+-	/* Runs as soon as possible in the timer context */
+-	mod_timer(&priv->restart_timer, jiffies);
++	cancel_delayed_work_sync(&priv->restart_work);
++	can_restart(dev);
+ 
+ 	return 0;
+ }
+@@ -470,8 +478,8 @@ void can_bus_off(struct net_device *dev)
+ 	priv->can_stats.bus_off++;
+ 
+ 	if (priv->restart_ms)
+-		mod_timer(&priv->restart_timer,
+-			  jiffies + (priv->restart_ms * HZ) / 1000);
++		schedule_delayed_work(&priv->restart_work,
++				      msecs_to_jiffies(priv->restart_ms));
+ }
+ EXPORT_SYMBOL_GPL(can_bus_off);
+ 
+@@ -578,6 +586,7 @@ struct net_device *alloc_candev(int size
+ 		return NULL;
+ 
+ 	priv = netdev_priv(dev);
++	priv->dev = dev;
+ 
+ 	if (echo_skb_max) {
+ 		priv->echo_skb_max = echo_skb_max;
+@@ -587,7 +596,7 @@ struct net_device *alloc_candev(int size
+ 
+ 	priv->state = CAN_STATE_STOPPED;
+ 
+-	init_timer(&priv->restart_timer);
++	INIT_DELAYED_WORK(&priv->restart_work, can_restart_work);
+ 
+ 	return dev;
+ }
+@@ -662,8 +671,6 @@ int open_candev(struct net_device *dev)
+ 	if (!netif_carrier_ok(dev))
+ 		netif_carrier_on(dev);
+ 
+-	setup_timer(&priv->restart_timer, can_restart, (unsigned long)dev);
+-
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(open_candev);
+@@ -678,7 +685,7 @@ void close_candev(struct net_device *dev
+ {
+ 	struct can_priv *priv = netdev_priv(dev);
+ 
+-	del_timer_sync(&priv->restart_timer);
++	cancel_delayed_work_sync(&priv->restart_work);
+ 	can_flush_echo_skb(dev);
+ }
+ EXPORT_SYMBOL_GPL(close_candev);
+--- a/include/linux/can/dev.h
++++ b/include/linux/can/dev.h
+@@ -31,6 +31,7 @@ enum can_mode {
+  * CAN common private data
+  */
+ struct can_priv {
++	struct net_device *dev;
+ 	struct can_device_stats can_stats;
+ 
+ 	struct can_bittiming bittiming, data_bittiming;
+@@ -43,7 +44,7 @@ struct can_priv {
+ 	u32 ctrlmode_supported;
+ 
+ 	int restart_ms;
+-	struct timer_list restart_timer;
++	struct delayed_work restart_work;
+ 
+ 	int (*do_set_bittiming)(struct net_device *dev);
+ 	int (*do_set_data_bittiming)(struct net_device *dev);
diff --git a/queue-3.16/can-flexcan-fix-resume-function.patch b/queue-3.16/can-flexcan-fix-resume-function.patch
new file mode 100644
index 0000000..e34e85f
--- /dev/null
+++ b/queue-3.16/can-flexcan-fix-resume-function.patch
@@ -0,0 +1,63 @@
+From: Fabio Estevam <fabio.estevam@nxp.com>
+Date: Wed, 17 Aug 2016 12:41:08 -0300
+Subject: can: flexcan: fix resume function
+
+commit 4de349e786a3a2d51bd02d56f3de151bbc3c3df9 upstream.
+
+On a imx6ul-pico board the following error is seen during system suspend:
+
+dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110
+PM: Device 2090000.flexcan failed to resume: error -110
+
+The reason for this suspend error is because when the CAN interface is not
+active the clocks are disabled and then flexcan_chip_enable() will
+always fail due to a timeout error.
+
+In order to fix this issue, only call flexcan_chip_enable/disable()
+when the CAN interface is active.
+
+Based on a patch from Dong Aisheng in the NXP kernel.
+
+Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/can/flexcan.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1248,11 +1248,10 @@ static int __maybe_unused flexcan_suspen
+ 	struct flexcan_priv *priv = netdev_priv(dev);
+ 	int err;
+ 
+-	err = flexcan_chip_disable(priv);
+-	if (err)
+-		return err;
+-
+ 	if (netif_running(dev)) {
++		err = flexcan_chip_disable(priv);
++		if (err)
++			return err;
+ 		netif_stop_queue(dev);
+ 		netif_device_detach(dev);
+ 	}
+@@ -1265,13 +1264,17 @@ static int __maybe_unused flexcan_resume
+ {
+ 	struct net_device *dev = dev_get_drvdata(device);
+ 	struct flexcan_priv *priv = netdev_priv(dev);
++	int err;
+ 
+ 	priv->can.state = CAN_STATE_ERROR_ACTIVE;
+ 	if (netif_running(dev)) {
+ 		netif_device_attach(dev);
+ 		netif_start_queue(dev);
++		err = flexcan_chip_enable(priv);
++		if (err)
++			return err;
+ 	}
+-	return flexcan_chip_enable(priv);
++	return 0;
+ }
+ 
+ static SIMPLE_DEV_PM_OPS(flexcan_pm_ops, flexcan_suspend, flexcan_resume);
diff --git a/queue-3.16/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch b/queue-3.16/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch
new file mode 100644
index 0000000..eaa6209
--- /dev/null
+++ b/queue-3.16/cdc-acm-fix-wrong-pipe-type-on-rx-interrupt-xfers.patch
@@ -0,0 +1,54 @@
+From: Gavin Li <git@thegavinli.com>
+Date: Fri, 12 Aug 2016 00:52:56 -0700
+Subject: cdc-acm: fix wrong pipe type on rx interrupt xfers
+
+commit add125054b8727103631dce116361668436ef6a7 upstream.
+
+This fixes the "BOGUS urb xfer" warning logged by usb_submit_urb().
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/usb/class/cdc-acm.c | 5 ++---
+ drivers/usb/class/cdc-acm.h | 1 -
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1336,7 +1336,6 @@ made_compressed_probe:
+ 	spin_lock_init(&acm->write_lock);
+ 	spin_lock_init(&acm->read_lock);
+ 	mutex_init(&acm->mutex);
+-	acm->rx_endpoint = usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress);
+ 	acm->is_int_ep = usb_endpoint_xfer_int(epread);
+ 	if (acm->is_int_ep)
+ 		acm->bInterval = epread->bInterval;
+@@ -1386,14 +1385,14 @@ made_compressed_probe:
+ 		urb->transfer_dma = rb->dma;
+ 		if (acm->is_int_ep) {
+ 			usb_fill_int_urb(urb, acm->dev,
+-					 acm->rx_endpoint,
++					 usb_rcvintpipe(usb_dev, epread->bEndpointAddress),
+ 					 rb->base,
+ 					 acm->readsize,
+ 					 acm_read_bulk_callback, rb,
+ 					 acm->bInterval);
+ 		} else {
+ 			usb_fill_bulk_urb(urb, acm->dev,
+-					  acm->rx_endpoint,
++					  usb_rcvbulkpipe(usb_dev, epread->bEndpointAddress),
+ 					  rb->base,
+ 					  acm->readsize,
+ 					  acm_read_bulk_callback, rb);
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -95,7 +95,6 @@ struct acm {
+ 	struct urb *read_urbs[ACM_NR];
+ 	struct acm_rb read_buffers[ACM_NR];
+ 	int rx_buflimit;
+-	int rx_endpoint;
+ 	spinlock_t read_lock;
+ 	int write_used;					/* number of non-empty write buffers */
+ 	int transmitting;
diff --git a/queue-3.16/ceph-correctly-return-nxio-errors-from-ceph_llseek.patch b/queue-3.16/ceph-correctly-return-nxio-errors-from-ceph_llseek.patch
new file mode 100644
index 0000000..46acf46
--- /dev/null
+++ b/queue-3.16/ceph-correctly-return-nxio-errors-from-ceph_llseek.patch
@@ -0,0 +1,62 @@
+From: Phil Turnbull <phil.turnbull@oracle.com>
+Date: Thu, 21 Jul 2016 13:43:09 -0400
+Subject: ceph: Correctly return NXIO errors from ceph_llseek
+
+commit 955818cd5b6c4b58ea574ace4573e7afa4c19c1e upstream.
+
+ceph_llseek does not correctly return NXIO errors because the 'out' path
+always returns 'offset'.
+
+Fixes: 06222e491e66 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Signed-off-by: Yan, Zheng <zyan@redhat.com>
+[bwh: Backported to 3.16; adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ceph/file.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -985,16 +985,14 @@ out_unlocked:
+ static loff_t ceph_llseek(struct file *file, loff_t offset, int whence)
+ {
+ 	struct inode *inode = file->f_mapping->host;
+-	int ret;
++	loff_t ret;
+ 
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	if (whence == SEEK_END || whence == SEEK_DATA || whence == SEEK_HOLE) {
+ 		ret = ceph_do_getattr(inode, CEPH_STAT_CAP_SIZE);
+-		if (ret < 0) {
+-			offset = ret;
++		if (ret < 0)
+ 			goto out;
+-		}
+ 	}
+ 
+ 	switch (whence) {
+@@ -1009,7 +1007,7 @@ static loff_t ceph_llseek(struct file *f
+ 		 * write() or lseek() might have altered it
+ 		 */
+ 		if (offset == 0) {
+-			offset = file->f_pos;
++			ret = file->f_pos;
+ 			goto out;
+ 		}
+ 		offset += file->f_pos;
+@@ -1029,11 +1027,11 @@ static loff_t ceph_llseek(struct file *f
+ 		break;
+ 	}
+ 
+-	offset = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
++	ret = vfs_setpos(file, offset, inode->i_sb->s_maxbytes);
+ 
+ out:
+ 	mutex_unlock(&inode->i_mutex);
+-	return offset;
++	return ret;
+ }
+ 
+ static inline void ceph_zero_partial_page(
diff --git a/queue-3.16/cifs-check-for-existing-directory-when-opening-file-with-o_creat.patch b/queue-3.16/cifs-check-for-existing-directory-when-opening-file-with-o_creat.patch
new file mode 100644
index 0000000..59fec9a
--- /dev/null
+++ b/queue-3.16/cifs-check-for-existing-directory-when-opening-file-with-o_creat.patch
@@ -0,0 +1,70 @@
+From: Sachin Prabhu <sprabhu@redhat.com>
+Date: Thu, 7 Jul 2016 21:28:27 +0100
+Subject: cifs: Check for existing directory when opening file with O_CREAT
+
+commit 8d9535b6efd86e6c07da59f97e68f44efb7fe080 upstream.
+
+When opening a file with O_CREAT flag, check to see if the file opened
+is an existing directory.
+
+This prevents the directory from being opened which subsequently causes
+a crash when the close function for directories cifs_closedir() is called
+which frees up the file->private_data memory while the file is still
+listed on the open file list for the tcon.
+
+Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Reported-by: Xiaoli Feng <xifeng@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/dir.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -229,6 +229,13 @@ cifs_do_create(struct inode *inode, stru
+ 				goto cifs_create_get_file_info;
+ 			}
+ 
++			if (S_ISDIR(newinode->i_mode)) {
++				CIFSSMBClose(xid, tcon, fid->netfid);
++				iput(newinode);
++				rc = -EISDIR;
++				goto out;
++			}
++
+ 			if (!S_ISREG(newinode->i_mode)) {
+ 				/*
+ 				 * The server may allow us to open things like
+@@ -399,10 +406,14 @@ cifs_create_set_dentry:
+ 	if (rc != 0) {
+ 		cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n",
+ 			 rc);
+-		if (server->ops->close)
+-			server->ops->close(xid, tcon, fid);
+-		goto out;
++		goto out_err;
+ 	}
++
++	if (S_ISDIR(newinode->i_mode)) {
++		rc = -EISDIR;
++		goto out_err;
++	}
++
+ 	d_drop(direntry);
+ 	d_add(direntry, newinode);
+ 
+@@ -410,6 +421,13 @@ out:
+ 	kfree(buf);
+ 	kfree(full_path);
+ 	return rc;
++
++out_err:
++	if (server->ops->close)
++		server->ops->close(xid, tcon, fid);
++	if (newinode)
++		iput(newinode);
++	goto out;
+ }
+ 
+ int
diff --git a/queue-3.16/cifs-fix-a-possible-invalid-memory-access-in-smb2_query_symlink.patch b/queue-3.16/cifs-fix-a-possible-invalid-memory-access-in-smb2_query_symlink.patch
new file mode 100644
index 0000000..e0823e1
--- /dev/null
+++ b/queue-3.16/cifs-fix-a-possible-invalid-memory-access-in-smb2_query_symlink.patch
@@ -0,0 +1,77 @@
+From: Pavel Shilovsky <pshilovsky@samba.org>
+Date: Sun, 24 Jul 2016 10:37:38 +0300
+Subject: CIFS: Fix a possible invalid memory access in smb2_query_symlink()
+
+commit 7893242e2465aea6f2cbc2639da8fa5ce96e8cc2 upstream.
+
+During following a symbolic link we received err_buf from SMB2_open().
+While the validity of SMB2 error response is checked previously
+in smb2_check_message() a symbolic link payload is not checked at all.
+Fix it by adding such checks.
+
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/smb2ops.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -858,6 +858,9 @@ smb2_new_lease_key(struct cifs_fid *fid)
+ 	get_random_bytes(fid->lease_key, SMB2_LEASE_KEY_SIZE);
+ }
+ 
++#define SMB2_SYMLINK_STRUCT_SIZE \
++	(sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
++
+ static int
+ smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
+ 		   const char *full_path, char **target_path,
+@@ -870,7 +873,10 @@ smb2_query_symlink(const unsigned int xi
+ 	struct cifs_fid fid;
+ 	struct smb2_err_rsp *err_buf = NULL;
+ 	struct smb2_symlink_err_rsp *symlink;
+-	unsigned int sub_len, sub_offset;
++	unsigned int sub_len;
++	unsigned int sub_offset;
++	unsigned int print_len;
++	unsigned int print_offset;
+ 
+ 	cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+ 
+@@ -891,11 +897,33 @@ smb2_query_symlink(const unsigned int xi
+ 		kfree(utf16_path);
+ 		return -ENOENT;
+ 	}
++
++	if (le32_to_cpu(err_buf->ByteCount) < sizeof(struct smb2_symlink_err_rsp) ||
++	    get_rfc1002_length(err_buf) + 4 < SMB2_SYMLINK_STRUCT_SIZE) {
++		kfree(utf16_path);
++		return -ENOENT;
++	}
++
+ 	/* open must fail on symlink - reset rc */
+ 	rc = 0;
+ 	symlink = (struct smb2_symlink_err_rsp *)err_buf->ErrorData;
+ 	sub_len = le16_to_cpu(symlink->SubstituteNameLength);
+ 	sub_offset = le16_to_cpu(symlink->SubstituteNameOffset);
++	print_len = le16_to_cpu(symlink->PrintNameLength);
++	print_offset = le16_to_cpu(symlink->PrintNameOffset);
++
++	if (get_rfc1002_length(err_buf) + 4 <
++			SMB2_SYMLINK_STRUCT_SIZE + sub_offset + sub_len) {
++		kfree(utf16_path);
++		return -ENOENT;
++	}
++
++	if (get_rfc1002_length(err_buf) + 4 <
++			SMB2_SYMLINK_STRUCT_SIZE + print_offset + print_len) {
++		kfree(utf16_path);
++		return -ENOENT;
++	}
++
+ 	*target_path = cifs_strndup_from_utf16(
+ 				(char *)symlink->PathBuffer + sub_offset,
+ 				sub_len, true, cifs_sb->local_nls);
diff --git a/queue-3.16/cifs-fix-crash-due-to-race-in-hmac-md5-handling.patch b/queue-3.16/cifs-fix-crash-due-to-race-in-hmac-md5-handling.patch
new file mode 100644
index 0000000..9edd726
--- /dev/null
+++ b/queue-3.16/cifs-fix-crash-due-to-race-in-hmac-md5-handling.patch
@@ -0,0 +1,128 @@
+From: Rabin Vincent <rabinv@axis.com>
+Date: Tue, 19 Jul 2016 09:26:21 +0200
+Subject: cifs: fix crash due to race in hmac(md5) handling
+
+commit bd975d1eead2558b76e1079e861eacf1f678b73b upstream.
+
+The secmech hmac(md5) structures are present in the TCP_Server_Info
+struct and can be shared among multiple CIFS sessions.  However, the
+server mutex is not currently held when these structures are allocated
+and used, which can lead to a kernel crashes, as in the scenario below:
+
+mount.cifs(8) #1				mount.cifs(8) #2
+
+Is secmech.sdeschmaccmd5 allocated?
+// false
+
+						Is secmech.sdeschmaccmd5 allocated?
+						// false
+
+secmech.hmacmd = crypto_alloc_shash..
+secmech.sdeschmaccmd5 = kzalloc..
+sdeschmaccmd5->shash.tfm = &secmec.hmacmd;
+
+						secmech.sdeschmaccmd5 = kzalloc
+						// sdeschmaccmd5->shash.tfm
+						// not yet assigned
+
+crypto_shash_update()
+ deref NULL sdeschmaccmd5->shash.tfm
+
+ Unable to handle kernel paging request at virtual address 00000030
+ epc   : 8027ba34 crypto_shash_update+0x38/0x158
+ ra    : 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84
+ Call Trace:
+  crypto_shash_update+0x38/0x158
+  setup_ntlmv2_rsp+0x4bc/0xa84
+  build_ntlmssp_auth_blob+0xbc/0x34c
+  sess_auth_rawntlmssp_authenticate+0xac/0x248
+  CIFS_SessSetup+0xf0/0x178
+  cifs_setup_session+0x4c/0x84
+  cifs_get_smb_ses+0x2c8/0x314
+  cifs_mount+0x38c/0x76c
+  cifs_do_mount+0x98/0x440
+  mount_fs+0x20/0xc0
+  vfs_kern_mount+0x58/0x138
+  do_mount+0x1e8/0xccc
+  SyS_mount+0x88/0xd4
+  syscall_common+0x30/0x54
+
+Fix this by locking the srv_mutex around the code which uses these
+hmac(md5) structures.  All the other secmech algos already have similar
+locking.
+
+Fixes: 95dc8dd14e2e84cc ("Limit allocation of crypto mechanisms to dialect which requires")
+Signed-off-by: Rabin Vincent <rabinv@axis.com>
+Acked-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/cifs/cifsencrypt.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -727,24 +727,26 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+ 
+ 	memcpy(ses->auth_key.response + baselen, tiblob, tilen);
+ 
++	mutex_lock(&ses->server->srv_mutex);
++
+ 	rc = crypto_hmacmd5_alloc(ses->server);
+ 	if (rc) {
+ 		cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc);
+-		goto setup_ntlmv2_rsp_ret;
++		goto unlock;
+ 	}
+ 
+ 	/* calculate ntlmv2_hash */
+ 	rc = calc_ntlmv2_hash(ses, ntlmv2_hash, nls_cp);
+ 	if (rc) {
+ 		cifs_dbg(VFS, "could not get v2 hash rc %d\n", rc);
+-		goto setup_ntlmv2_rsp_ret;
++		goto unlock;
+ 	}
+ 
+ 	/* calculate first part of the client response (CR1) */
+ 	rc = CalcNTLMv2_response(ses, ntlmv2_hash);
+ 	if (rc) {
+ 		cifs_dbg(VFS, "Could not calculate CR1 rc: %d\n", rc);
+-		goto setup_ntlmv2_rsp_ret;
++		goto unlock;
+ 	}
+ 
+ 	/* now calculate the session key for NTLMv2 */
+@@ -753,13 +755,13 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+ 	if (rc) {
+ 		cifs_dbg(VFS, "%s: Could not set NTLMV2 Hash as a key\n",
+ 			 __func__);
+-		goto setup_ntlmv2_rsp_ret;
++		goto unlock;
+ 	}
+ 
+ 	rc = crypto_shash_init(&ses->server->secmech.sdeschmacmd5->shash);
+ 	if (rc) {
+ 		cifs_dbg(VFS, "%s: Could not init hmacmd5\n", __func__);
+-		goto setup_ntlmv2_rsp_ret;
++		goto unlock;
+ 	}
+ 
+ 	rc = crypto_shash_update(&ses->server->secmech.sdeschmacmd5->shash,
+@@ -767,7 +769,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+ 		CIFS_HMAC_MD5_HASH_SIZE);
+ 	if (rc) {
+ 		cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
+-		goto setup_ntlmv2_rsp_ret;
++		goto unlock;
+ 	}
+ 
+ 	rc = crypto_shash_final(&ses->server->secmech.sdeschmacmd5->shash,
+@@ -775,6 +777,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, c
+ 	if (rc)
+ 		cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__);
+ 
++unlock:
++	mutex_unlock(&ses->server->srv_mutex);
+ setup_ntlmv2_rsp_ret:
+ 	kfree(tiblob);
+ 
diff --git a/queue-3.16/clocksource-drivers-sun4i-clear-interrupts-after-stopping-timer-in.patch b/queue-3.16/clocksource-drivers-sun4i-clear-interrupts-after-stopping-timer-in.patch
new file mode 100644
index 0000000..d586059
--- /dev/null
+++ b/queue-3.16/clocksource-drivers-sun4i-clear-interrupts-after-stopping-timer-in.patch
@@ -0,0 +1,59 @@
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Thu, 25 Aug 2016 14:26:59 +0800
+Subject: clocksource/drivers/sun4i: Clear interrupts after stopping timer in
+ probe function
+
+commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e upstream.
+
+The bootloader (U-boot) sometimes uses this timer for various delays.
+It uses it as a ongoing counter, and does comparisons on the current
+counter value. The timer counter is never stopped.
+
+In some cases when the user interacts with the bootloader, or lets
+it idle for some time before loading Linux, the timer may expire,
+and an interrupt will be pending. This results in an unexpected
+interrupt when the timer interrupt is enabled by the kernel, at
+which point the event_handler isn't set yet. This results in a NULL
+pointer dereference exception, panic, and no way to reboot.
+
+Clear any pending interrupts after we stop the timer in the probe
+function to avoid this.
+
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/clocksource/sun4i_timer.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/clocksource/sun4i_timer.c
++++ b/drivers/clocksource/sun4i_timer.c
+@@ -120,12 +120,16 @@ static struct clock_event_device sun4i_c
+ 	.set_next_event = sun4i_clkevt_next_event,
+ };
+ 
++static void sun4i_timer_clear_interrupt(void)
++{
++	writel(TIMER_IRQ_EN(0), timer_base + TIMER_IRQ_ST_REG);
++}
+ 
+ static irqreturn_t sun4i_timer_interrupt(int irq, void *dev_id)
+ {
+ 	struct clock_event_device *evt = (struct clock_event_device *)dev_id;
+ 
+-	writel(0x1, timer_base + TIMER_IRQ_ST_REG);
++	sun4i_timer_clear_interrupt();
+ 	evt->event_handler(evt);
+ 
+ 	return IRQ_HANDLED;
+@@ -182,6 +186,9 @@ static void __init sun4i_timer_init(stru
+ 	/* Make sure timer is stopped before playing with interrupts */
+ 	sun4i_clkevt_time_stop(0);
+ 
++	/* clear timer0 interrupt */
++	sun4i_timer_clear_interrupt();
++
+ 	sun4i_clockevent.cpumask = cpu_possible_mask;
+ 	sun4i_clockevent.irq = irq;
+ 
diff --git a/queue-3.16/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the.patch b/queue-3.16/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the.patch
new file mode 100644
index 0000000..5773212
--- /dev/null
+++ b/queue-3.16/cpuset-make-sure-new-tasks-conform-to-the-current-config-of-the.patch
@@ -0,0 +1,51 @@
+From: Zefan Li <lizefan@huawei.com>
+Date: Tue, 9 Aug 2016 11:25:01 +0800
+Subject: cpuset: make sure new tasks conform to the current config of the
+ cpuset
+
+commit 06f4e94898918bcad00cdd4d349313a439d6911e upstream.
+
+A new task inherits cpus_allowed and mems_allowed masks from its parent,
+but if someone changes cpuset's config by writing to cpuset.cpus/cpuset.mems
+before this new task is inserted into the cgroup's task list, the new task
+won't be updated accordingly.
+
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/cpuset.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -1963,6 +1963,20 @@ static void cpuset_css_free(struct cgrou
+ 	kfree(cs);
+ }
+ 
++/*
++ * Make sure the new task conform to the current state of its parent,
++ * which could have been changed by cpuset just after it inherits the
++ * state from the parent and before it sits on the cgroup's task list.
++ */
++void cpuset_fork(struct task_struct *task)
++{
++	if (task_css_is_root(task, cpuset_cgrp_id))
++		return;
++
++	set_cpus_allowed_ptr(task, &current->cpus_allowed);
++	task->mems_allowed = current->mems_allowed;
++}
++
+ struct cgroup_subsys cpuset_cgrp_subsys = {
+ 	.css_alloc = cpuset_css_alloc,
+ 	.css_online = cpuset_css_online,
+@@ -1971,6 +1985,7 @@ struct cgroup_subsys cpuset_cgrp_subsys
+ 	.can_attach = cpuset_can_attach,
+ 	.cancel_attach = cpuset_cancel_attach,
+ 	.attach = cpuset_attach,
++	.fork		= cpuset_fork,
+ 	.base_cftypes = files,
+ 	.early_init = 1,
+ };
diff --git a/queue-3.16/cris-buggered-copy_from_user-copy_to_user-clear_user.patch b/queue-3.16/cris-buggered-copy_from_user-copy_to_user-clear_user.patch
new file mode 100644
index 0000000..888747e
--- /dev/null
+++ b/queue-3.16/cris-buggered-copy_from_user-copy_to_user-clear_user.patch
@@ -0,0 +1,128 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 19:34:00 -0400
+Subject: cris: buggered copy_from_user/copy_to_user/clear_user
+
+commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.
+
+* copy_from_user() on access_ok() failure ought to zero the destination
+* none of those primitives should skip the access_ok() check in case of
+small constant size.
+
+Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/cris/include/asm/uaccess.h | 71 +++++++++++++++++++----------------------
+ 1 file changed, 32 insertions(+), 39 deletions(-)
+
+--- a/arch/cris/include/asm/uaccess.h
++++ b/arch/cris/include/asm/uaccess.h
+@@ -176,30 +176,6 @@ extern unsigned long __copy_user(void __
+ extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
+ extern unsigned long __do_clear_user(void __user *to, unsigned long n);
+ 
+-static inline unsigned long
+-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
+-{
+-	if (access_ok(VERIFY_WRITE, to, n))
+-		return __copy_user(to,from,n);
+-	return n;
+-}
+-
+-static inline unsigned long
+-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
+-{
+-	if (access_ok(VERIFY_READ, from, n))
+-		return __copy_user_zeroing(to,from,n);
+-	return n;
+-}
+-
+-static inline unsigned long
+-__generic_clear_user(void __user *to, unsigned long n)
+-{
+-	if (access_ok(VERIFY_WRITE, to, n))
+-		return __do_clear_user(to,n);
+-	return n;
+-}
+-
+ static inline long
+ __strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+@@ -262,7 +238,7 @@ __constant_copy_from_user(void *to, cons
+ 	else if (n == 24)
+ 		__asm_copy_from_user_24(to, from, ret);
+ 	else
+-		ret = __generic_copy_from_user(to, from, n);
++		ret = __copy_user_zeroing(to, from, n);
+ 
+ 	return ret;
+ }
+@@ -312,7 +288,7 @@ __constant_copy_to_user(void __user *to,
+ 	else if (n == 24)
+ 		__asm_copy_to_user_24(to, from, ret);
+ 	else
+-		ret = __generic_copy_to_user(to, from, n);
++		ret = __copy_user(to, from, n);
+ 
+ 	return ret;
+ }
+@@ -344,26 +320,43 @@ __constant_clear_user(void __user *to, u
+ 	else if (n == 24)
+ 		__asm_clear_24(to, ret);
+ 	else
+-		ret = __generic_clear_user(to, n);
++		ret = __do_clear_user(to, n);
+ 
+ 	return ret;
+ }
+ 
+ 
+-#define clear_user(to, n)			\
+-(__builtin_constant_p(n) ?			\
+- __constant_clear_user(to, n) :			\
+- __generic_clear_user(to, n))
+-
+-#define copy_from_user(to, from, n)		\
+-(__builtin_constant_p(n) ?			\
+- __constant_copy_from_user(to, from, n) :	\
+- __generic_copy_from_user(to, from, n))
+-
+-#define copy_to_user(to, from, n)		\
+-(__builtin_constant_p(n) ?			\
+- __constant_copy_to_user(to, from, n) :		\
+- __generic_copy_to_user(to, from, n))
++static inline size_t clear_user(void __user *to, size_t n)
++{
++	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++		return n;
++	if (__builtin_constant_p(n))
++		return __constant_clear_user(to, n);
++	else
++		return __do_clear_user(to, n);
++}
++
++static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
++{
++	if (unlikely(!access_ok(VERIFY_READ, from, n))) {
++		memset(to, 0, n);
++		return n;
++	}
++	if (__builtin_constant_p(n))
++		return __constant_copy_from_user(to, from, n);
++	else
++		return __copy_user_zeroing(to, from, n);
++}
++
++static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
++{
++	if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++		return n;
++	if (__builtin_constant_p(n))
++		return __constant_copy_to_user(to, from, n);
++	else
++		return __copy_user(to, from, n);
++}
+ 
+ /* We let the __ versions of copy_from/to_user inline, because they're often
+  * used in fast paths and have only a small space overhead.
diff --git a/queue-3.16/crypto-arm64-aes-ctr-fix-null-dereference-in-tail-processing.patch b/queue-3.16/crypto-arm64-aes-ctr-fix-null-dereference-in-tail-processing.patch
new file mode 100644
index 0000000..2c9c1b1
--- /dev/null
+++ b/queue-3.16/crypto-arm64-aes-ctr-fix-null-dereference-in-tail-processing.patch
@@ -0,0 +1,39 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Tue, 13 Sep 2016 09:48:53 +0100
+Subject: crypto: arm64/aes-ctr - fix NULL dereference in tail processing
+
+commit 2db34e78f126c6001d79d3b66ab1abb482dc7caa upstream.
+
+The AES-CTR glue code avoids calling into the blkcipher API for the
+tail portion of the walk, by comparing the remainder of walk.nbytes
+modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight
+into the tail processing block if they are equal. This tail processing
+block checks whether nbytes != 0, and does nothing otherwise.
+
+However, in case of an allocation failure in the blkcipher layer, we
+may enter this code with walk.nbytes == 0, while nbytes > 0. In this
+case, we should not dereference the source and destination pointers,
+since they may be NULL. So instead of checking for nbytes != 0, check
+for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in
+non-error conditions.
+
+Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions")
+Reported-by: xiakaixu <xiakaixu@huawei.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm64/crypto/aes-glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/crypto/aes-glue.c
++++ b/arch/arm64/crypto/aes-glue.c
+@@ -205,7 +205,7 @@ static int ctr_encrypt(struct blkcipher_
+ 		err = blkcipher_walk_done(desc, &walk,
+ 					  walk.nbytes % AES_BLOCK_SIZE);
+ 	}
+-	if (nbytes) {
++	if (walk.nbytes % AES_BLOCK_SIZE) {
+ 		u8 *tdst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE;
+ 		u8 *tsrc = walk.src.virt.addr + blocks * AES_BLOCK_SIZE;
+ 		u8 __aligned(8) tail[AES_BLOCK_SIZE];
diff --git a/queue-3.16/crypto-caam-fix-non-hmac-hashes.patch b/queue-3.16/crypto-caam-fix-non-hmac-hashes.patch
new file mode 100644
index 0000000..1637d59
--- /dev/null
+++ b/queue-3.16/crypto-caam-fix-non-hmac-hashes.patch
@@ -0,0 +1,32 @@
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 9 Aug 2016 08:27:17 +0100
+Subject: crypto: caam - fix non-hmac hashes
+
+commit a0118c8b2be9297aed8e915c60b4013326b256d4 upstream.
+
+Since 6de62f15b581 ("crypto: algif_hash - Require setkey before
+accept(2)"), the AF_ALG interface requires userspace to provide a key
+to any algorithm that has a setkey method.  However, the non-HMAC
+algorithms are not keyed, so setting a key is unnecessary.
+
+Fix this by removing the setkey method from the non-keyed hash
+algorithms.
+
+Fixes: 6de62f15b581 ("crypto: algif_hash - Require setkey before accept(2)")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/crypto/caam/caamhash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/caam/caamhash.c
++++ b/drivers/crypto/caam/caamhash.c
+@@ -1778,6 +1778,7 @@ caam_hash_alloc(struct caam_hash_templat
+ 			 template->name);
+ 		snprintf(alg->cra_driver_name, CRYPTO_MAX_ALG_NAME, "%s",
+ 			 template->driver_name);
++		t_alg->ahash_alg.setkey = NULL;
+ 	}
+ 	alg->cra_module = THIS_MODULE;
+ 	alg->cra_init = caam_hash_cra_init;
diff --git a/queue-3.16/crypto-cryptd-initialize-child-shash_desc-on-import.patch b/queue-3.16/crypto-cryptd-initialize-child-shash_desc-on-import.patch
new file mode 100644
index 0000000..d6fd1af
--- /dev/null
+++ b/queue-3.16/crypto-cryptd-initialize-child-shash_desc-on-import.patch
@@ -0,0 +1,36 @@
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Thu, 1 Sep 2016 14:25:43 +0100
+Subject: crypto: cryptd - initialize child shash_desc on import
+
+commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e upstream.
+
+When calling .import() on a cryptd ahash_request, the structure members
+that describe the child transform in the shash_desc need to be initialized
+like they are when calling .init()
+
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/cryptd.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/crypto/cryptd.c
++++ b/crypto/cryptd.c
+@@ -565,9 +565,14 @@ static int cryptd_hash_export(struct aha
+ 
+ static int cryptd_hash_import(struct ahash_request *req, const void *in)
+ {
+-	struct cryptd_hash_request_ctx *rctx = ahash_request_ctx(req);
++	struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
++	struct cryptd_hash_ctx *ctx = crypto_ahash_ctx(tfm);
++	struct shash_desc *desc = cryptd_shash_desc(req);
+ 
+-	return crypto_shash_import(&rctx->desc, in);
++	desc->tfm = ctx->child;
++	desc->flags = req->base.flags;
++
++	return crypto_shash_import(desc, in);
+ }
+ 
+ static int cryptd_create_hash(struct crypto_template *tmpl, struct rtattr **tb,
diff --git a/queue-3.16/crypto-gcm-filter-out-async-ghash-if-necessary.patch b/queue-3.16/crypto-gcm-filter-out-async-ghash-if-necessary.patch
new file mode 100644
index 0000000..58bb3a7
--- /dev/null
+++ b/queue-3.16/crypto-gcm-filter-out-async-ghash-if-necessary.patch
@@ -0,0 +1,33 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 15 Jun 2016 22:27:05 +0800
+Subject: crypto: gcm - Filter out async ghash if necessary
+
+commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3 upstream.
+
+As it is if you ask for a sync gcm you may actually end up with
+an async one because it does not filter out async implementations
+of ghash.
+
+This patch fixes this by adding the necessary filter when looking
+for ghash.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/gcm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/crypto/gcm.c
++++ b/crypto/gcm.c
+@@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gc
+ 
+ 	ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type,
+ 				    CRYPTO_ALG_TYPE_HASH,
+-				    CRYPTO_ALG_TYPE_AHASH_MASK);
++				    CRYPTO_ALG_TYPE_AHASH_MASK |
++				    crypto_requires_sync(algt->type,
++							 algt->mask));
+ 	if (IS_ERR(ghash_alg))
+ 		return ERR_CAST(ghash_alg);
+ 
diff --git a/queue-3.16/crypto-nx-off-by-one-bug-in-nx_of_update_msc.patch b/queue-3.16/crypto-nx-off-by-one-bug-in-nx_of_update_msc.patch
new file mode 100644
index 0000000..80d70f0
--- /dev/null
+++ b/queue-3.16/crypto-nx-off-by-one-bug-in-nx_of_update_msc.patch
@@ -0,0 +1,32 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 15 Jul 2016 14:09:13 +0300
+Subject: crypto: nx - off by one bug in nx_of_update_msc()
+
+commit e514cc0a492a3f39ef71b31590a7ef67537ee04b upstream.
+
+The props->ap[] array is defined like this:
+
+	struct alg_props ap[NX_MAX_FC][NX_MAX_MODE][3];
+
+So we can see that if msc->fc and msc->mode are == to NX_MAX_FC or
+NX_MAX_MODE then we're off by one.
+
+Fixes: ae0222b7289d ('powerpc/crypto: nx driver code supporting nx encryption')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/crypto/nx/nx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/nx/nx.c
++++ b/drivers/crypto/nx/nx.c
+@@ -330,7 +330,7 @@ static void nx_of_update_msc(struct devi
+ 		     ((bytes_so_far + sizeof(struct msc_triplet)) <= lenp) &&
+ 		     i < msc->triplets;
+ 		     i++) {
+-			if (msc->fc > NX_MAX_FC || msc->mode > NX_MAX_MODE) {
++			if (msc->fc >= NX_MAX_FC || msc->mode >= NX_MAX_MODE) {
+ 				dev_err(dev, "unknown function code/mode "
+ 					"combo: %d/%d (ignored)\n", msc->fc,
+ 					msc->mode);
diff --git a/queue-3.16/crypto-scatterwalk-fix-test-in-scatterwalk_done.patch b/queue-3.16/crypto-scatterwalk-fix-test-in-scatterwalk_done.patch
new file mode 100644
index 0000000..193b4e8
--- /dev/null
+++ b/queue-3.16/crypto-scatterwalk-fix-test-in-scatterwalk_done.patch
@@ -0,0 +1,35 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 12 Jul 2016 13:17:57 +0800
+Subject: crypto: scatterwalk - Fix test in scatterwalk_done
+
+commit 5f070e81bee35f1b7bd1477bb223a873ff657803 upstream.
+
+When there is more data to be processed, the current test in
+scatterwalk_done may prevent us from calling pagedone even when
+we should.
+
+In particular, if we're on an SG entry spanning multiple pages
+where the last page is not a full page, we will incorrectly skip
+calling pagedone on the second last page.
+
+This patch fixes this by adding a separate test for whether we've
+reached the end of a page.
+
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/scatterwalk.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/scatterwalk.c
++++ b/crypto/scatterwalk.c
+@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct
+ 
+ void scatterwalk_done(struct scatter_walk *walk, int out, int more)
+ {
+-	if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
++	if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
++	    !(walk->offset & (PAGE_SIZE - 1)))
+ 		scatterwalk_pagedone(walk, out, more);
+ }
+ EXPORT_SYMBOL_GPL(scatterwalk_done);
diff --git a/queue-3.16/crypto-skcipher-fix-blkcipher-walk-oom-crash.patch b/queue-3.16/crypto-skcipher-fix-blkcipher-walk-oom-crash.patch
new file mode 100644
index 0000000..8787618
--- /dev/null
+++ b/queue-3.16/crypto-skcipher-fix-blkcipher-walk-oom-crash.patch
@@ -0,0 +1,43 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 13 Sep 2016 14:43:29 +0800
+Subject: crypto: skcipher - Fix blkcipher walk OOM crash
+
+commit acdb04d0b36769b3e05990c488dc74d8b7ac8060 upstream.
+
+When we need to allocate a temporary blkcipher_walk_next and it
+fails, the code is supposed to take the slow path of processing
+the data block by block.  However, due to an unrelated change
+we instead end up dereferencing the NULL pointer.
+
+This patch fixes it by moving the unrelated bsize setting out
+of the way so that we enter the slow path as inteded.
+
+Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
+Reported-by: xiakaixu <xiakaixu@huawei.com>
+Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ crypto/blkcipher.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/blkcipher.c
++++ b/crypto/blkcipher.c
+@@ -233,6 +233,8 @@ static int blkcipher_walk_next(struct bl
+ 		return blkcipher_walk_done(desc, walk, -EINVAL);
+ 	}
+ 
++	bsize = min(walk->walk_blocksize, n);
++
+ 	walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
+ 			 BLKCIPHER_WALK_DIFF);
+ 	if (!scatterwalk_aligned(&walk->in, walk->alignmask) ||
+@@ -245,7 +247,6 @@ static int blkcipher_walk_next(struct bl
+ 		}
+ 	}
+ 
+-	bsize = min(walk->walk_blocksize, n);
+ 	n = scatterwalk_clamp(&walk->in, n);
+ 	n = scatterwalk_clamp(&walk->out, n);
+ 
diff --git a/queue-3.16/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch b/queue-3.16/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch
new file mode 100644
index 0000000..756b5fa
--- /dev/null
+++ b/queue-3.16/dm-crypt-fix-free-of-bad-values-after-tfm-allocation-failure.patch
@@ -0,0 +1,30 @@
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 30 Aug 2016 09:51:44 -0700
+Subject: dm crypt: fix free of bad values after tfm allocation failure
+
+commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd upstream.
+
+If crypt_alloc_tfms() had to allocate multiple tfms and it failed before
+the last allocation, then it would call crypt_free_tfms() and could free
+pointers from uninitialized memory -- due to the crypt_free_tfms() check
+for non-zero cc->tfms[i].  Fix by allocating zeroed memory.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/md/dm-crypt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -1400,7 +1400,7 @@ static int crypt_alloc_tfms(struct crypt
+ 	unsigned i;
+ 	int err;
+ 
+-	cc->tfms = kmalloc(cc->tfms_count * sizeof(struct crypto_ablkcipher *),
++	cc->tfms = kzalloc(cc->tfms_count * sizeof(struct crypto_ablkcipher *),
+ 			   GFP_KERNEL);
+ 	if (!cc->tfms)
+ 		return -ENOMEM;
diff --git a/queue-3.16/dm-flakey-error-read-bios-during-the-down_interval.patch b/queue-3.16/dm-flakey-error-read-bios-during-the-down_interval.patch
new file mode 100644
index 0000000..07e3dc0
--- /dev/null
+++ b/queue-3.16/dm-flakey-error-read-bios-during-the-down_interval.patch
@@ -0,0 +1,64 @@
+From: Mike Snitzer <snitzer@redhat.com>
+Date: Fri, 29 Jul 2016 13:19:55 -0400
+Subject: dm flakey: error READ bios during the down_interval
+
+commit 99f3c90d0d85708e7401a81ce3314e50bf7f2819 upstream.
+
+When the corrupt_bio_byte feature was introduced it caused READ bios to
+no longer be errored with -EIO during the down_interval.  This had to do
+with the complexity of needing to submit READs if the corrupt_bio_byte
+feature was used.
+
+Fix it so READ bios are properly errored with -EIO; doing so early in
+flakey_map() as long as there isn't a match for the corrupt_bio_byte
+feature.
+
+Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature")
+Reported-by: Akira Hayakawa <ruby.wktk@gmail.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/md/dm-flakey.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -287,10 +287,16 @@ static int flakey_map(struct dm_target *
+ 		pb->bio_submitted = true;
+ 
+ 		/*
+-		 * Map reads as normal.
++		 * Map reads as normal only if corrupt_bio_byte set.
+ 		 */
+-		if (bio_data_dir(bio) == READ)
+-			goto map_bio;
++		if (bio_data_dir(bio) == READ) {
++			/* If flags were specified, only corrupt those that match. */
++			if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw == READ) &&
++			    all_corrupt_bio_flags_match(bio, fc))
++				goto map_bio;
++			else
++				return -EIO;
++		}
+ 
+ 		/*
+ 		 * Drop writes?
+@@ -328,12 +334,13 @@ static int flakey_end_io(struct dm_targe
+ 
+ 	/*
+ 	 * Corrupt successful READs while in down state.
+-	 * If flags were specified, only corrupt those that match.
+ 	 */
+-	if (fc->corrupt_bio_byte && !error && pb->bio_submitted &&
+-	    (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
+-	    all_corrupt_bio_flags_match(bio, fc))
+-		corrupt_bio_data(bio, fc);
++	if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
++		if (fc->corrupt_bio_byte)
++			corrupt_bio_data(bio, fc);
++		else
++			return -EIO;
++	}
+ 
+ 	return error;
+ }
diff --git a/queue-3.16/documentation-module-signing.txt-note-need-for-version-info-if.patch b/queue-3.16/documentation-module-signing.txt-note-need-for-version-info-if.patch
new file mode 100644
index 0000000..f9057ca
--- /dev/null
+++ b/queue-3.16/documentation-module-signing.txt-note-need-for-version-info-if.patch
@@ -0,0 +1,30 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 28 Apr 2016 09:24:05 +0930
+Subject: Documentation/module-signing.txt: Note need for version info if
+ reusing a key
+
+commit b8612e517c3c9809e1200b72c474dbfd969e5a83 upstream.
+
+Signing a module should only make it trusted by the specific kernel it
+was built for, not anything else.  If a module signing key is used for
+multiple ABI-incompatible kernels, the modules need to include enough
+version information to distinguish them.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+---
+ Documentation/module-signing.txt | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/Documentation/module-signing.txt
++++ b/Documentation/module-signing.txt
+@@ -239,3 +239,9 @@ Since the private key is used to sign mo
+ the private key to sign modules and compromise the operating system.  The
+ private key must be either destroyed or moved to a secure location and not kept
+ in the root node of the kernel source tree.
++
++If you use the same private key to sign modules for multiple kernel
++configurations, you must ensure that the module version information is
++sufficient to prevent loading a module into a different kernel.  Either
++set CONFIG_MODVERSIONS=y or ensure that each configuration has a different
++kernel release string by changing EXTRAVERSION or CONFIG_LOCALVERSION.
diff --git a/queue-3.16/drm-edid-add-6-bpc-quirk-for-display-aeo-model-0.patch b/queue-3.16/drm-edid-add-6-bpc-quirk-for-display-aeo-model-0.patch
new file mode 100644
index 0000000..e0f576e
--- /dev/null
+++ b/queue-3.16/drm-edid-add-6-bpc-quirk-for-display-aeo-model-0.patch
@@ -0,0 +1,79 @@
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Wed, 6 Jul 2016 12:05:44 +0200
+Subject: drm/edid: Add 6 bpc quirk for display AEO model 0.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit e10aec652f31ec61d6a0b4d00d8ef8d2b66fa0fd upstream.
+
+Bugzilla https://bugzilla.kernel.org/show_bug.cgi?id=105331
+reports that the "AEO model 0" display is driven with 8 bpc
+without dithering by default, which looks bad because that
+panel is apparently a 6 bpc DP panel with faulty EDID.
+
+A fix for this was made by commit 013dd9e03872
+("drm/i915/dp: fall back to 18 bpp when sink capability is unknown").
+
+That commit triggers new regressions in precision for DP->DVI and
+DP->VGA displays. A patch is out to revert that commit, but it will
+revert video output for the AEO model 0 panel to 8 bpc without
+dithering.
+
+The EDID 1.3 of that panel, as decoded from the xrandr output
+attached to that bugzilla bug report, is somewhat faulty, and beyond
+other problems also sets the "DFP 1.x compliant TMDS" bit, which
+according to DFP spec means to drive the panel with 8 bpc and
+no dithering in absence of other colorimetry information.
+
+Try to make the original bug reporter happy despite the
+faulty EDID by adding a quirk to mark that panel as 6 bpc,
+so 6 bpc output with dithering creates a nice picture.
+
+Tested by injecting the edid from the fdo bug into a DP connector
+via drm_kms_helper.edid_firmware and verifying the 6 bpc + dithering
+is selected.
+
+This patch should be backported to stable.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/drm_edid.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -72,6 +72,8 @@
+ #define EDID_QUIRK_FORCE_8BPC			(1 << 8)
+ /* Force 12bpc */
+ #define EDID_QUIRK_FORCE_12BPC			(1 << 9)
++/* Force 6bpc */
++#define EDID_QUIRK_FORCE_6BPC			(1 << 10)
+ 
+ struct detailed_mode_closure {
+ 	struct drm_connector *connector;
+@@ -98,6 +100,9 @@ static struct edid_quirk {
+ 	/* Unknown Acer */
+ 	{ "ACR", 2423, EDID_QUIRK_FIRST_DETAILED_PREFERRED },
+ 
++	/* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
++	{ "AEO", 0, EDID_QUIRK_FORCE_6BPC },
++
+ 	/* Belinea 10 15 55 */
+ 	{ "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
+ 	{ "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
+@@ -3667,6 +3672,9 @@ int drm_add_edid_modes(struct drm_connec
+ 
+ 	drm_add_display_info(edid, &connector->display_info, connector);
+ 
++	if (quirks & EDID_QUIRK_FORCE_6BPC)
++		connector->display_info.bpc = 6;
++
+ 	if (quirks & EDID_QUIRK_FORCE_8BPC)
+ 		connector->display_info.bpc = 8;
+ 
diff --git a/queue-3.16/drm-i915-dp-revert-drm-i915-dp-fall-back-to-18-bpp-when-sink.patch b/queue-3.16/drm-i915-dp-revert-drm-i915-dp-fall-back-to-18-bpp-when-sink.patch
new file mode 100644
index 0000000..f2fb237
--- /dev/null
+++ b/queue-3.16/drm-i915-dp-revert-drm-i915-dp-fall-back-to-18-bpp-when-sink.patch
@@ -0,0 +1,77 @@
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Wed, 6 Jul 2016 12:05:45 +0200
+Subject: drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink
+ capability is unknown"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 196f954e250943df414efd3d632254c29be38e59 upstream.
+
+This reverts commit 013dd9e03872
+("drm/i915/dp: fall back to 18 bpp when sink capability is unknown")
+
+This commit introduced a regression into stable kernels,
+as it reduces output color depth to 6 bpc for any video
+sink connected to a Displayport connector if that sink
+doesn't report a specific color depth via EDID, or if
+our EDID parser doesn't actually recognize the proper
+bpc from EDID.
+
+Affected are active DisplayPort->VGA converters and
+active DisplayPort->DVI converters. Both should be
+able to handle 8 bpc, but are degraded to 6 bpc with
+this patch.
+
+The reverted commit was meant to fix
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105331
+
+A followup patch implements a fix for that specific bug,
+which is caused by a faulty EDID of the affected DP panel
+by adding a new EDID quirk for that panel.
+
+DP 18 bpp fallback handling and other improvements to
+DP sink bpc detection will be handled for future
+kernels in a separate series of patches.
+
+Please backport to stable.
+
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/i915/intel_display.c | 20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -9475,21 +9475,11 @@ connected_sink_compute_bpp(struct intel_
+ 		pipe_config->pipe_bpp = connector->base.display_info.bpc*3;
+ 	}
+ 
+-	/* Clamp bpp to default limit on screens without EDID 1.4 */
+-	if (connector->base.display_info.bpc == 0) {
+-		int type = connector->base.connector_type;
+-		int clamp_bpp = 24;
+-
+-		/* Fall back to 18 bpp when DP sink capability is unknown. */
+-		if (type == DRM_MODE_CONNECTOR_DisplayPort ||
+-		    type == DRM_MODE_CONNECTOR_eDP)
+-			clamp_bpp = 18;
+-
+-		if (bpp > clamp_bpp) {
+-			DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of %d\n",
+-				      bpp, clamp_bpp);
+-			pipe_config->pipe_bpp = clamp_bpp;
+-		}
++	/* Clamp bpp to 8 on screens without EDID 1.4 */
++	if (connector->base.display_info.bpc == 0 && bpp > 24) {
++		DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit of 24\n",
++			      bpp);
++		pipe_config->pipe_bpp = 24;
+ 	}
+ }
+ 
diff --git a/queue-3.16/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch b/queue-3.16/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
new file mode 100644
index 0000000..a488c7d
--- /dev/null
+++ b/queue-3.16/drm-msm-fix-use-of-copy_from_user-while-holding-spinlock.patch
@@ -0,0 +1,75 @@
+From: Rob Clark <robdclark@gmail.com>
+Date: Mon, 22 Aug 2016 15:15:23 -0400
+Subject: drm/msm: fix use of copy_from_user() while holding spinlock
+
+commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 upstream.
+
+Use instead __copy_from_user_inatomic() and fallback to slow-path where
+we drop and re-aquire the lock in case of fault.
+
+Reported-by: Vaishali Thakkar <vaishali.thakkar@oracle.com>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -55,6 +55,14 @@ static struct msm_gem_submit *submit_cre
+ 	return submit;
+ }
+ 
++static inline unsigned long __must_check
++copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
++{
++	if (access_ok(VERIFY_READ, from, n))
++		return __copy_from_user_inatomic(to, from, n);
++	return -EFAULT;
++}
++
+ static int submit_lookup_objects(struct msm_gem_submit *submit,
+ 		struct drm_msm_gem_submit *args, struct drm_file *file)
+ {
+@@ -62,6 +70,7 @@ static int submit_lookup_objects(struct
+ 	int ret = 0;
+ 
+ 	spin_lock(&file->table_lock);
++	pagefault_disable();
+ 
+ 	for (i = 0; i < args->nr_bos; i++) {
+ 		struct drm_msm_gem_submit_bo submit_bo;
+@@ -70,10 +79,15 @@ static int submit_lookup_objects(struct
+ 		void __user *userptr =
+ 			to_user_ptr(args->bos + (i * sizeof(submit_bo)));
+ 
+-		ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
+-		if (ret) {
+-			ret = -EFAULT;
+-			goto out_unlock;
++		ret = copy_from_user_inatomic(&submit_bo, userptr, sizeof(submit_bo));
++		if (unlikely(ret)) {
++			pagefault_enable();
++			spin_unlock(&file->table_lock);
++			ret = copy_from_user(&submit_bo, userptr, sizeof(submit_bo));
++			if (ret)
++				goto out;
++			spin_lock(&file->table_lock);
++			pagefault_disable();
+ 		}
+ 
+ 		if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
+@@ -113,9 +127,12 @@ static int submit_lookup_objects(struct
+ 	}
+ 
+ out_unlock:
+-	submit->nr_bos = i;
++	pagefault_enable();
+ 	spin_unlock(&file->table_lock);
+ 
++out:
++	submit->nr_bos = i;
++
+ 	return ret;
+ }
+ 
diff --git a/queue-3.16/drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch b/queue-3.16/drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch
new file mode 100644
index 0000000..45c52bf
--- /dev/null
+++ b/queue-3.16/drm-msm-protect-against-faults-from-copy_from_user-in-submit-ioctl.patch
@@ -0,0 +1,78 @@
+From: Rob Clark <robdclark@gmail.com>
+Date: Mon, 22 Aug 2016 15:28:38 -0400
+Subject: drm/msm: protect against faults from copy_from_user() in submit ioctl
+
+commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 upstream.
+
+An evil userspace could try to cause deadlock by passing an unfaulted-in
+GEM bo as submit->bos (or submit->cmds) table.  Which will trigger
+msm_gem_fault() while we already hold struct_mutex.  See:
+
+https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c
+
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/msm/msm_drv.h        | 6 ++++++
+ drivers/gpu/drm/msm/msm_gem.c        | 9 +++++++++
+ drivers/gpu/drm/msm/msm_gem_submit.c | 3 +++
+ 3 files changed, 18 insertions(+)
+
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -124,6 +124,12 @@ struct msm_drm_private {
+ 		 */
+ 		struct drm_mm mm;
+ 	} vram;
++
++	/* task holding struct_mutex.. currently only used in submit path
++	 * to detect and reject faults from copy_from_user() for submit
++	 * ioctl.
++	 */
++	struct task_struct *struct_mutex_task;
+ };
+ 
+ struct msm_format {
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -188,11 +188,20 @@ int msm_gem_fault(struct vm_area_struct
+ {
+ 	struct drm_gem_object *obj = vma->vm_private_data;
+ 	struct drm_device *dev = obj->dev;
++	struct msm_drm_private *priv = dev->dev_private;
+ 	struct page **pages;
+ 	unsigned long pfn;
+ 	pgoff_t pgoff;
+ 	int ret;
+ 
++	/* This should only happen if userspace tries to pass a mmap'd
++	 * but unfaulted gem bo vaddr into submit ioctl, triggering
++	 * a page fault while struct_mutex is already held.  This is
++	 * not a valid use-case so just bail.
++	 */
++	if (priv->struct_mutex_task == current)
++		return VM_FAULT_SIGBUS;
++
+ 	/* Make sure we don't parallel update on a fault, nor move or remove
+ 	 * something from beneath our feet
+ 	 */
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -360,6 +360,8 @@ int msm_ioctl_gem_submit(struct drm_devi
+ 	if (ret)
+ 		return ret;
+ 
++	priv->struct_mutex_task = current;
++
+ 	submit = submit_create(dev, gpu, args->nr_bos);
+ 	if (!submit) {
+ 		ret = -ENOMEM;
+@@ -442,6 +444,7 @@ out:
+ 	if (submit)
+ 		submit_cleanup(submit, !!ret);
+ out_unlock:
++	priv->struct_mutex_task = NULL;
+ 	mutex_unlock(&dev->struct_mutex);
+ 	return ret;
+ }
diff --git a/queue-3.16/drm-msm-use-mutex_lock_interruptible-for-submit-ioctl.patch b/queue-3.16/drm-msm-use-mutex_lock_interruptible-for-submit-ioctl.patch
new file mode 100644
index 0000000..414d346
--- /dev/null
+++ b/queue-3.16/drm-msm-use-mutex_lock_interruptible-for-submit-ioctl.patch
@@ -0,0 +1,39 @@
+From: Rob Clark <robdclark@gmail.com>
+Date: Tue, 17 May 2016 15:43:35 -0400
+Subject: drm/msm: use mutex_lock_interruptible for submit ioctl
+
+commit b5b4c264df4d270819676b290cef9a11d04c35f0 upstream.
+
+Be kinder to things that do lots of signal handling (ie. Xorg)
+
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -339,12 +339,14 @@ int msm_ioctl_gem_submit(struct drm_devi
+ 	if (args->nr_cmds > MAX_CMDS)
+ 		return -EINVAL;
+ 
+-	mutex_lock(&dev->struct_mutex);
++	ret = mutex_lock_interruptible(&dev->struct_mutex);
++	if (ret)
++		return ret;
+ 
+ 	submit = submit_create(dev, gpu, args->nr_bos);
+ 	if (!submit) {
+ 		ret = -ENOMEM;
+-		goto out;
++		goto out_unlock;
+ 	}
+ 
+ 	ret = submit_lookup_objects(submit, args, file);
+@@ -422,6 +424,7 @@ int msm_ioctl_gem_submit(struct drm_devi
+ out:
+ 	if (submit)
+ 		submit_cleanup(submit, !!ret);
++out_unlock:
+ 	mutex_unlock(&dev->struct_mutex);
+ 	return ret;
+ }
diff --git a/queue-3.16/drm-nouveau-acpi-check-for-function-0x1b-before-using-it.patch b/queue-3.16/drm-nouveau-acpi-check-for-function-0x1b-before-using-it.patch
new file mode 100644
index 0000000..c3a4355
--- /dev/null
+++ b/queue-3.16/drm-nouveau-acpi-check-for-function-0x1b-before-using-it.patch
@@ -0,0 +1,94 @@
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Fri, 15 Jul 2016 15:12:17 +0200
+Subject: drm/nouveau/acpi: check for function 0x1B before using it
+
+commit cba97805cb69d5b1a1d3bb108872c73b5bf0e205 upstream.
+
+Do not unconditionally invoke function 0x1B without checking for its
+availability, it leads to an infinite loop on some firmware.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=104791
+Fixes: 5addcf0a5f0fad ("nouveau: add runtime PM support (v0.9)")
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Acked-by: Dave Airlie <airlied@redhat.com
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/nouveau/nouveau_acpi.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
+@@ -45,6 +45,7 @@
+ static struct nouveau_dsm_priv {
+ 	bool dsm_detected;
+ 	bool optimus_detected;
++	bool optimus_flags_detected;
+ 	acpi_handle dhandle;
+ 	acpi_handle other_handle;
+ 	acpi_handle rom_handle;
+@@ -213,7 +214,8 @@ static struct vga_switcheroo_handler nou
+ };
+ 
+ static void nouveau_dsm_pci_probe(struct pci_dev *pdev, acpi_handle *dhandle_out,
+-				  bool *has_mux, bool *has_opt)
++				  bool *has_mux, bool *has_opt,
++				  bool *has_opt_flags)
+ {
+ 	acpi_handle dhandle;
+ 	bool supports_mux;
+@@ -238,6 +240,7 @@ static void nouveau_dsm_pci_probe(struct
+ 	*dhandle_out = dhandle;
+ 	*has_mux = supports_mux;
+ 	*has_opt = !!optimus_funcs;
++	*has_opt_flags = optimus_funcs & (1 << NOUVEAU_DSM_OPTIMUS_FLAGS);
+ 
+ 	if (optimus_funcs) {
+ 		uint32_t result;
+@@ -258,6 +261,7 @@ static bool nouveau_dsm_detect(void)
+ 	acpi_handle dhandle = NULL;
+ 	bool has_mux = false;
+ 	bool has_optimus = false;
++	bool has_optimus_flags = false;
+ 	int vga_count = 0;
+ 	bool guid_valid;
+ 	bool ret = false;
+@@ -272,13 +276,15 @@ static bool nouveau_dsm_detect(void)
+ 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) {
+ 		vga_count++;
+ 
+-		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
++		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus,
++				      &has_optimus_flags);
+ 	}
+ 
+ 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_3D << 8, pdev)) != NULL) {
+ 		vga_count++;
+ 
+-		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
++		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus,
++				      &has_optimus_flags);
+ 	}
+ 
+ 	/* find the optimus DSM or the old v1 DSM */
+@@ -289,6 +295,7 @@ static bool nouveau_dsm_detect(void)
+ 		printk(KERN_INFO "VGA switcheroo: detected Optimus DSM method %s handle\n",
+ 			acpi_method_name);
+ 		nouveau_dsm_priv.optimus_detected = true;
++		nouveau_dsm_priv.optimus_flags_detected = has_optimus_flags;
+ 		ret = true;
+ 	} else if (vga_count == 2 && has_mux && guid_valid) {
+ 		nouveau_dsm_priv.dhandle = dhandle;
+@@ -332,8 +339,9 @@ void nouveau_switcheroo_optimus_dsm(void
+ 	if (!nouveau_dsm_priv.optimus_detected)
+ 		return;
+ 
+-	nouveau_optimus_dsm(nouveau_dsm_priv.dhandle, NOUVEAU_DSM_OPTIMUS_FLAGS,
+-			    0x3, &result);
++	if (nouveau_dsm_priv.optimus_flags_detected)
++		nouveau_optimus_dsm(nouveau_dsm_priv.dhandle, NOUVEAU_DSM_OPTIMUS_FLAGS,
++				    0x3, &result);
+ 
+ 	nouveau_optimus_dsm(nouveau_dsm_priv.dhandle, NOUVEAU_DSM_OPTIMUS_CAPS,
+ 		NOUVEAU_DSM_OPTIMUS_SET_POWERDOWN, &result);
diff --git a/queue-3.16/drm-nouveau-acpi-ensure-matching-acpi-handle-and-supported-functions.patch b/queue-3.16/drm-nouveau-acpi-ensure-matching-acpi-handle-and-supported-functions.patch
new file mode 100644
index 0000000..cf90184
--- /dev/null
+++ b/queue-3.16/drm-nouveau-acpi-ensure-matching-acpi-handle-and-supported-functions.patch
@@ -0,0 +1,150 @@
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Fri, 15 Jul 2016 15:12:15 +0200
+Subject: drm/nouveau/acpi: ensure matching ACPI handle and supported functions
+
+commit df42194a9ac2678bf086c2c5372e125e742b0ee7 upstream.
+
+Ensure that the returned set of supported DSM functions (MUX, Optimus)
+match the ACPI handle that is set in nouveau_dsm_pci_probe.
+
+As there are no machines with a MUX function on just one PCI device and
+an Optimus on another, there should not be a functional impact. This
+change however makes this implicit assumption more obvious.
+
+Convert int to bool and rename has_dsm to has_mux while at it. Let the
+caller set nouveau_dsm_priv.dhandle as needed.
+
+ v2: pass dhandle to the caller.
+
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Acked-by: Dave Airlie <airlied@redhat.com
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/nouveau/nouveau_acpi.c | 58 +++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 32 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
+@@ -58,9 +58,6 @@ bool nouveau_is_v1_dsm(void) {
+ 	return nouveau_dsm_priv.dsm_detected;
+ }
+ 
+-#define NOUVEAU_DSM_HAS_MUX 0x1
+-#define NOUVEAU_DSM_HAS_OPT 0x2
+-
+ #ifdef CONFIG_VGA_SWITCHEROO
+ static const char nouveau_dsm_muid[] = {
+ 	0xA0, 0xA0, 0x95, 0x9D, 0x60, 0x00, 0x48, 0x4D,
+@@ -213,27 +210,34 @@ static struct vga_switcheroo_handler nou
+ 	.get_client_id = nouveau_dsm_get_client_id,
+ };
+ 
+-static int nouveau_dsm_pci_probe(struct pci_dev *pdev)
++static void nouveau_dsm_pci_probe(struct pci_dev *pdev, acpi_handle *dhandle_out,
++				  bool *has_mux, bool *has_opt)
+ {
+ 	acpi_handle dhandle;
+-	int retval = 0;
++	bool supports_mux;
++	bool supports_opt;
+ 
+ 	dhandle = ACPI_HANDLE(&pdev->dev);
+ 	if (!dhandle)
+-		return false;
++		return;
+ 
+ 	if (!acpi_has_method(dhandle, "_DSM")) {
+ 		nouveau_dsm_priv.other_handle = dhandle;
+-		return false;
++		return;
+ 	}
+-	if (acpi_check_dsm(dhandle, nouveau_dsm_muid, 0x00000102,
+-			   1 << NOUVEAU_DSM_POWER))
+-		retval |= NOUVEAU_DSM_HAS_MUX;
++	supports_mux = acpi_check_dsm(dhandle, nouveau_dsm_muid, 0x00000102,
++				      1 << NOUVEAU_DSM_POWER);
++	supports_opt = nouveau_check_optimus_dsm(dhandle);
++
++	/* Does not look like a Nvidia device. */
++	if (!supports_mux && !supports_opt)
++		return;
+ 
+-	if (nouveau_check_optimus_dsm(dhandle))
+-		retval |= NOUVEAU_DSM_HAS_OPT;
++	*dhandle_out = dhandle;
++	*has_mux = supports_mux;
++	*has_opt = supports_opt;
+ 
+-	if (retval & NOUVEAU_DSM_HAS_OPT) {
++	if (supports_opt) {
+ 		uint32_t result;
+ 		nouveau_optimus_dsm(dhandle, NOUVEAU_DSM_OPTIMUS_CAPS, 0,
+ 				    &result);
+@@ -242,10 +246,6 @@ static int nouveau_dsm_pci_probe(struct
+ 			 (result & OPTIMUS_DYNAMIC_PWR_CAP) ? "dynamic power, " : "",
+ 			 (result & OPTIMUS_HDA_CODEC_MASK) ? "hda bios codec supported" : "");
+ 	}
+-	if (retval)
+-		nouveau_dsm_priv.dhandle = dhandle;
+-
+-	return retval;
+ }
+ 
+ static bool nouveau_dsm_detect(void)
+@@ -253,11 +253,11 @@ static bool nouveau_dsm_detect(void)
+ 	char acpi_method_name[255] = { 0 };
+ 	struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
+ 	struct pci_dev *pdev = NULL;
+-	int has_dsm = 0;
+-	int has_optimus = 0;
++	acpi_handle dhandle = NULL;
++	bool has_mux = false;
++	bool has_optimus = false;
+ 	int vga_count = 0;
+ 	bool guid_valid;
+-	int retval;
+ 	bool ret = false;
+ 
+ 	/* lookup the MXM GUID */
+@@ -270,32 +270,26 @@ static bool nouveau_dsm_detect(void)
+ 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) {
+ 		vga_count++;
+ 
+-		retval = nouveau_dsm_pci_probe(pdev);
+-		if (retval & NOUVEAU_DSM_HAS_MUX)
+-			has_dsm |= 1;
+-		if (retval & NOUVEAU_DSM_HAS_OPT)
+-			has_optimus = 1;
++		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
+ 	}
+ 
+ 	while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_3D << 8, pdev)) != NULL) {
+ 		vga_count++;
+ 
+-		retval = nouveau_dsm_pci_probe(pdev);
+-		if (retval & NOUVEAU_DSM_HAS_MUX)
+-			has_dsm |= 1;
+-		if (retval & NOUVEAU_DSM_HAS_OPT)
+-			has_optimus = 1;
++		nouveau_dsm_pci_probe(pdev, &dhandle, &has_mux, &has_optimus);
+ 	}
+ 
+ 	/* find the optimus DSM or the old v1 DSM */
+-	if (has_optimus == 1) {
++	if (has_optimus) {
++		nouveau_dsm_priv.dhandle = dhandle;
+ 		acpi_get_name(nouveau_dsm_priv.dhandle, ACPI_FULL_PATHNAME,
+ 			&buffer);
+ 		printk(KERN_INFO "VGA switcheroo: detected Optimus DSM method %s handle\n",
+ 			acpi_method_name);
+ 		nouveau_dsm_priv.optimus_detected = true;
+ 		ret = true;
+-	} else if (vga_count == 2 && has_dsm && guid_valid) {
++	} else if (vga_count == 2 && has_mux && guid_valid) {
++		nouveau_dsm_priv.dhandle = dhandle;
+ 		acpi_get_name(nouveau_dsm_priv.dhandle, ACPI_FULL_PATHNAME,
+ 			&buffer);
+ 		printk(KERN_INFO "VGA switcheroo: detected DSM switching method %s handle\n",
diff --git a/queue-3.16/drm-nouveau-acpi-return-supported-dsm-functions.patch b/queue-3.16/drm-nouveau-acpi-return-supported-dsm-functions.patch
new file mode 100644
index 0000000..cbec6ae
--- /dev/null
+++ b/queue-3.16/drm-nouveau-acpi-return-supported-dsm-functions.patch
@@ -0,0 +1,71 @@
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Fri, 15 Jul 2016 15:12:16 +0200
+Subject: drm/nouveau/acpi: return supported DSM functions
+
+commit a12e78dd3e727094e449ee4e3b752ea9b6f8db01 upstream.
+
+Return the set of supported functions to the caller. No functional
+changes.
+
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Acked-by: Dave Airlie <airlied@redhat.com
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/nouveau/nouveau_acpi.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
+@@ -108,7 +108,7 @@ static int nouveau_optimus_dsm(acpi_hand
+  * requirements on the fourth parameter, so a private implementation
+  * instead of using acpi_check_dsm().
+  */
+-static int nouveau_check_optimus_dsm(acpi_handle handle)
++static int nouveau_dsm_get_optimus_functions(acpi_handle handle)
+ {
+ 	int result;
+ 
+@@ -123,7 +123,9 @@ static int nouveau_check_optimus_dsm(acp
+ 	 * ACPI Spec v4 9.14.1: if bit 0 is zero, no function is supported.
+ 	 * If the n-th bit is enabled, function n is supported
+ 	 */
+-	return result & 1 && result & (1 << NOUVEAU_DSM_OPTIMUS_CAPS);
++	if (result & 1 && result & (1 << NOUVEAU_DSM_OPTIMUS_CAPS))
++		return result;
++	return 0;
+ }
+ 
+ static int nouveau_dsm(acpi_handle handle, int func, int arg)
+@@ -215,7 +217,7 @@ static void nouveau_dsm_pci_probe(struct
+ {
+ 	acpi_handle dhandle;
+ 	bool supports_mux;
+-	bool supports_opt;
++	int optimus_funcs;
+ 
+ 	dhandle = ACPI_HANDLE(&pdev->dev);
+ 	if (!dhandle)
+@@ -227,17 +229,17 @@ static void nouveau_dsm_pci_probe(struct
+ 	}
+ 	supports_mux = acpi_check_dsm(dhandle, nouveau_dsm_muid, 0x00000102,
+ 				      1 << NOUVEAU_DSM_POWER);
+-	supports_opt = nouveau_check_optimus_dsm(dhandle);
++	optimus_funcs = nouveau_dsm_get_optimus_functions(dhandle);
+ 
+ 	/* Does not look like a Nvidia device. */
+-	if (!supports_mux && !supports_opt)
++	if (!supports_mux && !optimus_funcs)
+ 		return;
+ 
+ 	*dhandle_out = dhandle;
+ 	*has_mux = supports_mux;
+-	*has_opt = supports_opt;
++	*has_opt = !!optimus_funcs;
+ 
+-	if (supports_opt) {
++	if (optimus_funcs) {
+ 		uint32_t result;
+ 		nouveau_optimus_dsm(dhandle, NOUVEAU_DSM_OPTIMUS_CAPS, 0,
+ 				    &result);
diff --git a/queue-3.16/drm-nouveau-don-t-leak-runtime-pm-ref-on-driver-unload.patch b/queue-3.16/drm-nouveau-don-t-leak-runtime-pm-ref-on-driver-unload.patch
new file mode 100644
index 0000000..bfccc01
--- /dev/null
+++ b/queue-3.16/drm-nouveau-don-t-leak-runtime-pm-ref-on-driver-unload.patch
@@ -0,0 +1,43 @@
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 8 Jun 2016 18:47:27 +0200
+Subject: drm/nouveau: Don't leak runtime pm ref on driver unload
+
+commit c1b16b45607976c76a3c41b8a319172b8b83f996 upstream.
+
+nouveau_drm_load() calls pm_runtime_put() if nouveau_runtime_pm != 0,
+but nouveau_drm_unload() calls pm_runtime_get_sync() unconditionally.
+We therefore leak a runtime pm ref whenever nouveau is loaded with
+runpm=0 and then unloaded. The GPU will subsequently never runtime
+suspend even if nouveau is loaded again with runpm=1.
+
+Fix by taking the runtime pm ref under the same condition that it was
+released on driver load.
+
+Fixes: 5addcf0a5f0f ("nouveau: add runtime PM support (v0.9)")
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Reported-by: Karol Herbst <karolherbst@gmail.com>
+Tested-by: Karol Herbst <karolherbst@gmail.com>
+Tested-by: Peter Wu <peter@lekensteyn.nl>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/1544b82007037601fbc510b1a50edc56c529e75f.1465392124.git.lukas@wunner.de
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -472,7 +472,10 @@ nouveau_drm_unload(struct drm_device *de
+ {
+ 	struct nouveau_drm *drm = nouveau_drm(dev);
+ 
+-	pm_runtime_get_sync(dev->dev);
++	if (nouveau_runtime_pm != 0) {
++		pm_runtime_get_sync(dev->dev);
++	}
++
+ 	nouveau_fbcon_fini(dev);
+ 	nouveau_accel_fini(drm);
+ 	nouveau_hwmon_fini(dev);
diff --git a/queue-3.16/drm-nouveau-fbcon-fix-font-width-not-divisible-by-8.patch b/queue-3.16/drm-nouveau-fbcon-fix-font-width-not-divisible-by-8.patch
new file mode 100644
index 0000000..9c90aef
--- /dev/null
+++ b/queue-3.16/drm-nouveau-fbcon-fix-font-width-not-divisible-by-8.patch
@@ -0,0 +1,72 @@
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 28 Jul 2016 18:56:13 -0400
+Subject: drm/nouveau/fbcon: fix font width not divisible by 8
+
+commit 28668f43b8e421634e1623f72a879812288dd06b upstream.
+
+The patch f045f459d925 ("drm/nouveau/fbcon: fix out-of-bounds memory accesses")
+tries to fix some out of memory accesses. Unfortunatelly, the patch breaks the
+display when using fonts with width that is not divisiable by 8.
+
+The monochrome bitmap for each character is stored in memory by lines from top
+to bottom. Each line is padded to a full byte.
+
+For example, for 22x11 font, each line is padded to 16 bits, so each
+character is consuming 44 bytes total, that is 11 32-bit words. The patch
+f045f459d925 changed the logic to "dsize = ALIGN(image->width *
+image->height, 32) >> 5", that is just 8 words - this is incorrect and it
+causes display corruption.
+
+This patch adds the necesary padding of lines to 8 bytes.
+
+This patch should be backported to stable kernels where f045f459d925 was
+backported.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Fixes: f045f459d925 ("drm/nouveau/fbcon: fix out-of-bounds memory accesses")
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/nouveau/nv04_fbcon.c | 4 ++--
+ drivers/gpu/drm/nouveau/nv50_fbcon.c | 2 +-
+ drivers/gpu/drm/nouveau/nvc0_fbcon.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nv04_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c
+@@ -109,11 +109,11 @@ nv04_fbcon_imageblit(struct fb_info *inf
+ 			 ((image->dx + image->width) & 0xffff));
+ 	OUT_RING(chan, bg);
+ 	OUT_RING(chan, fg);
+-	OUT_RING(chan, (image->height << 16) | image->width);
++	OUT_RING(chan, (image->height << 16) | ALIGN(image->width, 8));
+ 	OUT_RING(chan, (image->height << 16) | image->width);
+ 	OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff));
+ 
+-	dsize = ALIGN(image->width * image->height, 32) >> 5;
++	dsize = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
+ 	while (dsize) {
+ 		int iter_len = dsize > 128 ? 128 : dsize;
+ 
+--- a/drivers/gpu/drm/nouveau/nv50_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nv50_fbcon.c
+@@ -125,7 +125,7 @@ nv50_fbcon_imageblit(struct fb_info *inf
+ 	OUT_RING(chan, 0);
+ 	OUT_RING(chan, image->dy);
+ 
+-	dwords = ALIGN(image->width * image->height, 32) >> 5;
++	dwords = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
+ 	while (dwords) {
+ 		int push = dwords > 2047 ? 2047 : dwords;
+ 
+--- a/drivers/gpu/drm/nouveau/nvc0_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nvc0_fbcon.c
+@@ -125,7 +125,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf
+ 	OUT_RING  (chan, 0);
+ 	OUT_RING  (chan, image->dy);
+ 
+-	dwords = ALIGN(image->width * image->height, 32) >> 5;
++	dwords = ALIGN(ALIGN(image->width, 8) * image->height, 32) >> 5;
+ 	while (dwords) {
+ 		int push = dwords > 2047 ? 2047 : dwords;
+ 
diff --git a/queue-3.16/drm-radeon-add-a-delay-after-atpx-dgpu-power-off.patch b/queue-3.16/drm-radeon-add-a-delay-after-atpx-dgpu-power-off.patch
new file mode 100644
index 0000000..e26c1f7
--- /dev/null
+++ b/queue-3.16/drm-radeon-add-a-delay-after-atpx-dgpu-power-off.patch
@@ -0,0 +1,42 @@
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 1 Jun 2016 12:58:36 -0400
+Subject: drm/radeon: add a delay after ATPX dGPU power off
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit d814b24fb74cb9797d70cb8053961447c5879a5c upstream.
+
+ATPX dGPU power control requires a 200ms delay between
+power off and on.  This should fix dGPU failures on
+resume from power off.
+
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/radeon_atpx_handler.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c
++++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c
+@@ -10,6 +10,7 @@
+ #include <linux/slab.h>
+ #include <linux/acpi.h>
+ #include <linux/pci.h>
++#include <linux/delay.h>
+ 
+ #include "radeon_acpi.h"
+ 
+@@ -256,6 +257,10 @@ static int radeon_atpx_set_discrete_stat
+ 		if (!info)
+ 			return -EIO;
+ 		kfree(info);
++
++		/* 200ms delay is required after off */
++		if (state == 0)
++			msleep(200);
+ 	}
+ 	return 0;
+ }
diff --git a/queue-3.16/drm-radeon-don-t-leak-runtime-pm-ref-on-driver-load.patch b/queue-3.16/drm-radeon-don-t-leak-runtime-pm-ref-on-driver-load.patch
new file mode 100644
index 0000000..6e1b2a8
--- /dev/null
+++ b/queue-3.16/drm-radeon-don-t-leak-runtime-pm-ref-on-driver-load.patch
@@ -0,0 +1,47 @@
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 8 Jun 2016 18:47:27 +0200
+Subject: drm/radeon: Don't leak runtime pm ref on driver load
+
+commit b875194679b0f88ffdb2e2d68435572296628551 upstream.
+
+radeon_device_init() returns an error if either of the two calls to
+radeon_init() fail. One level up in the call stack,
+radeon_driver_load_kms() will then skip runtime pm initialization and
+call radeon_driver_unload_kms(), which acquires a runtime pm ref that
+is leaked.
+
+Balance by releasing a runtime pm ref in the error path of
+radeon_device_init().
+
+Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)")
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/fa5bb977c1fe00474acedae5b03232dbf0b49410.1465392124.git.lukas@wunner.de
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/radeon_device.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -30,6 +30,7 @@
+ #include <drm/drmP.h>
+ #include <drm/drm_crtc_helper.h>
+ #include <drm/radeon_drm.h>
++#include <linux/pm_runtime.h>
+ #include <linux/vgaarb.h>
+ #include <linux/vga_switcheroo.h>
+ #include <linux/efi.h>
+@@ -1465,6 +1466,9 @@ int radeon_device_init(struct radeon_dev
+ 	return 0;
+ 
+ failed:
++	/* balance pm_runtime_get_sync() in radeon_driver_unload_kms() */
++	if (radeon_is_px(ddev))
++		pm_runtime_put_noidle(ddev->dev);
+ 	if (runtime)
+ 		vga_switcheroo_fini_domain_pm_ops(rdev->dev);
+ 	return r;
diff --git a/queue-3.16/drm-radeon-don-t-leak-runtime-pm-ref-on-driver-unload.patch b/queue-3.16/drm-radeon-don-t-leak-runtime-pm-ref-on-driver-unload.patch
new file mode 100644
index 0000000..8c8f4ea
--- /dev/null
+++ b/queue-3.16/drm-radeon-don-t-leak-runtime-pm-ref-on-driver-unload.patch
@@ -0,0 +1,40 @@
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 8 Jun 2016 18:47:27 +0200
+Subject: drm/radeon: Don't leak runtime pm ref on driver unload
+
+commit 19de659cb7216eb1c04889bd1a248593f296e19f upstream.
+
+radeon_driver_load_kms() calls pm_runtime_put_autosuspend() if
+radeon_is_px(dev), but radeon_driver_unload_kms() calls
+pm_runtime_get_sync() unconditionally. We therefore leak a runtime pm
+ref whenever radeon is unloaded on a non-PX machine or if runpm=0. The
+GPU will subsequently never runtime suspend after loading radeon again.
+
+Fix by taking the runtime pm ref under the same condition that it was
+released on driver load.
+
+Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)")
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: http://patchwork.freedesktop.org/patch/msgid/aaf71106c042126817aeca8b8e54ed468ab61ef7.1465392124.git.lukas@wunner.de
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/radeon_kms.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_kms.c
++++ b/drivers/gpu/drm/radeon/radeon_kms.c
+@@ -61,7 +61,9 @@ int radeon_driver_unload_kms(struct drm_
+ 	if (rdev->rmmio == NULL)
+ 		goto done_free;
+ 
+-	pm_runtime_get_sync(dev->dev);
++	if (radeon_is_px(dev)) {
++		pm_runtime_get_sync(dev->dev);
++	}
+ 
+ 	radeon_acpi_fini(rdev);
+ 	
diff --git a/queue-3.16/drm-radeon-fix-firmware-info-version-checks.patch b/queue-3.16/drm-radeon-fix-firmware-info-version-checks.patch
new file mode 100644
index 0000000..8654b0f
--- /dev/null
+++ b/queue-3.16/drm-radeon-fix-firmware-info-version-checks.patch
@@ -0,0 +1,34 @@
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 27 Jul 2016 15:28:56 -0400
+Subject: drm/radeon: fix firmware info version checks
+
+commit 3edc38a0facef45ee22af8afdce3737f421f36ab upstream.
+
+Some of the checks didn't handle frev 2 tables properly.
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -1128,7 +1128,7 @@ bool radeon_atom_get_clock_info(struct d
+ 		    le16_to_cpu(firmware_info->info.usReferenceClock);
+ 		p1pll->reference_div = 0;
+ 
+-		if (crev < 2)
++		if ((frev < 2) && (crev < 2))
+ 			p1pll->pll_out_min =
+ 				le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
+ 		else
+@@ -1137,7 +1137,7 @@ bool radeon_atom_get_clock_info(struct d
+ 		p1pll->pll_out_max =
+ 		    le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
+ 
+-		if (crev >= 4) {
++		if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
+ 			p1pll->lcd_pll_out_min =
+ 				le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
+ 			if (p1pll->lcd_pll_out_min == 0)
diff --git a/queue-3.16/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch b/queue-3.16/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
new file mode 100644
index 0000000..751d435
--- /dev/null
+++ b/queue-3.16/drm-radeon-fix-radeon_move_blit-on-32bit-systems.patch
@@ -0,0 +1,32 @@
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Wed, 17 Aug 2016 09:46:42 +0200
+Subject: drm/radeon: fix radeon_move_blit on 32bit systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 upstream.
+
+This bug seems to be present for a very long time.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/radeon_ttm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_ttm.c
++++ b/drivers/gpu/drm/radeon/radeon_ttm.c
+@@ -232,8 +232,8 @@ static int radeon_move_blit(struct ttm_b
+ 
+ 	rdev = radeon_get_rdev(bo->bdev);
+ 	ridx = radeon_copy_ring_index(rdev);
+-	old_start = old_mem->start << PAGE_SHIFT;
+-	new_start = new_mem->start << PAGE_SHIFT;
++	old_start = (u64)old_mem->start << PAGE_SHIFT;
++	new_start = (u64)new_mem->start << PAGE_SHIFT;
+ 
+ 	switch (old_mem->mem_type) {
+ 	case TTM_PL_VRAM:
diff --git a/queue-3.16/drm-radeon-poll-for-both-connect-disconnect-on-analog-connectors.patch b/queue-3.16/drm-radeon-poll-for-both-connect-disconnect-on-analog-connectors.patch
new file mode 100644
index 0000000..40f611c
--- /dev/null
+++ b/queue-3.16/drm-radeon-poll-for-both-connect-disconnect-on-analog-connectors.patch
@@ -0,0 +1,83 @@
+From: Lyude <cpaul@redhat.com>
+Date: Fri, 24 Jun 2016 17:54:31 -0400
+Subject: drm/radeon: Poll for both connect/disconnect on analog connectors
+
+commit 14ff8d48f2235295dfb3117693008e367b49cdb5 upstream.
+
+DRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not
+disconnections. Because of this, we end up losing hotplug polling for
+analog connectors once they get connected.
+
+Easy way to reproduce:
+ - Grab a machine with a radeon GPU and a VGA port
+ - Plug a monitor into the VGA port, wait for it to update the connector
+   from disconnected to connected
+ - Disconnect the monitor on VGA, a hotplug event is never sent for the
+   removal of the connector.
+
+Originally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good
+idea since doing VGA polling can sometimes result in having to mess with
+the DAC voltages to figure out whether or not there's actually something
+there since VGA doesn't have HPD. Doing this would have the potential of
+showing visible artifacts on the screen every time we ran a poll while a
+VGA display was connected. Luckily, radeon_vga_detect() only resorts to
+this sort of polling if the poll is forced, and DRM's polling helper
+doesn't force it's polls.
+
+Additionally, this removes some assignments to connector->polled that
+weren't actually doing anything.
+
+Signed-off-by: Lyude <cpaul@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/radeon_connectors.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_connectors.c
++++ b/drivers/gpu/drm/radeon/radeon_connectors.c
+@@ -1835,7 +1835,6 @@ radeon_add_atom_connector(struct drm_dev
+ 						      1);
+ 			/* no HPD on analog connectors */
+ 			radeon_connector->hpd.hpd = RADEON_HPD_NONE;
+-			connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ 			connector->interlace_allowed = true;
+ 			connector->doublescan_allowed = true;
+ 			break;
+@@ -2060,8 +2059,10 @@ radeon_add_atom_connector(struct drm_dev
+ 	}
+ 
+ 	if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
+-		if (i2c_bus->valid)
+-			connector->polled = DRM_CONNECTOR_POLL_CONNECT;
++		if (i2c_bus->valid) {
++			connector->polled = DRM_CONNECTOR_POLL_CONNECT |
++			                    DRM_CONNECTOR_POLL_DISCONNECT;
++		}
+ 	} else
+ 		connector->polled = DRM_CONNECTOR_POLL_HPD;
+ 
+@@ -2137,7 +2138,6 @@ radeon_add_legacy_connector(struct drm_d
+ 					      1);
+ 		/* no HPD on analog connectors */
+ 		radeon_connector->hpd.hpd = RADEON_HPD_NONE;
+-		connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ 		connector->interlace_allowed = true;
+ 		connector->doublescan_allowed = true;
+ 		break;
+@@ -2222,10 +2222,13 @@ radeon_add_legacy_connector(struct drm_d
+ 	}
+ 
+ 	if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
+-		if (i2c_bus->valid)
+-			connector->polled = DRM_CONNECTOR_POLL_CONNECT;
++		if (i2c_bus->valid) {
++			connector->polled = DRM_CONNECTOR_POLL_CONNECT |
++			                    DRM_CONNECTOR_POLL_DISCONNECT;
++		}
+ 	} else
+ 		connector->polled = DRM_CONNECTOR_POLL_HPD;
++
+ 	connector->display_info.subpixel_order = subpixel_order;
+ 	drm_sysfs_connector_add(connector);
+ }
diff --git a/queue-3.16/drm-radeon-si-dpm-add-workaround-for-for-jet-parts.patch b/queue-3.16/drm-radeon-si-dpm-add-workaround-for-for-jet-parts.patch
new file mode 100644
index 0000000..401d6f0
--- /dev/null
+++ b/queue-3.16/drm-radeon-si-dpm-add-workaround-for-for-jet-parts.patch
@@ -0,0 +1,32 @@
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 26 Sep 2016 15:32:50 -0400
+Subject: drm/radeon/si/dpm: add workaround for for Jet parts
+
+commit 670bb4fd21c966d0d2a59ad4a99bb4889f9a2987 upstream.
+
+Add clock quirks for Jet parts.
+
+Reviewed-by: Sonny Jiang <sonny.jiang@amd.com>
+Tested-by: Sonny Jiang <sonny.jiang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/si_dpm.c
++++ b/drivers/gpu/drm/radeon/si_dpm.c
+@@ -3022,6 +3022,12 @@ static void si_apply_state_adjust_rules(
+ 	if (rdev->pdev->device == 0x6811 &&
+ 	    rdev->pdev->revision == 0x81)
+ 		max_mclk = 120000;
++	/* limit sclk/mclk on Jet parts for stability */
++	if (rdev->pdev->device == 0x6665 &&
++	    rdev->pdev->revision == 0xc3) {
++		max_sclk = 75000;
++		max_mclk = 80000;
++	}
+ 
+ 	/* XXX validate the min clocks required for display */
+ 
diff --git a/queue-3.16/drm-radeon-support-backlight-control-for-uniphy3.patch b/queue-3.16/drm-radeon-support-backlight-control-for-uniphy3.patch
new file mode 100644
index 0000000..7604884
--- /dev/null
+++ b/queue-3.16/drm-radeon-support-backlight-control-for-uniphy3.patch
@@ -0,0 +1,24 @@
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Fri, 8 Jul 2016 17:27:04 -0400
+Subject: drm/radeon: support backlight control for UNIPHY3
+
+commit d3200be6c423afa1c34f7e39e9f6d04dd5b0af9d upstream.
+
+Same interface as other UNIPHY blocks
+
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/radeon/atombios_encoders.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -119,6 +119,7 @@ atombios_set_backlight_level(struct rade
+ 		case ENCODER_OBJECT_ID_INTERNAL_KLDSCP_LVTMA:
+ 		case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1:
+ 		case ENCODER_OBJECT_ID_INTERNAL_UNIPHY2:
++		case ENCODER_OBJECT_ID_INTERNAL_UNIPHY3:
+ 			if (dig->backlight_level == 0)
+ 				atombios_dig_transmitter_setup(encoder, ATOM_TRANSMITTER_ACTION_LCD_BLOFF, 0, 0);
+ 			else {
diff --git a/queue-3.16/drm-reject-page_flip-for-driver_modeset.patch b/queue-3.16/drm-reject-page_flip-for-driver_modeset.patch
new file mode 100644
index 0000000..d7b3877
--- /dev/null
+++ b/queue-3.16/drm-reject-page_flip-for-driver_modeset.patch
@@ -0,0 +1,33 @@
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Sat, 20 Aug 2016 12:22:11 +0200
+Subject: drm: Reject page_flip for !DRIVER_MODESET
+
+commit 6f00975c619064a18c23fd3aced325ae165a73b9 upstream.
+
+Somehow this one slipped through, which means drivers without modeset
+support can be oopsed (since those also don't call
+drm_mode_config_init, which means the crtc lookup will chase an
+uninitalized idr).
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpu/drm/drm_crtc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_crtc.c
++++ b/drivers/gpu/drm/drm_crtc.c
+@@ -4236,6 +4236,9 @@ int drm_mode_page_flip_ioctl(struct drm_
+ 	unsigned long flags;
+ 	int ret = -EINVAL;
+ 
++	if (!drm_core_check_feature(dev, DRIVER_MODESET))
++		return -EINVAL;
++
+ 	if (page_flip->flags & ~DRM_MODE_PAGE_FLIP_FLAGS ||
+ 	    page_flip->reserved != 0)
+ 		return -EINVAL;
diff --git a/queue-3.16/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch b/queue-3.16/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch
new file mode 100644
index 0000000..9ad35f5
--- /dev/null
+++ b/queue-3.16/efi-libstub-allocate-headspace-in-efi_get_memory_map.patch
@@ -0,0 +1,285 @@
+From: Jeffrey Hugo <jhugo@codeaurora.org>
+Date: Mon, 29 Aug 2016 14:38:51 -0600
+Subject: efi/libstub: Allocate headspace in efi_get_memory_map()
+
+commit dadb57abc37499f565b23933dbf49b435c3ba8af upstream.
+
+efi_get_memory_map() allocates a buffer to store the memory map that it
+retrieves.  This buffer may need to be reused by the client after
+ExitBootServices() is called, at which point allocations are not longer
+permitted.  To support this usecase, provide the allocated buffer size back
+to the client, and allocate some additional headroom to account for any
+reasonable growth in the map that is likely to happen between the call to
+efi_get_memory_map() and the client reusing the buffer.
+
+Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+[bwh: Backported to 3.16:
+ - Adjust filenames, context
+ - In allocate_new_fdt_and_exit_boot(), only fill memory_map
+ - Drop changes to efi_random_alloc()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -1266,7 +1266,7 @@ static efi_status_t exit_boot(struct boo
+ 			      void *handle, bool is64)
+ {
+ 	struct efi_info *efi = &boot_params->efi_info;
+-	unsigned long map_sz, key, desc_size;
++	unsigned long map_sz, key, desc_size, buff_size;
+ 	efi_memory_desc_t *mem_map;
+ 	struct setup_data *e820ext;
+ 	const char *signature;
+@@ -1277,14 +1277,20 @@ static efi_status_t exit_boot(struct boo
+ 	bool called_exit = false;
+ 	u8 nr_entries;
+ 	int i;
++	struct efi_boot_memmap map;
+ 
+-	nr_desc = 0;
+-	e820ext = NULL;
+-	e820ext_size = 0;
++	nr_desc =	0;
++	e820ext =	NULL;
++	e820ext_size =	0;
++	map.map =	&mem_map;
++	map.map_size =	&map_sz;
++	map.desc_size =	&desc_size;
++	map.desc_ver =	&desc_version;
++	map.key_ptr =	&key;
++	map.buff_size =	&buff_size;
+ 
+ get_map:
+-	status = efi_get_memory_map(sys_table, &mem_map, &map_sz, &desc_size,
+-				    &desc_version, &key);
++	status = efi_get_memory_map(sys_table, &map);
+ 
+ 	if (status != EFI_SUCCESS)
+ 		return status;
+--- a/drivers/firmware/efi/efi-stub-helper.c
++++ b/drivers/firmware/efi/efi-stub-helper.c
+@@ -15,6 +15,8 @@
+ #define EFI_ERROR	(~0UL)
+ 
+ 
++#define EFI_MMAP_NR_SLACK_SLOTS	8
++
+ struct file_info {
+ 	efi_file_handle_t *handle;
+ 	u64 size;
+@@ -41,49 +43,62 @@ static void efi_printk(efi_system_table_
+ #define pr_efi_err(sys_table, msg) efi_printk(sys_table, "EFI stub: ERROR: "msg)
+ 
+ 
++static inline bool mmap_has_headroom(unsigned long buff_size,
++				     unsigned long map_size,
++				     unsigned long desc_size)
++{
++	unsigned long slack = buff_size - map_size;
++
++	return slack / desc_size >= EFI_MMAP_NR_SLACK_SLOTS;
++}
++
+ static efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg,
+-				       efi_memory_desc_t **map,
+-				       unsigned long *map_size,
+-				       unsigned long *desc_size,
+-				       u32 *desc_ver,
+-				       unsigned long *key_ptr)
++				       struct efi_boot_memmap *map)
+ {
+ 	efi_memory_desc_t *m = NULL;
+ 	efi_status_t status;
+ 	unsigned long key;
+ 	u32 desc_version;
+ 
+-	*map_size = sizeof(*m) * 32;
++	*map->desc_size =	sizeof(*m);
++	*map->map_size =	*map->desc_size * 32;
++	*map->buff_size =	*map->map_size;
+ again:
+-	/*
+-	 * Add an additional efi_memory_desc_t because we're doing an
+-	 * allocation which may be in a new descriptor region.
+-	 */
+-	*map_size += sizeof(*m);
+ 	status = efi_call_early(allocate_pool, EFI_LOADER_DATA,
+-				*map_size, (void **)&m);
++				*map->map_size, (void **)&m);
+ 	if (status != EFI_SUCCESS)
+ 		goto fail;
+ 
+-	*desc_size = 0;
++	*map->desc_size = 0;
+ 	key = 0;
+-	status = efi_call_early(get_memory_map, map_size, m,
+-				&key, desc_size, &desc_version);
+-	if (status == EFI_BUFFER_TOO_SMALL) {
++	status = efi_call_early(get_memory_map, map->map_size, m,
++				&key, map->desc_size, &desc_version);
++	if (status == EFI_BUFFER_TOO_SMALL ||
++	    !mmap_has_headroom(*map->buff_size, *map->map_size,
++			       *map->desc_size)) {
+ 		efi_call_early(free_pool, m);
++		/*
++		 * Make sure there is some entries of headroom so that the
++		 * buffer can be reused for a new map after allocations are
++		 * no longer permitted.  Its unlikely that the map will grow to
++		 * exceed this headroom once we are ready to trigger
++		 * ExitBootServices()
++		 */
++		*map->map_size += *map->desc_size * EFI_MMAP_NR_SLACK_SLOTS;
++		*map->buff_size = *map->map_size;
+ 		goto again;
+ 	}
+ 
+ 	if (status != EFI_SUCCESS)
+ 		efi_call_early(free_pool, m);
+ 
+-	if (key_ptr && status == EFI_SUCCESS)
+-		*key_ptr = key;
+-	if (desc_ver && status == EFI_SUCCESS)
+-		*desc_ver = desc_version;
++	if (map->key_ptr && status == EFI_SUCCESS)
++		*map->key_ptr = key;
++	if (map->desc_ver && status == EFI_SUCCESS)
++		*map->desc_ver = desc_version;
+ 
+ fail:
+-	*map = m;
++	*map->map = m;
+ 	return status;
+ }
+ 
+@@ -91,13 +106,20 @@ fail:
+ static unsigned long __init get_dram_base(efi_system_table_t *sys_table_arg)
+ {
+ 	efi_status_t status;
+-	unsigned long map_size;
++	unsigned long map_size, buff_size;
+ 	unsigned long membase  = EFI_ERROR;
+ 	struct efi_memory_map map;
+ 	efi_memory_desc_t *md;
++	struct efi_boot_memmap boot_map;
+ 
+-	status = efi_get_memory_map(sys_table_arg, (efi_memory_desc_t **)&map.map,
+-				    &map_size, &map.desc_size, NULL, NULL);
++	boot_map.map =		(efi_memory_desc_t **)&map.map;
++	boot_map.map_size =	&map_size;
++	boot_map.desc_size =	&map.desc_size;
++	boot_map.desc_ver =	NULL;
++	boot_map.key_ptr =	NULL;
++	boot_map.buff_size =	&buff_size;
++
++	status = efi_get_memory_map(sys_table_arg, &boot_map);
+ 	if (status != EFI_SUCCESS)
+ 		return membase;
+ 
+@@ -120,15 +142,22 @@ static efi_status_t efi_high_alloc(efi_s
+ 			       unsigned long size, unsigned long align,
+ 			       unsigned long *addr, unsigned long max)
+ {
+-	unsigned long map_size, desc_size;
++	unsigned long map_size, desc_size, buff_size;
+ 	efi_memory_desc_t *map;
+ 	efi_status_t status;
+ 	unsigned long nr_pages;
+ 	u64 max_addr = 0;
+ 	int i;
++	struct efi_boot_memmap boot_map;
++
++	boot_map.map =		&map;
++	boot_map.map_size =	&map_size;
++	boot_map.desc_size =	&desc_size;
++	boot_map.desc_ver =	NULL;
++	boot_map.key_ptr =	NULL;
++	boot_map.buff_size =	&buff_size;
+ 
+-	status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
+-				    NULL, NULL);
++	status = efi_get_memory_map(sys_table_arg, &boot_map);
+ 	if (status != EFI_SUCCESS)
+ 		goto fail;
+ 
+@@ -206,14 +235,21 @@ static efi_status_t efi_low_alloc(efi_sy
+ 			      unsigned long size, unsigned long align,
+ 			      unsigned long *addr)
+ {
+-	unsigned long map_size, desc_size;
++	unsigned long map_size, desc_size, buff_size;
+ 	efi_memory_desc_t *map;
+ 	efi_status_t status;
+ 	unsigned long nr_pages;
+ 	int i;
++	struct efi_boot_memmap boot_map;
++
++	boot_map.map =		&map;
++	boot_map.map_size =	&map_size;
++	boot_map.desc_size =	&desc_size;
++	boot_map.desc_ver =	NULL;
++	boot_map.key_ptr =	NULL;
++	boot_map.buff_size =	&buff_size;
+ 
+-	status = efi_get_memory_map(sys_table_arg, &map, &map_size, &desc_size,
+-				    NULL, NULL);
++	status = efi_get_memory_map(sys_table_arg, &boot_map);
+ 	if (status != EFI_SUCCESS)
+ 		goto fail;
+ 
+--- a/drivers/firmware/efi/fdt.c
++++ b/drivers/firmware/efi/fdt.c
+@@ -178,12 +178,20 @@ efi_status_t allocate_new_fdt_and_exit_b
+ 					    unsigned long fdt_addr,
+ 					    unsigned long fdt_size)
+ {
+-	unsigned long map_size, desc_size;
++	unsigned long map_size, desc_size, buff_size;
+ 	u32 desc_ver;
+ 	unsigned long mmap_key;
+ 	efi_memory_desc_t *memory_map;
+ 	unsigned long new_fdt_size;
+ 	efi_status_t status;
++	struct efi_boot_memmap map;
++
++	map.map =	&memory_map;
++	map.map_size =	&map_size;
++	map.desc_size =	&desc_size;
++	map.desc_ver =	&desc_ver;
++	map.key_ptr =	&mmap_key;
++	map.buff_size =	&buff_size;
+ 
+ 	/*
+ 	 * Estimate size of new FDT, and allocate memory for it. We
+@@ -204,8 +212,7 @@ efi_status_t allocate_new_fdt_and_exit_b
+ 		 * we can get the memory map key  needed for
+ 		 * exit_boot_services().
+ 		 */
+-		status = efi_get_memory_map(sys_table, &memory_map, &map_size,
+-					    &desc_size, &desc_ver, &mmap_key);
++		status = efi_get_memory_map(sys_table, &map);
+ 		if (status != EFI_SUCCESS)
+ 			goto fail_free_new_fdt;
+ 
+--- a/include/linux/efi.h
++++ b/include/linux/efi.h
+@@ -117,6 +117,15 @@ typedef struct {
+ 	u32 imagesize;
+ } efi_capsule_header_t;
+ 
++struct efi_boot_memmap {
++	efi_memory_desc_t	**map;
++	unsigned long		*map_size;
++	unsigned long		*desc_size;
++	u32			*desc_ver;
++	unsigned long		*key_ptr;
++	unsigned long		*buff_size;
++};
++
+ /*
+  * Allocation types for calls to boottime->allocate_pages.
+  */
diff --git a/queue-3.16/em28xx-i2c-rt_mutex_trylock-returns-zero-on-failure.patch b/queue-3.16/em28xx-i2c-rt_mutex_trylock-returns-zero-on-failure.patch
new file mode 100644
index 0000000..3d3136b
--- /dev/null
+++ b/queue-3.16/em28xx-i2c-rt_mutex_trylock-returns-zero-on-failure.patch
@@ -0,0 +1,32 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 9 May 2016 05:22:55 -0300
+Subject: [media] em28xx-i2c: rt_mutex_trylock() returns zero on failure
+
+commit e44c153b30c9a0580fc2b5a93f3c6d593def2278 upstream.
+
+The code is checking for negative returns but it should be checking for
+zero.
+
+Fixes: aab3125c43d8 ('[media] em28xx: add support for registering multiple i2c buses')
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/usb/em28xx/em28xx-i2c.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/em28xx/em28xx-i2c.c
++++ b/drivers/media/usb/em28xx/em28xx-i2c.c
+@@ -501,9 +501,8 @@ static int em28xx_i2c_xfer(struct i2c_ad
+ 	int addr, rc, i;
+ 	u8 reg;
+ 
+-	rc = rt_mutex_trylock(&dev->i2c_bus_lock);
+-	if (rc < 0)
+-		return rc;
++	if (!rt_mutex_trylock(&dev->i2c_bus_lock))
++		return -EAGAIN;
+ 
+ 	/* Switch I2C bus if needed */
+ 	if (bus != dev->cur_i2c_bus &&
diff --git a/queue-3.16/ext4-check-for-extents-that-wrap-around.patch b/queue-3.16/ext4-check-for-extents-that-wrap-around.patch
new file mode 100644
index 0000000..da9ded7
--- /dev/null
+++ b/queue-3.16/ext4-check-for-extents-that-wrap-around.patch
@@ -0,0 +1,51 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 30 Jun 2016 11:53:46 -0400
+Subject: ext4: check for extents that wrap around
+
+commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.
+
+An extent with lblock = 4294967295 and len = 1 will pass the
+ext4_valid_extent() test:
+
+	ext4_lblk_t last = lblock + len - 1;
+
+	if (len == 0 || lblock > last)
+		return 0;
+
+since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
+the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
+
+We can simplify it by removing the - 1 altogether and changing the test
+to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
+lblock and it fails, and if len > 0 then lblock + len > lblock in order
+to pass (i.e. it doesn't overflow).
+
+Fixes: 5946d0893 ("ext4: check for overlapping extents in ext4_valid_extent_entries()")
+Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
+Cc: Eryu Guan <guaneryu@gmail.com>
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/extents.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -359,9 +359,13 @@ static int ext4_valid_extent(struct inod
+ 	ext4_fsblk_t block = ext4_ext_pblock(ext);
+ 	int len = ext4_ext_get_actual_len(ext);
+ 	ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
+-	ext4_lblk_t last = lblock + len - 1;
+ 
+-	if (len == 0 || lblock > last)
++	/*
++	 * We allow neither:
++	 *  - zero length
++	 *  - overflow/wrap-around
++	 */
++	if (lblock + len <= lblock)
+ 		return 0;
+ 	return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
+ }
diff --git a/queue-3.16/ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch b/queue-3.16/ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch
new file mode 100644
index 0000000..4f0ab8d
--- /dev/null
+++ b/queue-3.16/ext4-don-t-call-ext4_should_journal_data-on-the-journal-inode.patch
@@ -0,0 +1,40 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 4 Jul 2016 11:03:00 -0400
+Subject: ext4: don't call ext4_should_journal_data() on the journal inode
+
+commit 6a7fd522a7c94cdef0a3b08acf8e6702056e635c upstream.
+
+If ext4_fill_super() fails early, it's possible for ext4_evict_inode()
+to call ext4_should_journal_data() before superblock options and flags
+are fully set up.  In that case, the iput() on the journal inode can
+end up causing a BUG().
+
+Work around this problem by reordering the tests so we only call
+ext4_should_journal_data() after we know it's not the journal inode.
+
+Fixes: 2d859db3e4 ("ext4: fix data corruption in inodes with journalled data")
+Fixes: 2b405bfa84 ("ext4: fix data=journal fast mount/umount hang")
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -207,9 +207,9 @@ void ext4_evict_inode(struct inode *inod
+ 		 * Note that directories do not have this problem because they
+ 		 * don't use page cache.
+ 		 */
+-		if (ext4_should_journal_data(inode) &&
+-		    (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
+-		    inode->i_ino != EXT4_JOURNAL_INO) {
++		if (inode->i_ino != EXT4_JOURNAL_INO &&
++		    ext4_should_journal_data(inode) &&
++		    (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
+ 			journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
+ 			tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
+ 
diff --git a/queue-3.16/ext4-fix-deadlock-during-page-writeback.patch b/queue-3.16/ext4-fix-deadlock-during-page-writeback.patch
new file mode 100644
index 0000000..64bd516
--- /dev/null
+++ b/queue-3.16/ext4-fix-deadlock-during-page-writeback.patch
@@ -0,0 +1,74 @@
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 4 Jul 2016 10:14:01 -0400
+Subject: ext4: fix deadlock during page writeback
+
+commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 upstream.
+
+Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a
+deadlock in ext4_writepages() which was previously much harder to hit.
+After this commit xfstest generic/130 reproduces the deadlock on small
+filesystems.
+
+The problem happens when ext4_do_update_inode() sets LARGE_FILE feature
+and marks current inode handle as synchronous. That subsequently results
+in ext4_journal_stop() called from ext4_writepages() to block waiting for
+transaction commit while still holding page locks, reference to io_end,
+and some prepared bio in mpd structure each of which can possibly block
+transaction commit from completing and thus results in deadlock.
+
+Fix the problem by releasing page locks, io_end reference, and
+submitting prepared bio before calling ext4_journal_stop().
+
+[ Changed to defer the call to ext4_journal_stop() only if the handle
+  is synchronous.  --tytso ]
+
+Reported-and-tested-by: Eryu Guan <eguan@redhat.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/inode.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -2610,13 +2610,36 @@ retry:
+ 				done = true;
+ 			}
+ 		}
+-		ext4_journal_stop(handle);
++		/*
++		 * Caution: If the handle is synchronous,
++		 * ext4_journal_stop() can wait for transaction commit
++		 * to finish which may depend on writeback of pages to
++		 * complete or on page lock to be released.  In that
++		 * case, we have to wait until after after we have
++		 * submitted all the IO, released page locks we hold,
++		 * and dropped io_end reference (for extent conversion
++		 * to be able to complete) before stopping the handle.
++		 */
++		if (!ext4_handle_valid(handle) || handle->h_sync == 0) {
++			ext4_journal_stop(handle);
++			handle = NULL;
++		}
+ 		/* Submit prepared bio */
+ 		ext4_io_submit(&mpd.io_submit);
+ 		/* Unlock pages we didn't use */
+ 		mpage_release_unused_pages(&mpd, give_up_on_write);
+-		/* Drop our io_end reference we got from init */
+-		ext4_put_io_end(mpd.io_submit.io_end);
++		/*
++		 * Drop our io_end reference we got from init. We have
++		 * to be careful and use deferred io_end finishing if
++		 * we are still holding the transaction as we can
++		 * release the last reference to io_end which may end
++		 * up doing unwritten extent conversion.
++		 */
++		if (handle) {
++			ext4_put_io_end_defer(mpd.io_submit.io_end);
++			ext4_journal_stop(handle);
++		} else
++			ext4_put_io_end(mpd.io_submit.io_end);
+ 
+ 		if (ret == -ENOSPC && sbi->s_journal) {
+ 			/*
diff --git a/queue-3.16/ext4-fix-reference-counting-bug-on-block-allocation-error.patch b/queue-3.16/ext4-fix-reference-counting-bug-on-block-allocation-error.patch
new file mode 100644
index 0000000..9248a15
--- /dev/null
+++ b/queue-3.16/ext4-fix-reference-counting-bug-on-block-allocation-error.patch
@@ -0,0 +1,71 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 14 Jul 2016 23:02:47 -0400
+Subject: ext4: fix reference counting bug on block allocation error
+
+commit 554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e upstream.
+
+If we hit this error when mounted with errors=continue or
+errors=remount-ro:
+
+    EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:2940: comm ext4.exe: Allocating blocks 5090-6081 which overlap fs metadata
+
+then ext4_mb_new_blocks() will call ext4_mb_release_context() and try to
+continue. However, ext4_mb_release_context() is the wrong thing to call
+here since we are still actually using the allocation context.
+
+Instead, just error out. We could retry the allocation, but there is a
+possibility of getting stuck in an infinite loop instead, so this seems
+safer.
+
+[ Fixed up so we don't return EAGAIN to userspace. --tytso ]
+
+Fixes: 8556e8f3b6 ("ext4: Don't allow new groups to be added during block allocation")
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
+[bwh: Backported to 3.16: use EIO instead of EFSCORRUPTED]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/mballoc.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2911,7 +2911,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
+ 		ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
+ 			   "fs metadata", block, block+len);
+ 		/* File system mounted not to panic on error
+-		 * Fix the bitmap and repeat the block allocation
++		 * Fix the bitmap and return EFSCORRUPTED
+ 		 * We leak some of the blocks here.
+ 		 */
+ 		ext4_lock_group(sb, ac->ac_b_ex.fe_group);
+@@ -2920,7 +2920,7 @@ ext4_mb_mark_diskspace_used(struct ext4_
+ 		ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
+ 		err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
+ 		if (!err)
+-			err = -EAGAIN;
++			err = -EIO;
+ 		goto out_err;
+ 	}
+ 
+@@ -4489,18 +4489,7 @@ repeat:
+ 	}
+ 	if (likely(ac->ac_status == AC_STATUS_FOUND)) {
+ 		*errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
+-		if (*errp == -EAGAIN) {
+-			/*
+-			 * drop the reference that we took
+-			 * in ext4_mb_use_best_found
+-			 */
+-			ext4_mb_release_context(ac);
+-			ac->ac_b_ex.fe_group = 0;
+-			ac->ac_b_ex.fe_start = 0;
+-			ac->ac_b_ex.fe_len = 0;
+-			ac->ac_status = AC_STATUS_CONTINUE;
+-			goto repeat;
+-		} else if (*errp) {
++		if (*errp) {
+ 			ext4_discard_allocated_blocks(ac);
+ 			goto errout;
+ 		} else {
diff --git a/queue-3.16/ext4-short-cut-orphan-cleanup-on-error.patch b/queue-3.16/ext4-short-cut-orphan-cleanup-on-error.patch
new file mode 100644
index 0000000..80bca58
--- /dev/null
+++ b/queue-3.16/ext4-short-cut-orphan-cleanup-on-error.patch
@@ -0,0 +1,56 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 14 Jul 2016 23:21:35 -0400
+Subject: ext4: short-cut orphan cleanup on error
+
+commit c65d5c6c81a1f27dec5f627f67840726fcd146de upstream.
+
+If we encounter a filesystem error during orphan cleanup, we should stop.
+Otherwise, we may end up in an infinite loop where the same inode is
+processed again and again.
+
+    EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
+    EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters
+    Aborting journal on device loop0-8.
+    EXT4-fs (loop0): Remounting filesystem read-only
+    EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted
+    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
+    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
+    EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure
+    EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted
+    EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted
+    EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has aborted
+    EXT4-fs (loop0): Inode 16 (00000000618192a0): orphan list check failed!
+    [...]
+    EXT4-fs (loop0): Inode 16 (0000000061819748): orphan list check failed!
+    [...]
+    EXT4-fs (loop0): Inode 16 (0000000061819bf0): orphan list check failed!
+    [...]
+
+See-also: c9eb13a9105 ("ext4: fix hang when processing corrupted orphaned inode list")
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/super.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2228,6 +2228,16 @@ static void ext4_orphan_cleanup(struct s
+ 	while (es->s_last_orphan) {
+ 		struct inode *inode;
+ 
++		/*
++		 * We may have encountered an error during cleanup; if
++		 * so, skip the rest.
++		 */
++		if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
++			jbd_debug(1, "Skipping orphan recovery on fs with errors.\n");
++			es->s_last_orphan = 0;
++			break;
++		}
++
+ 		inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
+ 		if (IS_ERR(inode)) {
+ 			es->s_last_orphan = 0;
diff --git a/queue-3.16/ext4-validate-s_reserved_gdt_blocks-on-mount.patch b/queue-3.16/ext4-validate-s_reserved_gdt_blocks-on-mount.patch
new file mode 100644
index 0000000..3fb155d
--- /dev/null
+++ b/queue-3.16/ext4-validate-s_reserved_gdt_blocks-on-mount.patch
@@ -0,0 +1,53 @@
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 5 Jul 2016 20:01:52 -0400
+Subject: ext4: validate s_reserved_gdt_blocks on mount
+
+commit 5b9554dc5bf008ae7f68a52e3d7e76c0920938a2 upstream.
+
+If s_reserved_gdt_blocks is extremely large, it's possible for
+ext4_init_block_bitmap(), which is called when ext4 sets up an
+uninitialized block bitmap, to corrupt random kernel memory.  Add the
+same checks which e2fsck has --- it must never be larger than
+blocksize / sizeof(__u32) --- and then add a backup check in
+ext4_init_block_bitmap() in case the superblock gets modified after
+the file system is mounted.
+
+Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[bwh: Backported to 3.16:
+ - Use EIO instead of EFSCORRUPTED
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/balloc.c | 3 +++
+ fs/ext4/super.c  | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -209,6 +209,9 @@ static int ext4_init_block_bitmap(struct
+ 	memset(bh->b_data, 0, sb->s_blocksize);
+ 
+ 	bit_max = ext4_num_base_meta_clusters(sb, block_group);
++	if ((bit_max >> 3) >= bh->b_size)
++		return -EIO;
++
+ 	for (bit = 0; bit < bit_max; bit++)
+ 		ext4_set_bit(bit, bh->b_data);
+ 
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3644,6 +3644,13 @@ static int ext4_fill_super(struct super_
+ 		goto failed_mount;
+ 	}
+ 
++	if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) {
++		ext4_msg(sb, KERN_ERR,
++			 "Number of reserved GDT blocks insanely large: %d",
++			 le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks));
++		goto failed_mount;
++	}
++
+ 	if (sb->s_blocksize != blocksize) {
+ 		/* Validate the filesystem blocksize */
+ 		if (!sb_set_blocksize(sb, blocksize)) {
diff --git a/queue-3.16/ext4-validate-that-metadata-blocks-do-not-overlap-superblock.patch b/queue-3.16/ext4-validate-that-metadata-blocks-do-not-overlap-superblock.patch
new file mode 100644
index 0000000..dc7aba6
--- /dev/null
+++ b/queue-3.16/ext4-validate-that-metadata-blocks-do-not-overlap-superblock.patch
@@ -0,0 +1,74 @@
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 1 Aug 2016 00:51:02 -0400
+Subject: ext4: validate that metadata blocks do not overlap superblock
+
+commit 829fa70dddadf9dd041d62b82cd7cea63943899d upstream.
+
+A number of fuzzing failures seem to be caused by allocation bitmaps
+or other metadata blocks being pointed at the superblock.
+
+This can cause kernel BUG or WARNings once the superblock is
+overwritten, so validate the group descriptor blocks to make sure this
+doesn't happen.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/ext4/super.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2077,6 +2077,7 @@ void ext4_group_desc_csum_set(struct sup
+ 
+ /* Called at mount-time, super-block is locked */
+ static int ext4_check_descriptors(struct super_block *sb,
++				  ext4_fsblk_t sb_block,
+ 				  ext4_group_t *first_not_zeroed)
+ {
+ 	struct ext4_sb_info *sbi = EXT4_SB(sb);
+@@ -2107,6 +2108,11 @@ static int ext4_check_descriptors(struct
+ 			grp = i;
+ 
+ 		block_bitmap = ext4_block_bitmap(sb, gdp);
++		if (block_bitmap == sb_block) {
++			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
++				 "Block bitmap for group %u overlaps "
++				 "superblock", i);
++		}
+ 		if (block_bitmap < first_block || block_bitmap > last_block) {
+ 			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ 			       "Block bitmap for group %u not in group "
+@@ -2114,6 +2120,11 @@ static int ext4_check_descriptors(struct
+ 			return 0;
+ 		}
+ 		inode_bitmap = ext4_inode_bitmap(sb, gdp);
++		if (inode_bitmap == sb_block) {
++			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
++				 "Inode bitmap for group %u overlaps "
++				 "superblock", i);
++		}
+ 		if (inode_bitmap < first_block || inode_bitmap > last_block) {
+ 			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+ 			       "Inode bitmap for group %u not in group "
+@@ -2121,6 +2132,11 @@ static int ext4_check_descriptors(struct
+ 			return 0;
+ 		}
+ 		inode_table = ext4_inode_table(sb, gdp);
++		if (inode_table == sb_block) {
++			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
++				 "Inode table for group %u overlaps "
++				 "superblock", i);
++		}
+ 		if (inode_table < first_block ||
+ 		    inode_table + sbi->s_itb_per_group - 1 > last_block) {
+ 			ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
+@@ -3902,7 +3918,7 @@ static int ext4_fill_super(struct super_
+ 			goto failed_mount2;
+ 		}
+ 	}
+-	if (!ext4_check_descriptors(sb, &first_not_zeroed)) {
++	if (!ext4_check_descriptors(sb, logical_sb_block, &first_not_zeroed)) {
+ 		ext4_msg(sb, KERN_ERR, "group descriptors corrupted!");
+ 		goto failed_mount2;
+ 	}
diff --git a/queue-3.16/fanotify-fix-list-corruption-in-fanotify_get_response.patch b/queue-3.16/fanotify-fix-list-corruption-in-fanotify_get_response.patch
new file mode 100644
index 0000000..8ec3ed2
--- /dev/null
+++ b/queue-3.16/fanotify-fix-list-corruption-in-fanotify_get_response.patch
@@ -0,0 +1,164 @@
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 19 Sep 2016 14:44:30 -0700
+Subject: fanotify: fix list corruption in fanotify_get_response()
+
+commit 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 upstream.
+
+fanotify_get_response() calls fsnotify_remove_event() when it finds that
+group is being released from fanotify_release() (bypass_perm is set).
+
+However the event it removes need not be only in the group's notification
+queue but it can have already moved to access_list (userspace read the
+event before closing the fanotify instance fd) which is protected by a
+different lock.  Thus when fsnotify_remove_event() races with
+fanotify_release() operating on access_list, the list can get corrupted.
+
+Fix the problem by moving all the logic removing permission events from
+the lists to one place - fanotify_release().
+
+Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
+Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reported-by: Miklos Szeredi <mszeredi@redhat.com>
+Tested-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/notify/fanotify/fanotify.c      | 13 +------------
+ fs/notify/fanotify/fanotify_user.c | 36 ++++++++++++++++++++++++------------
+ fs/notify/notification.c           | 15 ---------------
+ include/linux/fsnotify_backend.h   |  3 ---
+ 4 files changed, 25 insertions(+), 42 deletions(-)
+
+--- a/fs/notify/fanotify/fanotify.c
++++ b/fs/notify/fanotify/fanotify.c
+@@ -67,18 +67,7 @@ static int fanotify_get_response(struct
+ 
+ 	pr_debug("%s: group=%p event=%p\n", __func__, group, event);
+ 
+-	wait_event(group->fanotify_data.access_waitq, event->response ||
+-				atomic_read(&group->fanotify_data.bypass_perm));
+-
+-	if (!event->response) {	/* bypass_perm set */
+-		/*
+-		 * Event was canceled because group is being destroyed. Remove
+-		 * it from group's event list because we are responsible for
+-		 * freeing the permission event.
+-		 */
+-		fsnotify_remove_event(group, &event->fae.fse);
+-		return 0;
+-	}
++	wait_event(group->fanotify_data.access_waitq, event->response);
+ 
+ 	/* userspace responded, convert to something usable */
+ 	switch (event->response) {
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -358,16 +358,20 @@ static int fanotify_release(struct inode
+ 
+ #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+ 	struct fanotify_perm_event_info *event, *next;
++	struct fsnotify_event *fsn_event;
+ 
+ 	/*
+-	 * There may be still new events arriving in the notification queue
+-	 * but since userspace cannot use fanotify fd anymore, no event can
+-	 * enter or leave access_list by now.
++	 * Stop new events from arriving in the notification queue. since
++	 * userspace cannot use fanotify fd anymore, no event can enter or
++	 * leave access_list by now either.
+ 	 */
+-	spin_lock(&group->fanotify_data.access_lock);
+-
+-	atomic_inc(&group->fanotify_data.bypass_perm);
++	fsnotify_group_stop_queueing(group);
+ 
++	/*
++	 * Process all permission events on access_list and notification queue
++	 * and simulate reply from userspace.
++	 */
++	spin_lock(&group->fanotify_data.access_lock);
+ 	list_for_each_entry_safe(event, next, &group->fanotify_data.access_list,
+ 				 fae.fse.list) {
+ 		pr_debug("%s: found group=%p event=%p\n", __func__, group,
+@@ -379,12 +383,21 @@ static int fanotify_release(struct inode
+ 	spin_unlock(&group->fanotify_data.access_lock);
+ 
+ 	/*
+-	 * Since bypass_perm is set, newly queued events will not wait for
+-	 * access response. Wake up the already sleeping ones now.
+-	 * synchronize_srcu() in fsnotify_destroy_group() will wait for all
+-	 * processes sleeping in fanotify_handle_event() waiting for access
+-	 * response and thus also for all permission events to be freed.
++	 * Destroy all non-permission events. For permission events just
++	 * dequeue them and set the response. They will be freed once the
++	 * response is consumed and fanotify_get_response() returns.
+ 	 */
++	mutex_lock(&group->notification_mutex);
++	while (!fsnotify_notify_queue_is_empty(group)) {
++		fsn_event = fsnotify_remove_first_event(group);
++		if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
++			fsnotify_destroy_event(group, fsn_event);
++		else
++			FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
++	}
++	mutex_unlock(&group->notification_mutex);
++
++	/* Response for all permission events it set, wakeup waiters */
+ 	wake_up(&group->fanotify_data.access_waitq);
+ #endif
+ 
+@@ -742,7 +755,6 @@ SYSCALL_DEFINE2(fanotify_init, unsigned
+ 	spin_lock_init(&group->fanotify_data.access_lock);
+ 	init_waitqueue_head(&group->fanotify_data.access_waitq);
+ 	INIT_LIST_HEAD(&group->fanotify_data.access_list);
+-	atomic_set(&group->fanotify_data.bypass_perm, 0);
+ #endif
+ 	switch (flags & FAN_ALL_CLASS_BITS) {
+ 	case FAN_CLASS_NOTIF:
+--- a/fs/notify/notification.c
++++ b/fs/notify/notification.c
+@@ -132,21 +132,6 @@ queue:
+ }
+ 
+ /*
+- * Remove @event from group's notification queue. It is the responsibility of
+- * the caller to destroy the event.
+- */
+-void fsnotify_remove_event(struct fsnotify_group *group,
+-			   struct fsnotify_event *event)
+-{
+-	mutex_lock(&group->notification_mutex);
+-	if (!list_empty(&event->list)) {
+-		list_del_init(&event->list);
+-		group->q_len--;
+-	}
+-	mutex_unlock(&group->notification_mutex);
+-}
+-
+-/*
+  * Remove and return the first event from the notification list.  It is the
+  * responsibility of the caller to destroy the obtained event
+  */
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -182,7 +182,6 @@ struct fsnotify_group {
+ 			spinlock_t access_lock;
+ 			struct list_head access_list;
+ 			wait_queue_head_t access_waitq;
+-			atomic_t bypass_perm;
+ #endif /* CONFIG_FANOTIFY_ACCESS_PERMISSIONS */
+ 			int f_flags;
+ 			unsigned int max_marks;
+@@ -329,8 +328,6 @@ extern int fsnotify_add_notify_event(str
+ 				     struct fsnotify_event *event,
+ 				     int (*merge)(struct list_head *,
+ 						  struct fsnotify_event *));
+-/* Remove passed event from groups notification queue */
+-extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
+ /* true if the group notification queue is empty */
+ extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
+ /* return, but do not dequeue the first event on the notification queue */
diff --git a/queue-3.16/fix-fault_in_multipages_...-on-architectures-with-no-op-access_ok.patch b/queue-3.16/fix-fault_in_multipages_...-on-architectures-with-no-op-access_ok.patch
new file mode 100644
index 0000000..b4f9b5c
--- /dev/null
+++ b/queue-3.16/fix-fault_in_multipages_...-on-architectures-with-no-op-access_ok.patch
@@ -0,0 +1,116 @@
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Tue, 20 Sep 2016 20:07:42 +0100
+Subject: fix fault_in_multipages_...() on architectures with no-op access_ok()
+
+commit e23d4159b109167126e5bcd7f3775c95de7fee47 upstream.
+
+Switching iov_iter fault-in to multipages variants has exposed an old
+bug in underlying fault_in_multipages_...(); they break if the range
+passed to them wraps around.  Normally access_ok() done by callers will
+prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
+such a range and they should not point to any valid objects).
+
+However, on architectures where userland and kernel live in different
+MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
+with a wraparound can reach fault_in_multipages_...().
+
+Since any wraparound means EFAULT there, the fix is trivial - turn
+those
+
+    while (uaddr <= end)
+	    ...
+into
+
+    if (unlikely(uaddr > end))
+	    return -EFAULT;
+    do
+	    ...
+    while (uaddr <= end);
+
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Tested-by: Jan Stancek <jstancek@redhat.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/pagemap.h | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/include/linux/pagemap.h
++++ b/include/linux/pagemap.h
+@@ -599,56 +599,56 @@ static inline int fault_in_pages_readabl
+  */
+ static inline int fault_in_multipages_writeable(char __user *uaddr, int size)
+ {
+-	int ret = 0;
+ 	char __user *end = uaddr + size - 1;
+ 
+ 	if (unlikely(size == 0))
+-		return ret;
++		return 0;
+ 
++	if (unlikely(uaddr > end))
++		return -EFAULT;
+ 	/*
+ 	 * Writing zeroes into userspace here is OK, because we know that if
+ 	 * the zero gets there, we'll be overwriting it.
+ 	 */
+-	while (uaddr <= end) {
+-		ret = __put_user(0, uaddr);
+-		if (ret != 0)
+-			return ret;
++	do {
++		if (unlikely(__put_user(0, uaddr) != 0))
++			return -EFAULT;
+ 		uaddr += PAGE_SIZE;
+-	}
++	} while (uaddr <= end);
+ 
+ 	/* Check whether the range spilled into the next page. */
+ 	if (((unsigned long)uaddr & PAGE_MASK) ==
+ 			((unsigned long)end & PAGE_MASK))
+-		ret = __put_user(0, end);
++		return __put_user(0, end);
+ 
+-	return ret;
++	return 0;
+ }
+ 
+ static inline int fault_in_multipages_readable(const char __user *uaddr,
+ 					       int size)
+ {
+ 	volatile char c;
+-	int ret = 0;
+ 	const char __user *end = uaddr + size - 1;
+ 
+ 	if (unlikely(size == 0))
+-		return ret;
++		return 0;
++
++	if (unlikely(uaddr > end))
++		return -EFAULT;
+ 
+-	while (uaddr <= end) {
+-		ret = __get_user(c, uaddr);
+-		if (ret != 0)
+-			return ret;
++	do {
++		if (unlikely(__get_user(c, uaddr) != 0))
++			return -EFAULT;
+ 		uaddr += PAGE_SIZE;
+-	}
++	} while (uaddr <= end);
+ 
+ 	/* Check whether the range spilled into the next page. */
+ 	if (((unsigned long)uaddr & PAGE_MASK) ==
+ 			((unsigned long)end & PAGE_MASK)) {
+-		ret = __get_user(c, end);
+-		(void)c;
++		return __get_user(c, end);
+ 	}
+ 
+-	return ret;
++	return 0;
+ }
+ 
+ int add_to_page_cache_locked(struct page *page, struct address_space *mapping,
diff --git a/queue-3.16/fix-minor-infoleak-in-get_user_ex.patch b/queue-3.16/fix-minor-infoleak-in-get_user_ex.patch
new file mode 100644
index 0000000..6fcb41d
--- /dev/null
+++ b/queue-3.16/fix-minor-infoleak-in-get_user_ex.patch
@@ -0,0 +1,34 @@
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu, 15 Sep 2016 02:35:29 +0100
+Subject: fix minor infoleak in get_user_ex()
+
+commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.
+
+get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak
+(at most we are leaking uninitialized 64bit value off the kernel stack,
+and in a fairly constrained situation, at that), but the fix is trivial,
+so...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[ This sat in different branch from the uaccess fixes since mid-August ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/include/asm/uaccess.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -391,7 +391,11 @@ do {									\
+ #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
+ 	asm volatile("1:	mov"itype" %1,%"rtype"0\n"		\
+ 		     "2:\n"						\
+-		     _ASM_EXTABLE_EX(1b, 2b)				\
++		     ".section .fixup,\"ax\"\n"				\
++                     "3:xor"itype" %"rtype"0,%"rtype"0\n"		\
++		     "  jmp 2b\n"					\
++		     ".previous\n"					\
++		     _ASM_EXTABLE_EX(1b, 3b)				\
+ 		     : ltype(x) : "m" (__m(addr)))
+ 
+ #define __put_user_nocheck(x, ptr, size)			\
diff --git a/queue-3.16/frv-fix-clear_user.patch b/queue-3.16/frv-fix-clear_user.patch
new file mode 100644
index 0000000..b2e59f6
--- /dev/null
+++ b/queue-3.16/frv-fix-clear_user.patch
@@ -0,0 +1,46 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 20:54:02 -0400
+Subject: frv: fix clear_user()
+
+commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.
+
+It should check access_ok().  Otherwise a bunch of places turn into
+trivially exploitable rootholes.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/frv/include/asm/uaccess.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/frv/include/asm/uaccess.h
++++ b/arch/frv/include/asm/uaccess.h
+@@ -263,19 +263,25 @@ do {							\
+ extern long __memset_user(void *dst, unsigned long count);
+ extern long __memcpy_user(void *dst, const void *src, unsigned long count);
+ 
+-#define clear_user(dst,count)			__memset_user(____force(dst), (count))
++#define __clear_user(dst,count)			__memset_user(____force(dst), (count))
+ #define __copy_from_user_inatomic(to, from, n)	__memcpy_user((to), ____force(from), (n))
+ #define __copy_to_user_inatomic(to, from, n)	__memcpy_user(____force(to), (from), (n))
+ 
+ #else
+ 
+-#define clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
++#define __clear_user(dst,count)			(memset(____force(dst), 0, (count)), 0)
+ #define __copy_from_user_inatomic(to, from, n)	(memcpy((to), ____force(from), (n)), 0)
+ #define __copy_to_user_inatomic(to, from, n)	(memcpy(____force(to), (from), (n)), 0)
+ 
+ #endif
+ 
+-#define __clear_user clear_user
++static inline unsigned long __must_check
++clear_user(void __user *to, unsigned long n)
++{
++	if (likely(__access_ok(to, n)))
++		n = __clear_user(to, n);
++	return n;
++}
+ 
+ static inline unsigned long __must_check
+ __copy_to_user(void __user *to, const void *from, unsigned long n)
diff --git a/queue-3.16/fs-seq_file-fix-out-of-bounds-read.patch b/queue-3.16/fs-seq_file-fix-out-of-bounds-read.patch
new file mode 100644
index 0000000..f008e63
--- /dev/null
+++ b/queue-3.16/fs-seq_file-fix-out-of-bounds-read.patch
@@ -0,0 +1,106 @@
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Thu, 25 Aug 2016 15:17:11 -0700
+Subject: fs/seq_file: fix out-of-bounds read
+
+commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 upstream.
+
+seq_read() is a nasty piece of work, not to mention buggy.
+
+It has (I think) an old bug which allows unprivileged userspace to read
+beyond the end of m->buf.
+
+I was getting these:
+
+    BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
+    Read of size 2713 by task trinity-c2/1329
+    CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+    Call Trace:
+      kasan_object_err+0x1c/0x80
+      kasan_report_error+0x2cb/0x7e0
+      kasan_report+0x4e/0x80
+      check_memory_region+0x13e/0x1a0
+      kasan_check_read+0x11/0x20
+      seq_read+0xcd2/0x1480
+      proc_reg_read+0x10b/0x260
+      do_loop_readv_writev.part.5+0x140/0x2c0
+      do_readv_writev+0x589/0x860
+      vfs_readv+0x7b/0xd0
+      do_readv+0xd8/0x2c0
+      SyS_readv+0xb/0x10
+      do_syscall_64+0x1b3/0x4b0
+      entry_SYSCALL64_slow_path+0x25/0x25
+    Object at ffff880116889100, in cache kmalloc-4096 size: 4096
+    Allocated:
+    PID = 1329
+      save_stack_trace+0x26/0x80
+      save_stack+0x46/0xd0
+      kasan_kmalloc+0xad/0xe0
+      __kmalloc+0x1aa/0x4a0
+      seq_buf_alloc+0x35/0x40
+      seq_read+0x7d8/0x1480
+      proc_reg_read+0x10b/0x260
+      do_loop_readv_writev.part.5+0x140/0x2c0
+      do_readv_writev+0x589/0x860
+      vfs_readv+0x7b/0xd0
+      do_readv+0xd8/0x2c0
+      SyS_readv+0xb/0x10
+      do_syscall_64+0x1b3/0x4b0
+      return_from_SYSCALL_64+0x0/0x6a
+    Freed:
+    PID = 0
+    (stack is not available)
+    Memory state around the buggy address:
+     ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+     ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+		       ^
+     ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+     ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+    ==================================================================
+    Disabling lock debugging due to kernel taint
+
+This seems to be the same thing that Dave Jones was seeing here:
+
+  https://lkml.org/lkml/2016/8/12/334
+
+There are multiple issues here:
+
+  1) If we enter the function with a non-empty buffer, there is an attempt
+     to flush it. But it was not clearing m->from after doing so, which
+     means that if we try to do this flush twice in a row without any call
+     to traverse() in between, we are going to be reading from the wrong
+     place -- the splat above, fixed by this patch.
+
+  2) If there's a short write to userspace because of page faults, the
+     buffer may already contain multiple lines (i.e. pos has advanced by
+     more than 1), but we don't save the progress that was made so the
+     next call will output what we've already returned previously. Since
+     that is a much less serious issue (and I have a headache after
+     staring at seq_read() for the past 8 hours), I'll leave that for now.
+
+Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Reported-by: Dave Jones <davej@codemonkey.org.uk>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/seq_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -219,8 +219,10 @@ ssize_t seq_read(struct file *file, char
+ 		size -= n;
+ 		buf += n;
+ 		copied += n;
+-		if (!m->count)
++		if (!m->count) {
++			m->from = 0;
+ 			m->index++;
++		}
+ 		if (!size)
+ 			goto Done;
+ 	}
diff --git a/queue-3.16/fsnotify-add-a-way-to-stop-queueing-events-on-group-shutdown.patch b/queue-3.16/fsnotify-add-a-way-to-stop-queueing-events-on-group-shutdown.patch
new file mode 100644
index 0000000..7b48c09
--- /dev/null
+++ b/queue-3.16/fsnotify-add-a-way-to-stop-queueing-events-on-group-shutdown.patch
@@ -0,0 +1,101 @@
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 19 Sep 2016 14:44:27 -0700
+Subject: fsnotify: add a way to stop queueing events on group shutdown
+
+commit 12703dbfeb15402260e7554d32a34ac40c233990 upstream.
+
+Implement a function that can be called when a group is being shutdown
+to stop queueing new events to the group.  Fanotify will use this.
+
+Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events")
+Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/notify/group.c                | 19 +++++++++++++++++++
+ fs/notify/notification.c         |  8 +++++++-
+ include/linux/fsnotify_backend.h |  3 +++
+ 3 files changed, 29 insertions(+), 1 deletion(-)
+
+--- a/fs/notify/group.c
++++ b/fs/notify/group.c
+@@ -40,6 +40,17 @@ void fsnotify_final_destroy_group(struct
+ }
+ 
+ /*
++ * Stop queueing new events for this group. Once this function returns
++ * fsnotify_add_event() will not add any new events to the group's queue.
++ */
++void fsnotify_group_stop_queueing(struct fsnotify_group *group)
++{
++	mutex_lock(&group->notification_mutex);
++	group->shutdown = true;
++	mutex_unlock(&group->notification_mutex);
++}
++
++/*
+  * Trying to get rid of a group. Remove all marks, flush all events and release
+  * the group reference.
+  * Note that another thread calling fsnotify_clear_marks_by_group() may still
+@@ -47,6 +58,14 @@ void fsnotify_final_destroy_group(struct
+  */
+ void fsnotify_destroy_group(struct fsnotify_group *group)
+ {
++	/*
++	 * Stop queueing new events. The code below is careful enough to not
++	 * require this but fanotify needs to stop queuing events even before
++	 * fsnotify_destroy_group() is called and this makes the other callers
++	 * of fsnotify_destroy_group() to see the same behavior.
++	 */
++	fsnotify_group_stop_queueing(group);
++
+ 	/* clear all inode marks for this group */
+ 	fsnotify_clear_marks_by_group(group);
+ 
+--- a/fs/notify/notification.c
++++ b/fs/notify/notification.c
+@@ -82,7 +82,8 @@ void fsnotify_destroy_event(struct fsnot
+  * Add an event to the group notification queue.  The group can later pull this
+  * event off the queue to deal with.  The function returns 0 if the event was
+  * added to the queue, 1 if the event was merged with some other queued event,
+- * 2 if the queue of events has overflown.
++ * 2 if the event was not queued - either the queue of events has overflown
++ * or the group is shutting down.
+  */
+ int fsnotify_add_notify_event(struct fsnotify_group *group,
+ 			      struct fsnotify_event *event,
+@@ -96,6 +97,11 @@ int fsnotify_add_notify_event(struct fsn
+ 
+ 	mutex_lock(&group->notification_mutex);
+ 
++	if (group->shutdown) {
++		mutex_unlock(&group->notification_mutex);
++		return 2;
++	}
++
+ 	if (group->q_len >= group->max_events) {
+ 		ret = 2;
+ 		/* Queue overflow event only if it isn't already queued */
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -150,6 +150,7 @@ struct fsnotify_group {
+ 	#define FS_PRIO_1	1 /* fanotify content based access control */
+ 	#define FS_PRIO_2	2 /* fanotify pre-content access */
+ 	unsigned int priority;
++	bool shutdown;		/* group is being shut down, don't queue more events */
+ 
+ 	/* stores all fastpath marks assoc with this group so they can be cleaned on unregister */
+ 	struct mutex mark_mutex;	/* protect marks_list */
+@@ -314,6 +315,8 @@ extern struct fsnotify_group *fsnotify_a
+ extern void fsnotify_get_group(struct fsnotify_group *group);
+ /* drop reference on a group from fsnotify_alloc_group */
+ extern void fsnotify_put_group(struct fsnotify_group *group);
++/* group destruction begins, stop queuing new events */
++extern void fsnotify_group_stop_queueing(struct fsnotify_group *group);
+ /* destroy group */
+ extern void fsnotify_destroy_group(struct fsnotify_group *group);
+ /* fasync handler function */
diff --git a/queue-3.16/ftrace-recordmcount-work-around-for-addition-of-metag-magic-but-not.patch b/queue-3.16/ftrace-recordmcount-work-around-for-addition-of-metag-magic-but-not.patch
new file mode 100644
index 0000000..25384dd
--- /dev/null
+++ b/queue-3.16/ftrace-recordmcount-work-around-for-addition-of-metag-magic-but-not.patch
@@ -0,0 +1,58 @@
+From: Laura Abbott <labbott@redhat.com>
+Date: Fri, 8 Jul 2016 12:18:50 -0700
+Subject: ftrace/recordmcount: Work around for addition of metag magic but not
+ relocations
+
+commit b2e1c26f0b62531636509fbcb6dab65617ed8331 upstream.
+
+glibc recently did a sync up (94e73c95d9b5 "elf.h: Sync with the gabi
+webpage") that added a #define for EM_METAG but did not add relocations
+
+This triggers build errors:
+
+scripts/recordmcount.c: In function 'do_file':
+scripts/recordmcount.c:466:28: error: 'R_METAG_ADDR32' undeclared (first use in this function)
+  case EM_METAG:  reltype = R_METAG_ADDR32;
+                            ^~~~~~~~~~~~~~
+scripts/recordmcount.c:466:28: note: each undeclared identifier is reported only once for each function it appears in
+scripts/recordmcount.c:468:20: error: 'R_METAG_NONE' undeclared (first use in this function)
+     rel_type_nop = R_METAG_NONE;
+                    ^~~~~~~~~~~~
+
+Work around this change with some more #ifdefery for the relocations.
+
+Fedora Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1354034
+
+Link: http://lkml.kernel.org/r/1468005530-14757-1-git-send-email-labbott@redhat.com
+
+Cc: James Hogan <james.hogan@imgtec.com>
+Fixes: 00512bdd4573 ("metag: ftrace support")
+Reported-by: Ross Burton <ross.burton@intel.com>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ scripts/recordmcount.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -33,10 +33,17 @@
+ #include <string.h>
+ #include <unistd.h>
+ 
++/*
++ * glibc synced up and added the metag number but didn't add the relocations.
++ * Work around this in a crude manner for now.
++ */
+ #ifndef EM_METAG
+-/* Remove this when these make it to the standard system elf.h. */
+ #define EM_METAG      174
++#endif
++#ifndef R_METAG_ADDR32
+ #define R_METAG_ADDR32                   2
++#endif
++#ifndef R_METAG_NONE
+ #define R_METAG_NONE                     3
+ #endif
+ 
diff --git a/queue-3.16/fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch b/queue-3.16/fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch
new file mode 100644
index 0000000..5b2ccd4
--- /dev/null
+++ b/queue-3.16/fuse-fix-wrong-assignment-of-flags-in-fuse_send_init.patch
@@ -0,0 +1,27 @@
+From: Wei Fang <fangwei1@huawei.com>
+Date: Mon, 25 Jul 2016 21:17:04 +0800
+Subject: fuse: fix wrong assignment of ->flags in fuse_send_init()
+
+commit 9446385f05c9af25fed53dbed3cc75763730be52 upstream.
+
+FUSE_HAS_IOCTL_DIR should be assigned to ->flags, it may be a typo.
+
+Signed-off-by: Wei Fang <fangwei1@huawei.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 69fe05c90ed5 ("fuse: add missing INIT flags")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/fuse/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -933,7 +933,7 @@ static void fuse_send_init(struct fuse_c
+ 	arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |
+ 		FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |
+ 		FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |
+-		FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
++		FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
+ 		FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO |
+ 		FUSE_WRITEBACK_CACHE | FUSE_NO_OPEN_SUPPORT;
+ 	req->in.h.opcode = FUSE_INIT;
diff --git a/queue-3.16/fuse-fsync-did-not-return-io-errors.patch b/queue-3.16/fuse-fsync-did-not-return-io-errors.patch
new file mode 100644
index 0000000..90f978f
--- /dev/null
+++ b/queue-3.16/fuse-fsync-did-not-return-io-errors.patch
@@ -0,0 +1,42 @@
+From: Alexey Kuznetsov <kuznet@parallels.com>
+Date: Tue, 19 Jul 2016 12:48:01 -0700
+Subject: fuse: fsync() did not return IO errors
+
+commit ac7f052b9e1534c8248f814b6f0068ad8d4a06d2 upstream.
+
+Due to implementation of fuse writeback filemap_write_and_wait_range() does
+not catch errors. We have to do this directly after fuse_sync_writes()
+
+Signed-off-by: Alexey Kuznetsov <kuznet@virtuozzo.com>
+Signed-off-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 4d99ff8f12eb ("fuse: Turn writeback cache on")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/fuse/file.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -499,6 +499,21 @@ int fuse_fsync_common(struct file *file,
+ 		goto out;
+ 
+ 	fuse_sync_writes(inode);
++
++	/*
++	 * Due to implementation of fuse writeback
++	 * filemap_write_and_wait_range() does not catch errors.
++	 * We have to do this directly after fuse_sync_writes()
++	 */
++	if (test_bit(AS_ENOSPC, &file->f_mapping->flags) &&
++	    test_and_clear_bit(AS_ENOSPC, &file->f_mapping->flags))
++		err = -ENOSPC;
++	if (test_bit(AS_EIO, &file->f_mapping->flags) &&
++	    test_and_clear_bit(AS_EIO, &file->f_mapping->flags))
++		err = -EIO;
++	if (err)
++		goto out;
++
+ 	err = sync_inode_metadata(inode, 1);
+ 	if (err)
+ 		goto out;
diff --git a/queue-3.16/fuse-fuse_flush-must-check-mapping-flags-for-errors.patch b/queue-3.16/fuse-fuse_flush-must-check-mapping-flags-for-errors.patch
new file mode 100644
index 0000000..3d37cd2
--- /dev/null
+++ b/queue-3.16/fuse-fuse_flush-must-check-mapping-flags-for-errors.patch
@@ -0,0 +1,37 @@
+From: Maxim Patlasov <mpatlasov@virtuozzo.com>
+Date: Tue, 19 Jul 2016 18:12:26 -0700
+Subject: fuse: fuse_flush must check mapping->flags for errors
+
+commit 9ebce595f63a407c5cec98f98f9da8459b73740a upstream.
+
+fuse_flush() calls write_inode_now() that triggers writeback, but actual
+writeback will happen later, on fuse_sync_writes(). If an error happens,
+fuse_writepage_end() will set error bit in mapping->flags. So, we have to
+check mapping->flags after fuse_sync_writes().
+
+Signed-off-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Fixes: 4d99ff8f12eb ("fuse: Turn writeback cache on")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/fuse/file.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -454,6 +454,15 @@ static int fuse_flush(struct file *file,
+ 	fuse_sync_writes(inode);
+ 	mutex_unlock(&inode->i_mutex);
+ 
++	if (test_bit(AS_ENOSPC, &file->f_mapping->flags) &&
++	    test_and_clear_bit(AS_ENOSPC, &file->f_mapping->flags))
++		err = -ENOSPC;
++	if (test_bit(AS_EIO, &file->f_mapping->flags) &&
++	    test_and_clear_bit(AS_EIO, &file->f_mapping->flags))
++		err = -EIO;
++	if (err)
++		return err;
++
+ 	req = fuse_get_req_nofail_nopages(fc, file);
+ 	memset(&inarg, 0, sizeof(inarg));
+ 	inarg.fh = ff->fh;
diff --git a/queue-3.16/gpio-fix-of-build-problem-on-um.patch b/queue-3.16/gpio-fix-of-build-problem-on-um.patch
new file mode 100644
index 0000000..bee44a1
--- /dev/null
+++ b/queue-3.16/gpio-fix-of-build-problem-on-um.patch
@@ -0,0 +1,40 @@
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Aug 2016 09:58:25 +0200
+Subject: gpio: Fix OF build problem on UM
+
+commit 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 upstream.
+
+The UserMode (UM) Linux build was failing in gpiolib-of as it requires
+ioremap()/iounmap() to exist, which is absent from UM. The non-existence
+of IO memory is negatively defined as CONFIG_NO_IOMEM which means we
+need to depend on HAS_IOMEM.
+
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpio/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/Kconfig
++++ b/drivers/gpio/Kconfig
+@@ -50,6 +50,7 @@ config GPIO_DEVRES
+ config OF_GPIO
+ 	def_bool y
+ 	depends on OF
++	depends on HAS_IOMEM
+ 
+ config GPIO_ACPI
+ 	def_bool y
+--- a/arch/mips/kvm/kvm_mips.c
++++ b/arch/mips/kvm/kvm_mips.c
+@@ -1211,7 +1211,7 @@ int __init kvm_mips_init(void)
+ 	 */
+ 	kvm_mips_gfn_to_pfn = gfn_to_pfn;
+ 	kvm_mips_release_pfn_clean = kvm_release_pfn_clean;
+-	kvm_mips_is_error_pfn = is_error_pfn;
++	kvm_mips_is_error_pfn = is_error_noslot_pfn;
+ 
+ 	pr_info("KVM/MIPS Initialized\n");
+ 	return 0;
diff --git a/queue-3.16/gpio-intel-mid-remove-potentially-harmful-code.patch b/queue-3.16/gpio-intel-mid-remove-potentially-harmful-code.patch
new file mode 100644
index 0000000..c119b0a
--- /dev/null
+++ b/queue-3.16/gpio-intel-mid-remove-potentially-harmful-code.patch
@@ -0,0 +1,83 @@
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 6 Jul 2016 12:50:12 +0300
+Subject: gpio: intel-mid: Remove potentially harmful code
+
+commit 3dbd3212f81b2b410a34a922055e2da792864829 upstream.
+
+The commit d56d6b3d7d69 ("gpio: langwell: add Intel Merrifield support")
+doesn't look at all as a proper support for Intel Merrifield and I dare to say
+that it distorts the behaviour of the hardware.
+
+The register map is different on Intel Merrifield, i.e. only 6 out of 8
+register have the same purpose but none of them has same location in the
+address space. The current case potentially harmful to existing hardware since
+it's poking registers on wrong offsets and may set some pin to be GPIO output
+when connected hardware doesn't expect such.
+
+Besides the above GPIO and pinctrl on Intel Merrifield have been located in
+different IP blocks. The functionality has been extended as well, i.e. added
+support of level interrupts, special registers for wake capable sources and
+thus, in my opinion, requires a completele separate driver.
+
+If someone wondering the existing gpio-intel-mid.c would be converted to actual
+pinctrl (which by the fact it is now), though I wouldn't be a volunteer to do
+that.
+
+Fixes: d56d6b3d7d69 ("gpio: langwell: add Intel Merrifield support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpio/gpio-intel-mid.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+--- a/drivers/gpio/gpio-intel-mid.c
++++ b/drivers/gpio/gpio-intel-mid.c
+@@ -17,7 +17,6 @@
+  * Moorestown platform Langwell chip.
+  * Medfield platform Penwell chip.
+  * Clovertrail platform Cloverview chip.
+- * Merrifield platform Tangier chip.
+  */
+ 
+ #include <linux/module.h>
+@@ -66,10 +65,6 @@ enum GPIO_REG {
+ /* intel_mid gpio driver data */
+ struct intel_mid_gpio_ddata {
+ 	u16 ngpio;		/* number of gpio pins */
+-	u32 gplr_offset;	/* offset of first GPLR register from base */
+-	u32 flis_base;		/* base address of FLIS registers */
+-	u32 flis_len;		/* length of FLIS registers */
+-	u32 (*get_flis_offset)(int gpio);
+ 	u32 chip_irq_type;	/* chip interrupt type */
+ };
+ 
+@@ -284,15 +279,6 @@ static const struct intel_mid_gpio_ddata
+ 	.chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE,
+ };
+ 
+-static const struct intel_mid_gpio_ddata gpio_tangier = {
+-	.ngpio = 192,
+-	.gplr_offset = 4,
+-	.flis_base = 0xff0c0000,
+-	.flis_len = 0x8000,
+-	.get_flis_offset = NULL,
+-	.chip_irq_type = INTEL_MID_IRQ_TYPE_EDGE,
+-};
+-
+ static const struct pci_device_id intel_gpio_ids[] = {
+ 	{
+ 		/* Lincroft */
+@@ -319,11 +305,6 @@ static const struct pci_device_id intel_
+ 		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x08f7),
+ 		.driver_data = (kernel_ulong_t)&gpio_cloverview_core,
+ 	},
+-	{
+-		/* Tangier */
+-		PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x1199),
+-		.driver_data = (kernel_ulong_t)&gpio_tangier,
+-	},
+ 	{ 0 }
+ };
+ MODULE_DEVICE_TABLE(pci, intel_gpio_ids);
diff --git a/queue-3.16/gpio-pca953x-fix-nbank-calculation-for-pca9536.patch b/queue-3.16/gpio-pca953x-fix-nbank-calculation-for-pca9536.patch
new file mode 100644
index 0000000..54da4c4
--- /dev/null
+++ b/queue-3.16/gpio-pca953x-fix-nbank-calculation-for-pca9536.patch
@@ -0,0 +1,30 @@
+From: Vignesh R <vigneshr@ti.com>
+Date: Thu, 9 Jun 2016 11:02:04 +0530
+Subject: gpio: pca953x: Fix NBANK calculation for PCA9536
+
+commit a246b8198f776a16d1d3a3bbfc2d437bad766b29 upstream.
+
+NBANK() macro assumes that ngpios is a multiple of 8(BANK_SZ) and
+hence results in 0 banks for PCA9536 which has just 4 gpios. This is
+wrong as PCA9356 has 1 bank with 4 gpios. This results in uninitialized
+PCA953X_INVERT register. Fix this by using DIV_ROUND_UP macro in
+NBANK().
+
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/gpio/gpio-pca953x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -76,7 +76,7 @@ MODULE_DEVICE_TABLE(i2c, pca953x_id);
+ #define MAX_BANK 5
+ #define BANK_SZ 8
+ 
+-#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ)
++#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ)
+ 
+ struct pca953x_chip {
+ 	unsigned gpio_start;
diff --git a/queue-3.16/hexagon-fix-strncpy_from_user-error-return.patch b/queue-3.16/hexagon-fix-strncpy_from_user-error-return.patch
new file mode 100644
index 0000000..8e78689
--- /dev/null
+++ b/queue-3.16/hexagon-fix-strncpy_from_user-error-return.patch
@@ -0,0 +1,28 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 21:16:49 -0400
+Subject: hexagon: fix strncpy_from_user() error return
+
+commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.
+
+It's -EFAULT, not -1 (and contrary to the comment in there,
+__strnlen_user() can return 0 - on faults).
+
+Acked-by: Richard Kuo <rkuo@codeaurora.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/hexagon/include/asm/uaccess.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/hexagon/include/asm/uaccess.h
++++ b/arch/hexagon/include/asm/uaccess.h
+@@ -102,7 +102,8 @@ static inline long hexagon_strncpy_from_
+ {
+ 	long res = __strnlen_user(src, n);
+ 
+-	/* return from strnlen can't be zero -- that would be rubbish. */
++	if (unlikely(!res))
++		return -EFAULT;
+ 
+ 	if (res > n) {
+ 		copy_from_user(dst, src, n);
diff --git a/queue-3.16/hid-uhid-fix-timeout-when-probe-races-with-io.patch b/queue-3.16/hid-uhid-fix-timeout-when-probe-races-with-io.patch
new file mode 100644
index 0000000..a515610
--- /dev/null
+++ b/queue-3.16/hid-uhid-fix-timeout-when-probe-races-with-io.patch
@@ -0,0 +1,113 @@
+From: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Date: Wed, 18 May 2016 13:11:09 -0700
+Subject: HID: uhid: fix timeout when probe races with IO
+
+commit 67f8ecc550b5bda03335f845dc869b8501d25fd0 upstream.
+
+Many devices use userspace bluetooth stacks like BlueZ or Bluedroid in combination
+with uhid. If any of these stacks is used with a HID device for which the driver
+performs a HID request as part .probe (or technically another HID operation),
+this results in a deadlock situation. The deadlock results in a 5 second timeout
+for I/O operations in HID drivers, so isn't fatal, but none of the I/O operations
+have a chance of succeeding.
+
+The root cause for the problem is that uhid only allows for one request to be
+processed at a time per uhid instance and locks out other operations. This means
+that if a user space is creating a new HID device through 'UHID_CREATE', which
+ultimately triggers '.probe' through the HID layer. Then any HID request e.g. a
+read for calibration data would trigger a HID operation on uhid again, but it
+won't go out to userspace, because it is still stuck in UHID_CREATE.
+In addition bluetooth stacks are typically single threaded, so they wouldn't be
+able to handle any requests while waiting on uhid.
+
+Lucikly the UHID spec is somewhat flexible and allows for fixing the issue,
+without breaking user space. The idea which the patch implements as discussed
+with David Herrmann is to decouple adding of a hid device (which triggers .probe)
+from UHID_CREATE. The work will kick off roughly once UHID_CREATE completed (or
+else will wait a tiny bit of time in .probe for a lock). A HID driver has to call
+HID to call 'hid_hw_start()' as part of .probe once it is ready for I/O, which
+triggers UHID_START to user space. Any HID operations should function now within
+.probe and won't deadlock because userspace is stuck on UHID_CREATE.
+
+We verified this patch on Bluedroid with Android 6.0 and on desktop Linux with
+BlueZ stacks. Prior to the patch they had the deadlock issue.
+
+[jkosina@suse.cz: reword subject]
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hid/uhid.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -49,10 +49,26 @@ struct uhid_device {
+ 	atomic_t report_done;
+ 	atomic_t report_id;
+ 	struct uhid_event report_buf;
++	struct work_struct worker;
+ };
+ 
+ static struct miscdevice uhid_misc;
+ 
++static void uhid_device_add_worker(struct work_struct *work)
++{
++	struct uhid_device *uhid = container_of(work, struct uhid_device, worker);
++	int ret;
++
++	ret = hid_add_device(uhid->hid);
++	if (ret) {
++		hid_err(uhid->hid, "Cannot register HID device: error %d\n", ret);
++
++		hid_destroy_device(uhid->hid);
++		uhid->hid = NULL;
++		uhid->running = false;
++	}
++}
++
+ static void uhid_queue(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+ 	__u8 newhead;
+@@ -471,18 +487,14 @@ static int uhid_dev_create2(struct uhid_
+ 	uhid->hid = hid;
+ 	uhid->running = true;
+ 
+-	ret = hid_add_device(hid);
+-	if (ret) {
+-		hid_err(hid, "Cannot register HID device\n");
+-		goto err_hid;
+-	}
++	/* Adding of a HID device is done through a worker, to allow HID drivers
++	 * which use feature requests during .probe to work, without they would
++	 * be blocked on devlock, which is held by uhid_char_write.
++	 */
++	schedule_work(&uhid->worker);
+ 
+ 	return 0;
+ 
+-err_hid:
+-	hid_destroy_device(hid);
+-	uhid->hid = NULL;
+-	uhid->running = false;
+ err_free:
+ 	kfree(uhid->rd_data);
+ 	return ret;
+@@ -499,6 +511,8 @@ static int uhid_dev_destroy(struct uhid_
+ 	atomic_set(&uhid->report_done, 1);
+ 	wake_up_interruptible(&uhid->report_wait);
+ 
++	cancel_work_sync(&uhid->worker);
++
+ 	hid_destroy_device(uhid->hid);
+ 	kfree(uhid->rd_data);
+ 
+@@ -567,6 +581,7 @@ static int uhid_char_open(struct inode *
+ 	init_waitqueue_head(&uhid->report_wait);
+ 	uhid->running = false;
+ 	atomic_set(&uhid->report_done, 1);
++	INIT_WORK(&uhid->worker, uhid_device_add_worker);
+ 
+ 	file->private_data = uhid;
+ 	nonseekable_open(inode, file);
diff --git a/queue-3.16/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch b/queue-3.16/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch
new file mode 100644
index 0000000..0d046c6
--- /dev/null
+++ b/queue-3.16/hostfs-freeing-an-err_ptr-in-hostfs_fill_sb_common.patch
@@ -0,0 +1,33 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 13 Jul 2016 13:12:34 +0300
+Subject: hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
+
+commit 8a545f185145e3c09348cd74326268ecfc6715a3 upstream.
+
+We can't pass error pointers to kfree() or it causes an oops.
+
+Fixes: 52b209f7b848 ('get rid of hostfs_read_inode()')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/hostfs/hostfs_kern.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/hostfs/hostfs_kern.c
++++ b/fs/hostfs/hostfs_kern.c
+@@ -942,10 +942,11 @@ static int hostfs_fill_sb_common(struct
+ 
+ 	if (S_ISLNK(root_inode->i_mode)) {
+ 		char *name = follow_link(host_root_path);
+-		if (IS_ERR(name))
++		if (IS_ERR(name)) {
+ 			err = PTR_ERR(name);
+-		else
+-			err = read_name(root_inode, name);
++			goto out_put;
++		}
++		err = read_name(root_inode, name);
+ 		kfree(name);
+ 		if (err)
+ 			goto out_put;
diff --git a/queue-3.16/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch b/queue-3.16/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
new file mode 100644
index 0000000..521f3b4
--- /dev/null
+++ b/queue-3.16/hp-wmi-fix-wifi-cannot-be-hard-unblocked.patch
@@ -0,0 +1,43 @@
+From: Alex Hung <alex.hung@canonical.com>
+Date: Mon, 13 Jun 2016 19:44:00 +0800
+Subject: hp-wmi: Fix wifi cannot be hard-unblocked
+
+commit fc8a601e1175ae351f662506030f9939cb7fdbfe upstream.
+
+Several users reported wifi cannot be unblocked as discussed in [1].
+This patch removes the use of the 2009 flag by BIOS but uses the actual
+WMI function calls - it will be skipped if WMI reports unsupported.
+
+[1] https://bugzilla.kernel.org/show_bug.cgi?id=69131
+
+Signed-off-by: Alex Hung <alex.hung@canonical.com>
+Tested-by: Evgenii Shatokhin <eugene.shatokhin@yandex.ru>
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/platform/x86/hp-wmi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -723,6 +723,11 @@ static int __init hp_wmi_rfkill_setup(st
+ 	if (err)
+ 		return err;
+ 
++	err = hp_wmi_perform_query(HPWMI_WIRELESS_QUERY, 1, &wireless,
++				   sizeof(wireless), 0);
++	if (err)
++		return err;
++
+ 	if (wireless & 0x1) {
+ 		wifi_rfkill = rfkill_alloc("hp-wifi", &device->dev,
+ 					   RFKILL_TYPE_WLAN,
+@@ -910,7 +915,7 @@ static int __init hp_wmi_bios_setup(stru
+ 	gps_rfkill = NULL;
+ 	rfkill2_count = 0;
+ 
+-	if (hp_wmi_bios_2009_later() || hp_wmi_rfkill_setup(device))
++	if (hp_wmi_rfkill_setup(device))
+ 		hp_wmi_rfkill2_setup(device);
+ 
+ 	err = device_create_file(&device->dev, &dev_attr_display);
diff --git a/queue-3.16/hwmon-adt7411-set-bit-3-in-cfg1-register.patch b/queue-3.16/hwmon-adt7411-set-bit-3-in-cfg1-register.patch
new file mode 100644
index 0000000..4b251fa
--- /dev/null
+++ b/queue-3.16/hwmon-adt7411-set-bit-3-in-cfg1-register.patch
@@ -0,0 +1,39 @@
+From: Michael Walle <michael@walle.cc>
+Date: Tue, 19 Jul 2016 16:43:26 +0200
+Subject: hwmon: (adt7411) set bit 3 in CFG1 register
+
+commit b53893aae441a034bf4dbbad42fe218561d7d81f upstream.
+
+According to the datasheet you should only write 1 to this bit. If it is
+not set, at least AIN3 will return bad values on newer silicon revisions.
+
+Fixes: d84ca5b345c2 ("hwmon: Add driver for ADT7411 voltage and temperature sensor")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/hwmon/adt7411.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/adt7411.c
++++ b/drivers/hwmon/adt7411.c
+@@ -30,6 +30,7 @@
+ 
+ #define ADT7411_REG_CFG1			0x18
+ #define ADT7411_CFG1_START_MONITOR		(1 << 0)
++#define ADT7411_CFG1_RESERVED_BIT3		(1 << 3)
+ 
+ #define ADT7411_REG_CFG2			0x19
+ #define ADT7411_CFG2_DISABLE_AVG		(1 << 5)
+@@ -292,8 +293,10 @@ static int adt7411_probe(struct i2c_clie
+ 	mutex_init(&data->device_lock);
+ 	mutex_init(&data->update_lock);
+ 
++	/* According to the datasheet, we must only write 1 to bit 3 */
+ 	ret = adt7411_modify_bit(client, ADT7411_REG_CFG1,
+-				 ADT7411_CFG1_START_MONITOR, 1);
++				 ADT7411_CFG1_RESERVED_BIT3
++				 | ADT7411_CFG1_START_MONITOR, 1);
+ 	if (ret < 0)
+ 		return ret;
+ 
diff --git a/queue-3.16/hwrng-omap-fix-assumption-that-runtime_get_sync-will-always.patch b/queue-3.16/hwrng-omap-fix-assumption-that-runtime_get_sync-will-always.patch
new file mode 100644
index 0000000..99aecf0
--- /dev/null
+++ b/queue-3.16/hwrng-omap-fix-assumption-that-runtime_get_sync-will-always.patch
@@ -0,0 +1,71 @@
+From: Nishanth Menon <nm@ti.com>
+Date: Fri, 24 Jun 2016 11:50:39 -0500
+Subject: hwrng: omap - Fix assumption that runtime_get_sync will always
+ succeed
+
+commit 61dc0a446e5d08f2de8a24b45f69a1e302bb1b1b upstream.
+
+pm_runtime_get_sync does return a error value that must be checked for
+error conditions, else, due to various reasons, the device maynot be
+enabled and the system will crash due to lack of clock to the hardware
+module.
+
+Before:
+12.562784] [00000000] *pgd=fe193835
+12.562792] Internal error: : 1406 [#1] SMP ARM
+[...]
+12.562864] CPU: 1 PID: 241 Comm: modprobe Not tainted 4.7.0-rc4-next-20160624 #2
+12.562867] Hardware name: Generic DRA74X (Flattened Device Tree)
+12.562872] task: ed51f140 ti: ed44c000 task.ti: ed44c000
+12.562886] PC is at omap4_rng_init+0x20/0x84 [omap_rng]
+12.562899] LR is at set_current_rng+0xc0/0x154 [rng_core]
+[...]
+
+After the proper checks:
+[   94.366705] omap_rng 48090000.rng: _od_fail_runtime_resume: FIXME:
+missing hwmod/omap_dev info
+[   94.375767] omap_rng 48090000.rng: Failed to runtime_get device -19
+[   94.382351] omap_rng 48090000.rng: initialization failed.
+
+Fixes: 665d92fa85b5 ("hwrng: OMAP: convert to use runtime PM")
+Cc: Paul Walmsley <paul@pwsan.com>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/char/hw_random/omap-rng.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/hw_random/omap-rng.c
++++ b/drivers/char/hw_random/omap-rng.c
+@@ -384,7 +384,12 @@ static int omap_rng_probe(struct platfor
+ 	}
+ 
+ 	pm_runtime_enable(&pdev->dev);
+-	pm_runtime_get_sync(&pdev->dev);
++	ret = pm_runtime_get_sync(&pdev->dev);
++	if (ret) {
++		dev_err(&pdev->dev, "Failed to runtime_get device: %d\n", ret);
++		pm_runtime_put_noidle(&pdev->dev);
++		goto err_ioremap;
++	}
+ 
+ 	ret = (dev->of_node) ? of_get_omap_rng_device_details(priv, pdev) :
+ 				get_omap_rng_device_details(priv);
+@@ -437,8 +442,15 @@ static int omap_rng_suspend(struct devic
+ static int omap_rng_resume(struct device *dev)
+ {
+ 	struct omap_rng_dev *priv = dev_get_drvdata(dev);
++	int ret;
++
++	ret = pm_runtime_get_sync(dev);
++	if (ret) {
++		dev_err(dev, "Failed to runtime_get device: %d\n", ret);
++		pm_runtime_put_noidle(dev);
++		return ret;
++	}
+ 
+-	pm_runtime_get_sync(dev);
+ 	priv->pdata->init(priv);
+ 
+ 	return 0;
diff --git a/queue-3.16/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch b/queue-3.16/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
new file mode 100644
index 0000000..30b8f1d
--- /dev/null
+++ b/queue-3.16/i2c-efm32-fix-a-failure-path-in-efm32_i2c_probe.patch
@@ -0,0 +1,34 @@
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Sat, 16 Jul 2016 02:36:38 +0300
+Subject: i2c: efm32: fix a failure path in efm32_i2c_probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 7dd91d52a813f99a95d20f539b777e9e6198b931 upstream.
+
+There is the only failure path in efm32_i2c_probe(),
+where clk_disable_unprepare() is missed.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Fixes: 1b5b23718b84 ("i2c: efm32: new bus driver")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/i2c/busses/i2c-efm32.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-efm32.c
++++ b/drivers/i2c/busses/i2c-efm32.c
+@@ -427,7 +427,7 @@ static int efm32_i2c_probe(struct platfo
+ 	ret = request_irq(ddata->irq, efm32_i2c_irq, 0, DRIVER_NAME, ddata);
+ 	if (ret < 0) {
+ 		dev_err(&pdev->dev, "failed to request irq (%d)\n", ret);
+-		return ret;
++		goto err_disable_clk;
+ 	}
+ 
+ 	ret = i2c_add_adapter(&ddata->adapter);
diff --git a/queue-3.16/i2c-eg20t-fix-race-between-i2c-init-and-interrupt-enable.patch b/queue-3.16/i2c-eg20t-fix-race-between-i2c-init-and-interrupt-enable.patch
new file mode 100644
index 0000000..4cb47ea
--- /dev/null
+++ b/queue-3.16/i2c-eg20t-fix-race-between-i2c-init-and-interrupt-enable.patch
@@ -0,0 +1,60 @@
+From: "Yadi.hu" <yadi.hu@windriver.com>
+Date: Sun, 18 Sep 2016 18:52:31 +0800
+Subject: i2c-eg20t: fix race between i2c init and interrupt enable
+
+commit 371a015344b6e270e7e3632107d9554ec6d27a6b upstream.
+
+the eg20t driver call request_irq() function before the pch_base_address,
+base address of i2c controller's register, is assigned an effective value.
+
+there is one possible scenario that an interrupt which isn't inside eg20t
+arrives immediately after request_irq() is executed when i2c controller
+shares an interrupt number with others. since the interrupt handler
+pch_i2c_handler() has already active as shared action, it will be called
+and read its own register to determine if this interrupt is from itself.
+
+At that moment, since base address of i2c registers is not remapped
+in kernel space yet,so the INT handler will access an illegal address
+and then a error occurs.
+
+Signed-off-by: Yadi.hu <yadi.hu@windriver.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/i2c/busses/i2c-eg20t.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-eg20t.c
++++ b/drivers/i2c/busses/i2c-eg20t.c
+@@ -777,13 +777,6 @@ static int pch_i2c_probe(struct pci_dev
+ 	/* Set the number of I2C channel instance */
+ 	adap_info->ch_num = id->driver_data;
+ 
+-	ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
+-		  KBUILD_MODNAME, adap_info);
+-	if (ret) {
+-		pch_pci_err(pdev, "request_irq FAILED\n");
+-		goto err_request_irq;
+-	}
+-
+ 	for (i = 0; i < adap_info->ch_num; i++) {
+ 		pch_adap = &adap_info->pch_data[i].pch_adapter;
+ 		adap_info->pch_i2c_suspended = false;
+@@ -800,6 +793,17 @@ static int pch_i2c_probe(struct pci_dev
+ 		adap_info->pch_data[i].pch_base_address = base_addr + 0x100 * i;
+ 
+ 		pch_adap->dev.parent = &pdev->dev;
++	}
++
++	ret = request_irq(pdev->irq, pch_i2c_handler, IRQF_SHARED,
++		  KBUILD_MODNAME, adap_info);
++	if (ret) {
++		pch_pci_err(pdev, "request_irq FAILED\n");
++		goto err_request_irq;
++	}
++
++	for (i = 0; i < adap_info->ch_num; i++) {
++		pch_adap = &adap_info->pch_data[i].pch_adapter;
+ 
+ 		pch_i2c_init(&adap_info->pch_data[i]);
+ 
diff --git a/queue-3.16/i2c-mux-pca954x-retry-updating-the-mux-selection-on-failure.patch b/queue-3.16/i2c-mux-pca954x-retry-updating-the-mux-selection-on-failure.patch
new file mode 100644
index 0000000..18a2f52
--- /dev/null
+++ b/queue-3.16/i2c-mux-pca954x-retry-updating-the-mux-selection-on-failure.patch
@@ -0,0 +1,28 @@
+From: Peter Rosin <peda@axentia.se>
+Date: Wed, 14 Sep 2016 15:24:12 +0200
+Subject: i2c: mux: pca954x: retry updating the mux selection on failure
+
+commit 463e8f845cbf1c01e4cc8aeef1703212991d8e1e upstream.
+
+The cached value of the last selected channel prevents retries on the
+next call, even on failure to update the selected channel. Fix that.
+
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/i2c/muxes/i2c-mux-pca954x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/muxes/i2c-mux-pca954x.c
++++ b/drivers/i2c/muxes/i2c-mux-pca954x.c
+@@ -161,7 +161,7 @@ static int pca954x_select_chan(struct i2
+ 	/* Only select the channel if its different from the last channel */
+ 	if (data->last_chan != regval) {
+ 		ret = pca954x_reg_write(adap, client, regval);
+-		data->last_chan = regval;
++		data->last_chan = ret ? 0 : regval;
+ 	}
+ 
+ 	return ret;
diff --git a/queue-3.16/i2c-qup-skip-qup_i2c_suspend-if-the-device-is-already-runtime.patch b/queue-3.16/i2c-qup-skip-qup_i2c_suspend-if-the-device-is-already-runtime.patch
new file mode 100644
index 0000000..77acbd3
--- /dev/null
+++ b/queue-3.16/i2c-qup-skip-qup_i2c_suspend-if-the-device-is-already-runtime.patch
@@ -0,0 +1,49 @@
+From: Sudeep Holla <Sudeep.Holla@arm.com>
+Date: Thu, 25 Aug 2016 12:23:39 +0100
+Subject: i2c: qup: skip qup_i2c_suspend if the device is already runtime
+ suspended
+
+commit 331dcf421c34d227784d07943eb01e4023a42b0a upstream.
+
+If the i2c device is already runtime suspended, if qup_i2c_suspend is
+executed during suspend-to-idle or suspend-to-ram it will result in the
+following splat:
+
+WARNING: CPU: 3 PID: 1593 at drivers/clk/clk.c:476 clk_core_unprepare+0x80/0x90
+Modules linked in:
+
+CPU: 3 PID: 1593 Comm: bash Tainted: G        W       4.8.0-rc3 #14
+Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
+PC is at clk_core_unprepare+0x80/0x90
+LR is at clk_unprepare+0x28/0x40
+pc : [<ffff0000086eecf0>] lr : [<ffff0000086f0c58>] pstate: 60000145
+Call trace:
+ clk_core_unprepare+0x80/0x90
+ qup_i2c_disable_clocks+0x2c/0x68
+ qup_i2c_suspend+0x10/0x20
+ platform_pm_suspend+0x24/0x68
+ ...
+
+This patch fixes the issue by executing qup_i2c_pm_suspend_runtime
+conditionally in qup_i2c_suspend.
+
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Andy Gross <andy.gross@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/i2c/busses/i2c-qup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -724,7 +724,8 @@ static int qup_i2c_pm_resume_runtime(str
+ #ifdef CONFIG_PM_SLEEP
+ static int qup_i2c_suspend(struct device *device)
+ {
+-	qup_i2c_pm_suspend_runtime(device);
++	if (!pm_runtime_suspended(device))
++		return qup_i2c_pm_suspend_runtime(device);
+ 	return 0;
+ }
+ 
diff --git a/queue-3.16/ia64-copy_from_user-should-zero-the-destination-on-access_ok.patch b/queue-3.16/ia64-copy_from_user-should-zero-the-destination-on-access_ok.patch
new file mode 100644
index 0000000..9ff1bd7
--- /dev/null
+++ b/queue-3.16/ia64-copy_from_user-should-zero-the-destination-on-access_ok.patch
@@ -0,0 +1,40 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 21:31:41 -0400
+Subject: ia64: copy_from_user() should zero the destination on access_ok()
+ failure
+
+commit a5e541f796f17228793694d64b507f5f57db4cd7 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: Backported to 3.16: no calls to check_object_size()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/ia64/include/asm/uaccess.h
++++ b/arch/ia64/include/asm/uaccess.h
+@@ -262,17 +262,15 @@ __copy_from_user (void *to, const void _
+ 	__cu_len;									\
+ })
+ 
+-#define copy_from_user(to, from, n)							\
+-({											\
+-	void *__cu_to = (to);								\
+-	const void __user *__cu_from = (from);						\
+-	long __cu_len = (n);								\
+-											\
+-	__chk_user_ptr(__cu_from);							\
+-	if (__access_ok(__cu_from, __cu_len, get_fs()))					\
+-		__cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);	\
+-	__cu_len;									\
+-})
++static inline unsigned long
++copy_from_user(void *to, const void __user *from, unsigned long n)
++{
++	if (likely(__access_ok(from, n, get_fs())))
++		n = __copy_user((__force void __user *) to, from, n);
++	else
++		memset(to, 0, n);
++	return n;
++}
+ 
+ #define __copy_in_user(to, from, size)	__copy_user((to), (from), (size))
+ 
diff --git a/queue-3.16/ib-core-fix-use-after-free-in-send_leave-function.patch b/queue-3.16/ib-core-fix-use-after-free-in-send_leave-function.patch
new file mode 100644
index 0000000..79d80cb
--- /dev/null
+++ b/queue-3.16/ib-core-fix-use-after-free-in-send_leave-function.patch
@@ -0,0 +1,59 @@
+From: Erez Shitrit <erezsh@mellanox.com>
+Date: Sun, 28 Aug 2016 10:58:30 +0300
+Subject: IB/core: Fix use after free in send_leave function
+
+commit 68c6bcdd8bd00394c234b915ab9b97c74104130c upstream.
+
+The function send_leave sets the member: group->query_id
+(group->query_id = ret) after calling the sa_query, but leave_handler
+can be executed before the setting and it might delete the group object,
+and will get a memory corruption.
+
+Additionally, this patch gets rid of group->query_id variable which is
+not used.
+
+Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests')
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/core/multicast.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/infiniband/core/multicast.c
++++ b/drivers/infiniband/core/multicast.c
+@@ -106,7 +106,6 @@ struct mcast_group {
+ 	atomic_t		refcount;
+ 	enum mcast_group_state	state;
+ 	struct ib_sa_query	*query;
+-	int			query_id;
+ 	u16			pkey_index;
+ 	u8			leave_state;
+ 	int			retries;
+@@ -339,11 +338,7 @@ static int send_join(struct mcast_group
+ 				       member->multicast.comp_mask,
+ 				       3000, GFP_KERNEL, join_handler, group,
+ 				       &group->query);
+-	if (ret >= 0) {
+-		group->query_id = ret;
+-		ret = 0;
+-	}
+-	return ret;
++	return (ret > 0) ? 0 : ret;
+ }
+ 
+ static int send_leave(struct mcast_group *group, u8 leave_state)
+@@ -363,11 +358,7 @@ static int send_leave(struct mcast_group
+ 				       IB_SA_MCMEMBER_REC_JOIN_STATE,
+ 				       3000, GFP_KERNEL, leave_handler,
+ 				       group, &group->query);
+-	if (ret >= 0) {
+-		group->query_id = ret;
+-		ret = 0;
+-	}
+-	return ret;
++	return (ret > 0) ? 0 : ret;
+ }
+ 
+ static void join_group(struct mcast_group *group, struct mcast_member *member,
diff --git a/queue-3.16/ib-ipoib-don-t-allow-mc-joins-during-light-mc-flush.patch b/queue-3.16/ib-ipoib-don-t-allow-mc-joins-during-light-mc-flush.patch
new file mode 100644
index 0000000..e044f01
--- /dev/null
+++ b/queue-3.16/ib-ipoib-don-t-allow-mc-joins-during-light-mc-flush.patch
@@ -0,0 +1,81 @@
+From: Alex Vesker <valex@mellanox.com>
+Date: Mon, 12 Sep 2016 09:55:28 +0300
+Subject: IB/ipoib: Don't allow MC joins during light MC flush
+
+commit 344bacca8cd811809fc33a249f2738ab757d327f upstream.
+
+This fix solves a race between light flush and on the fly joins.
+Light flush doesn't set the device to down and unset IPOIB_OPER_UP
+flag, this means that if while flushing we have a MC join in progress
+and the QP was attached to BC MGID we can have a mismatches when
+re-attaching a QP to the BC MGID.
+
+The light flush would set the broadcast group to NULL causing an on
+the fly join to rejoin and reattach to the BC MCG as well as adding
+the BC MGID to the multicast list. The flush process would later on
+remove the BC MGID and detach it from the QP. On the next flush
+the BC MGID is present in the multicast list but not found when trying
+to detach it because of the previous double attach and single detach.
+
+[18332.714265] ------------[ cut here ]------------
+[18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core]
+...
+[18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011
+[18332.779411]  0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000
+[18332.784960]  0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300
+[18332.790547]  ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280
+[18332.796199] Call Trace:
+[18332.798015]  [<ffffffff813fed47>] dump_stack+0x63/0x8c
+[18332.801831]  [<ffffffff8109add1>] __warn+0xd1/0xf0
+[18332.805403]  [<ffffffff8109aebd>] warn_slowpath_null+0x1d/0x20
+[18332.809706]  [<ffffffffa025d90f>] ib_dealloc_pd+0xff/0x120 [ib_core]
+[18332.814384]  [<ffffffffa04f3d7c>] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib]
+[18332.820031]  [<ffffffffa04ed648>] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib]
+[18332.825220]  [<ffffffffa04e62c8>] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib]
+[18332.830290]  [<ffffffffa04e656f>] ipoib_uninit+0x2f/0x40 [ib_ipoib]
+[18332.834911]  [<ffffffff81772a8a>] rollback_registered_many+0x1aa/0x2c0
+[18332.839741]  [<ffffffff81772bd1>] rollback_registered+0x31/0x40
+[18332.844091]  [<ffffffff81773b18>] unregister_netdevice_queue+0x48/0x80
+[18332.848880]  [<ffffffffa04f489b>] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib]
+[18332.853848]  [<ffffffffa04df1cd>] delete_child+0x7d/0xf0 [ib_ipoib]
+[18332.858474]  [<ffffffff81520c08>] dev_attr_store+0x18/0x30
+[18332.862510]  [<ffffffff8127fe4a>] sysfs_kf_write+0x3a/0x50
+[18332.866349]  [<ffffffff8127f4e0>] kernfs_fop_write+0x120/0x170
+[18332.870471]  [<ffffffff81207198>] __vfs_write+0x28/0xe0
+[18332.874152]  [<ffffffff810e09bf>] ? percpu_down_read+0x1f/0x50
+[18332.878274]  [<ffffffff81208062>] vfs_write+0xa2/0x1a0
+[18332.881896]  [<ffffffff812093a6>] SyS_write+0x46/0xa0
+[18332.885632]  [<ffffffff810039b7>] do_syscall_64+0x57/0xb0
+[18332.889709]  [<ffffffff81883321>] entry_SYSCALL64_slow_path+0x25/0x25
+[18332.894727] ---[ end trace 09ebbe31f831ef17 ]---
+
+Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events")
+Signed-off-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+@@ -1030,8 +1030,17 @@ static void __ipoib_ib_dev_flush(struct
+ 	}
+ 
+ 	if (level == IPOIB_FLUSH_LIGHT) {
++		int oper_up;
+ 		ipoib_mark_paths_invalid(dev);
++		/* Set IPoIB operation as down to prevent races between:
++		 * the flush flow which leaves MCG and on the fly joins
++		 * which can happen during that time. mcast restart task
++		 * should deal with join requests we missed.
++		 */
++		oper_up = test_and_clear_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
+ 		ipoib_mcast_dev_flush(dev);
++		if (oper_up)
++			set_bit(IPOIB_FLAG_OPER_UP, &priv->flags);
+ 	}
+ 
+ 	if (level >= IPOIB_FLUSH_NORMAL)
diff --git a/queue-3.16/ib-ipoib-fix-memory-corruption-in-ipoib-cm-mode-connect-flow.patch b/queue-3.16/ib-ipoib-fix-memory-corruption-in-ipoib-cm-mode-connect-flow.patch
new file mode 100644
index 0000000..968b6a8
--- /dev/null
+++ b/queue-3.16/ib-ipoib-fix-memory-corruption-in-ipoib-cm-mode-connect-flow.patch
@@ -0,0 +1,107 @@
+From: Erez Shitrit <erezsh@mellanox.com>
+Date: Sun, 28 Aug 2016 10:58:31 +0300
+Subject: IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
+
+commit 546481c2816ea3c061ee9d5658eb48070f69212e upstream.
+
+When a new CM connection is being requested, ipoib driver copies data
+from the path pointer in the CM/tx object, the path object might be
+invalid at the point and memory corruption will happened later when now
+the CM driver will try using that data.
+
+The next scenario demonstrates it:
+	neigh_add_path --> ipoib_cm_create_tx -->
+	queue_work (pointer to path is in the cm/tx struct)
+	#while the work is still in the queue,
+	#the port goes down and causes the ipoib_flush_paths:
+	ipoib_flush_paths --> path_free --> kfree(path)
+	#at this point the work scheduled starts.
+	ipoib_cm_tx_start --> copy from the (invalid)path pointer:
+	(memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);)
+	 -> memory corruption.
+
+To fix that the driver now starts the CM/tx connection only if that
+specific path exists in the general paths database.
+This check is protected with the relevant locks, and uses the gid from
+the neigh member in the CM/tx object which is valid according to the ref
+count that was taken by the CM/tx.
+
+Fixes: 839fcaba35 ('IPoIB: Connected mode experimental support')
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/ulp/ipoib/ipoib.h      |  1 +
+ drivers/infiniband/ulp/ipoib/ipoib_cm.c   | 16 ++++++++++++++++
+ drivers/infiniband/ulp/ipoib/ipoib_main.c |  2 +-
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/ipoib/ipoib.h
++++ b/drivers/infiniband/ulp/ipoib/ipoib.h
+@@ -463,6 +463,7 @@ void ipoib_send(struct net_device *dev,
+ 		struct ipoib_ah *address, u32 qpn);
+ void ipoib_reap_ah(struct work_struct *work);
+ 
++struct ipoib_path *__path_find(struct net_device *dev, void *gid);
+ void ipoib_mark_paths_invalid(struct net_device *dev);
+ void ipoib_flush_paths(struct net_device *dev);
+ struct ipoib_dev_priv *ipoib_intf_alloc(const char *format);
+--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+@@ -1303,6 +1303,8 @@ void ipoib_cm_destroy_tx(struct ipoib_cm
+ 	}
+ }
+ 
++#define QPN_AND_OPTIONS_OFFSET	4
++
+ static void ipoib_cm_tx_start(struct work_struct *work)
+ {
+ 	struct ipoib_dev_priv *priv = container_of(work, struct ipoib_dev_priv,
+@@ -1311,6 +1313,7 @@ static void ipoib_cm_tx_start(struct wor
+ 	struct ipoib_neigh *neigh;
+ 	struct ipoib_cm_tx *p;
+ 	unsigned long flags;
++	struct ipoib_path *path;
+ 	int ret;
+ 
+ 	struct ib_sa_path_rec pathrec;
+@@ -1323,7 +1326,19 @@ static void ipoib_cm_tx_start(struct wor
+ 		p = list_entry(priv->cm.start_list.next, typeof(*p), list);
+ 		list_del_init(&p->list);
+ 		neigh = p->neigh;
++
+ 		qpn = IPOIB_QPN(neigh->daddr);
++		/*
++		 * As long as the search is with these 2 locks,
++		 * path existence indicates its validity.
++		 */
++		path = __path_find(dev, neigh->daddr + QPN_AND_OPTIONS_OFFSET);
++		if (!path) {
++			pr_info("%s ignore not valid path %pI6\n",
++				__func__,
++				neigh->daddr + QPN_AND_OPTIONS_OFFSET);
++			goto free_neigh;
++		}
+ 		memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);
+ 
+ 		spin_unlock_irqrestore(&priv->lock, flags);
+@@ -1335,6 +1350,7 @@ static void ipoib_cm_tx_start(struct wor
+ 		spin_lock_irqsave(&priv->lock, flags);
+ 
+ 		if (ret) {
++free_neigh:
+ 			neigh = p->neigh;
+ 			if (neigh) {
+ 				neigh->cm = NULL;
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -253,7 +253,7 @@ int ipoib_set_mode(struct net_device *de
+ 	return -EINVAL;
+ }
+ 
+-static struct ipoib_path *__path_find(struct net_device *dev, void *gid)
++struct ipoib_path *__path_find(struct net_device *dev, void *gid)
+ {
+ 	struct ipoib_dev_priv *priv = netdev_priv(dev);
+ 	struct rb_node *n = priv->path_tree.rb_node;
diff --git a/queue-3.16/ib-mlx4-fix-code-indentation-in-qp1-mad-flow.patch b/queue-3.16/ib-mlx4-fix-code-indentation-in-qp1-mad-flow.patch
new file mode 100644
index 0000000..0244b4d
--- /dev/null
+++ b/queue-3.16/ib-mlx4-fix-code-indentation-in-qp1-mad-flow.patch
@@ -0,0 +1,66 @@
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Mon, 12 Sep 2016 19:16:19 +0300
+Subject: IB/mlx4: Fix code indentation in QP1 MAD flow
+
+commit baa0be7026e2f7d1d40bfd45909044169e9e3c68 upstream.
+
+The indentation in the QP1 GRH flow in procedure build_mlx_header is
+really confusing. Fix it, in preparation for a commit which touches
+this code.
+
+Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/hw/mlx4/qp.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2149,24 +2149,26 @@ static int build_mlx_header(struct mlx4_
+ 		sqp->ud_header.grh.flow_label    =
+ 			ah->av.ib.sl_tclass_flowlabel & cpu_to_be32(0xfffff);
+ 		sqp->ud_header.grh.hop_limit     = ah->av.ib.hop_limit;
+-		if (is_eth)
++		if (is_eth) {
+ 			memcpy(sqp->ud_header.grh.source_gid.raw, sgid.raw, 16);
+-		else {
+-		if (mlx4_is_mfunc(to_mdev(ib_dev)->dev)) {
+-			/* When multi-function is enabled, the ib_core gid
+-			 * indexes don't necessarily match the hw ones, so
+-			 * we must use our own cache */
+-			sqp->ud_header.grh.source_gid.global.subnet_prefix =
+-				to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
+-						       subnet_prefix;
+-			sqp->ud_header.grh.source_gid.global.interface_id =
+-				to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
+-					       guid_cache[ah->av.ib.gid_index];
+-		} else
+-			ib_get_cached_gid(ib_dev,
+-					  be32_to_cpu(ah->av.ib.port_pd) >> 24,
+-					  ah->av.ib.gid_index,
+-					  &sqp->ud_header.grh.source_gid);
++		} else {
++			if (mlx4_is_mfunc(to_mdev(ib_dev)->dev)) {
++				/* When multi-function is enabled, the ib_core gid
++				 * indexes don't necessarily match the hw ones, so
++				 * we must use our own cache
++				 */
++				sqp->ud_header.grh.source_gid.global.subnet_prefix =
++					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
++							       subnet_prefix;
++				sqp->ud_header.grh.source_gid.global.interface_id =
++					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
++						       guid_cache[ah->av.ib.gid_index];
++			} else {
++				ib_get_cached_gid(ib_dev,
++						  be32_to_cpu(ah->av.ib.port_pd) >> 24,
++						  ah->av.ib.gid_index,
++						  &sqp->ud_header.grh.source_gid);
++			}
+ 		}
+ 		memcpy(sqp->ud_header.grh.destination_gid.raw,
+ 		       ah->av.ib.dgid, 16);
diff --git a/queue-3.16/ib-mlx4-fix-incorrect-mc-join-state-bit-masking-on-sr-iov.patch b/queue-3.16/ib-mlx4-fix-incorrect-mc-join-state-bit-masking-on-sr-iov.patch
new file mode 100644
index 0000000..528c78d
--- /dev/null
+++ b/queue-3.16/ib-mlx4-fix-incorrect-mc-join-state-bit-masking-on-sr-iov.patch
@@ -0,0 +1,75 @@
+From: Alex Vesker <valex@mellanox.com>
+Date: Mon, 12 Sep 2016 19:16:18 +0300
+Subject: IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV
+
+commit e5ac40cd66c2f3cd11bc5edc658f012661b16347 upstream.
+
+Because of an incorrect bit-masking done on the join state bits, when
+handling a join request we failed to detect a difference between the
+group join state and the request join state when joining as send only
+full member (0x8). This caused the MC join request not to be sent.
+This issue is relevant only when SRIOV is enabled and SM supports
+send only full member.
+
+This fix separates scope bits and join states bits a nibble each.
+
+Fixes: b9c5d6a64358 ('IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV')
+Signed-off-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/hw/mlx4/mcg.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/mcg.c
++++ b/drivers/infiniband/hw/mlx4/mcg.c
+@@ -485,7 +485,7 @@ static u8 get_leave_state(struct mcast_g
+ 		if (!group->members[i])
+ 			leave_state |= (1 << i);
+ 
+-	return leave_state & (group->rec.scope_join_state & 7);
++	return leave_state & (group->rec.scope_join_state & 0xf);
+ }
+ 
+ static int join_group(struct mcast_group *group, int slave, u8 join_mask)
+@@ -560,8 +560,8 @@ static void mlx4_ib_mcg_timeout_handler(
+ 		} else
+ 			mcg_warn_group(group, "DRIVER BUG\n");
+ 	} else if (group->state == MCAST_LEAVE_SENT) {
+-		if (group->rec.scope_join_state & 7)
+-			group->rec.scope_join_state &= 0xf8;
++		if (group->rec.scope_join_state & 0xf)
++			group->rec.scope_join_state &= 0xf0;
+ 		group->state = MCAST_IDLE;
+ 		mutex_unlock(&group->lock);
+ 		if (release_group(group, 1))
+@@ -601,7 +601,7 @@ static int handle_leave_req(struct mcast
+ static int handle_join_req(struct mcast_group *group, u8 join_mask,
+ 			   struct mcast_req *req)
+ {
+-	u8 group_join_state = group->rec.scope_join_state & 7;
++	u8 group_join_state = group->rec.scope_join_state & 0xf;
+ 	int ref = 0;
+ 	u16 status;
+ 	struct ib_sa_mcmember_data *sa_data = (struct ib_sa_mcmember_data *)req->sa_mad.data;
+@@ -686,8 +686,8 @@ static void mlx4_ib_mcg_work_handler(str
+ 			u8 cur_join_state;
+ 
+ 			resp_join_state = ((struct ib_sa_mcmember_data *)
+-						group->response_sa_mad.data)->scope_join_state & 7;
+-			cur_join_state = group->rec.scope_join_state & 7;
++						group->response_sa_mad.data)->scope_join_state & 0xf;
++			cur_join_state = group->rec.scope_join_state & 0xf;
+ 
+ 			if (method == IB_MGMT_METHOD_GET_RESP) {
+ 				/* successfull join */
+@@ -706,7 +706,7 @@ process_requests:
+ 		req = list_first_entry(&group->pending_list, struct mcast_req,
+ 				       group_list);
+ 		sa_data = (struct ib_sa_mcmember_data *)req->sa_mad.data;
+-		req_join_state = sa_data->scope_join_state & 0x7;
++		req_join_state = sa_data->scope_join_state & 0xf;
+ 
+ 		/* For a leave request, we will immediately answer the VF, and
+ 		 * update our internal counters. The actual leave will be sent
diff --git a/queue-3.16/ib-mlx4-use-correct-subnet-prefix-in-qp1-mads-under-sr-iov.patch b/queue-3.16/ib-mlx4-use-correct-subnet-prefix-in-qp1-mads-under-sr-iov.patch
new file mode 100644
index 0000000..c727e37
--- /dev/null
+++ b/queue-3.16/ib-mlx4-use-correct-subnet-prefix-in-qp1-mads-under-sr-iov.patch
@@ -0,0 +1,112 @@
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Mon, 12 Sep 2016 19:16:20 +0300
+Subject: IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV
+
+commit 8ec07bf8a8b57d6c58927a16a0a22c0115cf2855 upstream.
+
+When sending QP1 MAD packets which use a GRH, the source GID
+(which consists of the 64-bit subnet prefix, and the 64 bit port GUID)
+must be included in the packet GRH.
+
+For SR-IOV, a GID cache is used, since the source GID needs to be the
+slave's source GID, and not the Hypervisor's GID. This cache also
+included a subnet_prefix. Unfortunately, the subnet_prefix field in
+the cache was never initialized (to the default subnet prefix 0xfe80::0).
+As a result, this field remained all zeroes.  Therefore, when SR-IOV
+was active, all QP1 packets which included a GRH had a source GID
+subnet prefix of all-zeroes.
+
+However, the subnet-prefix should initially be 0xfe80::0 (the default
+subnet prefix). In addition, if OpenSM modifies a port's subnet prefix,
+the new subnet prefix must be used in the GRH when sending QP1 packets.
+To fix this we now initialize the subnet prefix in the SR-IOV GID cache
+to the default subnet prefix. We update the cached value if/when OpenSM
+modifies the port's subnet prefix. We take this cached value when sending
+QP1 packets when SR-IOV is active.
+
+Note that the value is stored as an atomic64. This eliminates any need
+for locking when the subnet prefix is being updated.
+
+Note also that we depend on the FW generating the "port management change"
+event for tracking subnet-prefix changes performed by OpenSM. If running
+early FW (before 2.9.4630), subnet prefix changes will not be tracked (but
+the default subnet prefix still will be stored in the cache; therefore
+users who do not modify the subnet prefix will not have a problem).
+IF there is a need for such tracking also for early FW, we will add that
+capability in a subsequent patch.
+
+Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/infiniband/hw/mlx4/mad.c     | 23 +++++++++++++++++++++++
+ drivers/infiniband/hw/mlx4/mlx4_ib.h |  2 +-
+ drivers/infiniband/hw/mlx4/qp.c      |  5 +++--
+ 3 files changed, 27 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/mad.c
++++ b/drivers/infiniband/hw/mlx4/mad.c
+@@ -1062,6 +1062,27 @@ void handle_port_mgmt_change_event(struc
+ 
+ 		/* Generate GUID changed event */
+ 		if (changed_attr & MLX4_EQ_PORT_INFO_GID_PFX_CHANGE_MASK) {
++			if (mlx4_is_master(dev->dev)) {
++				union ib_gid gid;
++				int err = 0;
++
++				if (!eqe->event.port_mgmt_change.params.port_info.gid_prefix)
++					err = __mlx4_ib_query_gid(&dev->ib_dev, port, 0, &gid, 1);
++				else
++					gid.global.subnet_prefix =
++						eqe->event.port_mgmt_change.params.port_info.gid_prefix;
++				if (err) {
++					pr_warn("Could not change QP1 subnet prefix for port %d: query_gid error (%d)\n",
++						port, err);
++				} else {
++					pr_debug("Changing QP1 subnet prefix for port %d. old=0x%llx. new=0x%llx\n",
++						 port,
++						 (u64)atomic64_read(&dev->sriov.demux[port - 1].subnet_prefix),
++						 be64_to_cpu(gid.global.subnet_prefix));
++					atomic64_set(&dev->sriov.demux[port - 1].subnet_prefix,
++						     be64_to_cpu(gid.global.subnet_prefix));
++				}
++			}
+ 			mlx4_ib_dispatch_event(dev, port, IB_EVENT_GID_CHANGE);
+ 			/*if master, notify all slaves*/
+ 			if (mlx4_is_master(dev->dev))
+@@ -2134,6 +2155,8 @@ int mlx4_ib_init_sriov(struct mlx4_ib_de
+ 		if (err)
+ 			goto demux_err;
+ 		dev->sriov.demux[i].guid_cache[0] = gid.global.interface_id;
++		atomic64_set(&dev->sriov.demux[i].subnet_prefix,
++			     be64_to_cpu(gid.global.subnet_prefix));
+ 		err = alloc_pv_object(dev, mlx4_master_func_num(dev->dev), i + 1,
+ 				      &dev->sriov.sqps[i]);
+ 		if (err)
+--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
++++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
+@@ -417,7 +417,7 @@ struct mlx4_ib_demux_ctx {
+ 	struct workqueue_struct *wq;
+ 	struct workqueue_struct *ud_wq;
+ 	spinlock_t ud_lock;
+-	__be64 subnet_prefix;
++	atomic64_t subnet_prefix;
+ 	__be64 guid_cache[128];
+ 	struct mlx4_ib_dev *dev;
+ 	/* the following lock protects both mcg_table and mcg_mgid0_list */
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2158,8 +2158,9 @@ static int build_mlx_header(struct mlx4_
+ 				 * we must use our own cache
+ 				 */
+ 				sqp->ud_header.grh.source_gid.global.subnet_prefix =
+-					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
+-							       subnet_prefix;
++					cpu_to_be64(atomic64_read(&(to_mdev(ib_dev)->sriov.
++								    demux[sqp->qp.port - 1].
++								    subnet_prefix)));
+ 				sqp->ud_header.grh.source_gid.global.interface_id =
+ 					to_mdev(ib_dev)->sriov.demux[sqp->qp.port - 1].
+ 						       guid_cache[ah->av.ib.gid_index];
diff --git a/queue-3.16/ib-mlx5-fix-modify_qp-command-input-structure.patch b/queue-3.16/ib-mlx5-fix-modify_qp-command-input-structure.patch
new file mode 100644
index 0000000..a5f567f
--- /dev/null
+++ b/queue-3.16/ib-mlx5-fix-modify_qp-command-input-structure.patch
@@ -0,0 +1,31 @@
+From: Artemy Kovalyov <artemyko@mellanox.com>
+Date: Fri, 17 Jun 2016 15:33:31 +0300
+Subject: IB/mlx5: Fix MODIFY_QP command input structure
+
+commit e3353c268b06236d6c40fa1714c114f21f44451c upstream.
+
+Make MODIFY_QP command input structure compliant to specification
+
+Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
+Signed-off-by: Artemy Kovalyov <artemyko@mellanox.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/mlx5/qp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mlx5/qp.h
++++ b/include/linux/mlx5/qp.h
+@@ -442,9 +442,9 @@ struct mlx5_destroy_qp_mbox_out {
+ struct mlx5_modify_qp_mbox_in {
+ 	struct mlx5_inbox_hdr	hdr;
+ 	__be32			qpn;
+-	u8			rsvd1[4];
+-	__be32			optparam;
+ 	u8			rsvd0[4];
++	__be32			optparam;
++	u8			rsvd1[4];
+ 	struct mlx5_qp_context	ctx;
+ 	u8			rsvd2[16];
+ };
diff --git a/queue-3.16/iio-accel-kxsd9-fix-raw-read-return.patch b/queue-3.16/iio-accel-kxsd9-fix-raw-read-return.patch
new file mode 100644
index 0000000..299f40d
--- /dev/null
+++ b/queue-3.16/iio-accel-kxsd9-fix-raw-read-return.patch
@@ -0,0 +1,28 @@
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Aug 2016 15:33:28 +0200
+Subject: iio: accel: kxsd9: Fix raw read return
+
+commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 upstream.
+
+Any readings from the raw interface of the KXSD9 driver will
+return an empty string, because it does not return
+IIO_VAL_INT but rather some random value from the accelerometer
+to the caller.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/accel/kxsd9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -160,6 +160,7 @@ static int kxsd9_read_raw(struct iio_dev
+ 		if (ret < 0)
+ 			goto error_ret;
+ 		*val = ret;
++		ret = IIO_VAL_INT;
+ 		break;
+ 	case IIO_CHAN_INFO_SCALE:
+ 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
diff --git a/queue-3.16/iio-accel-kxsd9-fix-scaling-bug.patch b/queue-3.16/iio-accel-kxsd9-fix-scaling-bug.patch
new file mode 100644
index 0000000..4abcfcf
--- /dev/null
+++ b/queue-3.16/iio-accel-kxsd9-fix-scaling-bug.patch
@@ -0,0 +1,36 @@
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Thu, 1 Sep 2016 11:44:35 +0200
+Subject: iio: accel: kxsd9: Fix scaling bug
+
+commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de upstream.
+
+All the scaling of the KXSD9 involves multiplication with a
+fraction number < 1.
+
+However the scaling value returned from IIO_INFO_SCALE was
+unpredictable as only the micros of the value was assigned, and
+not the integer part, resulting in scaling like this:
+
+$cat in_accel_scale
+-1057462640.011978
+
+Fix this by assigning zero to the integer part.
+
+Tested-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/accel/kxsd9.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/accel/kxsd9.c
++++ b/drivers/iio/accel/kxsd9.c
+@@ -166,6 +166,7 @@ static int kxsd9_read_raw(struct iio_dev
+ 		ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
+ 		if (ret < 0)
+ 			goto error_ret;
++		*val = 0;
+ 		*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
+ 		ret = IIO_VAL_INT_PLUS_MICRO;
+ 		break;
diff --git a/queue-3.16/iio-adc-at91-unbreak-channel-adc-channel-3.patch b/queue-3.16/iio-adc-at91-unbreak-channel-adc-channel-3.patch
new file mode 100644
index 0000000..1ce2257
--- /dev/null
+++ b/queue-3.16/iio-adc-at91-unbreak-channel-adc-channel-3.patch
@@ -0,0 +1,38 @@
+From: Anders Darander <anders@chargestorm.se>
+Date: Mon, 8 Aug 2016 14:42:16 +0200
+Subject: iio: adc: at91: unbreak channel adc channel 3
+
+commit c2ab447454d498e709d9011c0f2d2945ee321f9b upstream.
+
+The driver always assumes that an input device has been created when
+reading channel 3. This causes a kernel panic when dereferencing
+st->ts_input.
+
+The change was introduced in
+commit 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens
+without TSMR"). Earlier versions only entered that part of the if-else
+statement if only the following flags are set:
+
+AT91_ADC_IER_XRDY | AT91_ADC_IER_YRDY | AT91_ADC_IER_PRDY
+
+Signed-off-by: Anders Darander <anders@chargestorm.se>
+Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/adc/at91_adc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -381,8 +381,8 @@ static irqreturn_t at91_adc_rl_interrupt
+ 		st->ts_bufferedmeasure = false;
+ 		input_report_key(st->ts_input, BTN_TOUCH, 0);
+ 		input_sync(st->ts_input);
+-	} else if (status & AT91_ADC_EOC(3)) {
+-		/* Conversion finished */
++	} else if (status & AT91_ADC_EOC(3) && st->ts_input) {
++		/* Conversion finished and we've a touchscreen */
+ 		if (st->ts_bufferedmeasure) {
+ 			/*
+ 			 * Last measurement is always discarded, since it can
diff --git a/queue-3.16/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch b/queue-3.16/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
new file mode 100644
index 0000000..91d48aa
--- /dev/null
+++ b/queue-3.16/iio-adc-ti_am335x_adc-protect-fifo1-from-concurrent-access.patch
@@ -0,0 +1,83 @@
+From: Vignesh R <vigneshr@ti.com>
+Date: Wed, 17 Aug 2016 17:43:00 +0530
+Subject: iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
+
+commit 90c43ec6997a892448f1f86180a515f59cafd8a3 upstream.
+
+It is possible that two or more ADC channels can be simultaneously
+requested for raw samples, in which case there can be race in access to
+FIFO data resulting in loss of samples.
+If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when
+ADC is still acquired to sample one of the channels, the second process
+might be put into uninterruptible sleep state. Fix these issues, by
+protecting FIFO access and channel configurations with a mutex. Since
+tiadc_read_raw() might take anywhere between few microseconds to few
+milliseconds to finish execution (depending on averaging and delay
+values supplied via DT), its better to use mutex instead of spinlock.
+
+Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization")
+Signed-off-by: Vignesh R <vigneshr@ti.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/adc/ti_am335x_adc.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/adc/ti_am335x_adc.c
++++ b/drivers/iio/adc/ti_am335x_adc.c
+@@ -32,6 +32,7 @@
+ 
+ struct tiadc_device {
+ 	struct ti_tscadc_dev *mfd_tscadc;
++	struct mutex fifo1_lock; /* to protect fifo access */
+ 	int channels;
+ 	u8 channel_line[8];
+ 	u8 channel_step[8];
+@@ -341,6 +342,7 @@ static int tiadc_read_raw(struct iio_dev
+ 		int *val, int *val2, long mask)
+ {
+ 	struct tiadc_device *adc_dev = iio_priv(indio_dev);
++	int ret = IIO_VAL_INT;
+ 	int i, map_val;
+ 	unsigned int fifo1count, read, stepid;
+ 	bool found = false;
+@@ -354,6 +356,7 @@ static int tiadc_read_raw(struct iio_dev
+ 	if (!step_en)
+ 		return -EINVAL;
+ 
++	mutex_lock(&adc_dev->fifo1_lock);
+ 	fifo1count = tiadc_readl(adc_dev, REG_FIFO1CNT);
+ 	while (fifo1count--)
+ 		tiadc_readl(adc_dev, REG_FIFO1);
+@@ -370,7 +373,8 @@ static int tiadc_read_raw(struct iio_dev
+ 
+ 		if (time_after(jiffies, timeout)) {
+ 			am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+-			return -EAGAIN;
++			ret = -EAGAIN;
++			goto err_unlock;
+ 		}
+ 	}
+ 	map_val = adc_dev->channel_step[chan->scan_index];
+@@ -396,8 +400,11 @@ static int tiadc_read_raw(struct iio_dev
+ 	am335x_tsc_se_adc_done(adc_dev->mfd_tscadc);
+ 
+ 	if (found == false)
+-		return -EBUSY;
+-	return IIO_VAL_INT;
++		ret =  -EBUSY;
++
++err_unlock:
++	mutex_unlock(&adc_dev->fifo1_lock);
++	return ret;
+ }
+ 
+ static const struct iio_info tiadc_info = {
+@@ -444,6 +451,7 @@ static int tiadc_probe(struct platform_d
+ 
+ 	tiadc_step_config(indio_dev);
+ 	tiadc_writel(adc_dev, REG_FIFO1THR, FIFO1_THRESHOLD);
++	mutex_init(&adc_dev->fifo1_lock);
+ 
+ 	err = tiadc_channel_init(indio_dev, adc_dev->channels);
+ 	if (err < 0)
diff --git a/queue-3.16/iio-core-fix-iio_val_fractional-sign-handling.patch b/queue-3.16/iio-core-fix-iio_val_fractional-sign-handling.patch
new file mode 100644
index 0000000..f80ae1b
--- /dev/null
+++ b/queue-3.16/iio-core-fix-iio_val_fractional-sign-handling.patch
@@ -0,0 +1,39 @@
+From: Gregor Boirie <gregor.boirie@parrot.com>
+Date: Fri, 2 Sep 2016 20:27:46 +0200
+Subject: iio:core: fix IIO_VAL_FRACTIONAL sign handling
+
+commit 171c0091837c81ed5c949fec6966bb5afff2d1cf upstream.
+
+7985e7c100 ("iio: Introduce a new fractional value type") introduced a
+new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers
+expressed by a numerator and denominator combination.
+
+Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This
+fails handling negative values properly since parameters are reevaluated
+as unsigned values.
+Fix this by using div_s64_rem() instead. Computed integer part will carry
+properly signed value. Formatted fractional part will always be positive.
+
+Fixes: 7985e7c100 ("iio: Introduce a new fractional value type")
+Signed-off-by: Gregor Boirie <gregor.boirie@parrot.com>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/industrialio-core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -404,9 +404,8 @@ ssize_t iio_format_value(char *buf, unsi
+ 			return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
+ 	case IIO_VAL_FRACTIONAL:
+ 		tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
+-		vals[1] = do_div(tmp, 1000000000LL);
+-		vals[0] = tmp;
+-		return sprintf(buf, "%d.%09u\n", vals[0], vals[1]);
++		vals[0] = (int)div_s64_rem(tmp, 1000000000, &vals[1]);
++		return sprintf(buf, "%d.%09u\n", vals[0], abs(vals[1]));
+ 	case IIO_VAL_FRACTIONAL_LOG2:
+ 		tmp = (s64)vals[0] * 1000000000LL >> vals[1];
+ 		vals[1] = do_div(tmp, 1000000000LL);
diff --git a/queue-3.16/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch b/queue-3.16/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
new file mode 100644
index 0000000..9bd7287
--- /dev/null
+++ b/queue-3.16/iio-fix-pressure-data-output-unit-in-hid-sensor-attributes.patch
@@ -0,0 +1,34 @@
+From: "Kweh, Hock Leong" <hock.leong.kweh@intel.com>
+Date: Mon, 29 Aug 2016 18:50:56 +0800
+Subject: iio: fix pressure data output unit in hid-sensor-attributes
+
+commit 36afb176d3c9580651d7f410ed7f000ec48b5137 upstream.
+
+According to IIO ABI definition, IIO_PRESSURE data output unit is
+kilopascal:
+http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio
+
+This patch fix output unit of HID pressure sensor IIO driver from pascal to
+kilopascal to follow IIO ABI definition.
+
+Signed-off-by: Kweh, Hock Leong <hock.leong.kweh@intel.com>
+Reviewed-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c
+@@ -56,8 +56,8 @@ struct {
+ 	{HID_USAGE_SENSOR_ALS, 0, 1, 0},
+ 	{HID_USAGE_SENSOR_ALS, HID_USAGE_SENSOR_UNITS_LUX, 1, 0},
+ 
+-	{HID_USAGE_SENSOR_PRESSURE, 0, 100000, 0},
+-	{HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 1, 0},
++	{HID_USAGE_SENSOR_PRESSURE, 0, 100, 0},
++	{HID_USAGE_SENSOR_PRESSURE, HID_USAGE_SENSOR_UNITS_PASCAL, 0, 1000},
+ };
+ 
+ static int pow_10(unsigned power)
diff --git a/queue-3.16/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch b/queue-3.16/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
new file mode 100644
index 0000000..2ee96cc
--- /dev/null
+++ b/queue-3.16/iio-proximity-as3935-set-up-buffer-timestamps-for-non-zero-values.patch
@@ -0,0 +1,28 @@
+From: Alison Schofield <amsfield22@gmail.com>
+Date: Mon, 11 Jul 2016 08:26:56 -0700
+Subject: iio: proximity: as3935: set up buffer timestamps for non-zero values
+
+commit f8adf645db03345af2d9a8b6095b02327ea50885 upstream.
+
+Use the iio_pollfunc_store_time parameter during triggered buffer
+set-up to get valid timestamps.
+
+Signed-off-by: Alison Schofield <amsfield22@gmail.com>
+Cc: Daniel Baluta <daniel.baluta@gmail.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/iio/proximity/as3935.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -389,7 +389,7 @@ static int as3935_probe(struct spi_devic
+ 		return ret;
+ 	}
+ 
+-	ret = iio_triggered_buffer_setup(indio_dev, NULL,
++	ret = iio_triggered_buffer_setup(indio_dev, iio_pollfunc_store_time,
+ 		&as3935_trigger_handler, NULL);
+ 
+ 	if (ret) {
diff --git a/queue-3.16/input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch b/queue-3.16/input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch
new file mode 100644
index 0000000..cdb44e3
--- /dev/null
+++ b/queue-3.16/input-i8042-break-load-dependency-between-atkbd-psmouse-and-i8042.patch
@@ -0,0 +1,164 @@
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 25 Jul 2016 11:36:54 -0700
+Subject: Input: i8042 - break load dependency between atkbd/psmouse and i8042
+
+commit 4097461897df91041382ff6fcd2bfa7ee6b2448c upstream.
+
+As explained in 1407814240-4275-1-git-send-email-decui@microsoft.com we
+have a hard load dependency between i8042 and atkbd which prevents
+keyboard from working on Gen2 Hyper-V VMs.
+
+> hyperv_keyboard invokes serio_interrupt(), which needs a valid serio
+> driver like atkbd.c.  atkbd.c depends on libps2.c because it invokes
+> ps2_command().  libps2.c depends on i8042.c because it invokes
+> i8042_check_port_owner().  As a result, hyperv_keyboard actually
+> depends on i8042.c.
+>
+> For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a
+> Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042=m
+> rather than =y, atkbd.ko can't load because i8042.ko can't load(due to
+> no i8042 device emulated) and finally hyperv_keyboard can't work and
+> the user can't input: https://bugs.archlinux.org/task/39820
+> (Ubuntu/RHEL/SUSE aren't affected since they use CONFIG_SERIO_I8042=y)
+
+To break the dependency we move away from using i8042_check_port_owner()
+and instead allow serio port owner specify a mutex that clients should use
+to serialize PS/2 command stream.
+
+Reported-by: Mark Laws <mdl@60hz.org>
+Tested-by: Mark Laws <mdl@60hz.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/serio/i8042.c  | 16 +---------------
+ drivers/input/serio/libps2.c | 10 ++++------
+ include/linux/i8042.h        |  6 ------
+ include/linux/serio.h        | 24 +++++++++++++++++++-----
+ 4 files changed, 24 insertions(+), 32 deletions(-)
+
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -1230,6 +1230,7 @@ static int __init i8042_create_kbd_port(
+ 	serio->start		= i8042_start;
+ 	serio->stop		= i8042_stop;
+ 	serio->close		= i8042_port_close;
++	serio->ps2_cmd_mutex	= &i8042_mutex;
+ 	serio->port_data	= port;
+ 	serio->dev.parent	= &i8042_platform_device->dev;
+ 	strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name));
+@@ -1321,21 +1322,6 @@ static void i8042_unregister_ports(void)
+ 	}
+ }
+ 
+-/*
+- * Checks whether port belongs to i8042 controller.
+- */
+-bool i8042_check_port_owner(const struct serio *port)
+-{
+-	int i;
+-
+-	for (i = 0; i < I8042_NUM_PORTS; i++)
+-		if (i8042_ports[i].serio == port)
+-			return true;
+-
+-	return false;
+-}
+-EXPORT_SYMBOL(i8042_check_port_owner);
+-
+ static void i8042_free_irqs(void)
+ {
+ 	if (i8042_aux_irq_registered)
+--- a/drivers/input/serio/libps2.c
++++ b/drivers/input/serio/libps2.c
+@@ -56,19 +56,17 @@ EXPORT_SYMBOL(ps2_sendbyte);
+ 
+ void ps2_begin_command(struct ps2dev *ps2dev)
+ {
+-	mutex_lock(&ps2dev->cmd_mutex);
++	struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
+ 
+-	if (i8042_check_port_owner(ps2dev->serio))
+-		i8042_lock_chip();
++	mutex_lock(m);
+ }
+ EXPORT_SYMBOL(ps2_begin_command);
+ 
+ void ps2_end_command(struct ps2dev *ps2dev)
+ {
+-	if (i8042_check_port_owner(ps2dev->serio))
+-		i8042_unlock_chip();
++	struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
+ 
+-	mutex_unlock(&ps2dev->cmd_mutex);
++	mutex_unlock(m);
+ }
+ EXPORT_SYMBOL(ps2_end_command);
+ 
+--- a/include/linux/i8042.h
++++ b/include/linux/i8042.h
+@@ -62,7 +62,6 @@ struct serio;
+ void i8042_lock_chip(void);
+ void i8042_unlock_chip(void);
+ int i8042_command(unsigned char *param, int command);
+-bool i8042_check_port_owner(const struct serio *);
+ int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
+ 					struct serio *serio));
+ int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str,
+@@ -83,11 +82,6 @@ static inline int i8042_command(unsigned
+ 	return -ENODEV;
+ }
+ 
+-static inline bool i8042_check_port_owner(const struct serio *serio)
+-{
+-	return false;
+-}
+-
+ static inline int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
+ 					struct serio *serio))
+ {
+--- a/include/linux/serio.h
++++ b/include/linux/serio.h
+@@ -29,7 +29,8 @@ struct serio {
+ 
+ 	struct serio_device_id id;
+ 
+-	spinlock_t lock;		/* protects critical sections from port's interrupt handler */
++	/* Protects critical sections from port's interrupt handler */
++	spinlock_t lock;
+ 
+ 	int (*write)(struct serio *, unsigned char);
+ 	int (*open)(struct serio *);
+@@ -38,16 +39,29 @@ struct serio {
+ 	void (*stop)(struct serio *);
+ 
+ 	struct serio *parent;
+-	struct list_head child_node;	/* Entry in parent->children list */
++	/* Entry in parent->children list */
++	struct list_head child_node;
+ 	struct list_head children;
+-	unsigned int depth;		/* level of nesting in serio hierarchy */
++	/* Level of nesting in serio hierarchy */
++	unsigned int depth;
+ 
+-	struct serio_driver *drv;	/* accessed from interrupt, must be protected by serio->lock and serio->sem */
+-	struct mutex drv_mutex;		/* protects serio->drv so attributes can pin driver */
++	/*
++	 * serio->drv is accessed from interrupt handlers; when modifying
++	 * caller should acquire serio->drv_mutex and serio->lock.
++	 */
++	struct serio_driver *drv;
++	/* Protects serio->drv so attributes can pin current driver */
++	struct mutex drv_mutex;
+ 
+ 	struct device dev;
+ 
+ 	struct list_head node;
++
++	/*
++	 * For use by PS/2 layer when several ports share hardware and
++	 * may get indigestion when exposed to concurrent access (i8042).
++	 */
++	struct mutex *ps2_cmd_mutex;
+ };
+ #define to_serio_port(d)	container_of(d, struct serio, dev)
+ 
diff --git a/queue-3.16/input-i8042-set-up-shared-ps2_cmd_mutex-for-aux-ports.patch b/queue-3.16/input-i8042-set-up-shared-ps2_cmd_mutex-for-aux-ports.patch
new file mode 100644
index 0000000..27baad7
--- /dev/null
+++ b/queue-3.16/input-i8042-set-up-shared-ps2_cmd_mutex-for-aux-ports.patch
@@ -0,0 +1,30 @@
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 16 Aug 2016 17:38:54 -0700
+Subject: Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
+
+commit 47af45d684b5f3ae000ad448db02ce4f13f73273 upstream.
+
+The commit 4097461897df ("Input: i8042 - break load dependency ...")
+correctly set up ps2_cmd_mutex pointer for the KBD port but forgot to do
+the same for AUX port(s), which results in communication on KBD and AUX
+ports to clash with each other.
+
+Fixes: 4097461897df ("Input: i8042 - break load dependency ...")
+Reported-by: Bruno Wolff III <bruno@wolff.to>
+Tested-by: Bruno Wolff III <bruno@wolff.to>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/serio/i8042.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -1258,6 +1258,7 @@ static int __init i8042_create_aux_port(
+ 	serio->write		= i8042_aux_write;
+ 	serio->start		= i8042_start;
+ 	serio->stop		= i8042_stop;
++	serio->ps2_cmd_mutex	= &i8042_mutex;
+ 	serio->port_data	= port;
+ 	serio->dev.parent	= &i8042_platform_device->dev;
+ 	if (idx < 0) {
diff --git a/queue-3.16/input-tegra-kbc-fix-inverted-reset-logic.patch b/queue-3.16/input-tegra-kbc-fix-inverted-reset-logic.patch
new file mode 100644
index 0000000..2d53495
--- /dev/null
+++ b/queue-3.16/input-tegra-kbc-fix-inverted-reset-logic.patch
@@ -0,0 +1,31 @@
+From: Masahiro Yamada <yamada.masahiro@socionext.com>
+Date: Mon, 22 Aug 2016 13:25:56 -0700
+Subject: Input: tegra-kbc - fix inverted reset logic
+
+commit fae16989be77b09bab86c79233e4b511ea769cea upstream.
+
+Commit fe6b0dfaba68 ("Input: tegra-kbc - use reset framework")
+accidentally converted _deassert to _assert, so there is no code
+to wake up this hardware.
+
+Fixes: fe6b0dfaba68 ("Input: tegra-kbc - use reset framework")
+Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Acked-by: Laxman Dewangan <ldewangan@nvidia.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/keyboard/tegra-kbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/tegra-kbc.c
++++ b/drivers/input/keyboard/tegra-kbc.c
+@@ -376,7 +376,7 @@ static int tegra_kbc_start(struct tegra_
+ 	/* Reset the KBC controller to clear all previous status.*/
+ 	reset_control_assert(kbc->rst);
+ 	udelay(100);
+-	reset_control_assert(kbc->rst);
++	reset_control_deassert(kbc->rst);
+ 	udelay(100);
+ 
+ 	tegra_kbc_config_pins(kbc);
diff --git a/queue-3.16/input-xpad-validate-usb-endpoint-count-during-probe.patch b/queue-3.16/input-xpad-validate-usb-endpoint-count-during-probe.patch
new file mode 100644
index 0000000..68334f2
--- /dev/null
+++ b/queue-3.16/input-xpad-validate-usb-endpoint-count-during-probe.patch
@@ -0,0 +1,27 @@
+From: Cameron Gutman <aicommander@gmail.com>
+Date: Wed, 29 Jun 2016 09:51:35 -0700
+Subject: Input: xpad - validate USB endpoint count during probe
+
+commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.
+
+This prevents a malicious USB device from causing an oops.
+
+Signed-off-by: Cameron Gutman <aicommander@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/input/joystick/xpad.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -883,6 +883,9 @@ static int xpad_probe(struct usb_interfa
+ 	struct usb_endpoint_descriptor *ep_irq_in;
+ 	int i, error;
+ 
++	if (intf->cur_altsetting->desc.bNumEndpoints != 2)
++		return -ENODEV;
++
+ 	for (i = 0; xpad_device[i].idVendor; i++) {
+ 		if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
+ 		    (le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))
diff --git a/queue-3.16/ip6_gre-fix-flowi6_proto-value-in-ip6gre_xmit_other.patch b/queue-3.16/ip6_gre-fix-flowi6_proto-value-in-ip6gre_xmit_other.patch
new file mode 100644
index 0000000..928bb31
--- /dev/null
+++ b/queue-3.16/ip6_gre-fix-flowi6_proto-value-in-ip6gre_xmit_other.patch
@@ -0,0 +1,37 @@
+From: Lance Richardson <lrichard@redhat.com>
+Date: Fri, 23 Sep 2016 15:50:29 -0400
+Subject: ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()
+
+commit db32e4e49ce2b0e5fcc17803d011a401c0a637f6 upstream.
+
+Similar to commit 3be07244b733 ("ip6_gre: fix flowi6_proto value in
+xmit path"), set flowi6_proto to IPPROTO_GRE for output route lookup.
+
+Up until now, ip6gre_xmit_other() has set flowi6_proto to a bogus value.
+This affected output route lookup for packets sent on an ip6gretap device
+in cases where routing was dependent on the value of flowi6_proto.
+
+Since the correct proto is already set in the tunnel flowi6 template via
+commit 252f3f5a1189 ("ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit
+path."), simply delete the line setting the incorrect flowi6_proto value.
+
+Suggested-by: Jiri Benc <jbenc@redhat.com>
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Signed-off-by: Lance Richardson <lrichard@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv6/ip6_gre.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -881,7 +881,6 @@ static int ip6gre_xmit_other(struct sk_b
+ 		encap_limit = t->parms.encap_limit;
+ 
+ 	memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
+-	fl6.flowi6_proto = skb->protocol;
+ 
+ 	err = ip6gre_xmit2(skb, dev, 0, &fl6, encap_limit, &mtu);
+ 
diff --git a/queue-3.16/ip6_gre-set-flowi6_proto-as-ipproto_gre-in-xmit-path.patch b/queue-3.16/ip6_gre-set-flowi6_proto-as-ipproto_gre-in-xmit-path.patch
new file mode 100644
index 0000000..e4d98a6
--- /dev/null
+++ b/queue-3.16/ip6_gre-set-flowi6_proto-as-ipproto_gre-in-xmit-path.patch
@@ -0,0 +1,26 @@
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sat, 21 May 2016 18:17:35 +0800
+Subject: ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path.
+
+commit 252f3f5a1189a7f6c309d8e4ff1c4c1888a27f13 upstream.
+
+In gre6 xmit path, we are sending a GRE packet, so set fl6 proto
+to IPPROTO_GRE properly.
+
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv6/ip6_gre.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -939,6 +939,7 @@ static void ip6gre_tnl_link_config(struc
+ 	fl6->daddr = p->raddr;
+ 	fl6->flowi6_oif = p->link;
+ 	fl6->flowlabel = 0;
++	fl6->flowi6_proto = IPPROTO_GRE;
+ 
+ 	if (!(p->flags&IP6_TNL_F_USE_ORIG_TCLASS))
+ 		fl6->flowlabel |= IPV6_TCLASS_MASK & p->flowinfo;
diff --git a/queue-3.16/ipmr-ip6mr-fix-scheduling-while-atomic-and-a-deadlock-with.patch b/queue-3.16/ipmr-ip6mr-fix-scheduling-while-atomic-and-a-deadlock-with.patch
new file mode 100644
index 0000000..304d716
--- /dev/null
+++ b/queue-3.16/ipmr-ip6mr-fix-scheduling-while-atomic-and-a-deadlock-with.patch
@@ -0,0 +1,158 @@
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Sun, 25 Sep 2016 23:08:31 +0200
+Subject: ipmr, ip6mr: fix scheduling while atomic and a deadlock with
+ ipmr_get_route
+
+commit 2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8 upstream.
+
+Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid
+instead of the previous dst_pid which was copied from in_skb's portid.
+Since the skb is new the portid is 0 at that point so the packets are sent
+to the kernel and we get scheduling while atomic or a deadlock (depending
+on where it happens) by trying to acquire rtnl two times.
+Also since this is RTM_GETROUTE, it can be triggered by a normal user.
+
+Here's the sleeping while atomic trace:
+[ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
+[ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
+[ 7858.212881] 2 locks held by swapper/0/0:
+[ 7858.213013]  #0:  (((&mrt->ipmr_expire_timer))){+.-...}, at: [<ffffffff810fbbf5>] call_timer_fn+0x5/0x350
+[ 7858.213422]  #1:  (mfc_unres_lock){+.....}, at: [<ffffffff8161e005>] ipmr_expire_process+0x25/0x130
+[ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179
+[ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+[ 7858.214108]  0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000
+[ 7858.214412]  ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e
+[ 7858.214716]  000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f
+[ 7858.215251] Call Trace:
+[ 7858.215412]  <IRQ>  [<ffffffff813a7804>] dump_stack+0x85/0xc1
+[ 7858.215662]  [<ffffffff810a4a72>] ___might_sleep+0x192/0x250
+[ 7858.215868]  [<ffffffff810a4b9f>] __might_sleep+0x6f/0x100
+[ 7858.216072]  [<ffffffff8165bea3>] mutex_lock_nested+0x33/0x4d0
+[ 7858.216279]  [<ffffffff815a7a5f>] ? netlink_lookup+0x25f/0x460
+[ 7858.216487]  [<ffffffff8157474b>] rtnetlink_rcv+0x1b/0x40
+[ 7858.216687]  [<ffffffff815a9a0c>] netlink_unicast+0x19c/0x260
+[ 7858.216900]  [<ffffffff81573c70>] rtnl_unicast+0x20/0x30
+[ 7858.217128]  [<ffffffff8161cd39>] ipmr_destroy_unres+0xa9/0xf0
+[ 7858.217351]  [<ffffffff8161e06f>] ipmr_expire_process+0x8f/0x130
+[ 7858.217581]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
+[ 7858.217785]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
+[ 7858.217990]  [<ffffffff810fbc95>] call_timer_fn+0xa5/0x350
+[ 7858.218192]  [<ffffffff810fbbf5>] ? call_timer_fn+0x5/0x350
+[ 7858.218415]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
+[ 7858.218656]  [<ffffffff810fde10>] run_timer_softirq+0x260/0x640
+[ 7858.218865]  [<ffffffff8166379b>] ? __do_softirq+0xbb/0x54f
+[ 7858.219068]  [<ffffffff816637c8>] __do_softirq+0xe8/0x54f
+[ 7858.219269]  [<ffffffff8107a948>] irq_exit+0xb8/0xc0
+[ 7858.219463]  [<ffffffff81663452>] smp_apic_timer_interrupt+0x42/0x50
+[ 7858.219678]  [<ffffffff816625bc>] apic_timer_interrupt+0x8c/0xa0
+[ 7858.219897]  <EOI>  [<ffffffff81055f16>] ? native_safe_halt+0x6/0x10
+[ 7858.220165]  [<ffffffff810d64dd>] ? trace_hardirqs_on+0xd/0x10
+[ 7858.220373]  [<ffffffff810298e3>] default_idle+0x23/0x190
+[ 7858.220574]  [<ffffffff8102a20f>] arch_cpu_idle+0xf/0x20
+[ 7858.220790]  [<ffffffff810c9f8c>] default_idle_call+0x4c/0x60
+[ 7858.221016]  [<ffffffff810ca33b>] cpu_startup_entry+0x39b/0x4d0
+[ 7858.221257]  [<ffffffff8164f995>] rest_init+0x135/0x140
+[ 7858.221469]  [<ffffffff81f83014>] start_kernel+0x50e/0x51b
+[ 7858.221670]  [<ffffffff81f82120>] ? early_idt_handler_array+0x120/0x120
+[ 7858.221894]  [<ffffffff81f8243f>] x86_64_start_reservations+0x2a/0x2c
+[ 7858.222113]  [<ffffffff81f8257c>] x86_64_start_kernel+0x13b/0x14a
+
+Fixes: 2942e9005056 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/mroute.h  | 2 +-
+ include/linux/mroute6.h | 2 +-
+ net/ipv4/ipmr.c         | 3 ++-
+ net/ipv4/route.c        | 3 ++-
+ net/ipv6/ip6mr.c        | 5 +++--
+ net/ipv6/route.c        | 4 +++-
+ 6 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/include/linux/mroute.h
++++ b/include/linux/mroute.h
+@@ -103,5 +103,5 @@ struct mfc_cache {
+ struct rtmsg;
+ extern int ipmr_get_route(struct net *net, struct sk_buff *skb,
+ 			  __be32 saddr, __be32 daddr,
+-			  struct rtmsg *rtm, int nowait);
++			  struct rtmsg *rtm, int nowait, u32 portid);
+ #endif
+--- a/include/linux/mroute6.h
++++ b/include/linux/mroute6.h
+@@ -115,7 +115,7 @@ struct mfc6_cache {
+ 
+ struct rtmsg;
+ extern int ip6mr_get_route(struct net *net, struct sk_buff *skb,
+-			   struct rtmsg *rtm, int nowait);
++			   struct rtmsg *rtm, int nowait, u32 portid);
+ 
+ #ifdef CONFIG_IPV6_MROUTE
+ extern struct sock *mroute6_socket(struct net *net, struct sk_buff *skb);
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -2188,7 +2188,7 @@ static int __ipmr_fill_mroute(struct mr_
+ 
+ int ipmr_get_route(struct net *net, struct sk_buff *skb,
+ 		   __be32 saddr, __be32 daddr,
+-		   struct rtmsg *rtm, int nowait)
++		   struct rtmsg *rtm, int nowait, u32 portid)
+ {
+ 	struct mfc_cache *cache;
+ 	struct mr_table *mrt;
+@@ -2233,6 +2233,7 @@ int ipmr_get_route(struct net *net, stru
+ 			return -ENOMEM;
+ 		}
+ 
++		NETLINK_CB(skb2).portid = portid;
+ 		skb_push(skb2, sizeof(struct iphdr));
+ 		skb_reset_network_header(skb2);
+ 		iph = ip_hdr(skb2);
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2413,7 +2413,8 @@ static int rt_fill_info(struct net *net,
+ 		    IPV4_DEVCONF_ALL(net, MC_FORWARDING)) {
+ 			int err = ipmr_get_route(net, skb,
+ 						 fl4->saddr, fl4->daddr,
+-						 r, nowait);
++						 r, nowait, portid);
++
+ 			if (err <= 0) {
+ 				if (!nowait) {
+ 					if (err == 0)
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -2272,8 +2272,8 @@ static int __ip6mr_fill_mroute(struct mr
+ 	return 1;
+ }
+ 
+-int ip6mr_get_route(struct net *net,
+-		    struct sk_buff *skb, struct rtmsg *rtm, int nowait)
++int ip6mr_get_route(struct net *net, struct sk_buff *skb, struct rtmsg *rtm,
++		    int nowait, u32 portid)
+ {
+ 	int err;
+ 	struct mr6_table *mrt;
+@@ -2318,6 +2318,7 @@ int ip6mr_get_route(struct net *net,
+ 			return -ENOMEM;
+ 		}
+ 
++		NETLINK_CB(skb2).portid = portid;
+ 		skb_reset_transport_header(skb2);
+ 
+ 		skb_put(skb2, sizeof(struct ipv6hdr));
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2618,7 +2618,9 @@ static int rt6_fill_node(struct net *net
+ 	if (iif) {
+ #ifdef CONFIG_IPV6_MROUTE
+ 		if (ipv6_addr_is_multicast(&rt->rt6i_dst.addr)) {
+-			int err = ip6mr_get_route(net, skb, rtm, nowait);
++			int err = ip6mr_get_route(net, skb, rtm, nowait,
++						  portid);
++
+ 			if (err <= 0) {
+ 				if (!nowait) {
+ 					if (err == 0)
diff --git a/queue-3.16/ipv6-add-missing-netconf-notif-when-all-is-updated.patch b/queue-3.16/ipv6-add-missing-netconf-notif-when-all-is-updated.patch
new file mode 100644
index 0000000..acc74fa
--- /dev/null
+++ b/queue-3.16/ipv6-add-missing-netconf-notif-when-all-is-updated.patch
@@ -0,0 +1,33 @@
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Tue, 30 Aug 2016 10:09:21 +0200
+Subject: ipv6: add missing netconf notif when 'all' is updated
+
+commit d26c638c16cb54f6fb1507e27df93ede692db572 upstream.
+
+The 'default' value was not advertised.
+
+Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv6/addrconf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -723,7 +723,14 @@ static int addrconf_fixup_forwarding(str
+ 	}
+ 
+ 	if (p == &net->ipv6.devconf_all->forwarding) {
++		int old_dflt = net->ipv6.devconf_dflt->forwarding;
++
+ 		net->ipv6.devconf_dflt->forwarding = newf;
++		if ((!newf) ^ (!old_dflt))
++			inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING,
++						     NETCONFA_IFINDEX_DEFAULT,
++						     net->ipv6.devconf_dflt);
++
+ 		addrconf_forward_change(net, newf);
+ 		if ((!newf) ^ (!old))
+ 			inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING,
diff --git a/queue-3.16/ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch b/queue-3.16/ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch
new file mode 100644
index 0000000..71cb0e4
--- /dev/null
+++ b/queue-3.16/ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch
@@ -0,0 +1,55 @@
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Mon, 5 Sep 2016 16:06:31 +0800
+Subject: ipv6: addrconf: fix dev refcont leak when DAD failed
+
+commit 751eb6b6042a596b0080967c1a529a9fe98dac1d upstream.
+
+In general, when DAD detected IPv6 duplicate address, ifp->state
+will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
+delayed work, the call tree should be like this:
+
+ndisc_recv_ns
+  -> addrconf_dad_failure        <- missing ifp put
+     -> addrconf_mod_dad_work
+       -> schedule addrconf_dad_work()
+         -> addrconf_dad_stop()  <- missing ifp hold before call it
+
+addrconf_dad_failure() called with ifp refcont holding but not put.
+addrconf_dad_work() call addrconf_dad_stop() without extra holding
+refcount. This will not cause any issue normally.
+
+But the race between addrconf_dad_failure() and addrconf_dad_work()
+may cause ifp refcount leak and netdevice can not be unregister,
+dmesg show the following messages:
+
+IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
+...
+unregister_netdevice: waiting for eth0 to become free. Usage count = 1
+
+Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing
+to workqueue")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ipv6/addrconf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1686,6 +1686,7 @@ void addrconf_dad_failure(struct inet6_i
+ 	spin_unlock_bh(&ifp->state_lock);
+ 
+ 	addrconf_mod_dad_work(ifp, 0);
++	in6_ifa_put(ifp);
+ }
+ 
+ /* Join to solicited addr multicast group.
+@@ -3262,6 +3263,7 @@ static void addrconf_dad_work(struct wor
+ 		addrconf_dad_begin(ifp);
+ 		goto out;
+ 	} else if (action == DAD_ABORT) {
++		in6_ifa_hold(ifp);
+ 		addrconf_dad_stop(ifp, 1);
+ 		goto out;
+ 	}
diff --git a/queue-3.16/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch b/queue-3.16/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch
new file mode 100644
index 0000000..85736a2
--- /dev/null
+++ b/queue-3.16/ipv6-suppress-sparse-warnings-in-ip6_ecn_set_ce.patch
@@ -0,0 +1,32 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 12 Aug 2016 07:48:21 +0200
+Subject: ipv6: suppress sparse warnings in IP6_ECN_set_ce()
+
+commit c15c0ab12fd62f2b19181d05c62d24bc9fa55a42 upstream.
+
+Pass the correct type __wsum to csum_sub() and csum_add(). This doesn't
+really change anything since __wsum really *is* __be32, but removes the
+address space warnings from sparse.
+
+Cc: Eric Dumazet <edumazet@google.com>
+Fixes: 34ae6a1aa054 ("ipv6: update skb->csum when CE mark is propagated")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/net/inet_ecn.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/inet_ecn.h
++++ b/include/net/inet_ecn.h
+@@ -128,7 +128,8 @@ static inline int IP6_ECN_set_ce(struct
+ 	to = from | htonl(INET_ECN_CE << 20);
+ 	*(__be32 *)iph = to;
+ 	if (skb->ip_summed == CHECKSUM_COMPLETE)
+-		skb->csum = csum_add(csum_sub(skb->csum, from), to);
++		skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from),
++				     (__force __wsum)to);
+ 	return 1;
+ }
+ 
diff --git a/queue-3.16/irda-free-skb-on-irda_accept-error-path.patch b/queue-3.16/irda-free-skb-on-irda_accept-error-path.patch
new file mode 100644
index 0000000..dd800d9
--- /dev/null
+++ b/queue-3.16/irda-free-skb-on-irda_accept-error-path.patch
@@ -0,0 +1,53 @@
+From: "phil.turnbull@oracle.com" <phil.turnbull@oracle.com>
+Date: Thu, 15 Sep 2016 12:41:44 -0400
+Subject: irda: Free skb on irda_accept error path.
+
+commit 8ab86c00e349cef9fb14719093a7f198bcc72629 upstream.
+
+skb is not freed if newsk is NULL. Rework the error path so free_skb is
+unconditionally called on function exit.
+
+Fixes: c3ea9fa27413 ("[IrDA] af_irda: IRDA_ASSERT cleanups")
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/irda/af_irda.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -843,7 +843,7 @@ static int irda_accept(struct socket *so
+ 	struct sock *sk = sock->sk;
+ 	struct irda_sock *new, *self = irda_sk(sk);
+ 	struct sock *newsk;
+-	struct sk_buff *skb;
++	struct sk_buff *skb = NULL;
+ 	int err;
+ 
+ 	IRDA_DEBUG(2, "%s()\n", __func__);
+@@ -913,7 +913,6 @@ static int irda_accept(struct socket *so
+ 	err = -EPERM; /* value does not seem to make sense. -arnd */
+ 	if (!new->tsap) {
+ 		IRDA_DEBUG(0, "%s(), dup failed!\n", __func__);
+-		kfree_skb(skb);
+ 		goto out;
+ 	}
+ 
+@@ -932,7 +931,6 @@ static int irda_accept(struct socket *so
+ 	/* Clean up the original one to keep it in listen state */
+ 	irttp_listen(self->tsap);
+ 
+-	kfree_skb(skb);
+ 	sk->sk_ack_backlog--;
+ 
+ 	newsock->state = SS_CONNECTED;
+@@ -940,6 +938,7 @@ static int irda_accept(struct socket *so
+ 	irda_connect_response(new);
+ 	err = 0;
+ out:
++	kfree_skb(skb);
+ 	release_sock(sk);
+ 	return err;
+ }
diff --git a/queue-3.16/iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi.patch b/queue-3.16/iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi.patch
new file mode 100644
index 0000000..8d7bdfd
--- /dev/null
+++ b/queue-3.16/iscsi-target-fix-panic-when-adding-second-tcp-connection-to-iscsi.patch
@@ -0,0 +1,36 @@
+From: Feng Li <lifeng1519@gmail.com>
+Date: Tue, 12 Jul 2016 06:15:44 +0800
+Subject: iscsi-target: Fix panic when adding second TCP connection to iSCSI
+ session
+
+commit 8abc718de6e9e52d8a6bfdb735060554aeae25e4 upstream.
+
+In MC/S scenario, the conn->sess has been set NULL in
+iscsi_login_non_zero_tsih_s1 when the second connection comes here,
+then kernel panic.
+
+The conn->sess will be assigned in iscsi_login_non_zero_tsih_s2. So
+we should check whether it's NULL before calling.
+
+Signed-off-by: Feng Li <lifeng1519@gmail.com>
+Tested-by: Sumit Rai <sumit.rai@calsoftinc.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/target/iscsi/iscsi_target_login.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -1418,8 +1418,9 @@ static int __iscsi_target_login_thread(s
+ 	}
+ 	login->zero_tsih = zero_tsih;
+ 
+-	conn->sess->se_sess->sup_prot_ops =
+-		conn->conn_transport->iscsit_get_sup_prot_ops(conn);
++	if (conn->sess)
++		conn->sess->se_sess->sup_prot_ops =
++			conn->conn_transport->iscsit_get_sup_prot_ops(conn);
+ 
+ 	tpg = conn->tpg;
+ 	if (!tpg) {
diff --git a/queue-3.16/iwlwifi-pcie-fix-access-to-scratch-buffer.patch b/queue-3.16/iwlwifi-pcie-fix-access-to-scratch-buffer.patch
new file mode 100644
index 0000000..d70ebea
--- /dev/null
+++ b/queue-3.16/iwlwifi-pcie-fix-access-to-scratch-buffer.patch
@@ -0,0 +1,40 @@
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Thu, 9 Jun 2016 17:19:35 +0300
+Subject: iwlwifi: pcie: fix access to scratch buffer
+
+commit d5d0689aefc59c6a5352ca25d7e6d47d03f543ce upstream.
+
+This fixes a pretty ancient bug that hasn't manifested itself
+until now.
+The scratchbuf for command queue is allocated only for 32 slots
+but is accessed with the queue write pointer - which can be
+up to 256.
+Since the scratch buf size was 16 and there are up to 256 TFDs
+we never passed a page boundary when accessing the scratch buffer,
+but when attempting to increase the size of the scratch buffer a
+panic was quick to follow when trying to access the address resulted
+in a page boundary.
+
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+Fixes: 38c0f334b359 ("iwlwifi: use coherent DMA memory for command header")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+[bwh: Backported to 3.2: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/wireless/iwlwifi/pcie/tx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/iwlwifi/pcie/tx.c
+@@ -1364,9 +1364,9 @@ static int iwl_pcie_enqueue_hcmd(struct
+ 
+ 	/* start the TFD with the scratchbuf */
+ 	scratch_size = min_t(int, copy_size, IWL_HCMD_SCRATCHBUF_SIZE);
+-	memcpy(&txq->scratchbufs[q->write_ptr], &out_cmd->hdr, scratch_size);
++	memcpy(&txq->scratchbufs[idx], &out_cmd->hdr, scratch_size);
+ 	iwl_pcie_txq_build_tfd(trans, txq,
+-			       iwl_pcie_get_scratchbuf_dma(txq, q->write_ptr),
++			       iwl_pcie_get_scratchbuf_dma(txq, idx),
+ 			       scratch_size, true);
+ 
+ 	/* map first command fragment, if any remains */
diff --git a/queue-3.16/kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch b/queue-3.16/kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch
new file mode 100644
index 0000000..2f3397f
--- /dev/null
+++ b/queue-3.16/kernel-fork-fix-clone_child_cleartid-regression-in-nscd.patch
@@ -0,0 +1,77 @@
+From: Michal Hocko <mhocko@suse.com>
+Date: Thu, 1 Sep 2016 16:15:13 -0700
+Subject: kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
+
+commit 735f2770a770156100f534646158cb58cb8b2939 upstream.
+
+Commit fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal
+exit") has caused a subtle regression in nscd which uses
+CLONE_CHILD_CLEARTID to clear the nscd_certainly_running flag in the
+shared databases, so that the clients are notified when nscd is
+restarted.  Now, when nscd uses a non-persistent database, clients that
+have it mapped keep thinking the database is being updated by nscd, when
+in fact nscd has created a new (anonymous) one (for non-persistent
+databases it uses an unlinked file as backend).
+
+The original proposal for the CLONE_CHILD_CLEARTID change claimed
+(https://lkml.org/lkml/2006/10/25/233):
+
+: The NPTL library uses the CLONE_CHILD_CLEARTID flag on clone() syscalls
+: on behalf of pthread_create() library calls.  This feature is used to
+: request that the kernel clear the thread-id in user space (at an address
+: provided in the syscall) when the thread disassociates itself from the
+: address space, which is done in mm_release().
+:
+: Unfortunately, when a multi-threaded process incurs a core dump (such as
+: from a SIGSEGV), the core-dumping thread sends SIGKILL signals to all of
+: the other threads, which then proceed to clear their user-space tids
+: before synchronizing in exit_mm() with the start of core dumping.  This
+: misrepresents the state of process's address space at the time of the
+: SIGSEGV and makes it more difficult for someone to debug NPTL and glibc
+: problems (misleading him/her to conclude that the threads had gone away
+: before the fault).
+:
+: The fix below is to simply avoid the CLONE_CHILD_CLEARTID action if a
+: core dump has been initiated.
+
+The resulting patch from Roland (https://lkml.org/lkml/2006/10/26/269)
+seems to have a larger scope than the original patch asked for.  It
+seems that limitting the scope of the check to core dumping should work
+for SIGSEGV issue describe above.
+
+[Changelog partly based on Andreas' description]
+Fixes: fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit")
+Link: http://lkml.kernel.org/r/1471968749-26173-1-git-send-email-mhocko@kernel.org
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Tested-by: William Preston <wpreston@suse.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Roland McGrath <roland@hack.frob.com>
+Cc: Andreas Schwab <schwab@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ kernel/fork.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -777,14 +777,12 @@ void mm_release(struct task_struct *tsk,
+ 	deactivate_mm(tsk, mm);
+ 
+ 	/*
+-	 * If we're exiting normally, clear a user-space tid field if
+-	 * requested.  We leave this alone when dying by signal, to leave
+-	 * the value intact in a core dump, and to save the unnecessary
+-	 * trouble, say, a killed vfork parent shouldn't touch this mm.
+-	 * Userland only wants this done for a sys_exit.
++	 * Signal userspace if we're not exiting with a core dump
++	 * because we want to leave the value intact for debugging
++	 * purposes.
+ 	 */
+ 	if (tsk->clear_child_tid) {
+-		if (!(tsk->flags & PF_SIGNALED) &&
++		if (!(tsk->signal->flags & SIGNAL_GROUP_COREDUMP) &&
+ 		    atomic_read(&mm->mm_users) > 1) {
+ 			/*
+ 			 * We don't check the error code - if userspace has
diff --git a/queue-3.16/kernfs-don-t-depend-on-d_find_any_alias-when-generating.patch b/queue-3.16/kernfs-don-t-depend-on-d_find_any_alias-when-generating.patch
new file mode 100644
index 0000000..423d820
--- /dev/null
+++ b/queue-3.16/kernfs-don-t-depend-on-d_find_any_alias-when-generating.patch
@@ -0,0 +1,86 @@
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 17 Jun 2016 17:51:17 -0400
+Subject: kernfs: don't depend on d_find_any_alias() when generating
+ notifications
+
+commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 upstream.
+
+kernfs_notify_workfn() sends out file modified events for the
+scheduled kernfs_nodes.  Because the modifications aren't from
+userland, it doesn't have the matching file struct at hand and can't
+use fsnotify_modify().  Instead, it looked up the inode and then used
+d_find_any_alias() to find the dentry and used fsnotify_parent() and
+fsnotify() directly to generate notifications.
+
+The assumption was that the relevant dentries would have been pinned
+if there are listeners, which isn't true as inotify doesn't pin
+dentries at all and watching the parent doesn't pin the child dentries
+even for dnotify.  This led to, for example, inotify watchers not
+getting notifications if the system is under memory pressure and the
+matching dentries got reclaimed.  It can also be triggered through
+/proc/sys/vm/drop_caches or a remount attempt which involves shrinking
+dcache.
+
+fsnotify_parent() only uses the dentry to access the parent inode,
+which kernfs can do easily.  Update kernfs_notify_workfn() so that it
+uses fsnotify() directly for both the parent and target inodes without
+going through d_find_any_alias().  While at it, supply the target file
+name to fsnotify() from kernfs_node->name.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
+Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too")
+Cc: John McCutchan <john@johnmccutchan.com>
+Cc: Robert Love <rlove@rlove.org>
+Cc: Eric Paris <eparis@parisplace.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ fs/kernfs/file.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -828,21 +828,35 @@ repeat:
+ 	mutex_lock(&kernfs_mutex);
+ 
+ 	list_for_each_entry(info, &kernfs_root(kn)->supers, node) {
++		struct kernfs_node *parent;
+ 		struct inode *inode;
+-		struct dentry *dentry;
+ 
++		/*
++		 * We want fsnotify_modify() on @kn but as the
++		 * modifications aren't originating from userland don't
++		 * have the matching @file available.  Look up the inodes
++		 * and generate the events manually.
++		 */
+ 		inode = ilookup(info->sb, kn->ino);
+ 		if (!inode)
+ 			continue;
+ 
+-		dentry = d_find_any_alias(inode);
+-		if (dentry) {
+-			fsnotify_parent(NULL, dentry, FS_MODIFY);
+-			fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
+-				 NULL, 0);
+-			dput(dentry);
++		parent = kernfs_get_parent(kn);
++		if (parent) {
++			struct inode *p_inode;
++
++			p_inode = ilookup(info->sb, parent->ino);
++			if (p_inode) {
++				fsnotify(p_inode, FS_MODIFY | FS_EVENT_ON_CHILD,
++					 inode, FSNOTIFY_EVENT_INODE, kn->name, 0);
++				iput(p_inode);
++			}
++
++			kernfs_put(parent);
+ 		}
+ 
++		fsnotify(inode, FS_MODIFY, inode, FSNOTIFY_EVENT_INODE,
++			 kn->name, 0);
+ 		iput(inode);
+ 	}
+ 
diff --git a/queue-3.16/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch b/queue-3.16/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
new file mode 100644
index 0000000..874e2d2
--- /dev/null
+++ b/queue-3.16/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
@@ -0,0 +1,46 @@
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 27 Jul 2016 11:43:37 +0100
+Subject: KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
+
+commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.
+
+MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
+calling sys_keyctl.  The latter will work in a lot of cases, thereby hiding
+the issue.
+
+Reported-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: keyrings@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/13832/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -353,7 +353,7 @@ EXPORT(sysn32_call_table)
+ 	PTR	sys_ni_syscall			/* available, was setaltroot */
+ 	PTR	sys_add_key
+ 	PTR	sys_request_key
+-	PTR	sys_keyctl			/* 6245 */
++	PTR	compat_sys_keyctl		/* 6245 */
+ 	PTR	sys_set_thread_area
+ 	PTR	sys_inotify_init
+ 	PTR	sys_inotify_add_watch
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -491,7 +491,7 @@ EXPORT(sys32_call_table)
+ 	PTR	sys_ni_syscall			/* available, was setaltroot */
+ 	PTR	sys_add_key			/* 4280 */
+ 	PTR	sys_request_key
+-	PTR	sys_keyctl
++	PTR	compat_sys_keyctl
+ 	PTR	sys_set_thread_area
+ 	PTR	sys_inotify_init
+ 	PTR	sys_inotify_add_watch		/* 4285 */
diff --git a/queue-3.16/kvm-arm-unmap-shadow-pagetables-properly.patch b/queue-3.16/kvm-arm-unmap-shadow-pagetables-properly.patch
new file mode 100644
index 0000000..8508029
--- /dev/null
+++ b/queue-3.16/kvm-arm-unmap-shadow-pagetables-properly.patch
@@ -0,0 +1,88 @@
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 8 Sep 2016 16:25:49 +0100
+Subject: kvm-arm: Unmap shadow pagetables properly
+
+commit 293f293637b55db4f9f522a5a72514e98a541076 upstream.
+
+On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via
+mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when
+the userspace buffer gets unmapped. However, when the Hypervisor
+process exits without explicit unmap of the guest buffers, the only
+notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release
+) which does nothing on arm. Later this causes us to access pages that
+were already released [via exit_mmap() -> unmap_vmas()] when we actually
+get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() ->
+kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC,
+which unmaps any free'd pages from the linear map.
+
+ [  757.644120] Unable to handle kernel paging request at virtual address
+  ffff800661e00000
+ [  757.652046] pgd = ffff20000b1a2000
+ [  757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003,
+  *pmd=00000047fcc7c003, *pte=00e8004661e00712
+ [  757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP
+ [  757.672041] Modules linked in:
+ [  757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G      D
+ 4.8.0-rc1 #3
+ [  757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board,
+  BIOS 3.06.15 Aug 19 2016
+ [  757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000
+ [  757.698840] PC is at __flush_dcache_area+0x1c/0x40
+ [  757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70
+ [  757.708469] pc : [<ffff20000809dbdc>] lr : [<ffff2000080b4a70>] pstate: 20000145
+ ...
+ [  758.357249] [<ffff20000809dbdc>] __flush_dcache_area+0x1c/0x40
+ [  758.363059] [<ffff2000080b6748>] unmap_stage2_range+0x458/0x5f0
+ [  758.368954] [<ffff2000080b708c>] kvm_free_stage2_pgd+0x34/0x60
+ [  758.374761] [<ffff2000080b2280>] kvm_arch_destroy_vm+0x20/0x68
+ [  758.380570] [<ffff2000080aa330>] kvm_put_kvm+0x210/0x358
+ [  758.385860] [<ffff2000080aa524>] kvm_vm_release+0x2c/0x40
+ [  758.391239] [<ffff2000082ad234>] __fput+0x114/0x2e8
+ [  758.396096] [<ffff2000082ad46c>] ____fput+0xc/0x18
+ [  758.400869] [<ffff200008104658>] task_work_run+0x108/0x138
+ [  758.406332] [<ffff2000080dc8ec>] do_exit+0x48c/0x10e8
+ [  758.411363] [<ffff2000080dd5fc>] do_group_exit+0x6c/0x130
+ [  758.416739] [<ffff2000080ed924>] get_signal+0x284/0xa18
+ [  758.421943] [<ffff20000808a098>] do_signal+0x158/0x860
+ [  758.427060] [<ffff20000808aad4>] do_notify_resume+0x6c/0x88
+ [  758.432608] [<ffff200008083624>] work_pending+0x10/0x14
+ [  758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20)
+
+This patch fixes the issue by moving the kvm_free_stage2_pgd() to
+kvm_arch_flush_shadow_all().
+
+Tested-by: Itaru Kitayama <itaru.kitayama@riken.jp>
+Reported-by: Itaru Kitayama <itaru.kitayama@riken.jp>
+Reported-by: James Morse <james.morse@arm.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/arm/kvm/arm.c | 2 --
+ arch/arm/kvm/mmu.c | 1 +
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -164,8 +164,6 @@ void kvm_arch_destroy_vm(struct kvm *kvm
+ {
+ 	int i;
+ 
+-	kvm_free_stage2_pgd(kvm);
+-
+ 	for (i = 0; i < KVM_MAX_VCPUS; ++i) {
+ 		if (kvm->vcpus[i]) {
+ 			kvm_arch_vcpu_free(kvm->vcpus[i]);
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1257,6 +1257,7 @@ void kvm_arch_memslots_updated(struct kv
+ 
+ void kvm_arch_flush_shadow_all(struct kvm *kvm)
+ {
++	kvm_free_stage2_pgd(kvm);
+ }
+ 
+ void kvm_arch_flush_shadow_memslot(struct kvm *kvm,
diff --git a/queue-3.16/kvm-nvmx-fix-lifetime-issues-for-vmcs02.patch b/queue-3.16/kvm-nvmx-fix-lifetime-issues-for-vmcs02.patch
new file mode 100644
index 0000000..7dfe1e4
--- /dev/null
+++ b/queue-3.16/kvm-nvmx-fix-lifetime-issues-for-vmcs02.patch
@@ -0,0 +1,115 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 17 Jul 2014 12:25:16 +0200
+Subject: KVM: nVMX: fix lifetime issues for vmcs02
+
+commit 4fa7734c62cdd8c07edd54fa5a5e91482273071a upstream.
+
+free_nested needs the loaded_vmcs to be valid if it is a vmcs02, in
+order to detach it from the shadow vmcs.  However, this is not
+available anymore after commit 26a865f4aa8e (KVM: VMX: fix use after
+free of vmx->loaded_vmcs, 2014-01-03).
+
+Revert that patch, and fix its problem by forcing a vmcs01 as the
+active VMCS before freeing all the nested VMX state.
+
+Reported-by: Wanpeng Li <wanpeng.li@linux.intel.com>
+Tested-by: Wanpeng Li <wanpeng.li@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/vmx.c | 49 +++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 33 insertions(+), 16 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -5777,22 +5777,27 @@ static void nested_free_vmcs02(struct vc
+ 
+ /*
+  * Free all VMCSs saved for this vcpu, except the one pointed by
+- * vmx->loaded_vmcs. These include the VMCSs in vmcs02_pool (except the one
+- * currently used, if running L2), and vmcs01 when running L2.
++ * vmx->loaded_vmcs. We must be running L1, so vmx->loaded_vmcs
++ * must be &vmx->vmcs01.
+  */
+ static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
+ {
+ 	struct vmcs02_list *item, *n;
++
++	WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01);
+ 	list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
+-		if (vmx->loaded_vmcs != &item->vmcs02)
+-			free_loaded_vmcs(&item->vmcs02);
++		/*
++		 * Something will leak if the above WARN triggers.  Better than
++		 * a use-after-free.
++		 */
++		if (vmx->loaded_vmcs == &item->vmcs02)
++			continue;
++
++		free_loaded_vmcs(&item->vmcs02);
+ 		list_del(&item->list);
+ 		kfree(item);
++		vmx->nested.vmcs02_num--;
+ 	}
+-	vmx->nested.vmcs02_num = 0;
+-
+-	if (vmx->loaded_vmcs != &vmx->vmcs01)
+-		free_loaded_vmcs(&vmx->vmcs01);
+ }
+ 
+ /*
+@@ -7557,13 +7562,31 @@ static void __noclone vmx_vcpu_run(struc
+ 	vmx_complete_interrupts(vmx);
+ }
+ 
++static void vmx_load_vmcs01(struct kvm_vcpu *vcpu)
++{
++	struct vcpu_vmx *vmx = to_vmx(vcpu);
++	int cpu;
++
++	if (vmx->loaded_vmcs == &vmx->vmcs01)
++		return;
++
++	cpu = get_cpu();
++	vmx->loaded_vmcs = &vmx->vmcs01;
++	vmx_vcpu_put(vcpu);
++	vmx_vcpu_load(vcpu, cpu);
++	vcpu->cpu = cpu;
++	put_cpu();
++}
++
+ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
+ {
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+ 
+ 	free_vpid(vmx);
+-	free_loaded_vmcs(vmx->loaded_vmcs);
++	leave_guest_mode(vcpu);
++	vmx_load_vmcs01(vcpu);
+ 	free_nested(vmx);
++	free_loaded_vmcs(vmx->loaded_vmcs);
+ 	kfree(vmx->guest_msrs);
+ 	kvm_vcpu_uninit(vcpu);
+ 	kmem_cache_free(kvm_vcpu_cache, vmx);
+@@ -8707,7 +8730,6 @@ static void nested_vmx_vmexit(struct kvm
+ 			      unsigned long exit_qualification)
+ {
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+-	int cpu;
+ 	struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+ 
+ 	/* trying to cancel vmlaunch/vmresume is a bug */
+@@ -8732,12 +8754,7 @@ static void nested_vmx_vmexit(struct kvm
+ 				       vmcs12->vm_exit_intr_error_code,
+ 				       KVM_ISA_VMX);
+ 
+-	cpu = get_cpu();
+-	vmx->loaded_vmcs = &vmx->vmcs01;
+-	vmx_vcpu_put(vcpu);
+-	vmx_vcpu_load(vcpu, cpu);
+-	vcpu->cpu = cpu;
+-	put_cpu();
++	vmx_load_vmcs01(vcpu);
+ 
+ 	vm_entry_controls_init(vmx, vmcs_read32(VM_ENTRY_CONTROLS));
+ 	vm_exit_controls_init(vmx, vmcs_read32(VM_EXIT_CONTROLS));
diff --git a/queue-3.16/kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch b/queue-3.16/kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch
new file mode 100644
index 0000000..b7c48d5
--- /dev/null
+++ b/queue-3.16/kvm-nvmx-fix-memory-corruption-when-using-vmcs-shadowing.patch
@@ -0,0 +1,80 @@
+From: Jim Mattson <jmattson@google.com>
+Date: Fri, 8 Jul 2016 15:36:06 -0700
+Subject: KVM: nVMX: Fix memory corruption when using VMCS shadowing
+
+commit 2f1fe81123f59271bddda673b60116bde9660385 upstream.
+
+When freeing the nested resources of a vcpu, there is an assumption that
+the vcpu's vmcs01 is the current VMCS on the CPU that executes
+nested_release_vmcs12(). If this assumption is violated, the vcpu's
+vmcs01 may be made active on multiple CPUs at the same time, in
+violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
+not VMCLEARed on every CPU on which it is active, it can linger in a
+CPU's VMCS cache after it has been freed and potentially
+repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
+miss can result in memory corruption.
+
+It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
+the vcpu in question was last loaded on a different CPU, it must be
+migrated to the current CPU before calling vmx_load_vmcs01().
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/vmx.c  | 19 +++++++++++++++++--
+ virt/kvm/kvm_main.c |  2 ++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7578,14 +7578,29 @@ static void vmx_load_vmcs01(struct kvm_v
+ 	put_cpu();
+ }
+ 
++/*
++ * Ensure that the current vmcs of the logical processor is the
++ * vmcs01 of the vcpu before calling free_nested().
++ */
++static void vmx_free_vcpu_nested(struct kvm_vcpu *vcpu)
++{
++       struct vcpu_vmx *vmx = to_vmx(vcpu);
++       int r;
++
++       r = vcpu_load(vcpu);
++       BUG_ON(r);
++       vmx_load_vmcs01(vcpu);
++       free_nested(vmx);
++       vcpu_put(vcpu);
++}
++
+ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
+ {
+ 	struct vcpu_vmx *vmx = to_vmx(vcpu);
+ 
+ 	free_vpid(vmx);
+ 	leave_guest_mode(vcpu);
+-	vmx_load_vmcs01(vcpu);
+-	free_nested(vmx);
++	vmx_free_vcpu_nested(vcpu);
+ 	free_loaded_vmcs(vmx->loaded_vmcs);
+ 	kfree(vmx->guest_msrs);
+ 	kvm_vcpu_uninit(vcpu);
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -137,6 +137,7 @@ int vcpu_load(struct kvm_vcpu *vcpu)
+ 	put_cpu();
+ 	return 0;
+ }
++EXPORT_SYMBOL_GPL(vcpu_load);
+ 
+ void vcpu_put(struct kvm_vcpu *vcpu)
+ {
+@@ -146,6 +147,7 @@ void vcpu_put(struct kvm_vcpu *vcpu)
+ 	preempt_enable();
+ 	mutex_unlock(&vcpu->mutex);
+ }
++EXPORT_SYMBOL_GPL(vcpu_put);
+ 
+ static void ack_flush(void *_completed)
+ {
diff --git a/queue-3.16/kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch b/queue-3.16/kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch
new file mode 100644
index 0000000..cf556d4
--- /dev/null
+++ b/queue-3.16/kvm-nvmx-postpone-vmcs-changes-on-msr_ia32_apicbase-write.patch
@@ -0,0 +1,64 @@
+From: =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>
+Date: Mon, 8 Aug 2016 20:16:23 +0200
+Subject: KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit dccbfcf52cebb8963246eba5b177b77f26b34da0 upstream.
+
+If vmcs12 does not intercept APIC_BASE writes, then KVM will handle the
+write with vmcs02 as the current VMCS.
+This will incorrectly apply modifications intended for vmcs01 to vmcs02
+and L2 can use it to gain access to L0's x2APIC registers by disabling
+virtualized x2APIC while using msr bitmap that assumes enabled.
+
+Postpone execution of vmx_set_virtual_x2apic_mode until vmcs01 is the
+current VMCS.  An alternative solution would temporarily make vmcs01 the
+current VMCS, but it requires more care.
+
+Fixes: 8d14695f9542 ("x86, apicv: add virtual x2apic support")
+Reported-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/x86/kvm/vmx.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -372,6 +372,7 @@ struct nested_vmx {
+ 	struct list_head vmcs02_pool;
+ 	int vmcs02_num;
+ 	u64 vmcs01_tsc_offset;
++	bool change_vmcs01_virtual_x2apic_mode;
+ 	/* L2 must run next, and mustn't decide to exit to L1. */
+ 	bool nested_run_pending;
+ 	/*
+@@ -7084,6 +7085,12 @@ static void vmx_set_virtual_x2apic_mode(
+ {
+ 	u32 sec_exec_control;
+ 
++	/* Postpone execution until vmcs01 is the current VMCS. */
++	if (is_guest_mode(vcpu)) {
++		to_vmx(vcpu)->nested.change_vmcs01_virtual_x2apic_mode = true;
++		return;
++	}
++
+ 	/*
+ 	 * There is not point to enable virtualize x2apic without enable
+ 	 * apicv
+@@ -8784,6 +8791,12 @@ static void nested_vmx_vmexit(struct kvm
+ 	/* Update TSC_OFFSET if TSC was changed while L2 ran */
+ 	vmcs_write64(TSC_OFFSET, vmx->nested.vmcs01_tsc_offset);
+ 
++	if (vmx->nested.change_vmcs01_virtual_x2apic_mode) {
++		vmx->nested.change_vmcs01_virtual_x2apic_mode = false;
++		vmx_set_virtual_x2apic_mode(vcpu,
++				vcpu->arch.apic_base & X2APIC_ENABLE);
++	}
++
+ 	/* This is needed for same reason as it was needed in prepare_vmcs02 */
+ 	vmx->host_rsp = 0;
+ 
diff --git a/queue-3.16/l2tp-correctly-return-ebadf-from-pppol2tp_getname.patch b/queue-3.16/l2tp-correctly-return-ebadf-from-pppol2tp_getname.patch
new file mode 100644
index 0000000..8975c49
--- /dev/null
+++ b/queue-3.16/l2tp-correctly-return-ebadf-from-pppol2tp_getname.patch
@@ -0,0 +1,46 @@
+From: "phil.turnbull@oracle.com" <phil.turnbull@oracle.com>
+Date: Tue, 26 Jul 2016 15:14:35 -0400
+Subject: l2tp: Correctly return -EBADF from pppol2tp_getname.
+
+commit 4ac36a4adaf80013a60013d6f829f5863d5d0e05 upstream.
+
+If 'tunnel' is NULL we should return -EBADF but the 'end_put_sess' path
+unconditionally sets 'error' back to zero. Rework the error path so it
+more closely matches pppol2tp_sendmsg.
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/l2tp/l2tp_ppp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -883,10 +883,8 @@ static int pppol2tp_getname(struct socke
+ 
+ 	pls = l2tp_session_priv(session);
+ 	tunnel = l2tp_sock_to_tunnel(pls->tunnel_sock);
+-	if (tunnel == NULL) {
+-		error = -EBADF;
++	if (tunnel == NULL)
+ 		goto end_put_sess;
+-	}
+ 
+ 	inet = inet_sk(tunnel->sock);
+ 	if ((tunnel->version == 2) && (tunnel->sock->sk_family == AF_INET)) {
+@@ -964,12 +962,11 @@ static int pppol2tp_getname(struct socke
+ 	}
+ 
+ 	*usockaddr_len = len;
++	error = 0;
+ 
+ 	sock_put(pls->tunnel_sock);
+ end_put_sess:
+ 	sock_put(sk);
+-	error = 0;
+-
+ end:
+ 	return error;
+ }
diff --git a/queue-3.16/l2tp-fix-use-after-free-during-module-unload.patch b/queue-3.16/l2tp-fix-use-after-free-during-module-unload.patch
new file mode 100644
index 0000000..040e597
--- /dev/null
+++ b/queue-3.16/l2tp-fix-use-after-free-during-module-unload.patch
@@ -0,0 +1,39 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Fri, 2 Sep 2016 10:22:54 +0200
+Subject: l2tp: fix use-after-free during module unload
+
+commit 2f86953e7436c9b9a4690909c5e2db24799e173b upstream.
+
+Tunnel deletion is delayed by both a workqueue (l2tp_tunnel_delete -> wq
+ -> l2tp_tunnel_del_work) and RCU (sk_destruct -> RCU ->
+l2tp_tunnel_destruct).
+
+By the time l2tp_tunnel_destruct() runs to destroy the tunnel and finish
+destroying the socket, the private data reserved via the net_generic
+mechanism has already been freed, but l2tp_tunnel_destruct() actually
+uses this data.
+
+Make sure tunnel deletion for the netns has completed before returning
+from l2tp_exit_net() by first flushing the tunnel removal workqueue, and
+then waiting for RCU callbacks to complete.
+
+Fixes: 167eb17e0b17 ("l2tp: create tunnel sockets in the right namespace")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/l2tp/l2tp_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1892,6 +1892,9 @@ static __net_exit void l2tp_exit_net(str
+ 		(void)l2tp_tunnel_delete(tunnel);
+ 	}
+ 	rcu_read_unlock_bh();
++
++	flush_workqueue(l2tp_wq);
++	rcu_barrier();
+ }
+ 
+ static struct pernet_operations l2tp_net_ops = {
diff --git a/queue-3.16/lib-mpi-mpi_read_raw_data-fix-nbits-calculation.patch b/queue-3.16/lib-mpi-mpi_read_raw_data-fix-nbits-calculation.patch
new file mode 100644
index 0000000..67c0696
--- /dev/null
+++ b/queue-3.16/lib-mpi-mpi_read_raw_data-fix-nbits-calculation.patch
@@ -0,0 +1,50 @@
+From: Nicolai Stange <nicstange@gmail.com>
+Date: Thu, 26 May 2016 13:05:32 +0200
+Subject: lib/mpi: mpi_read_raw_data(): fix nbits calculation
+
+commit eef0df6a59537032ab6b708f30b28d9530f8760e upstream.
+
+The number of bits, nbits, is calculated in mpi_read_raw_data() as follows:
+
+  nbits = nbytes * 8;
+
+Afterwards, the number of leading zero bits of the first byte get
+subtracted:
+
+  nbits -= count_leading_zeros(buffer[0]);
+
+However, count_leading_zeros() takes an unsigned long and thus,
+the u8 gets promoted to an unsigned long.
+
+Thus, the above doesn't subtract the number of leading zeros in the most
+significant nonzero input byte from nbits, but the number of leading
+zeros of the most significant nonzero input byte promoted to unsigned long,
+i.e. BITS_PER_LONG - 8 too many.
+
+Fix this by subtracting
+
+  count_leading_zeros(...) - (BITS_PER_LONG - 8)
+
+from nbits only.
+
+Fixes: e1045992949 ("MPILIB: Provide a function to read raw data into an
+                     MPI")
+Signed-off-by: Nicolai Stange <nicstange@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ lib/mpi/mpicoder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/mpi/mpicoder.c
++++ b/lib/mpi/mpicoder.c
+@@ -48,7 +48,7 @@ MPI mpi_read_raw_data(const void *xbuffe
+ 		return NULL;
+ 	}
+ 	if (nbytes > 0)
+-		nbits -= count_leading_zeros(buffer[0]);
++		nbits -= count_leading_zeros(buffer[0]) - (BITS_PER_LONG - 8);
+ 	else
+ 		nbits = 0;
+ 
diff --git a/queue-3.16/libceph-apply-new_state-before-new_up_client-on-incrementals.patch b/queue-3.16/libceph-apply-new_state-before-new_up_client-on-incrementals.patch
new file mode 100644
index 0000000..2cbb756
--- /dev/null
+++ b/queue-3.16/libceph-apply-new_state-before-new_up_client-on-incrementals.patch
@@ -0,0 +1,223 @@
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 19 Jul 2016 03:50:28 +0200
+Subject: libceph: apply new_state before new_up_client on incrementals
+
+commit 930c532869774ebf8af9efe9484c597f896a7d46 upstream.
+
+Currently, osd_weight and osd_state fields are updated in the encoding
+order.  This is wrong, because an incremental map may look like e.g.
+
+    new_up_client: { osd=6, addr=... } # set osd_state and addr
+    new_state: { osd=6, xorstate=EXISTS } # clear osd_state
+
+Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down).  After
+applying new_up_client, osd_state is changed to EXISTS | UP.  Carrying
+on with the new_state update, we flip EXISTS and leave osd6 in a weird
+"!EXISTS but UP" state.  A non-existent OSD is considered down by the
+mapping code
+
+2087    for (i = 0; i < pg->pg_temp.len; i++) {
+2088            if (ceph_osd_is_down(osdmap, pg->pg_temp.osds[i])) {
+2089                    if (ceph_can_shift_osds(pi))
+2090                            continue;
+2091
+2092                    temp->osds[temp->size++] = CRUSH_ITEM_NONE;
+
+and so requests get directed to the second OSD in the set instead of
+the first, resulting in OSD-side errors like:
+
+[WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680
+
+and hung rbds on the client:
+
+[  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)
+[  493.566805] rbd: rbd0:   result -6 xferred 400000
+[  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688
+
+The fix is to decouple application from the decoding and:
+- apply new_weight first
+- apply new_state before new_up_client
+- twiddle osd_state flags if marking in
+- clear out some of the state if osd is destroyed
+
+Fixes: http://tracker.ceph.com/issues/14901
+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Josh Durgin <jdurgin@redhat.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ceph/osdmap.c | 156 +++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 113 insertions(+), 43 deletions(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1167,6 +1167,115 @@ struct ceph_osdmap *ceph_osdmap_decode(v
+ }
+ 
+ /*
++ * Encoding order is (new_up_client, new_state, new_weight).  Need to
++ * apply in the (new_weight, new_state, new_up_client) order, because
++ * an incremental map may look like e.g.
++ *
++ *     new_up_client: { osd=6, addr=... } # set osd_state and addr
++ *     new_state: { osd=6, xorstate=EXISTS } # clear osd_state
++ */
++static int decode_new_up_state_weight(void **p, void *end,
++				      struct ceph_osdmap *map)
++{
++	void *new_up_client;
++	void *new_state;
++	void *new_weight_end;
++	u32 len;
++
++	new_up_client = *p;
++	ceph_decode_32_safe(p, end, len, e_inval);
++	len *= sizeof(u32) + sizeof(struct ceph_entity_addr);
++	ceph_decode_need(p, end, len, e_inval);
++	*p += len;
++
++	new_state = *p;
++	ceph_decode_32_safe(p, end, len, e_inval);
++	len *= sizeof(u32) + sizeof(u8);
++	ceph_decode_need(p, end, len, e_inval);
++	*p += len;
++
++	/* new_weight */
++	ceph_decode_32_safe(p, end, len, e_inval);
++	while (len--) {
++		s32 osd;
++		u32 w;
++
++		ceph_decode_need(p, end, 2*sizeof(u32), e_inval);
++		osd = ceph_decode_32(p);
++		w = ceph_decode_32(p);
++		BUG_ON(osd >= map->max_osd);
++		pr_info("osd%d weight 0x%x %s\n", osd, w,
++		     w == CEPH_OSD_IN ? "(in)" :
++		     (w == CEPH_OSD_OUT ? "(out)" : ""));
++		map->osd_weight[osd] = w;
++
++		/*
++		 * If we are marking in, set the EXISTS, and clear the
++		 * AUTOOUT and NEW bits.
++		 */
++		if (w) {
++			map->osd_state[osd] |= CEPH_OSD_EXISTS;
++			map->osd_state[osd] &= ~(CEPH_OSD_AUTOOUT |
++						 CEPH_OSD_NEW);
++		}
++	}
++	new_weight_end = *p;
++
++	/* new_state (up/down) */
++	*p = new_state;
++	len = ceph_decode_32(p);
++	while (len--) {
++		s32 osd;
++		u8 xorstate;
++		int ret;
++
++		osd = ceph_decode_32(p);
++		xorstate = ceph_decode_8(p);
++		if (xorstate == 0)
++			xorstate = CEPH_OSD_UP;
++		BUG_ON(osd >= map->max_osd);
++		if ((map->osd_state[osd] & CEPH_OSD_UP) &&
++		    (xorstate & CEPH_OSD_UP))
++			pr_info("osd%d down\n", osd);
++		if ((map->osd_state[osd] & CEPH_OSD_EXISTS) &&
++		    (xorstate & CEPH_OSD_EXISTS)) {
++			pr_info("osd%d does not exist\n", osd);
++			map->osd_weight[osd] = CEPH_OSD_IN;
++			ret = set_primary_affinity(map, osd,
++						   CEPH_OSD_DEFAULT_PRIMARY_AFFINITY);
++			if (ret)
++				return ret;
++			memset(map->osd_addr + osd, 0, sizeof(*map->osd_addr));
++			map->osd_state[osd] = 0;
++		} else {
++			map->osd_state[osd] ^= xorstate;
++		}
++	}
++
++	/* new_up_client */
++	*p = new_up_client;
++	len = ceph_decode_32(p);
++	while (len--) {
++		s32 osd;
++		struct ceph_entity_addr addr;
++
++		osd = ceph_decode_32(p);
++		ceph_decode_copy(p, &addr, sizeof(addr));
++		ceph_decode_addr(&addr);
++		BUG_ON(osd >= map->max_osd);
++		pr_info("osd%d up\n", osd);
++		map->osd_state[osd] |= CEPH_OSD_EXISTS | CEPH_OSD_UP;
++		map->osd_addr[osd] = addr;
++	}
++
++	*p = new_weight_end;
++	return 0;
++
++e_inval:
++	return -EINVAL;
++}
++
++/*
+  * decode and apply an incremental map update.
+  */
+ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end,
+@@ -1265,49 +1374,10 @@ struct ceph_osdmap *osdmap_apply_increme
+ 			__remove_pg_pool(&map->pg_pools, pi);
+ 	}
+ 
+-	/* new_up */
+-	ceph_decode_32_safe(p, end, len, e_inval);
+-	while (len--) {
+-		u32 osd;
+-		struct ceph_entity_addr addr;
+-		ceph_decode_32_safe(p, end, osd, e_inval);
+-		ceph_decode_copy_safe(p, end, &addr, sizeof(addr), e_inval);
+-		ceph_decode_addr(&addr);
+-		pr_info("osd%d up\n", osd);
+-		BUG_ON(osd >= map->max_osd);
+-		map->osd_state[osd] |= CEPH_OSD_UP | CEPH_OSD_EXISTS;
+-		map->osd_addr[osd] = addr;
+-	}
+-
+-	/* new_state */
+-	ceph_decode_32_safe(p, end, len, e_inval);
+-	while (len--) {
+-		u32 osd;
+-		u8 xorstate;
+-		ceph_decode_32_safe(p, end, osd, e_inval);
+-		xorstate = **(u8 **)p;
+-		(*p)++;  /* clean flag */
+-		if (xorstate == 0)
+-			xorstate = CEPH_OSD_UP;
+-		if (xorstate & CEPH_OSD_UP)
+-			pr_info("osd%d down\n", osd);
+-		if (osd < map->max_osd)
+-			map->osd_state[osd] ^= xorstate;
+-	}
+-
+-	/* new_weight */
+-	ceph_decode_32_safe(p, end, len, e_inval);
+-	while (len--) {
+-		u32 osd, off;
+-		ceph_decode_need(p, end, sizeof(u32)*2, e_inval);
+-		osd = ceph_decode_32(p);
+-		off = ceph_decode_32(p);
+-		pr_info("osd%d weight 0x%x %s\n", osd, off,
+-		     off == CEPH_OSD_IN ? "(in)" :
+-		     (off == CEPH_OSD_OUT ? "(out)" : ""));
+-		if (osd < map->max_osd)
+-			map->osd_weight[osd] = off;
+-	}
++	/* new_up_client, new_state, new_weight */
++	err = decode_new_up_state_weight(p, end, map);
++	if (err)
++		goto bad;
+ 
+ 	/* new_pg_temp */
+ 	err = decode_new_pg_temp(p, end, map);
diff --git a/queue-3.16/libceph-set-exists-flag-for-newly-up-osd.patch b/queue-3.16/libceph-set-exists-flag-for-newly-up-osd.patch
new file mode 100644
index 0000000..7b2326c
--- /dev/null
+++ b/queue-3.16/libceph-set-exists-flag-for-newly-up-osd.patch
@@ -0,0 +1,25 @@
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Fri, 28 Aug 2015 17:59:35 +0800
+Subject: libceph: set 'exists' flag for newly up osd
+
+commit 6dd74e44dc1df85f125982a8d6591bc4a76c9f5d upstream.
+
+Signed-off-by: Yan, Zheng <zyan@redhat.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/ceph/osdmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1275,7 +1275,7 @@ struct ceph_osdmap *osdmap_apply_increme
+ 		ceph_decode_addr(&addr);
+ 		pr_info("osd%d up\n", osd);
+ 		BUG_ON(osd >= map->max_osd);
+-		map->osd_state[osd] |= CEPH_OSD_UP;
++		map->osd_state[osd] |= CEPH_OSD_UP | CEPH_OSD_EXISTS;
+ 		map->osd_addr[osd] = addr;
+ 	}
+ 
diff --git a/queue-3.16/m32r-fix-__get_user.patch b/queue-3.16/m32r-fix-__get_user.patch
new file mode 100644
index 0000000..c520ab7
--- /dev/null
+++ b/queue-3.16/m32r-fix-__get_user.patch
@@ -0,0 +1,24 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:20:13 -0400
+Subject: m32r: fix __get_user()
+
+commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/m32r/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/m32r/include/asm/uaccess.h
++++ b/arch/m32r/include/asm/uaccess.h
+@@ -215,7 +215,7 @@ extern int fixup_exception(struct pt_reg
+ #define __get_user_nocheck(x,ptr,size)					\
+ ({									\
+ 	long __gu_err = 0;						\
+-	unsigned long __gu_val;						\
++	unsigned long __gu_val = 0;					\
+ 	might_fault();							\
+ 	__get_user_size(__gu_val,(ptr),(size),__gu_err);		\
+ 	(x) = (__typeof__(*(ptr)))__gu_val;				\
diff --git a/queue-3.16/mac80211-fix-purging-multicast-ps-buffer-queue.patch b/queue-3.16/mac80211-fix-purging-multicast-ps-buffer-queue.patch
new file mode 100644
index 0000000..9586dd2
--- /dev/null
+++ b/queue-3.16/mac80211-fix-purging-multicast-ps-buffer-queue.patch
@@ -0,0 +1,61 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Tue, 2 Aug 2016 11:13:41 +0200
+Subject: mac80211: fix purging multicast PS buffer queue
+
+commit 6b07d9ca9b5363dda959b9582a3fc9c0b89ef3b5 upstream.
+
+The code currently assumes that buffered multicast PS frames don't have
+a pending ACK frame for tx status reporting.
+However, hostapd sends a broadcast deauth frame on teardown for which tx
+status is requested. This can lead to the "Have pending ack frames"
+warning on module reload.
+Fix this by using ieee80211_free_txskb/ieee80211_purge_tx_queue.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/tx.c  | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1186,7 +1186,7 @@ static int ieee80211_stop_ap(struct wiph
+ 
+ 	/* free all potentially still buffered bcast frames */
+ 	local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf);
+-	skb_queue_purge(&sdata->u.ap.ps.bc_buf);
++	ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf);
+ 
+ 	mutex_lock(&local->mtx);
+ 	ieee80211_vif_copy_chanctx_to_vlans(sdata, true);
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -351,7 +351,7 @@ static void purge_old_ps_buffers(struct
+ 		skb = skb_dequeue(&ps->bc_buf);
+ 		if (skb) {
+ 			purged++;
+-			dev_kfree_skb(skb);
++			ieee80211_free_txskb(&local->hw, skb);
+ 		}
+ 		total += skb_queue_len(&ps->bc_buf);
+ 	}
+@@ -434,7 +434,7 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+ 	if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) {
+ 		ps_dbg(tx->sdata,
+ 		       "BC TX buffer full - dropping the oldest frame\n");
+-		dev_kfree_skb(skb_dequeue(&ps->bc_buf));
++		ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf));
+ 	} else
+ 		tx->local->total_ps_buffered++;
+ 
+@@ -2989,7 +2989,7 @@ ieee80211_get_buffered_bc(struct ieee802
+ 			sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
+ 		if (!ieee80211_tx_prepare(sdata, &tx, skb))
+ 			break;
+-		dev_kfree_skb_any(skb);
++		ieee80211_free_txskb(hw, skb);
+ 	}
+ 
+ 	info = IEEE80211_SKB_CB(skb);
diff --git a/queue-3.16/macvlan-fix-potential-use-after-free-for-broadcasts.patch b/queue-3.16/macvlan-fix-potential-use-after-free-for-broadcasts.patch
new file mode 100644
index 0000000..1c8fe95
--- /dev/null
+++ b/queue-3.16/macvlan-fix-potential-use-after-free-for-broadcasts.patch
@@ -0,0 +1,63 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 1 Jun 2016 11:43:00 +0800
+Subject: macvlan: Fix potential use-after free for broadcasts
+
+commit 260916dfb48c374f7840f3b86e69afd3afdb6e96 upstream.
+
+When we postpone a broadcast packet we save the source port in
+the skb if it is local.  However, the source port can disappear
+before we get a chance to process the packet.
+
+This patch fixes this by holding a ref count on the netdev.
+
+It also delays the skb->cb modification until after we allocate
+the new skb as you should not modify shared skbs.
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/net/macvlan.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -234,11 +234,14 @@ static void macvlan_process_broadcast(st
+ 
+ 		rcu_read_unlock();
+ 
++		if (src)
++			dev_put(src->dev);
+ 		kfree_skb(skb);
+ 	}
+ }
+ 
+ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
++				      const struct macvlan_dev *src,
+ 				      struct sk_buff *skb)
+ {
+ 	struct sk_buff *nskb;
+@@ -248,8 +251,12 @@ static void macvlan_broadcast_enqueue(st
+ 	if (!nskb)
+ 		goto err;
+ 
++	MACVLAN_SKB_CB(nskb)->src = src;
++
+ 	spin_lock(&port->bc_queue.lock);
+ 	if (skb_queue_len(&port->bc_queue) < MACVLAN_BC_QUEUE_LEN) {
++		if (src)
++			dev_hold(src->dev);
+ 		__skb_queue_tail(&port->bc_queue, nskb);
+ 		err = 0;
+ 	}
+@@ -296,8 +303,7 @@ static rx_handler_result_t macvlan_handl
+ 			goto out;
+ 		}
+ 
+-		MACVLAN_SKB_CB(skb)->src = src;
+-		macvlan_broadcast_enqueue(port, skb);
++		macvlan_broadcast_enqueue(port, src, skb);
+ 
+ 		return RX_HANDLER_PASS;
+ 	}
diff --git a/queue-3.16/media-dvb_ringbuffer-add-memory-barriers.patch b/queue-3.16/media-dvb_ringbuffer-add-memory-barriers.patch
new file mode 100644
index 0000000..11f2ee7
--- /dev/null
+++ b/queue-3.16/media-dvb_ringbuffer-add-memory-barriers.patch
@@ -0,0 +1,172 @@
+From: Soeren Moch <smoch@web.de>
+Date: Wed, 11 May 2016 13:49:11 -0300
+Subject: [media] media: dvb_ringbuffer: Add memory barriers
+
+commit ca6e6126db5494f18c6c6615060d4d803b528bff upstream.
+
+Implement memory barriers according to Documentation/circular-buffers.txt:
+- use smp_store_release() to update ringbuffer read/write pointers
+- use smp_load_acquire() to load write pointer on reader side
+- use ACCESS_ONCE() to load read pointer on writer side
+
+This fixes data stream corruptions observed e.g. on an ARM Cortex-A9
+quad core system with different types (PCI, USB) of DVB tuners.
+
+Signed-off-by: Soeren Moch <smoch@web.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/media/dvb-core/dvb_ringbuffer.c | 74 +++++++++++++++++++++++++++------
+ 1 file changed, 61 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/dvb-core/dvb_ringbuffer.c
++++ b/drivers/media/dvb-core/dvb_ringbuffer.c
+@@ -55,7 +55,13 @@ void dvb_ringbuffer_init(struct dvb_ring
+ 
+ int dvb_ringbuffer_empty(struct dvb_ringbuffer *rbuf)
+ {
+-	return (rbuf->pread==rbuf->pwrite);
++	/* smp_load_acquire() to load write pointer on reader side
++	 * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++	 * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++	 *
++	 * for memory barriers also see Documentation/circular-buffers.txt
++	 */
++	return (rbuf->pread == smp_load_acquire(&rbuf->pwrite));
+ }
+ 
+ 
+@@ -64,7 +70,12 @@ ssize_t dvb_ringbuffer_free(struct dvb_r
+ {
+ 	ssize_t free;
+ 
+-	free = rbuf->pread - rbuf->pwrite;
++	/* ACCESS_ONCE() to load read pointer on writer side
++	 * this pairs with smp_store_release() in dvb_ringbuffer_read(),
++	 * dvb_ringbuffer_read_user(), dvb_ringbuffer_flush(),
++	 * or dvb_ringbuffer_reset()
++	 */
++	free = ACCESS_ONCE(rbuf->pread) - rbuf->pwrite;
+ 	if (free <= 0)
+ 		free += rbuf->size;
+ 	return free-1;
+@@ -76,7 +87,11 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
+ {
+ 	ssize_t avail;
+ 
+-	avail = rbuf->pwrite - rbuf->pread;
++	/* smp_load_acquire() to load write pointer on reader side
++	 * this pairs with smp_store_release() in dvb_ringbuffer_write(),
++	 * dvb_ringbuffer_write_user(), or dvb_ringbuffer_reset()
++	 */
++	avail = smp_load_acquire(&rbuf->pwrite) - rbuf->pread;
+ 	if (avail < 0)
+ 		avail += rbuf->size;
+ 	return avail;
+@@ -86,14 +101,25 @@ ssize_t dvb_ringbuffer_avail(struct dvb_
+ 
+ void dvb_ringbuffer_flush(struct dvb_ringbuffer *rbuf)
+ {
+-	rbuf->pread = rbuf->pwrite;
++	/* dvb_ringbuffer_flush() counts as read operation
++	 * smp_load_acquire() to load write pointer
++	 * smp_store_release() to update read pointer, this ensures that the
++	 * correct pointer is visible for subsequent dvb_ringbuffer_free()
++	 * calls on other cpu cores
++	 */
++	smp_store_release(&rbuf->pread, smp_load_acquire(&rbuf->pwrite));
+ 	rbuf->error = 0;
+ }
+ EXPORT_SYMBOL(dvb_ringbuffer_flush);
+ 
+ void dvb_ringbuffer_reset(struct dvb_ringbuffer *rbuf)
+ {
+-	rbuf->pread = rbuf->pwrite = 0;
++	/* dvb_ringbuffer_reset() counts as read and write operation
++	 * smp_store_release() to update read pointer
++	 */
++	smp_store_release(&rbuf->pread, 0);
++	/* smp_store_release() to update write pointer */
++	smp_store_release(&rbuf->pwrite, 0);
+ 	rbuf->error = 0;
+ }
+ 
+@@ -119,12 +145,17 @@ ssize_t dvb_ringbuffer_read_user(struct
+ 			return -EFAULT;
+ 		buf += split;
+ 		todo -= split;
+-		rbuf->pread = 0;
++		/* smp_store_release() for read pointer update to ensure
++		 * that buf is not overwritten until read is complete,
++		 * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++		 */
++		smp_store_release(&rbuf->pread, 0);
+ 	}
+ 	if (copy_to_user(buf, rbuf->data+rbuf->pread, todo))
+ 		return -EFAULT;
+ 
+-	rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++	/* smp_store_release() to update read pointer, see above */
++	smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+ 
+ 	return len;
+ }
+@@ -139,11 +170,16 @@ void dvb_ringbuffer_read(struct dvb_ring
+ 		memcpy(buf, rbuf->data+rbuf->pread, split);
+ 		buf += split;
+ 		todo -= split;
+-		rbuf->pread = 0;
++		/* smp_store_release() for read pointer update to ensure
++		 * that buf is not overwritten until read is complete,
++		 * this pairs with ACCESS_ONCE() in dvb_ringbuffer_free()
++		 */
++		smp_store_release(&rbuf->pread, 0);
+ 	}
+ 	memcpy(buf, rbuf->data+rbuf->pread, todo);
+ 
+-	rbuf->pread = (rbuf->pread + todo) % rbuf->size;
++	/* smp_store_release() to update read pointer, see above */
++	smp_store_release(&rbuf->pread, (rbuf->pread + todo) % rbuf->size);
+ }
+ 
+ 
+@@ -158,10 +194,16 @@ ssize_t dvb_ringbuffer_write(struct dvb_
+ 		memcpy(rbuf->data+rbuf->pwrite, buf, split);
+ 		buf += split;
+ 		todo -= split;
+-		rbuf->pwrite = 0;
++		/* smp_store_release() for write pointer update to ensure that
++		 * written data is visible on other cpu cores before the pointer
++		 * update, this pairs with smp_load_acquire() in
++		 * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++		 */
++		smp_store_release(&rbuf->pwrite, 0);
+ 	}
+ 	memcpy(rbuf->data+rbuf->pwrite, buf, todo);
+-	rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++	/* smp_store_release() for write pointer update, see above */
++	smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+ 
+ 	return len;
+ }
+@@ -181,12 +223,18 @@ ssize_t dvb_ringbuffer_write_user(struct
+ 			return len - todo;
+ 		buf += split;
+ 		todo -= split;
+-		rbuf->pwrite = 0;
++		/* smp_store_release() for write pointer update to ensure that
++		 * written data is visible on other cpu cores before the pointer
++		 * update, this pairs with smp_load_acquire() in
++		 * dvb_ringbuffer_empty() or dvb_ringbuffer_avail()
++		 */
++		smp_store_release(&rbuf->pwrite, 0);
+ 	}
+ 	status = copy_from_user(rbuf->data+rbuf->pwrite, buf, todo);
+ 	if (status)
+ 		return len - todo;
+-	rbuf->pwrite = (rbuf->pwrite + todo) % rbuf->size;
++	/* smp_store_release() for write pointer update, see above */
++	smp_store_release(&rbuf->pwrite, (rbuf->pwrite + todo) % rbuf->size);
+ 
+ 	return len;
+ }
diff --git a/queue-3.16/megaraid_sas-fix-probing-cards-without-io-port.patch b/queue-3.16/megaraid_sas-fix-probing-cards-without-io-port.patch
new file mode 100644
index 0000000..0892723
--- /dev/null
+++ b/queue-3.16/megaraid_sas-fix-probing-cards-without-io-port.patch
@@ -0,0 +1,80 @@
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Fri, 5 Aug 2016 23:37:34 -0700
+Subject: megaraid_sas: Fix probing cards without io port
+
+commit e7f851684efb3377e9c93aca7fae6e76212e5680 upstream.
+
+Found one megaraid_sas HBA probe fails,
+
+[  187.235190] scsi host2: Avago SAS based MegaRAID driver
+[  191.112365] megaraid_sas 0000:89:00.0: BAR 0: can't reserve [io  0x0000-0x00ff]
+[  191.120548] megaraid_sas 0000:89:00.0: IO memory region busy!
+
+and the card has resource like,
+[  125.097714] pci 0000:89:00.0: [1000:005d] type 00 class 0x010400
+[  125.104446] pci 0000:89:00.0: reg 0x10: [io  0x0000-0x00ff]
+[  125.110686] pci 0000:89:00.0: reg 0x14: [mem 0xce400000-0xce40ffff 64bit]
+[  125.118286] pci 0000:89:00.0: reg 0x1c: [mem 0xce300000-0xce3fffff 64bit]
+[  125.125891] pci 0000:89:00.0: reg 0x30: [mem 0xce200000-0xce2fffff pref]
+
+that does not io port resource allocated from BIOS, and kernel can not
+assign one as io port shortage.
+
+The driver is only looking for MEM, and should not fail.
+
+It turns out megasas_init_fw() etc are using bar index as mask.  index 1
+is used as mask 1, so that pci_request_selected_regions() is trying to
+request BAR0 instead of BAR1.
+
+Fix all related reference.
+
+Fixes: b6d5d8808b4c ("megaraid_sas: Use lowest memory bar for SR-IOV VF support")
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+Acked-by: Kashyap Desai <kashyap.desai@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c   | 6 +++---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3996,7 +3996,7 @@ static int megasas_init_fw(struct megasa
+ 	/* Find first memory bar */
+ 	bar_list = pci_select_bars(instance->pdev, IORESOURCE_MEM);
+ 	instance->bar = find_first_bit(&bar_list, sizeof(unsigned long));
+-	if (pci_request_selected_regions(instance->pdev, instance->bar,
++	if (pci_request_selected_regions(instance->pdev, 1<<instance->bar,
+ 					 "megasas: LSI")) {
+ 		printk(KERN_DEBUG "megasas: IO memory region busy!\n");
+ 		return -EBUSY;
+@@ -4261,7 +4261,7 @@ fail_ready_state:
+ 	iounmap(instance->reg_set);
+ 
+       fail_ioremap:
+-	pci_release_selected_regions(instance->pdev, instance->bar);
++	pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+ 
+ 	return -EINVAL;
+ }
+@@ -4282,7 +4282,7 @@ static void megasas_release_mfi(struct m
+ 
+ 	iounmap(instance->reg_set);
+ 
+-	pci_release_selected_regions(instance->pdev, instance->bar);
++	pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+ }
+ 
+ /**
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -2190,7 +2190,7 @@ megasas_release_fusion(struct megasas_in
+ 
+ 	iounmap(instance->reg_set);
+ 
+-	pci_release_selected_regions(instance->pdev, instance->bar);
++	pci_release_selected_regions(instance->pdev, 1<<instance->bar);
+ }
+ 
+ /**
diff --git a/queue-3.16/metag-copy_from_user-should-zero-the-destination-on-access_ok.patch b/queue-3.16/metag-copy_from_user-should-zero-the-destination-on-access_ok.patch
new file mode 100644
index 0000000..46ad12b
--- /dev/null
+++ b/queue-3.16/metag-copy_from_user-should-zero-the-destination-on-access_ok.patch
@@ -0,0 +1,27 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 22:08:20 -0400
+Subject: metag: copy_from_user() should zero the destination on access_ok()
+ failure
+
+commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream.
+
+Acked-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/metag/include/asm/uaccess.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/metag/include/asm/uaccess.h
++++ b/arch/metag/include/asm/uaccess.h
+@@ -199,8 +199,9 @@ extern unsigned long __must_check __copy
+ static inline unsigned long
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+-	if (access_ok(VERIFY_READ, from, n))
++	if (likely(access_ok(VERIFY_READ, from, n)))
+ 		return __copy_user_zeroing(to, from, n);
++	memset(to, 0, n);
+ 	return n;
+ }
+ 
diff --git a/queue-3.16/metag-fix-__cmpxchg_u32-asm-constraint-for-cmp.patch b/queue-3.16/metag-fix-__cmpxchg_u32-asm-constraint-for-cmp.patch
new file mode 100644
index 0000000..2f2958f
--- /dev/null
+++ b/queue-3.16/metag-fix-__cmpxchg_u32-asm-constraint-for-cmp.patch
@@ -0,0 +1,44 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 4 Aug 2016 17:36:08 +0100
+Subject: metag: Fix __cmpxchg_u32 asm constraint for CMP
+
+commit 6154c187b97ee7513046bb4eb317a89f738f13ef upstream.
+
+The LNKGET based atomic sequence in __cmpxchg_u32 has slightly incorrect
+constraints for the return value which under certain circumstances can
+allow an address unit register to be used as the first operand of a CMP
+instruction. This isn't a valid instruction however as the encodings
+only allow a data unit to be specified. This would result in an
+assembler error like the following:
+
+  Error: failed to assemble instruction: "CMP A0.2,D0Ar6"
+
+Fix by changing the constraint from "=&da" (assigned, early clobbered,
+data or address unit register) to "=&d" (data unit register only).
+
+The constraint for the second operand, "bd" (an op2 register where op1
+is a data unit register and the instruction supports O2R) is already
+correct assuming the first operand is a data unit register.
+
+Other cases of CMP in inline asm have had their constraints checked, and
+appear to all be fine.
+
+Fixes: 6006c0d8ce94 ("metag: Atomics, locks and bitops")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-metag@vger.kernel.org
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/metag/include/asm/cmpxchg_lnkget.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/metag/include/asm/cmpxchg_lnkget.h
++++ b/arch/metag/include/asm/cmpxchg_lnkget.h
+@@ -73,7 +73,7 @@ static inline unsigned long __cmpxchg_u3
+ 		      "	DCACHE	[%2], %0\n"
+ #endif
+ 		      "2:\n"
+-		      : "=&d" (temp), "=&da" (retval)
++		      : "=&d" (temp), "=&d" (retval)
+ 		      : "da" (m), "bd" (old), "da" (new)
+ 		      : "cc"
+ 		      );
diff --git a/queue-3.16/microblaze-fix-__get_user.patch b/queue-3.16/microblaze-fix-__get_user.patch
new file mode 100644
index 0000000..1243e76
--- /dev/null
+++ b/queue-3.16/microblaze-fix-__get_user.patch
@@ -0,0 +1,23 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:23:33 -0400
+Subject: microblaze: fix __get_user()
+
+commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/microblaze/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/microblaze/include/asm/uaccess.h
++++ b/arch/microblaze/include/asm/uaccess.h
+@@ -226,7 +226,7 @@ extern long __user_bad(void);
+ 
+ #define __get_user(x, ptr)						\
+ ({									\
+-	unsigned long __gu_val;						\
++	unsigned long __gu_val = 0;					\
+ 	/*unsigned long __gu_ptr = (unsigned long)(ptr);*/		\
+ 	long __gu_err;							\
+ 	switch (sizeof(*(ptr))) {					\
diff --git a/queue-3.16/microblaze-fix-copy_from_user.patch b/queue-3.16/microblaze-fix-copy_from_user.patch
new file mode 100644
index 0000000..adaeb2c
--- /dev/null
+++ b/queue-3.16/microblaze-fix-copy_from_user.patch
@@ -0,0 +1,31 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:22:34 -0400
+Subject: microblaze: fix copy_from_user()
+
+commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/microblaze/include/asm/uaccess.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/microblaze/include/asm/uaccess.h
++++ b/arch/microblaze/include/asm/uaccess.h
+@@ -371,10 +371,13 @@ extern long __user_bad(void);
+ static inline long copy_from_user(void *to,
+ 		const void __user *from, unsigned long n)
+ {
++	unsigned long res = n;
+ 	might_fault();
+-	if (access_ok(VERIFY_READ, from, n))
+-		return __copy_from_user(to, from, n);
+-	return n;
++	if (likely(access_ok(VERIFY_READ, from, n)))
++		res = __copy_from_user(to, from, n);
++	if (unlikely(res))
++		memset(to + (n - res), 0, res);
++	return res;
+ }
+ 
+ #define __copy_to_user(to, from, n)	\
diff --git a/queue-3.16/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch b/queue-3.16/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch
new file mode 100644
index 0000000..868e7ff
--- /dev/null
+++ b/queue-3.16/mips-c-r4k-fix-protected_writeback_scache_line-for-eva.patch
@@ -0,0 +1,53 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Wed, 13 Jul 2016 14:12:47 +0100
+Subject: MIPS: c-r4k: Fix protected_writeback_scache_line for EVA
+
+commit 0758b116b4080d9a2a2a715bec6eee2cbd828215 upstream.
+
+The protected_writeback_scache_line() function is used by
+local_r4k_flush_cache_sigtramp() to flush an FPU delay slot emulation
+trampoline on the userland stack from the caches so it is visible to
+subsequent instruction fetches.
+
+Commit de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing
+functions") updated some protected_ cache flush functions to use EVA
+CACHEE instructions via protected_cachee_op(), and commit 83fd43449baa
+("MIPS: r4kcache: Add EVA case for protected_writeback_dcache_line") did
+the same thing for protected_writeback_dcache_line(), but
+protected_writeback_scache_line() never got updated. Lets fix that now
+to flush the right user address from the secondary cache rather than
+some arbitrary kernel unmapped address.
+
+This issue was spotted through code inspection, and it seems unlikely to
+be possible to hit this in practice. It theoretically affect EVA kernels
+on EVA capable cores with an L2 cache, where the icache fetches straight
+from RAM (cpu_icache_snoops_remote_store == 0), running a hard float
+userland with FPU disabled (nofpu). That both Malta and Boston platforms
+override cpu_icache_snoops_remote_store to 1 suggests that all MIPS
+cores fetch instructions into icache straight from L2 rather than RAM.
+
+Fixes: de8974e3f76c ("MIPS: asm: r4kcache: Add EVA cache flushing functions")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/13800/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/include/asm/r4kcache.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/mips/include/asm/r4kcache.h
++++ b/arch/mips/include/asm/r4kcache.h
+@@ -263,7 +263,11 @@ static inline void protected_writeback_d
+ 
+ static inline void protected_writeback_scache_line(unsigned long addr)
+ {
++#ifdef CONFIG_EVA
++	protected_cachee_op(Hit_Writeback_Inv_SD, addr);
++#else
+ 	protected_cache_op(Hit_Writeback_Inv_SD, addr);
++#endif
+ }
+ 
+ /*
diff --git a/queue-3.16/mips-copy_from_user-must-zero-the-destination-on-access_ok.patch b/queue-3.16/mips-copy_from_user-must-zero-the-destination-on-access_ok.patch
new file mode 100644
index 0000000..fd8b075
--- /dev/null
+++ b/queue-3.16/mips-copy_from_user-must-zero-the-destination-on-access_ok.patch
@@ -0,0 +1,32 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:18:53 -0400
+Subject: mips: copy_from_user() must zero the destination on access_ok()
+ failure
+
+commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/include/asm/uaccess.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -14,6 +14,7 @@
+ #include <linux/kernel.h>
+ #include <linux/errno.h>
+ #include <linux/thread_info.h>
++#include <linux/string.h>
+ #include <asm/asm-eva.h>
+ 
+ /*
+@@ -1139,6 +1140,8 @@ extern size_t __copy_in_user_eva(void *_
+ 			__cu_len = __invoke_copy_from_user(__cu_to,	\
+ 							   __cu_from,	\
+ 							   __cu_len);   \
++		} else {						\
++			memset(__cu_to, 0, __cu_len);			\
+ 		}							\
+ 	}								\
+ 	__cu_len;							\
diff --git a/queue-3.16/mips-fix-page-table-corruption-on-thp-permission-changes.patch b/queue-3.16/mips-fix-page-table-corruption-on-thp-permission-changes.patch
new file mode 100644
index 0000000..6cb3c20
--- /dev/null
+++ b/queue-3.16/mips-fix-page-table-corruption-on-thp-permission-changes.patch
@@ -0,0 +1,70 @@
+From: David Daney <david.daney@cavium.com>
+Date: Thu, 16 Jun 2016 15:50:31 -0700
+Subject: MIPS: Fix page table corruption on THP permission changes.
+
+commit acd168c0bf2ce709f056a6b1bf21634b1207d7a5 upstream.
+
+When the core THP code is modifying the permissions of a huge page it
+calls pmd_modify(), which unfortunately was clearing the _PAGE_HUGE bit
+of the page table entry.  The result can be kernel messages like:
+
+mm/memory.c:397: bad pmd 000000040080004d.
+mm/memory.c:397: bad pmd 00000003ff00004d.
+mm/memory.c:397: bad pmd 000000040100004d.
+
+or:
+
+------------[ cut here ]------------
+WARNING: at mm/mmap.c:3200 exit_mmap+0x150/0x158()
+Modules linked in: ipv6 at24 octeon3_ethernet octeon_srio_nexus m25p80
+CPU: 12 PID: 1295 Comm: pmderr Not tainted 3.10.87-rt80-Cavium-Octeon #4
+Stack : 0000000040808000 0000000014009ce1 0000000000400004 ffffffff81076ba0
+          0000000000000000 0000000000000000 ffffffff85110000 0000000000000119
+          0000000000000004 0000000000000000 0000000000000119 43617669756d2d4f
+          0000000000000000 ffffffff850fda40 ffffffff85110000 0000000000000000
+          0000000000000000 0000000000000009 ffffffff809207a0 0000000000000c80
+          ffffffff80f1bf20 0000000000000001 000000ffeca36828 0000000000000001
+          0000000000000000 0000000000000001 000000ffeca7e700 ffffffff80886924
+          80000003fd7a0000 80000003fd7a39b0 80000003fdea8000 ffffffff80885780
+          80000003fdea8000 ffffffff80f12218 000000000000000c 000000000000050f
+          0000000000000000 ffffffff80865c4c 0000000000000000 0000000000000000
+          ...
+Call Trace:
+[<ffffffff80865c4c>] show_stack+0x6c/0xf8
+[<ffffffff80885780>] warn_slowpath_common+0x78/0xa8
+[<ffffffff809207a0>] exit_mmap+0x150/0x158
+[<ffffffff80882d44>] mmput+0x5c/0x110
+[<ffffffff8088b450>] do_exit+0x230/0xa68
+[<ffffffff8088be34>] do_group_exit+0x54/0x1d0
+[<ffffffff8088bfc0>] __wake_up_parent+0x0/0x18
+
+---[ end trace c7b38293191c57dc ]---
+BUG: Bad rss-counter state mm:80000003fa168000 idx:1 val:1536
+
+Fix by not clearing _PAGE_HUGE bit.
+
+Signed-off-by: David Daney <david.daney@cavium.com>
+Tested-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/13687/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+[bwh: Backported to 3.16:
+ - Adjust context
+ - _PAGE_HUGE might not be defined]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/mips/include/asm/pgtable.h
++++ b/arch/mips/include/asm/pgtable.h
+@@ -572,7 +572,11 @@ static inline struct page *pmd_page(pmd_
+ 
+ static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot)
+ {
+-	pmd_val(pmd) = (pmd_val(pmd) & _PAGE_CHG_MASK) | pgprot_val(newprot);
++	pmd_val(pmd) = (pmd_val(pmd) & (_PAGE_CHG_MASK
++#ifdef _PAGE_HUGE
++					| _PAGE_HUGE
++#endif
++				) | pgprot_val(newprot);
+ 	return pmd;
+ }
+ 
diff --git a/queue-3.16/mips-kvm-add-missing-gfn-range-check.patch b/queue-3.16/mips-kvm-add-missing-gfn-range-check.patch
new file mode 100644
index 0000000..2a70bb9
--- /dev/null
+++ b/queue-3.16/mips-kvm-add-missing-gfn-range-check.patch
@@ -0,0 +1,72 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 11 Aug 2016 11:58:13 +0100
+Subject: MIPS: KVM: Add missing gfn range check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream.
+
+kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number
+based on the guest TLB EntryLo values, however it is not range checked
+to ensure it lies within the guest_pmap. If the physical memory the
+guest refers to is out of range then dump the guest TLB and emit an
+internal error.
+
+Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář" <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/kvm/kvm_tlb.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/arch/mips/kvm/kvm_tlb.c
++++ b/arch/mips/kvm/kvm_tlb.c
+@@ -361,6 +361,7 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
+ 	unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
+ 	struct kvm *kvm = vcpu->kvm;
+ 	pfn_t pfn0, pfn1;
++	gfn_t gfn0, gfn1;
+ 	long tlb_lo[2];
+ 
+ 
+@@ -375,18 +376,24 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
+ 			VPN2_MASK & (PAGE_MASK << 1)))
+ 		tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
+ 
+-	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0])
+-				   >> PAGE_SHIFT) < 0)
++	gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
++	gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
++	if (gfn0 >= kvm->arch.guest_pmap_npages ||
++	    gfn1 >= kvm->arch.guest_pmap_npages) {
++		kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
++			__func__, gfn0, gfn1, tlb->tlb_hi);
++		kvm_mips_dump_guest_tlbs(vcpu);
+ 		return -1;
++	}
+ 
+-	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1])
+-				   >> PAGE_SHIFT) < 0)
++	if (kvm_mips_map_page(kvm, gfn0) < 0)
+ 		return -1;
+ 
+-	pfn0 = kvm->arch.guest_pmap[
+-		mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT];
+-	pfn1 = kvm->arch.guest_pmap[
+-		mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT];
++	if (kvm_mips_map_page(kvm, gfn1) < 0)
++		return -1;
++
++	pfn0 = kvm->arch.guest_pmap[gfn0];
++	pfn1 = kvm->arch.guest_pmap[gfn1];
+ 
+ 	if (hpa0)
+ 		*hpa0 = pfn0 << PAGE_SHIFT;
diff --git a/queue-3.16/mips-kvm-check-for-pfn-noslot-case.patch b/queue-3.16/mips-kvm-check-for-pfn-noslot-case.patch
new file mode 100644
index 0000000..bf0a7c9
--- /dev/null
+++ b/queue-3.16/mips-kvm-check-for-pfn-noslot-case.patch
@@ -0,0 +1,52 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Fri, 19 Aug 2016 14:30:29 +0100
+Subject: MIPS: KVM: Check for pfn noslot case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit ba913e4f72fc9cfd03dad968dfb110eb49211d80 upstream.
+
+When mapping a page into the guest we error check using is_error_pfn(),
+however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an
+error HVA for the page. This can only happen on MIPS right now due to
+unusual memslot management (e.g. being moved / removed / resized), or
+with an Enhanced Virtual Memory (EVA) configuration where the default
+KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed
+in a later patch). This case will be treated as a pfn of zero, mapping
+the first page of physical memory into the guest.
+
+It would appear the MIPS KVM port wasn't updated prior to being merged
+(in v3.10) to take commit 81c52c56e2b4 ("KVM: do not treat noslot pfn as
+a error pfn") into account (merged v3.8), which converted a bunch of
+is_error_pfn() calls to is_error_noslot_pfn(). Switch to using
+is_error_noslot_pfn() instead to catch this case properly.
+
+Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[james.hogan@imgtec.com: Backport to v4.7.y]
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/kvm/kvm_tlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/kvm_tlb.c
++++ b/arch/mips/kvm/kvm_tlb.c
+@@ -155,7 +155,7 @@ static int kvm_mips_map_page(struct kvm
+         srcu_idx = srcu_read_lock(&kvm->srcu);
+ 	pfn = kvm_mips_gfn_to_pfn(kvm, gfn);
+ 
+-	if (kvm_mips_is_error_pfn(pfn)) {
++	if (is_error_noslot_pfn(pfn)) {
+ 		kvm_err("Couldn't get pfn for gfn %#" PRIx64 "!\n", gfn);
+ 		err = -EFAULT;
+ 		goto out;
diff --git a/queue-3.16/mips-kvm-fix-gfn-range-check-in-kseg0-tlb-faults.patch b/queue-3.16/mips-kvm-fix-gfn-range-check-in-kseg0-tlb-faults.patch
new file mode 100644
index 0000000..c8022e0
--- /dev/null
+++ b/queue-3.16/mips-kvm-fix-gfn-range-check-in-kseg0-tlb-faults.patch
@@ -0,0 +1,37 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 11 Aug 2016 11:58:14 +0100
+Subject: MIPS: KVM: Fix gfn range check in kseg0 tlb faults
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 0741f52d1b980dbeb290afe67d88fc2928edd8ab upstream.
+
+Two consecutive gfns are loaded into host TLB, so ensure the range check
+isn't off by one if guest_pmap_npages is odd.
+
+Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář" <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+[bwh: Backported to 3.16: adjust filename]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/kvm/kvm_tlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kvm/kvm_tlb.c
++++ b/arch/mips/kvm/kvm_tlb.c
+@@ -278,7 +278,7 @@ int kvm_mips_handle_kseg0_tlb_fault(unsi
+ 	}
+ 
+ 	gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT);
+-	if (gfn >= kvm->arch.guest_pmap_npages) {
++	if ((gfn | 1) >= kvm->arch.guest_pmap_npages) {
+ 		kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__,
+ 			gfn, badvaddr);
+ 		kvm_mips_dump_host_tlbs();
diff --git a/queue-3.16/mips-kvm-fix-mapped-fault-broken-commpage-handling.patch b/queue-3.16/mips-kvm-fix-mapped-fault-broken-commpage-handling.patch
new file mode 100644
index 0000000..09204b0
--- /dev/null
+++ b/queue-3.16/mips-kvm-fix-mapped-fault-broken-commpage-handling.patch
@@ -0,0 +1,95 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 11 Aug 2016 11:58:12 +0100
+Subject: MIPS: KVM: Fix mapped fault broken commpage handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit c604cffa93478f8888bec62b23d6073dad03d43a upstream.
+
+kvm_mips_handle_mapped_seg_tlb_fault() appears to map the guest page at
+virtual address 0 to PFN 0 if the guest has created its own mapping
+there. The intention is unclear, but it may have been an attempt to
+protect the zero page from being mapped to anything but the comm page in
+code paths you wouldn't expect from genuine commpage accesses (guest
+kernel mode cache instructions on that address, hitting trapping
+instructions when executing from that address with a coincidental TLB
+eviction during the KVM handling, and guest user mode accesses to that
+address).
+
+Fix this to check for mappings exactly at KVM_GUEST_COMMPAGE_ADDR (it
+may not be at address 0 since commit 42aa12e74e91 ("MIPS: KVM: Move
+commpage so 0x0 is unmapped")), and set the corresponding EntryLo to be
+interpreted as 0 (invalid).
+
+Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář" <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/mips/kvm/kvm_tlb.c
++++ b/arch/mips/kvm/kvm_tlb.c
+@@ -361,21 +361,32 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
+ 	unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
+ 	struct kvm *kvm = vcpu->kvm;
+ 	pfn_t pfn0, pfn1;
++	long tlb_lo[2];
+ 
+ 
+-	if ((tlb->tlb_hi & VPN2_MASK) == 0) {
+-		pfn0 = 0;
+-		pfn1 = 0;
+-	} else {
+-		if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT) < 0)
+-			return -1;
+-
+-		if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT) < 0)
+-			return -1;
+-
+-		pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo0) >> PAGE_SHIFT];
+-		pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo1) >> PAGE_SHIFT];
+-	}
++	tlb_lo[0] = tlb->tlb_lo0;
++	tlb_lo[1] = tlb->tlb_lo1;
++
++	/*
++	 * The commpage address must not be mapped to anything else if the guest
++	 * TLB contains entries nearby, or commpage accesses will break.
++	 */
++	if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) &
++			VPN2_MASK & (PAGE_MASK << 1)))
++		tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
++
++	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0])
++				   >> PAGE_SHIFT) < 0)
++		return -1;
++
++	if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1])
++				   >> PAGE_SHIFT) < 0)
++		return -1;
++
++	pfn0 = kvm->arch.guest_pmap[
++		mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT];
++	pfn1 = kvm->arch.guest_pmap[
++		mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT];
+ 
+ 	if (hpa0)
+ 		*hpa0 = pfn0 << PAGE_SHIFT;
+@@ -387,9 +398,9 @@ kvm_mips_handle_mapped_seg_tlb_fault(str
+ 	entryhi = (tlb->tlb_hi & VPN2_MASK) | (KVM_GUEST_KERNEL_MODE(vcpu) ?
+ 			kvm_mips_get_kernel_asid(vcpu) : kvm_mips_get_user_asid(vcpu));
+ 	entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) | (0x3 << 3) |
+-			(tlb->tlb_lo0 & MIPS3_PG_D) | (tlb->tlb_lo0 & MIPS3_PG_V);
++		(tlb_lo[0] & MIPS3_PG_D) | (tlb_lo[0] & MIPS3_PG_V);
+ 	entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) | (0x3 << 3) |
+-			(tlb->tlb_lo1 & MIPS3_PG_D) | (tlb->tlb_lo1 & MIPS3_PG_V);
++		(tlb_lo[1] & MIPS3_PG_D) | (tlb_lo[1] & MIPS3_PG_V);
+ 
+ 	kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc,
+ 		  tlb->tlb_lo0, tlb->tlb_lo1);
diff --git a/queue-3.16/mips-kvm-propagate-kseg0-mapped-tlb-fault-errors.patch b/queue-3.16/mips-kvm-propagate-kseg0-mapped-tlb-fault-errors.patch
new file mode 100644
index 0000000..6923411
--- /dev/null
+++ b/queue-3.16/mips-kvm-propagate-kseg0-mapped-tlb-fault-errors.patch
@@ -0,0 +1,109 @@
+From: James Hogan <james.hogan@imgtec.com>
+Date: Thu, 11 Aug 2016 11:58:15 +0100
+Subject: MIPS: KVM: Propagate kseg0/mapped tlb fault errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 9b731bcfdec4c159ad2e4312e25d69221709b96a upstream.
+
+Propagate errors from kvm_mips_handle_kseg0_tlb_fault() and
+kvm_mips_handle_mapped_seg_tlb_fault(), usually triggering an internal
+error since they normally indicate the guest accessed bad physical
+memory or the commpage in an unexpected way.
+
+Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
+Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch emulation.")
+Signed-off-by: James Hogan <james.hogan@imgtec.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: "Radim Krčmář" <rkrcmar@redhat.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: linux-mips@linux-mips.org
+Cc: kvm@vger.kernel.org
+Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
+[bwh: Backported to 3.16: adjust filename, context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/arch/mips/kvm/kvm_mips_emul.c
++++ b/arch/mips/kvm/kvm_mips_emul.c
+@@ -1481,9 +1481,13 @@ kvm_mips_emulate_cache(uint32_t inst, ui
+ 
+ 	preempt_disable();
+ 	if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) {
+-
+-		if (kvm_mips_host_tlb_lookup(vcpu, va) < 0) {
+-			kvm_mips_handle_kseg0_tlb_fault(va, vcpu);
++		if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 &&
++		    kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) {
++			kvm_err("%s: handling mapped kseg0 tlb fault for %lx, vcpu: %p, ASID: %#lx\n",
++				__func__, va, vcpu, read_c0_entryhi());
++			er = EMULATE_FAIL;
++			preempt_enable();
++			goto done;
+ 		}
+ 	} else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) ||
+ 		   KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) {
+@@ -1516,11 +1520,19 @@ kvm_mips_emulate_cache(uint32_t inst, ui
+ 								run, vcpu);
+ 				preempt_enable();
+ 				goto dont_update_pc;
+-			} else {
+-				/* We fault an entry from the guest tlb to the shadow host TLB */
+-				kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
+-								     NULL,
+-								     NULL);
++			}
++			/*
++			 * We fault an entry from the guest tlb to the
++			 * shadow host TLB
++			 */
++			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
++								 NULL, NULL)) {
++				kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
++					__func__, va, index, vcpu,
++					read_c0_entryhi());
++				er = EMULATE_FAIL;
++				preempt_enable();
++				goto done;
+ 			}
+ 		}
+ 	} else {
+@@ -2335,8 +2347,13 @@ kvm_mips_handle_tlbmiss(unsigned long ca
+ 			    ("Injecting hi: %#lx, lo0: %#lx, lo1: %#lx into shadow host TLB\n",
+ 			     tlb->tlb_hi, tlb->tlb_lo0, tlb->tlb_lo1);
+ 			/* OK we have a Guest TLB entry, now inject it into the shadow host TLB */
+-			kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, NULL,
+-							     NULL);
++			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
++								 NULL, NULL)) {
++				kvm_err("%s: handling mapped seg tlb fault for %lx, index: %u, vcpu: %p, ASID: %#lx\n",
++					__func__, va, index, vcpu,
++					read_c0_entryhi());
++				er = EMULATE_FAIL;
++			}
+ 		}
+ 	}
+ 
+--- a/arch/mips/kvm/kvm_tlb.c
++++ b/arch/mips/kvm/kvm_tlb.c
+@@ -801,10 +801,16 @@ uint32_t kvm_get_inst(uint32_t *opc, str
+ 				local_irq_restore(flags);
+ 				return KVM_INVALID_INST;
+ 			}
+-			kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
+-							     &vcpu->arch.
+-							     guest_tlb[index],
+-							     NULL, NULL);
++			if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
++						&vcpu->arch.guest_tlb[index],
++						NULL, NULL)) {
++				kvm_err("%s: handling mapped seg tlb fault failed for %p, index: %u, vcpu: %p, ASID: %#lx\n",
++					__func__, opc, index, vcpu,
++					read_c0_entryhi());
++				kvm_mips_dump_guest_tlbs(vcpu);
++				local_irq_restore(flags);
++				return KVM_INVALID_INST;
++			}
+ 			inst = *(opc);
+ 		}
+ 		local_irq_restore(flags);
diff --git a/queue-3.16/mips-malta-fix-iocu-disable-switch-read-for-mips64.patch b/queue-3.16/mips-malta-fix-iocu-disable-switch-read-for-mips64.patch
new file mode 100644
index 0000000..68ac60a
--- /dev/null
+++ b/queue-3.16/mips-malta-fix-iocu-disable-switch-read-for-mips64.patch
@@ -0,0 +1,70 @@
+From: Paul Burton <paul.burton@imgtec.com>
+Date: Fri, 2 Sep 2016 16:07:10 +0100
+Subject: MIPS: Malta: Fix IOCU disable switch read for MIPS64
+
+commit 305723ab439e14debc1d339aa04e835d488b8253 upstream.
+
+Malta boards used with CPU emulators feature a switch to disable use of
+an IOCU. Software has to check this switch & ignore any present IOCU if
+the switch is closed. The read used to do this was unsafe for 64 bit
+kernels, as it simply casted the address 0xbf403000 to a pointer &
+dereferenced it. Whilst in a 32 bit kernel this would access kseg1, in a
+64 bit kernel this attempts to access xuseg & results in an address
+error exception.
+
+Fix by accessing a correctly formed ckseg1 address generated using the
+CKSEG1ADDR macro.
+
+Whilst modifying this code, define the name of the register and the bit
+we care about within it, which indicates whether PCI DMA is routed to
+the IOCU or straight to DRAM. The code previously checked that bit 0 was
+also set, but the least significant 7 bits of the CONFIG_GEN0 register
+contain the value of the MReqInfo signal provided to the IOCU OCP bus,
+so singling out bit 0 makes little sense & that part of the check is
+dropped.
+
+Signed-off-by: Paul Burton <paul.burton@imgtec.com>
+Fixes: b6d92b4a6bdb ("MIPS: Add option to disable software I/O coherency.")
+Cc: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/14187/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/mti-malta/malta-setup.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mti-malta/malta-setup.c
++++ b/arch/mips/mti-malta/malta-setup.c
+@@ -36,6 +36,9 @@
+ #include <linux/console.h>
+ #endif
+ 
++#define ROCIT_CONFIG_GEN0		0x1f403000
++#define  ROCIT_CONFIG_GEN0_PCI_IOCU	BIT(7)
++
+ extern void malta_be_init(void);
+ extern int malta_be_handler(struct pt_regs *regs, int is_fixup);
+ 
+@@ -104,6 +107,8 @@ static void __init fd_activate(void)
+ static int __init plat_enable_iocoherency(void)
+ {
+ 	int supported = 0;
++	u32 cfg;
++
+ 	if (mips_revision_sconid == MIPS_REVISION_SCON_BONITO) {
+ 		if (BONITO_PCICACHECTRL & BONITO_PCICACHECTRL_CPUCOH_PRES) {
+ 			BONITO_PCICACHECTRL |= BONITO_PCICACHECTRL_CPUCOH_EN;
+@@ -126,7 +131,8 @@ static int __init plat_enable_iocoherenc
+ 	} else if (mips_cm_numiocu() != 0) {
+ 		/* Nothing special needs to be done to enable coherency */
+ 		pr_info("CMP IOCU detected\n");
+-		if ((*(unsigned int *)0xbf403000 & 0x81) != 0x81) {
++		cfg = __raw_readl((u32 *)CKSEG1ADDR(ROCIT_CONFIG_GEN0));
++		if (!(cfg & ROCIT_CONFIG_GEN0_PCI_IOCU)) {
+ 			pr_crit("IOCU OPERATION DISABLED BY SWITCH - DEFAULTING TO SW IO COHERENCY\n");
+ 			return 0;
+ 		}
diff --git a/queue-3.16/mips-paravirt-fix-undefined-reference-to-smp_bootstrap.patch b/queue-3.16/mips-paravirt-fix-undefined-reference-to-smp_bootstrap.patch
new file mode 100644
index 0000000..9ee3f71
--- /dev/null
+++ b/queue-3.16/mips-paravirt-fix-undefined-reference-to-smp_bootstrap.patch
@@ -0,0 +1,41 @@
+From: Matt Redfearn <matt.redfearn@imgtec.com>
+Date: Mon, 5 Sep 2016 15:43:40 +0100
+Subject: MIPS: paravirt: Fix undefined reference to smp_bootstrap
+
+commit 951c39cd3bc0aedf67fbd8fb4b9380287e6205d1 upstream.
+
+If the paravirt machine is compiles without CONFIG_SMP, the following
+linker error occurs
+
+arch/mips/kernel/head.o: In function `kernel_entry':
+(.ref.text+0x10): undefined reference to `smp_bootstrap'
+
+due to the kernel entry macro always including SMP startup code.
+Wrap this code in CONFIG_SMP to fix the error.
+
+Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/14212/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/include/asm/mach-paravirt/kernel-entry-init.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
++++ b/arch/mips/include/asm/mach-paravirt/kernel-entry-init.h
+@@ -11,11 +11,13 @@
+ #define CP0_EBASE $15, 1
+ 
+ 	.macro  kernel_entry_setup
++#ifdef CONFIG_SMP
+ 	mfc0	t0, CP0_EBASE
+ 	andi	t0, t0, 0x3ff		# CPUNum
+ 	beqz	t0, 1f
+ 	# CPUs other than zero goto smp_bootstrap
+ 	j	smp_bootstrap
++#endif /* CONFIG_SMP */
+ 
+ 1:
+ 	.endm
diff --git a/queue-3.16/mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch b/queue-3.16/mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch
new file mode 100644
index 0000000..5a6de0b
--- /dev/null
+++ b/queue-3.16/mips-rm7000-double-locking-bug-in-rm7k_tc_disable.patch
@@ -0,0 +1,31 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 15 Jul 2016 14:16:44 +0300
+Subject: MIPS: RM7000: Double locking bug in rm7k_tc_disable()
+
+commit 58a7e1c140f3ad61646bc0cd9a1f6a9cafc0b225 upstream.
+
+We obviously intended to enable IRQs again at the end.
+
+Fixes: 745aef5df1e2 ('MIPS: RM7000: Add support for tertiary cache')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-janitors@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/13815/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mips/mm/sc-rm7k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/mm/sc-rm7k.c
++++ b/arch/mips/mm/sc-rm7k.c
+@@ -161,7 +161,7 @@ static void rm7k_tc_disable(void)
+ 	local_irq_save(flags);
+ 	blast_rm7k_tcache();
+ 	clear_c0_config(RM7K_CONF_TE);
+-	local_irq_save(flags);
++	local_irq_restore(flags);
+ }
+ 
+ static void rm7k_sc_disable(void)
diff --git a/queue-3.16/mm-hugetlb-avoid-soft-lockup-in-set_max_huge_pages.patch b/queue-3.16/mm-hugetlb-avoid-soft-lockup-in-set_max_huge_pages.patch
new file mode 100644
index 0000000..129872f
--- /dev/null
+++ b/queue-3.16/mm-hugetlb-avoid-soft-lockup-in-set_max_huge_pages.patch
@@ -0,0 +1,52 @@
+From: Jia He <hejianet@gmail.com>
+Date: Tue, 2 Aug 2016 14:02:31 -0700
+Subject: mm/hugetlb: avoid soft lockup in set_max_huge_pages()
+
+commit 649920c6ab93429b94bc7c1aa7c0e8395351be32 upstream.
+
+In powerpc servers with large memory(32TB), we watched several soft
+lockups for hugepage under stress tests.
+
+The call traces are as follows:
+1.
+get_page_from_freelist+0x2d8/0xd50
+__alloc_pages_nodemask+0x180/0xc20
+alloc_fresh_huge_page+0xb0/0x190
+set_max_huge_pages+0x164/0x3b0
+
+2.
+prep_new_huge_page+0x5c/0x100
+alloc_fresh_huge_page+0xc8/0x190
+set_max_huge_pages+0x164/0x3b0
+
+This patch fixes such soft lockups.  It is safe to call cond_resched()
+there because it is out of spin_lock/unlock section.
+
+Link: http://lkml.kernel.org/r/1469674442-14848-1-git-send-email-hejianet@gmail.com
+Signed-off-by: Jia He <hejianet@gmail.com>
+Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ mm/hugetlb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -1655,6 +1655,10 @@ static unsigned long set_max_huge_pages(
+ 		 * and reducing the surplus.
+ 		 */
+ 		spin_unlock(&hugetlb_lock);
++
++		/* yield cpu to avoid soft lockup */
++		cond_resched();
++
+ 		if (hstate_is_gigantic(h))
+ 			ret = alloc_fresh_gigantic_page(h, nodes_allowed);
+ 		else
diff --git a/queue-3.16/mm-ksm-fix-endless-looping-in-allocating-memory-when-ksm-enable.patch b/queue-3.16/mm-ksm-fix-endless-looping-in-allocating-memory-when-ksm-enable.patch
new file mode 100644
index 0000000..a393175
--- /dev/null
+++ b/queue-3.16/mm-ksm-fix-endless-looping-in-allocating-memory-when-ksm-enable.patch
@@ -0,0 +1,71 @@
+From: zhong jiang <zhongjiang@huawei.com>
+Date: Wed, 28 Sep 2016 15:22:30 -0700
+Subject: mm,ksm: fix endless looping in allocating memory when ksm enable
+
+commit 5b398e416e880159fe55eefd93c6588fa072cd66 upstream.
+
+I hit the following hung task when runing a OOM LTP test case with 4.1
+kernel.
+
+Call trace:
+[<ffffffc000086a88>] __switch_to+0x74/0x8c
+[<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
+[<ffffffc000a1c09c>] schedule+0x3c/0x94
+[<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
+[<ffffffc000a1e32c>] down_write+0x64/0x80
+[<ffffffc00021f794>] __ksm_exit+0x90/0x19c
+[<ffffffc0000be650>] mmput+0x118/0x11c
+[<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
+[<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
+[<ffffffc0000d0f34>] get_signal+0x444/0x5e0
+[<ffffffc000089fcc>] do_signal+0x1d8/0x450
+[<ffffffc00008a35c>] do_notify_resume+0x70/0x78
+
+The oom victim cannot terminate because it needs to take mmap_sem for
+write while the lock is held by ksmd for read which loops in the page
+allocator
+
+ksm_do_scan
+	scan_get_next_rmap_item
+		down_read
+		get_next_rmap_item
+			alloc_rmap_item   #ksmd will loop permanently.
+
+There is no way forward because the oom victim cannot release any memory
+in 4.1 based kernel.  Since 4.6 we have the oom reaper which would solve
+this problem because it would release the memory asynchronously.
+Nevertheless we can relax alloc_rmap_item requirements and use
+__GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
+would just retry later after the lock got dropped.
+
+Such a patch would be also easy to backport to older stable kernels which
+do not have oom_reaper.
+
+While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
+by the allocation failure.
+
+Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.com
+Signed-off-by: zhong jiang <zhongjiang@huawei.com>
+Suggested-by: Hugh Dickins <hughd@google.com>
+Suggested-by: Michal Hocko <mhocko@suse.cz>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ mm/ksm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -283,7 +283,8 @@ static inline struct rmap_item *alloc_rm
+ {
+ 	struct rmap_item *rmap_item;
+ 
+-	rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL);
++	rmap_item = kmem_cache_zalloc(rmap_item_cache, GFP_KERNEL |
++						__GFP_NORETRY | __GFP_NOWARN);
+ 	if (rmap_item)
+ 		ksm_rmap_items++;
+ 	return rmap_item;
diff --git a/queue-3.16/mm-workingset-fix-crash-in-shadow-node-shrinker-caused-by.patch b/queue-3.16/mm-workingset-fix-crash-in-shadow-node-shrinker-caused-by.patch
new file mode 100644
index 0000000..61fb122
--- /dev/null
+++ b/queue-3.16/mm-workingset-fix-crash-in-shadow-node-shrinker-caused-by.patch
@@ -0,0 +1,219 @@
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Fri, 30 Sep 2016 15:11:29 -0700
+Subject: mm: workingset: fix crash in shadow node shrinker caused by
+ replace_page_cache_page()
+
+commit 22f2ac51b6d643666f4db093f13144f773ff3f3a upstream.
+
+Antonio reports the following crash when using fuse under memory pressure:
+
+  kernel BUG at /build/linux-a2WvEb/linux-4.4.0/mm/workingset.c:346!
+  invalid opcode: 0000 [#1] SMP
+  Modules linked in: all of them
+  CPU: 2 PID: 63 Comm: kswapd0 Not tainted 4.4.0-36-generic #55-Ubuntu
+  Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013
+  task: ffff88040cae6040 ti: ffff880407488000 task.ti: ffff880407488000
+  RIP: shadow_lru_isolate+0x181/0x190
+  Call Trace:
+    __list_lru_walk_one.isra.3+0x8f/0x130
+    list_lru_walk_one+0x23/0x30
+    scan_shadow_nodes+0x34/0x50
+    shrink_slab.part.40+0x1ed/0x3d0
+    shrink_zone+0x2ca/0x2e0
+    kswapd+0x51e/0x990
+    kthread+0xd8/0xf0
+    ret_from_fork+0x3f/0x70
+
+which corresponds to the following sanity check in the shadow node
+tracking:
+
+  BUG_ON(node->count & RADIX_TREE_COUNT_MASK);
+
+The workingset code tracks radix tree nodes that exclusively contain
+shadow entries of evicted pages in them, and this (somewhat obscure)
+line checks whether there are real pages left that would interfere with
+reclaim of the radix tree node under memory pressure.
+
+While discussing ways how fuse might sneak pages into the radix tree
+past the workingset code, Miklos pointed to replace_page_cache_page(),
+and indeed there is a problem there: it properly accounts for the old
+page being removed - __delete_from_page_cache() does that - but then
+does a raw raw radix_tree_insert(), not accounting for the replacement
+page.  Eventually the page count bits in node->count underflow while
+leaving the node incorrectly linked to the shadow node LRU.
+
+To address this, make sure replace_page_cache_page() uses the tracked
+page insertion code, page_cache_tree_insert().  This fixes the page
+accounting and makes sure page-containing nodes are properly unlinked
+from the shadow node LRU again.
+
+Also, make the sanity checks a bit less obscure by using the helpers for
+checking the number of pages and shadows in a radix tree node.
+
+Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
+Link: http://lkml.kernel.org/r/20160919155822.29498-1-hannes@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
+Debugged-by: Miklos Szeredi <miklos@szeredi.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 3.16:
+ - Implementation of page_cache_tree_insert() is different
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/include/linux/swap.h
++++ b/include/linux/swap.h
+@@ -274,6 +274,7 @@ static inline void workingset_node_pages
+ 
+ static inline void workingset_node_pages_dec(struct radix_tree_node *node)
+ {
++	VM_BUG_ON(!workingset_node_pages(node));
+ 	node->count--;
+ }
+ 
+@@ -289,6 +290,7 @@ static inline void workingset_node_shado
+ 
+ static inline void workingset_node_shadows_dec(struct radix_tree_node *node)
+ {
++	VM_BUG_ON(!workingset_node_shadows(node));
+ 	node->count -= 1U << RADIX_TREE_COUNT_SHIFT;
+ }
+ 
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -108,6 +108,48 @@
+  *   ->tasklist_lock            (memory_failure, collect_procs_ao)
+  */
+ 
++static int page_cache_tree_insert(struct address_space *mapping,
++				  struct page *page, void **shadowp)
++{
++	struct radix_tree_node *node;
++	void **slot;
++	int error;
++
++	error = __radix_tree_create(&mapping->page_tree, page->index,
++				    &node, &slot);
++	if (error)
++		return error;
++	if (*slot) {
++		void *p;
++
++		p = radix_tree_deref_slot_protected(slot, &mapping->tree_lock);
++		if (!radix_tree_exceptional_entry(p))
++			return -EEXIST;
++		if (shadowp)
++			*shadowp = p;
++		mapping->nrshadows--;
++		if (node)
++			workingset_node_shadows_dec(node);
++	}
++	radix_tree_replace_slot(slot, page);
++	mapping->nrpages++;
++	if (node) {
++		workingset_node_pages_inc(node);
++		/*
++		 * Don't track node that contains actual pages.
++		 *
++		 * Avoid acquiring the list_lru lock if already
++		 * untracked.  The list_empty() test is safe as
++		 * node->private_list is protected by
++		 * mapping->tree_lock.
++		 */
++		if (!list_empty(&node->private_list))
++			list_lru_del(&workingset_shadow_nodes,
++				     &node->private_list);
++	}
++	return 0;
++}
++
+ static void page_cache_tree_delete(struct address_space *mapping,
+ 				   struct page *page, void *shadow)
+ {
+@@ -494,7 +536,7 @@ int replace_page_cache_page(struct page
+ 
+ 		spin_lock_irq(&mapping->tree_lock);
+ 		__delete_from_page_cache(old, NULL);
+-		error = radix_tree_insert(&mapping->page_tree, offset, new);
++		error = page_cache_tree_insert(mapping, new, NULL);
+ 		BUG_ON(error);
+ 		mapping->nrpages++;
+ 		__inc_zone_page_state(new, NR_FILE_PAGES);
+@@ -513,48 +555,6 @@ int replace_page_cache_page(struct page
+ }
+ EXPORT_SYMBOL_GPL(replace_page_cache_page);
+ 
+-static int page_cache_tree_insert(struct address_space *mapping,
+-				  struct page *page, void **shadowp)
+-{
+-	struct radix_tree_node *node;
+-	void **slot;
+-	int error;
+-
+-	error = __radix_tree_create(&mapping->page_tree, page->index,
+-				    &node, &slot);
+-	if (error)
+-		return error;
+-	if (*slot) {
+-		void *p;
+-
+-		p = radix_tree_deref_slot_protected(slot, &mapping->tree_lock);
+-		if (!radix_tree_exceptional_entry(p))
+-			return -EEXIST;
+-		if (shadowp)
+-			*shadowp = p;
+-		mapping->nrshadows--;
+-		if (node)
+-			workingset_node_shadows_dec(node);
+-	}
+-	radix_tree_replace_slot(slot, page);
+-	mapping->nrpages++;
+-	if (node) {
+-		workingset_node_pages_inc(node);
+-		/*
+-		 * Don't track node that contains actual pages.
+-		 *
+-		 * Avoid acquiring the list_lru lock if already
+-		 * untracked.  The list_empty() test is safe as
+-		 * node->private_list is protected by
+-		 * mapping->tree_lock.
+-		 */
+-		if (!list_empty(&node->private_list))
+-			list_lru_del(&workingset_shadow_nodes,
+-				     &node->private_list);
+-	}
+-	return 0;
+-}
+-
+ static int __add_to_page_cache_locked(struct page *page,
+ 				      struct address_space *mapping,
+ 				      pgoff_t offset, gfp_t gfp_mask,
+--- a/mm/workingset.c
++++ b/mm/workingset.c
+@@ -340,21 +340,19 @@ static enum lru_status shadow_lru_isolat
+ 	 * no pages, so we expect to be able to remove them all and
+ 	 * delete and free the empty node afterwards.
+ 	 */
+-
+-	BUG_ON(!node->count);
+-	BUG_ON(node->count & RADIX_TREE_COUNT_MASK);
++	BUG_ON(!workingset_node_shadows(node));
++	BUG_ON(workingset_node_pages(node));
+ 
+ 	for (i = 0; i < RADIX_TREE_MAP_SIZE; i++) {
+ 		if (node->slots[i]) {
+ 			BUG_ON(!radix_tree_exceptional_entry(node->slots[i]));
+ 			node->slots[i] = NULL;
+-			BUG_ON(node->count < (1U << RADIX_TREE_COUNT_SHIFT));
+-			node->count -= 1U << RADIX_TREE_COUNT_SHIFT;
++			workingset_node_shadows_dec(node);
+ 			BUG_ON(!mapping->nrshadows);
+ 			mapping->nrshadows--;
+ 		}
+ 	}
+-	BUG_ON(node->count);
++	BUG_ON(workingset_node_shadows(node));
+ 	inc_zone_state(page_zone(virt_to_page(node)), WORKINGSET_NODERECLAIM);
+ 	if (!__radix_tree_delete_node(&mapping->page_tree, node))
+ 		BUG();
diff --git a/queue-3.16/mmc-block-fix-packed-command-header-endianness.patch b/queue-3.16/mmc-block-fix-packed-command-header-endianness.patch
new file mode 100644
index 0000000..b9eac68
--- /dev/null
+++ b/queue-3.16/mmc-block-fix-packed-command-header-endianness.patch
@@ -0,0 +1,55 @@
+From: Taras Kondratiuk <takondra@cisco.com>
+Date: Wed, 13 Jul 2016 22:05:38 +0000
+Subject: mmc: block: fix packed command header endianness
+
+commit f68381a70bb2b26c31b13fdaf67c778f92fd32b4 upstream.
+
+The code that fills packed command header assumes that CPU runs in
+little-endian mode. Hence the header is malformed in big-endian mode
+and causes MMC data transfer errors:
+
+[  563.200828] mmcblk0: error -110 transferring data, sector 2048, nr 8, cmd response 0x900, card status 0xc40
+[  563.219647] mmcblk0: packed cmd failed, nr 2, sectors 16, failure index: -1
+
+Convert header data to LE.
+
+Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
+Fixes: ce39f9d17c14 ("mmc: support packed write command for eMMC4.5 devices")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/mmc/card/block.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -1659,8 +1659,8 @@ static void mmc_blk_packed_hdr_wrq_prep(
+ 
+ 	packed_cmd_hdr = packed->cmd_hdr;
+ 	memset(packed_cmd_hdr, 0, sizeof(packed->cmd_hdr));
+-	packed_cmd_hdr[0] = (packed->nr_entries << 16) |
+-		(PACKED_CMD_WR << 8) | PACKED_CMD_VER;
++	packed_cmd_hdr[0] = cpu_to_le32((packed->nr_entries << 16) |
++		(PACKED_CMD_WR << 8) | PACKED_CMD_VER);
+ 	hdr_blocks = mmc_large_sector(card) ? 8 : 1;
+ 
+ 	/*
+@@ -1674,14 +1674,14 @@ static void mmc_blk_packed_hdr_wrq_prep(
+ 			((brq->data.blocks * brq->data.blksz) >=
+ 			 card->ext_csd.data_tag_unit_size);
+ 		/* Argument of CMD23 */
+-		packed_cmd_hdr[(i * 2)] =
++		packed_cmd_hdr[(i * 2)] = cpu_to_le32(
+ 			(do_rel_wr ? MMC_CMD23_ARG_REL_WR : 0) |
+ 			(do_data_tag ? MMC_CMD23_ARG_TAG_REQ : 0) |
+-			blk_rq_sectors(prq);
++			blk_rq_sectors(prq));
+ 		/* Argument of CMD18 or CMD25 */
+-		packed_cmd_hdr[((i * 2)) + 1] =
++		packed_cmd_hdr[((i * 2)) + 1] = cpu_to_le32(
+ 			mmc_card_blockaddr(card) ?
+-			blk_rq_pos(prq) : blk_rq_pos(prq) << 9;
++			blk_rq_pos(prq) : blk_rq_pos(prq) << 9);
+ 		packed->blocks += blk_rq_sectors(prq);
+ 		i++;
+ 	}
diff --git a/queue-3.16/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch b/queue-3.16/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch
new file mode 100644
index 0000000..f658137
--- /dev/null
+++ b/queue-3.16/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch
@@ -0,0 +1,32 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:33:10 -0400
+Subject: mn10300: copy_from_user() should zero on access_ok() failure...
+
+commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mn10300/lib/usercopy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/mn10300/lib/usercopy.c
++++ b/arch/mn10300/lib/usercopy.c
+@@ -9,7 +9,7 @@
+  * as published by the Free Software Foundation; either version
+  * 2 of the Licence, or (at your option) any later version.
+  */
+-#include <asm/uaccess.h>
++#include <linux/uaccess.h>
+ 
+ unsigned long
+ __generic_copy_to_user(void *to, const void *from, unsigned long n)
+@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const
+ {
+ 	if (access_ok(VERIFY_READ, from, n))
+ 		__copy_user_zeroing(to, from, n);
++	else
++		memset(to, 0, n);
+ 	return n;
+ }
+ 
diff --git a/queue-3.16/mn10300-failing-__get_user-and-get_user-should-zero.patch b/queue-3.16/mn10300-failing-__get_user-and-get_user-should-zero.patch
new file mode 100644
index 0000000..651164e
--- /dev/null
+++ b/queue-3.16/mn10300-failing-__get_user-and-get_user-should-zero.patch
@@ -0,0 +1,22 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:32:02 -0400
+Subject: mn10300: failing __get_user() and get_user() should zero
+
+commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/mn10300/include/asm/uaccess.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mn10300/include/asm/uaccess.h
++++ b/arch/mn10300/include/asm/uaccess.h
+@@ -181,6 +181,7 @@ struct __large_struct { unsigned long bu
+ 		"2:\n"						\
+ 		"	.section	.fixup,\"ax\"\n"	\
+ 		"3:\n\t"					\
++		"	mov		0,%1\n"			\
+ 		"	mov		%3,%0\n"		\
+ 		"	jmp		2b\n"			\
+ 		"	.previous\n"				\
diff --git a/queue-3.16/module-invalidate-signatures-on-force-loaded-modules.patch b/queue-3.16/module-invalidate-signatures-on-force-loaded-modules.patch
new file mode 100644
index 0000000..becbdf3
--- /dev/null
+++ b/queue-3.16/module-invalidate-signatures-on-force-loaded-modules.patch
@@ -0,0 +1,59 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 28 Apr 2016 09:24:01 +0930
+Subject: module: Invalidate signatures on force-loaded modules
+
+commit bca014caaa6130e57f69b5bf527967aa8ee70fdd upstream.
+
+Signing a module should only make it trusted by the specific kernel it
+was built for, not anything else.  Loading a signed module meant for a
+kernel with a different ABI could have interesting effects.
+Therefore, treat all signatures as invalid when a module is
+force-loaded.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+---
+ kernel/module.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -2435,13 +2435,18 @@ static inline void kmemleak_load_module(
+ #endif
+ 
+ #ifdef CONFIG_MODULE_SIG
+-static int module_sig_check(struct load_info *info)
++static int module_sig_check(struct load_info *info, int flags)
+ {
+ 	int err = -ENOKEY;
+ 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
+ 	const void *mod = info->hdr;
+ 
+-	if (info->len > markerlen &&
++	/*
++	 * Require flags == 0, as a module with version information
++	 * removed is no longer the module that was signed
++	 */
++	if (flags == 0 &&
++	    info->len > markerlen &&
+ 	    memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
+ 		/* We truncate the module to discard the signature */
+ 		info->len -= markerlen;
+@@ -2463,7 +2468,7 @@ static int module_sig_check(struct load_
+ 	return err;
+ }
+ #else /* !CONFIG_MODULE_SIG */
+-static int module_sig_check(struct load_info *info)
++static int module_sig_check(struct load_info *info, int flags)
+ {
+ 	return 0;
+ }
+@@ -3200,7 +3205,7 @@ static int load_module(struct load_info
+ 	long err;
+ 	char *after_dashes;
+ 
+-	err = module_sig_check(info);
++	err = module_sig_check(info, flags);
+ 	if (err)
+ 		goto free_copy;
+ 
diff --git a/queue-3.16/mtd-nand-davinci-reinitialize-the-hw-ecc-engine-in-4bit-hwctl.patch b/queue-3.16/mtd-nand-davinci-reinitialize-the-hw-ecc-engine-in-4bit-hwctl.patch
new file mode 100644
index 0000000..1284cf9
--- /dev/null
+++ b/queue-3.16/mtd-nand-davinci-reinitialize-the-hw-ecc-engine-in-4bit-hwctl.patch
@@ -0,0 +1,49 @@
+From: Karl Beldan <kbeldan@baylibre.com>
+Date: Mon, 29 Aug 2016 07:45:49 +0000
+Subject: mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
+
+commit f6d7c1b5598b6407c3f1da795dd54acf99c1990c upstream.
+
+This fixes subpage writes when using 4-bit HW ECC.
+
+There has been numerous reports about ECC errors with devices using this
+driver for a while.  Also the 4-bit ECC has been reported as broken with
+subpages