On 32-bit systems, the initial_page_table is reused by
efi_call_phys_prolog as an identity map to call
SetVirtualAddressMap.  efi_call_phys_prolog takes care of
converting the current CPU's GDT to a physical address too.

For PAE kernels the identity mapping is achieved by aliasing the
first PDPE for the kernel memory mapping into the first PDPE
of initial_page_table.  This makes the EFI stub's trick "just work".

However, for non-PAE kernels there is no guarantee that the identity
mapping in the initial_page_table extends as far as the GDT; in this
case, accesses to the GDT will cause a page fault (which quickly becomes
a triple fault).  Fix this by copying the kernel mappings from
swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at
identity mapping.

For some reason, this is only reproducible with QEMU's dynamic translation
mode, and not for example with KVM.  However, even under KVM one can clearly
see that the page table is bogus:

    $ qemu-system-i386 -pflash OVMF.fd -M q35 vmlinuz0 -s -S -daemonize
    $ gdb
    (gdb) target remote localhost:1234
    (gdb) hb *0x02858f6f
    Hardware assisted breakpoint 1 at 0x2858f6f
    (gdb) c
    Continuing.

    Breakpoint 1, 0x02858f6f in ?? ()
    (gdb) monitor info registers
    ...
    GDT=     0724e000 000000ff
    IDT=     fffbb000 000007ff
    CR0=0005003b CR2=ff896000 CR3=032b7000 CR4=00000690
    ...

The page directory is sane:

    (gdb) x/4wx 0x32b7000
    0x32b7000:	0x03398063	0x03399063	0x0339a063	0x0339b063
    (gdb) x/4wx 0x3398000
    0x3398000:	0x00000163	0x00001163	0x00002163	0x00003163
    (gdb) x/4wx 0x3399000
    0x3399000:	0x00400003	0x00401003	0x00402003	0x00403003

but our particular page directory entry is empty:

    (gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4
    0x32b7070:	0x00000000

[ It appears that you can skate past this issue if you don't receive
  any interrupts while the bogus GDT pointer is loaded, or if you avoid
  reloading the segment registers in general.

  Andy Lutomirski provides some additional insight:

   "AFAICT it's entirely permissible for the GDTR and/or LDT
    descriptor to point to unmapped memory.  Any attempt to use them
    (segment loads, interrupts, IRET, etc) will try to access that memory
    as if the access came from CPL 0 and, if the access fails, will
    generate a valid page fault with CR2 pointing into the GDT or
    LDT."

  Up until commit 23a0d4e8 ("efi: Disable interrupts around EFI
  calls, not in the epilog/prolog calls") interrupts were disabled
  around the prolog and epilog calls, and the functional GDT was
  re-installed before interrupts were re-enabled.

  Which explains why no one has hit this issue until now. ]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Laszlo Ersek <lersek@redhat.com>
Cc: <stable@vger.kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
[ Updated changelog. ]

When multiple GOP devices exists, but none of them implements
ConOut, the code should just choose the first GOP (according to
the comments). But currently 'fb_base' will refer to the last GOP,
while other parameters to the first GOP, which will likely
result in a garbled display.

I can reliably reproduce this bug using my ASRock Z87M Extreme4
motherboard with CSM and integrated GPU disabled, and two PCIe
video cards (NVidia GT640 and GTX980), booting from efi-stub
(booting from grub works fine).  On the primary display the
ASRock logo remains and on the secondary screen it is garbled
up completely.
Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Cc: <stable@vger.kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1444659236-24837-2-git-send-email-matt@codeblueprint.co.ukSigned-off-by: Ingo Molnar <mingo@kernel.org>

Pull nfsd fixes from Bruce Fields:
 "Two nfsd fixes, one for an RDMA crash, one for a pnfs/block protocol
  bug"

* tag 'nfsd-4.3-2' of git://linux-nfs.org/~bfields/linux:
  svcrdma: Fix NFS server crash triggered by 1MB NFS WRITE
  nfsd/blocklayout: accept any minlength

Pull crypto fixes from Herbert Xu:
 "This fixes the following issues:

   - Fix AVX detection to prevent use of non-existent AESNI.

   - Some SPARC ciphers did not set their IV size which may lead to
     memory corruption"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: ahash - ensure statesize is non-zero
  crypto: camellia_aesni_avx - Fix CPU feature checks
  crypto: sparc - initialize blkcipher.ivsize

Pull IOMMU fixes from Joerg Roedel:
 "A few fixes piled up:

   - Fix for a suspend/resume issue where PCI probing code overwrote
     dev->irq for the MSI irq of the AMD IOMMU.

   - Fix for a kernel crash when a 32 bit PCI device was assigned to a
     KVM guest.

   - Fix for a possible memory leak in the VT-d driver

   - A couple of fixes for the ARM-SMMU driver"

* tag 'iommu-fixes-v4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/amd: Fix NULL pointer deref on device detach
  iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices
  iommu/vt-d: Fix memory leak in dmar_insert_one_dev_info()
  iommu/arm-smmu: Use correct address mask for CMD_TLBI_S2_IPA
  iommu/arm-smmu: Ensure IAS is set correctly for AArch32-capable SMMUs
  iommu/io-pgtable-arm: Don't use dma_to_phys()

Pull drm fixes from Dave Airlie:
 "I got a bit behind last week, so here is a delayed fixes pull:

   - a bunch of radeon/amd gpu fixes
   - some nouveau regression fixes (ppc bios reading and runtime pm fix)
   - one drm core oops fix
   - two qxl locking fixes
   - one qxl regression fix"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/nouveau/bios: fix OF loading
  drm/nouveau/fbcon: take runpm reference when userspace has an open fd
  drm/nouveau/nouveau: Disable AGP for SiS 761
  drm/nouveau/display: allow up to 16k width/height for fermi+
  drm/nouveau/bios: translate devinit pri/sec i2c bus to internal identifiers
  drm: Fix locking for sysfs dpms file
  drm/amdgpu: fix memory leak in amdgpu_vm_update_page_directory
  drm/amdgpu: fix 32-bit compiler warning
  drm/qxl: avoid dependency lock
  drm/qxl: avoid buffer reservation in qxl_crtc_page_flip
  drm/qxl: fix framebuffer dirty rectangle tracking.
  drm/amdgpu: flag iceland as experimental
  drm/amdgpu: check before checking pci bridge registers
  drm/amdgpu: fix num_crtc on CZ
  drm/amdgpu: restore the fbdev mode in lastclose
  drm/radeon: restore the fbdev mode in lastclose
  drm/radeon: add quirk for ASUS R7 370
  drm/amdgpu: add pm sysfs files late
  drm/radeon: add pm sysfs files late

Unlike shash algorithms, ahash drivers must implement export
and import as their descriptors may contain hardware state and
cannot be exported as is.  Unfortunately some ahash drivers did
not provide them and end up causing crashes with algif_hash.

This patch adds a check to prevent these drivers from registering
ahash algorithms until they are fixed.

Cc: stable@vger.kernel.org
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Now that the NFS server advertises a maximum payload size of 1MB
for RPC/RDMA again, it crashes in svc_process_common() when NFS
client sends a 1MB NFS WRITE on an NFS/RDMA mount.

The server has set up a 259 element array of struct page pointers
in rq_pages[] for each incoming request. The last element of the
array is NULL.

When an incoming request has been completely received,
rdma_read_complete() attempts to set the starting page of the
incoming page vector:

  rqstp->rq_arg.pages = &rqstp->rq_pages[head->hdr_count];

and the page to use for the reply:

  rqstp->rq_respages = &rqstp->rq_arg.pages[page_no];

But the value of page_no has already accounted for head->hdr_count.
Thus rq_respages now points past the end of the incoming pages.

For NFS WRITE operations smaller than the maximum, this is harmless.
But when the NFS WRITE operation is as large as the server's max
payload size, rq_respages now points at the last entry in rq_pages,
which is NULL.

Fixes: cc9a903d ('svcrdma: Change maximum server payload . . .')
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=270Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Sagi Grimberg <sagig@dev.mellanox.co.il>
Reviewed-by: Steve Wise <swise@opengridcomputing.com>
Reviewed-by: Shirley Ma <shirley.ma@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

Nothing too crazy here, a couple of regression fixes + runpm/fbcon
race fix.

* 'linux-4.3' of git://anongit.freedesktop.org/git/nouveau/linux-2.6:
  drm/nouveau/bios: fix OF loading
  drm/nouveau/fbcon: take runpm reference when userspace has an open fd
  drm/nouveau/nouveau: Disable AGP for SiS 761
  drm/nouveau/display: allow up to 16k width/height for fermi+
  drm/nouveau/bios: translate devinit pri/sec i2c bus to internal identifiers

Currently OF bios load fails for a few reasons:
 - checksum failure
 - bios size too small
 - no PCIR header
 - bios length not a multiple of 4

In this change, we resolve all of the above by ignoring any checksum
failures (since OF VBIOS tends not to have a checksum), and faking the
PCIR data when loading from OF.
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

We need to do this in order to prevent accesses to the device while it's
powered down.  Userspace may have an mmap of the fb, and there's no good
way (that I know of) to prevent it from touching the device otherwise.

This fixes some nasty races between runpm and plymouth on some systems,
which result in the GPU getting very upset and hanging the boot.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Cc: stable@vger.kernel.org

SiS 761 chipset does not support AGP cards but has AGP capability (for
the onboard video). At least PC Chips A31G board using this chipset has
an AGP-like AGPro slot that's wired to the PCI bus. Enabling AGP will
fail (GPU lockup and software fbcon, X11 hangs).

Add support for matching just the host bridge in nvkm_device_agp_quirks
and add entry for SiS 761 with mode 0 (AGP disabled).
Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

fdo#92013.

Regression from "i2c: transition pad/ports away from being based on nvkm_object"
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

Pull scheduler fix from Thomas Gleixner:
 "Fix a long standing state race in finish_task_switch()"

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched/core: Fix TASK_DEAD race in finish_task_switch()

Pull perf fix from Thomas Glexiner:
 "Fix build breakage on powerpc in perf tools"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf tools: Fix build break on powerpc due to sample_reg_masks

Pull maintainer email update from Thomas Gleixner:
 "Change Matt Fleming's email address in the maintainers file"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  MAINTAINERS: Change Matt Fleming's email address

Pull irq fixes from Thomas Gleixner:
 "Three trivial commits:

   - Fix a kerneldoc regression

   - Export handle_bad_irq to unbreak a driver in next

   - Add an accessor for the of_node field so refactoring in next does
     not depend on merge ordering"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqdomain: Add an accessor for the of_node field
  genirq: Fix handle_bad_irq kerneldoc comment
  genirq: Export handle_bad_irq

Pull SCSI fixes from James Bottomley:
 "This is a set of three bug fixes, two of which are regressions from
  recent updates (the 3ware one from 4.1 and the device handler fixes
  from 4.2)"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  3w-9xxx: don't unmap bounce buffered commands
  scsi_dh: Use the correct module name when loading device handler
  libiscsi: Fix iscsi_check_transport_timeouts possible infinite loop

Pull md bugfix from Neil Brown:
 "One bug fix for raid1/raid10.

  Very careless bug earler in 4.3-rc, now fixed :-)"

* tag 'md/4.3-rc4-fix' of git://neil.brown.name/md:
  crash in md-raid1 and md-raid10 due to incorrect list manipulation

My Intel email address will soon expire. Replace it with my
personal address so people still know where to send patches.
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1444494136-10333-1-git-send-email-matt@codeblueprint.co.ukSigned-off-by: Ingo Molnar <mingo@kernel.org>

Pull USB fixes from Greg KH:
 "Here are some small USB and PHY fixes and quirk updates for 4.3-rc5.

  Nothing major here, full details in the shortlog, and all of these
  have been in linux-next for a while"

* tag 'usb-4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  usb: Add device quirk for Logitech PTZ cameras
  USB: chaoskey read offset bug
  USB: Add reset-resume quirk for two Plantronics usb headphones.
  usb: renesas_usbhs: Add support for R-Car H3
  usb: renesas_usbhs: fix build warning if 64-bit architecture
  usb: gadget: bdc: fix memory leak
  phy: berlin-sata: Fix module autoload for OF platform driver
  phy: rockchip-usb: power down phy when rockchip phy probe
  phy: qcom-ufs: fix build error when the component is built as a module

Pull tty/serial driver fixes from Greg KH:
 "Here are a few bug fixes for the tty core that resolve reported
  issues, and some serial driver fixes as well (including the
  much-reported imx driver problem)

  All of these have been in linux-next with no reported problems"

* tag 'tty-4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  drivers/tty: require read access for controlling terminal
  serial: 8250: add uart_config entry for PORT_RT2880
  tty: fix data race on tty_buffer.commit
  tty: fix data race in tty_buffer_flush
  tty: fix data race in flush_to_ldisc
  tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
  serial: atmel: fix error path of probe function
  tty: don't leak cdev in tty_cdev_add()
  Revert "serial: imx: remove unbalanced clk_prepare"

Pull staging fixes from Greg KH:
 "Here are two tiny staging tree fixes for 4.3-rc5.

  One fixes the broken speakup subsystem as reported by a user, and the
  other removes an entry in the MAINTAINERS file for a developer that
  doesn't want to be listed anymore"

* tag 'staging-4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: speakup: fix speakup-r regression
  MAINTAINERS: Remove myself as nvec co-maintainer

Pull char/misc driver fixes from Greg KH:
 "Here are some small fixes for some misc drivers that resolve some
  reported issues.  All of these have been linux-next for a while"

* tag 'char-misc-4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  mcb: Fix error handling in mcb_pci_probe()
  mei: hbm: fix error in state check logic
  nvmem: sunxi: Check for memory allocation failure
  nvmem: core: Fix memory leak in nvmem_cell_write
  nvmem: core: Handle shift bits in-place if cell->nbits is non-zero
  nvmem: core: fix the out-of-range leak in read/write()

Pull MIPS fixes from Ralf Baechle:

 - MIPS didn't define the new ioremap_uc.  Defined it as an alias for
   ioremap_uncached.

 - Replace workaround for MIPS16 build issue with a correct one.

* git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: Define ioremap_uc
  MIPS: UAPI: Ignore __arch_swab{16,32,64} when using MIPS16
  Revert "MIPS: UAPI: Fix unrecognized opcode WSBH/DSBH/DSHD when using MIPS16."

Pull swiotlb fixlet from Konrad Rzeszutek Wilk:
 "Enable the SWIOTLB under 32-bit PAE kernels.

  Nowadays most distros enable this due to CONFIG_HYPERVISOR|XEN=y which
  select SWIOTLB.  But for those that are not interested in
  virtualization and wanting to use 32-bit PAE kernels and wanting to
  have working DMA operations - this configures it for them"

* 'stable/for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/swiotlb:
  swiotlb: Enable it under x86 PAE

Leandro Awa writes:
 "After switching to version 4.1.6, our parallelized and distributed
  workflows now fail consistently with errors of the form:

  T34: ./regex.c:39:22: error: config.h: No such file or directory

  From our 'git bisect' testing, the following commit appears to be the
  possible cause of the behavior we've been seeing: commit 766c4cbf"

Al Viro says:
 "What happens is that 766c4cbf got the things subtly wrong.

  We used to treat d_is_negative() after lookup_fast() as "fall with
  ENOENT".  That was wrong - checking ->d_flags outside of ->d_seq
  protection is unreliable and failing with hard error on what should've
  fallen back to non-RCU pathname resolution is a bug.

  Unfortunately, we'd pulled the test too far up and ran afoul of
  another kind of staleness.  The dentry might have been absolutely
  stable from the RCU point of view (and we might be on UP, etc), but
  stale from the remote fs point of view.  If ->d_revalidate() returns
  "it's actually stale", dentry gets thrown away and the original code
  wouldn't even have looked at its ->d_flags.

  What we need is to check ->d_flags where 766c4cbf does (prior to
  ->d_seq validation) but only use the result in cases where we do not
  discard this dentry outright"
Reported-by: Leandro Awa <lawa@nvidia.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=104911
Fixes: 766c4cbf ("namei: d_is_negative() should be checked...")
Tested-by: Leandro Awa <lawa@nvidia.com>
Cc: stable@vger.kernel.org # v4.1+
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Pull power management and ACPI fixes from Rafael Wysocki:
 "These are four fixes for bugs in the devfreq and cpufreq subsystems,
  including two regression fixes (one for a recent regression and one
  for a problem introduced in 4.2).

  Specifics:

   - Two fixes for cpufreq regressions, an acpi-cpufreq driver one
     introduced during the 4.2 cycle when we started to preserve cpufreq
     directories for offline CPUs and a general one introduced recently
     (Srinivas Pandruvada).

   - Two devfreq fixes, one for a double kfree() in an error code path
     and one for a confusing sysfs-related failure (Geliang Tang, Tobias
     Jakobi)"

* tag 'pm+acpi-4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: prevent lockup on reading scaling_available_frequencies
  cpufreq: acpi_cpufreq: prevent crash on reading freqdomain_cpus
  PM / devfreq: fix double kfree
  PM / devfreq: Fix governor_store()

Pull strscpy powerpc fix from Chris Metcalf.

Fix powerpc big-endian build.

* 'strscpy' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  arch/powerpc: provide zero_bytemask() for big-endian

Pull sound fixes from Takashi Iwai:
 "We see various small fixes, but nothing looks too scary, all are small
  gentle bug fixes:

   - Most of changes are for ASoC codecs: Realtek, SGTL5000, TAS2552,
     TLV320, WM8962

   - A couple of dwc and imx-ssi fixes

   - Usual oneliner HD-audio quirks

   - An old emux synth code fix"

* tag 'sound-4.3-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  MAINTAINERS: Remove wm97xx entry
  ASoC: tas2552: fix dBscale-min declaration
  ALSA: synth: Fix conflicting OSS device registration on AWE32
  ALSA: hda - Disable power_save_node for IDT 92HD73xx chips
  ALSA: hda - Apply SPDIF pin ctl to MacBookPro 12,1
  ALSA: hda: Add dock support for ThinkPad T550
  ASoC: dwc: fix dma stop transferring issue
  ASoC: dwc: correct irq clear method
  ASoC: tlv320aic3x: Prevent writing reserved registers on tlv320aic3104 CODECs
  ASoC: rt5645: Correct the naming and setting of ADC Boost Volume Control
  ASoC: sgtl5000: fix wrong register MIC_BIAS_VOLTAGE setup on probe
  ASoC: wm8962: balance pm_runtime_enable
  ASoC: imx-ssi: Fix DAI hardware signal inversions
  ASoC: sgtl5000: fix error message output for MicBias voltage
  ASoC: db1200: Fix DAI link format for db1300 and db1550

Pull clk fixes from Stephen Boyd:
 "A Samsung driver fix and a handful of TI driver fixes"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: ti: dflt: fix enable_reg validity check
  clk: ti: fix dual-registration of uart4_ick
  clk: ti: clk-7xx: Remove hardwired ABE clock configuration
  clk: samsung: fix cpu clock's flags checking

Pull MMC fixes from Ulf Hansson:
 "MMC host:
   - omap_hsmmc: Fix boot regressions for omap4430
   - omap_hsmmc: Fix legacy boot regression for omap3
   - sdhci-pxav3: Fix some clock issues for Armada 38x
   - sdhci-pxav3: Fix error handling at probe
   - sdhci-of-at91: Fix clock stabilization problem"

* tag 'mmc-v4.3-rc4' of git://git.linaro.org/people/ulf.hansson/mmc:
  mmc: sdhci-of-at91: use SDHCI_QUIRK2_NEED_DELAY_AFTER_INT_CLK_RST quirk
  mmc: sdhci: add quirk SDHCI_QUIRK2_NEED_DELAY_AFTER_INT_CLK_RST
  mmc: sdhci-pxav3: fix error handling of armada_38x_quirks
  mmc: sdhci-pxav3: disable clock inversion for HS MMC cards
  mmc: sdhci-pxav3: remove broken clock base quirk for Armada 38x sdhci driver
  mmc: host: omap_hsmmc: Fix MMC for omap3 legacy booting
  Revert "mmc: host: omap_hsmmc: use regulator_is_enabled to find pbias status"

Pull dm fixes from Mike Snitzer:
 "Three stable fixes:

   - DM core AB-BA deadlock fix in the device destruction path (vs
     device creation's DM table swap).

   - DM raid fix to properly round up the region_size to the next
     power-of-2.

   - DM cache fix for a NULL pointer seen while switching from the
     "cleaner" cache policy.

  Two fixes for regressions introduced during the 4.3 merge:

   - request-based DM error propagation regressed due to incorrect
     changes introduced when adding the bi_error field to bio.

   - DM snapshot fix to only support snapshots that overflow if the
     client (e.g. lvm2) is prepared to deal with the associated
     snapshot status interface change"

* tag 'dm-4.3-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm snapshot: add new persistent store option to support overflow
  dm cache: fix NULL pointer when switching from cleaner policy
  dm: fix request-based dm error reporting
  dm raid: fix round up of default region size
  dm: fix AB-BA deadlock in __dm_destroy()

Pull btrfs fixes from Chris Mason:
 "These are small and assorted.  Neil's is the oldest, I dropped the
  ball thinking he was going to send it in"

* 'for-linus-4.3' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: support NFSv2 export
  Btrfs: open_ctree: Fix possible memory leak
  Btrfs: fix deadlock when finalizing block group creation
  Btrfs: update fix for read corruption of compressed and shared extents
  Btrfs: send, fix corner case for reference overwrite detection

Pull nfsd bugfix from Bruce Fields:
 "Just one RDMA bugfix"

* tag 'nfsd-4.3-1' of git://linux-nfs.org/~bfields/linux:
  svcrdma: handle rdma read with a non-zero initial page offset

Pull ARM SoC fixes from Arnd Bergmann:
 "The fixes for this week include one small patch that was years in the
  making and that finally fixes using all eight CPUs on exynos542x.

  The rest are lots of minor changes for sunxi, imx, exynos and shmobile

   - fixing the minimum voltage for Allwinner A20
   - thermal boot issue on SMDK5250.
   - invalid clock used for FIMD IOMMU.
   - audio on Renesas r8a7790/r8a7791
   - invalid clock used for FIMD IOMMU
   - LEDs on exynos5422-odroidxu3-common
   - usb pin control for imx-rex
   - imx53: fix PMIC interrupt level
   - a Makefile typo"

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: dts: Fix wrong clock binding for sysmmu_fimd1_1 on exynos5420
  ARM: dts: Fix bootup thermal issue on smdk5250
  ARM: shmobile: r8a7791 dtsi: Add CPG/MSTP Clock Domain for sound
  ARM: shmobile: r8a7790 dtsi: Add CPG/MSTP Clock Domain for sound
  arm-cci500: Don't enable PMU driver by default
  ARM: dts: fix usb pin control for imx-rex dts
  ARM: imx53: qsrb: fix PMIC interrupt level
  ARM: imx53: include IRQ dt-bindings header
  ARM: dts: add suspend opp to exynos4412
  ARM: dts: Fix LEDs on exynos5422-odroidxu3
  ARM: EXYNOS: reset Little cores when cpu is up
  ARM: dts: Fix Makefile target for sun4i-a10-itead-iteaduino-plus
  ARM: dts: sunxi: Raise minimum CPU voltage for sun7i-a20 to meet SoC specifications

Commit 76c44f6d introduced the possibly for "Overflow" to be reported
by the snapshot device's status.  Older userspace (e.g. lvm2) does not
handle the "Overflow" status response.

Fix this incompatibility by requiring newer userspace code, that can
cope with "Overflow", request the persistent store with overflow support
by using "PO" (Persistent with Overflow) for the snapshot store type.
Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
Fixes: 76c44f6d ("dm snapshot: don't invalidate on-disk image on snapshot write overflow")
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>

* pm-devfreq:
  PM / devfreq: fix double kfree
  PM / devfreq: Fix governor_store()

* pm-cpufreq:
  cpufreq: prevent lockup on reading scaling_available_frequencies
  cpufreq: acpi_cpufreq: prevent crash on reading freqdomain_cpus