authorBen Hutchings <ben@decadent.org.uk>2016-01-19 13:44:04 +0000
committerBen Hutchings <ben@decadent.org.uk>2016-01-19 13:44:04 +0000
commit7aef5117c344f16e3c69fa95e8c82646659d7c36 (patch)
tree4a41df103acfbbfec5a62e5663733019e86407e8
parentfbee7ded77e949f81e0591f68fa2f4d41772c2cc (diff)
parent6b3f710f745a897497d77f78fceb50547eaad633 (diff)
Merge tag 'debian/4.3.3-6'
-rwxr-xr-xdebian/bin/gencontrol.py4
-rwxr-xr-xdebian/bin/genorig.py5
-rw-r--r--debian/changelog35
-rw-r--r--debian/config/amd64/defines1
-rw-r--r--debian/config/arm64/defines1
-rw-r--r--debian/config/armel/config.kirkwood7
-rw-r--r--debian/config/armel/config.orion5x5
-rw-r--r--debian/config/armhf/config.armmp1
-rw-r--r--debian/config/armhf/defines1
-rw-r--r--debian/config/config2
-rw-r--r--debian/config/i386/defines1
-rw-r--r--debian/config/kernelarch-arm/config1
-rw-r--r--debian/config/powerpc/defines1
-rw-r--r--debian/config/powerpcspe/defines1
-rw-r--r--debian/config/ppc64/defines1
-rw-r--r--debian/config/ppc64el/defines1
-rw-r--r--debian/config/s390x/defines1
-rw-r--r--debian/installer/armhf/modules/armhf-armmp/input-modules3
-rw-r--r--debian/lib/python/debian_linux/debian.py81
-rw-r--r--debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch75
-rw-r--r--debian/patches/bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch26
-rw-r--r--debian/patches/bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch46
-rw-r--r--debian/patches/bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch91
-rw-r--r--debian/patches/bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch109
-rw-r--r--debian/patches/bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch32
-rw-r--r--debian/patches/bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch67
-rw-r--r--debian/patches/bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch32
-rw-r--r--debian/patches/bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch35
-rw-r--r--debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch63
-rw-r--r--debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch140
-rw-r--r--debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch31
-rw-r--r--debian/patches/bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch60
-rw-r--r--debian/patches/series13
-rw-r--r--debian/rules.real21
34 files changed, 929 insertions, 65 deletions
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 9c0070f1ee9b..d3da5db4d366 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -25,6 +25,7 @@ class Gencontrol(Base):
'build': {
'debug-info': config.SchemaItemBoolean(),
'modules': config.SchemaItemBoolean(),
+ 'vdso': config.SchemaItemBoolean(),
},
'description': {
'parts': config.SchemaItemList(),
@@ -369,6 +370,9 @@ class Gencontrol(Base):
if extra.get('headers_arch_depends'):
extra['headers_arch_depends'].append('%s (= ${binary:Version})' % packages_own[-1]['Package'])
+ if config_entry_build.get('vdso', False):
+ makeflags['VDSO'] = True
+
build_debug = config_entry_build.get('debug-info')
if os.getenv('DEBIAN_KERNEL_DISABLE_DEBUG'):
diff --git a/debian/bin/genorig.py b/debian/bin/genorig.py
index b83f31c09cd5..c3a4eea26d12 100755
--- a/debian/bin/genorig.py
+++ b/debian/bin/genorig.py
@@ -40,6 +40,7 @@ class Main(object):
def __call__(self):
import tempfile
self.dir = tempfile.mkdtemp(prefix='genorig', dir='debian')
+ old_umask = os.umask(0o022)
try:
if os.path.isdir(self.input_files[0]):
self.upstream_export(self.input_files[0])
@@ -59,8 +60,10 @@ class Main(object):
.st_mtime))
self.debian_patch()
+ os.umask(old_umask)
self.tar(orig_date)
finally:
+ os.umask(old_umask)
shutil.rmtree(self.dir)
def upstream_export(self, input_repo):
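Review bot: The umask is restored twice in `__call__`, once just before `self.tar(orig_date)` and again in `finally`, and nothing explains why the first restore is needed. It presumably exists so that the output tarball is created under the caller's umask while only the export and patch steps run under `0o022`; if so, a comment on the first call would stop someone removing it as redundant, e.g. `# restore the caller's umask before writing the tarball; finally covers the error paths`. The body of `__call__` between the two hunks is not visible here, so this reading should be confirmed against the full function.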
@@ -131,7 +134,7 @@ class Main(object):
self.log("Generate tarball %s\n" % out)
cmdline = '''(cd '%s' && find '%s' -print0) |
LC_ALL=C sort -z |
- tar -C '%s' --no-recursion --null -T - --mtime '%s' -caf '%s'
+ tar -C '%s' --no-recursion --null -T - --mtime '%s' --owner root --group root -caf '%s'
''' % (self.dir, self.orig, self.dir, orig_date, out)
try:
if os.spawnv(os.P_WAIT, '/bin/sh', ['sh', '-c', cmdline]):
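Review bot: The command line this hunk extends is still built by `%`-formatting `self.dir`, `self.orig`, `orig_date` and `out` between single quotes and handing the result to `sh -c`, so any value containing `'` ends the quoting and the remainder is interpreted by the shell. These values appear to come from the maintainer's own invocation (an inference; their origin is outside the hunk), which makes this a robustness concern rather than an exposed input. It is still worth closing while the line is being touched: drop the hand-written quotes and format with `tuple(shlex.quote(v) for v in (self.dir, self.orig, self.dir, orig_date, out))`, which needs `import shlex` if the file does not already have it. Alternatively, run `find`, `sort` and `tar` as argument lists without a shell. The enclosing method starts and ends outside the hunk.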
diff --git a/debian/changelog b/debian/changelog
index 71ca4245a538..31c8f43766f1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -94,6 +94,41 @@ linux (4.4~rc4-1~exp1) experimental; urgency=medium
-- Ben Hutchings <ben@decadent.org.uk> Sun, 13 Dec 2015 16:25:45 +0000
+linux (4.3.3-6) unstable; urgency=medium
+
+ [ Ben Hutchings ]
+ * debian.py: Implement stable order of fields in debian/tests/control
+ * debian.py: Implement stable order of fields not in the predefined order
+ * genorig.py: Make orig tarballs really reproducible:
+ - Override umask while extracting/exporting files
+ - Override user and group names in tarball
+ * xen/gntdev: Grant maps should not be subject to NUMA balancing
+ (Closes: #810472)
+ * gpio: Enable GPIO_SYSFS wherever GPIOLIB is enabled (Closes: #810085)
+ * [armhf] udeb: Include usbhid in input-modules (Closes: #809521)
+ * linux-image-dbg: Include debugging symbols for VDSOs
+ * [armel/kirkwood] power/reset: Re-enable POWER_RESET, POWER_RESET_GPIO
+ (regression in 3.17~rc5-1~exp1)
+ * usb: serial: visor: fix crash on detecting device without write_urbs
+ (CVE-2015-7566)
+ * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD) (CVE-2016-0723)
+ * [x86] drm/vmwgfx: Fix a width / pitch mismatch on framebuffer updates
+ * bcache: Add upstream fixes marked for stable:
+ - fix a livelock when we cause a huge number of cache misses
+ - Add a cond_resched() call to gc
+ - clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing device
+ - fix a leak in bch_cached_dev_run()
+ - unregister reboot notifier if bcache fails to unregister device
+ - allows use of register in udev to avoid "device_busy" error.
+ - prevent crash on changing writeback_running
+ - Change refill_dirty() to always scan entire disk if necessary
+ * KEYS: Fix keyring ref leak in join_session_keyring() (CVE-2016-0728)
+
+ [ Salvatore Bonaccorso ]
+ * unix: properly account for FDs passed over unix sockets (CVE-2013-4312)
+
+ -- Ben Hutchings <ben@decadent.org.uk> Tue, 19 Jan 2016 00:41:31 +0000
+
linux (4.3.3-5) unstable; urgency=medium
* [armhf] udeb: Fix duplication and circular dependency between core-modules
diff --git a/debian/config/amd64/defines b/debian/config/amd64/defines
index 224defcd1584..649a067b57e1 100644
--- a/debian/config/amd64/defines
+++ b/debian/config/amd64/defines
@@ -8,6 +8,7 @@ kernel-arch: x86
[build]
debug-info: true
image-file: arch/x86/boot/bzImage
+vdso: true
[image]
bootloaders: grub-pc grub-efi extlinux
diff --git a/debian/config/arm64/defines b/debian/config/arm64/defines
index eba3b6f2d115..6880132da40e 100644
--- a/debian/config/arm64/defines
+++ b/debian/config/arm64/defines
@@ -6,6 +6,7 @@ featuresets:
[build]
debug-info: true
image-file: arch/arm64/boot/Image
+vdso: true
[image]
install-stem: vmlinuz
diff --git a/debian/config/armel/config.kirkwood b/debian/config/armel/config.kirkwood
index 8ab415d1b640..c636dcac2edc 100644
--- a/debian/config/armel/config.kirkwood
+++ b/debian/config/armel/config.kirkwood
@@ -159,11 +159,6 @@ CONFIG_DMADEVICES=y
CONFIG_MV_XOR=y
##
-## file: drivers/gpio/Kconfig
-##
-CONFIG_GPIO_SYSFS=y
-
-##
## file: drivers/gpu/drm/Kconfig
##
# CONFIG_DRM is not set
@@ -438,6 +433,8 @@ CONFIG_PCI_MVEBU=y
##
## file: drivers/power/reset/Kconfig
##
+CONFIG_POWER_RESET=y
+CONFIG_POWER_RESET_GPIO=y
CONFIG_POWER_RESET_QNAP=y
CONFIG_POWER_RESET_RESTART=y
diff --git a/debian/config/armel/config.orion5x b/debian/config/armel/config.orion5x
index 5727d4a4a21c..cda43ba00ea7 100644
--- a/debian/config/armel/config.orion5x
+++ b/debian/config/armel/config.orion5x
@@ -166,11 +166,6 @@ CONFIG_DMADEVICES=y
CONFIG_MV_XOR=y
##
-## file: drivers/gpio/Kconfig
-##
-CONFIG_GPIO_SYSFS=y
-
-##
## file: drivers/gpu/drm/Kconfig
##
# CONFIG_DRM is not set
diff --git a/debian/config/armhf/config.armmp b/debian/config/armhf/config.armmp
index e86061944731..71480597d781 100644
--- a/debian/config/armhf/config.armmp
+++ b/debian/config/armhf/config.armmp
@@ -233,7 +233,6 @@ CONFIG_RASPBERRYPI_FIRMWARE=y
## file: drivers/gpio/Kconfig
##
CONFIG_GPIOLIB=y
-CONFIG_GPIO_SYSFS=y
CONFIG_GPIO_GENERIC_PLATFORM=m
CONFIG_GPIO_PCA953X=m
CONFIG_GPIO_DA9052=m
diff --git a/debian/config/armhf/defines b/debian/config/armhf/defines
index fd62b693dcf1..8f7551f049fd 100644
--- a/debian/config/armhf/defines
+++ b/debian/config/armhf/defines
@@ -6,6 +6,7 @@ kernel-arch: arm
[build]
image-file: arch/arm/boot/zImage
+vdso: true
[image]
suggests: fdutils
diff --git a/debian/config/config b/debian/config/config
index 9569f60fa34e..cf5bdd64b2b2 100644
--- a/debian/config/config
+++ b/debian/config/config
@@ -480,7 +480,7 @@ CONFIG_EFI_VARS_PSTORE=m
##
# CONFIG_GPIOLIB is not set
# CONFIG_DEBUG_GPIO is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
# CONFIG_GPIO_DWAPB is not set
# CONFIG_GPIO_GENERIC_PLATFORM is not set
# CONFIG_GPIO_VX855 is not set
diff --git a/debian/config/i386/defines b/debian/config/i386/defines
index 90f576294b07..14f3b86ab948 100644
--- a/debian/config/i386/defines
+++ b/debian/config/i386/defines
@@ -7,6 +7,7 @@ kernel-arch: x86
[build]
image-file: arch/x86/boot/bzImage
+vdso: true
[description]
part-long-pae: This kernel requires PAE (Physical Address Extension).
diff --git a/debian/config/kernelarch-arm/config b/debian/config/kernelarch-arm/config
index 03046fe67804..ef877a98ad51 100644
--- a/debian/config/kernelarch-arm/config
+++ b/debian/config/kernelarch-arm/config
@@ -4,6 +4,7 @@
CONFIG_MMU=y
CONFIG_AEABI=y
# CONFIG_OABI_COMPAT is not set
+CONFIG_CPU_SW_DOMAIN_PAN=y
CONFIG_KEXEC=y
##
diff --git a/debian/config/powerpc/defines b/debian/config/powerpc/defines
index 8407a7416083..24b8b528facf 100644
--- a/debian/config/powerpc/defines
+++ b/debian/config/powerpc/defines
@@ -7,6 +7,7 @@ kernel-arch: powerpc
[build]
image-file: vmlinux
+vdso: true
[image]
configs:
diff --git a/debian/config/powerpcspe/defines b/debian/config/powerpcspe/defines
index 667efcffff77..adb4bea0733d 100644
--- a/debian/config/powerpcspe/defines
+++ b/debian/config/powerpcspe/defines
@@ -5,6 +5,7 @@ kernel-arch: powerpc
[build]
image-file: vmlinux
+vdso: true
[image]
suggests: mkvmlinuz
diff --git a/debian/config/ppc64/defines b/debian/config/ppc64/defines
index 98fcc3b6ec37..7efcb1a95b00 100644
--- a/debian/config/ppc64/defines
+++ b/debian/config/ppc64/defines
@@ -5,6 +5,7 @@ kernel-arch: powerpc
[build]
image-file: vmlinux
+vdso: true
[image]
configs:
diff --git a/debian/config/ppc64el/defines b/debian/config/ppc64el/defines
index b5ec5ed6739d..987ab7df19ad 100644
--- a/debian/config/ppc64el/defines
+++ b/debian/config/ppc64el/defines
@@ -5,6 +5,7 @@ kernel-arch: powerpc
[build]
image-file: vmlinux
+vdso: true
[image]
configs:
diff --git a/debian/config/s390x/defines b/debian/config/s390x/defines
index 5e0ff29eabd4..30d86c99ff10 100644
--- a/debian/config/s390x/defines
+++ b/debian/config/s390x/defines
@@ -5,6 +5,7 @@ kernel-arch: s390
[build]
image-file: arch/s390/boot/image
+vdso: true
[image]
bootloaders: s390-tools
diff --git a/debian/installer/armhf/modules/armhf-armmp/input-modules b/debian/installer/armhf/modules/armhf-armmp/input-modules
index 1a248663bdf0..5ecb595a4a49 100644
--- a/debian/installer/armhf/modules/armhf-armmp/input-modules
+++ b/debian/installer/armhf/modules/armhf-armmp/input-modules
@@ -1,4 +1 @@
#include <input-modules>
-usbhid -
-usbmouse -
-usbkbd -
diff --git a/debian/lib/python/debian_linux/debian.py b/debian/lib/python/debian_linux/debian.py
index b9164630c601..445547bbfae2 100644
--- a/debian/lib/python/debian_linux/debian.py
+++ b/debian/lib/python/debian_linux/debian.py
@@ -396,29 +396,7 @@ class PackageRelationEntry(object):
self.restrictions = []
-class Package(dict):
- _fields = collections.OrderedDict((
- ('Package', str),
- ('Source', str),
- ('Architecture', PackageArchitecture),
- ('Section', str),
- ('Priority', str),
- ('Maintainer', str),
- ('Uploaders', str),
- ('Standards-Version', str),
- ('Build-Depends', PackageRelation),
- ('Build-Depends-Indep', PackageRelation),
- ('Provides', PackageRelation),
- ('Pre-Depends', PackageRelation),
- ('Depends', PackageRelation),
- ('Recommends', PackageRelation),
- ('Suggests', PackageRelation),
- ('Replaces', PackageRelation),
- ('Breaks', PackageRelation),
- ('Conflicts', PackageRelation),
- ('Description', PackageDescription),
- ))
-
+class _ControlFileDict(dict):
def __setitem__(self, key, value):
try:
cls = self._fields[key]
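Review bot: `_ControlFileDict.__setitem__` reads `self._fields`, but the new base class defines no `_fields` of its own, so it only works through a subclass that supplies one. If the base were instantiated directly, the lookup would raise `AttributeError`, which the `except KeyError` in the next hunk does not catch. A class docstring would state the contract, for example `"""Dict for one control-file paragraph; subclasses must set _fields to an OrderedDict mapping field name to type."""`. The body of `__setitem__` continues past the end of this hunk.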
@@ -426,15 +404,15 @@ class Package(dict):
value = cls(value)
except KeyError:
pass
- super(Package, self).__setitem__(key, value)
+ super(_ControlFileDict, self).__setitem__(key, value)
def keys(self):
- keys = set(super(Package, self).keys())
+ keys = set(super(_ControlFileDict, self).keys())
for i in self._fields.keys():
if i in self:
keys.remove(i)
yield i
- for i in keys:
+ for i in sorted(list(keys)):
yield i
def items(self):
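Review bot: In `keys()`, `sorted(list(keys))` copies the set into a list only for `sorted()` to build another list from it; `for i in sorted(keys):` yields the same order with one copy fewer. The sort is what makes fields outside `_fields` come out in a stable order, so a short comment would record the intent, e.g. `# fields not in _fields: sorted so generated control files are identical across runs`. `items()` and the rest of the class lie outside this hunk.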
@@ -446,22 +424,37 @@ class Package(dict):
yield self[i]
-class TestsControl(dict):
- _fields = {
- 'Tests': str,
- 'Test-Command': str,
- 'Restrictions': str,
- 'Features': str,
- 'Depends': PackageRelation,
- 'Tests-Directory': str,
- 'Classes': str,
- }
+class Package(_ControlFileDict):
+ _fields = collections.OrderedDict((
+ ('Package', str),
+ ('Source', str),
+ ('Architecture', PackageArchitecture),
+ ('Section', str),
+ ('Priority', str),
+ ('Maintainer', str),
+ ('Uploaders', str),
+ ('Standards-Version', str),
+ ('Build-Depends', PackageRelation),
+ ('Build-Depends-Indep', PackageRelation),
+ ('Provides', PackageRelation),
+ ('Pre-Depends', PackageRelation),
+ ('Depends', PackageRelation),
+ ('Recommends', PackageRelation),
+ ('Suggests', PackageRelation),
+ ('Replaces', PackageRelation),
+ ('Breaks', PackageRelation),
+ ('Conflicts', PackageRelation),
+ ('Description', PackageDescription),
+ ))
+
- def __setitem__(self, key, value):
- try:
- cls = self._fields[key]
- if not isinstance(value, cls):
- value = cls(value)
- except KeyError:
- pass
- super(TestsControl, self).__setitem__(key, value)
+class TestsControl(_ControlFileDict):
+ _fields = collections.OrderedDict((
+ ('Tests', str),
+ ('Test-Command', str),
+ ('Restrictions', str),
+ ('Features', str),
+ ('Depends', PackageRelation),
+ ('Tests-Directory', str),
+ ('Classes', str),
+ ))
diff --git a/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
new file mode 100644
index 000000000000..9c6a9697387d
--- /dev/null
+++ b/debian/patches/bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
@@ -0,0 +1,75 @@
+From 7ca88764d45c209791e8813131c1457c2e9e51e7 Mon Sep 17 00:00:00 2001
+From: Yevgeny Pats <yevgeny@perception-point.io>
+Date: Mon, 11 Jan 2016 12:05:28 +0000
+Subject: KEYS: Fix keyring ref leak in join_session_keyring()
+
+If a thread is asked to join as a session keyring the keyring that's already
+set as its session, we leak a keyring reference.
+
+This can be tested with the following program:
+
+ #include <stddef.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <keyutils.h>
+
+ int main(int argc, const char *argv[])
+ {
+ int i = 0;
+ key_serial_t serial;
+
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ if (keyctl(KEYCTL_SETPERM, serial,
+ KEY_POS_ALL | KEY_USR_ALL) < 0) {
+ perror("keyctl");
+ return -1;
+ }
+
+ for (i = 0; i < 100; i++) {
+ serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
+ "leaked-keyring");
+ if (serial < 0) {
+ perror("keyctl");
+ return -1;
+ }
+ }
+
+ return 0;
+ }
+
+If, after the program has run, there something like the following line in
+/proc/keys:
+
+3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
+
+with a usage count of 100 * the number of times the program has been run,
+then the kernel is malfunctioning. If leaked-keyring has zero usages or
+has been garbage collected, then the problem is fixed.
+
+Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
+Signed-off-by: David Howells <dhowells@redhat.com>
+---
+ security/keys/process_keys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index a3f85d2..e6d50172 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -794,6 +794,7 @@ long join_session_keyring(const char *name)
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
+--
+2.7.0.rc3
+
diff --git a/debian/patches/bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch b/debian/patches/bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
new file mode 100644
index 000000000000..0580e6163ea4
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
@@ -0,0 +1,26 @@
+From: Kent Overstreet <kmo@daterainc.com>
+Date: Sun, 29 Nov 2015 17:18:33 -0800
+Subject: [2/8] bcache: Add a cond_resched() call to gc
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=c5f1e5adf956e3ba82d204c7c141a75da9fa449a
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/btree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
+index 4a1179c..22b9e34 100644
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1741,6 +1741,7 @@ static void bch_btree_gc(struct cache_set *c)
+ do {
+ ret = btree_root(gc_root, c, &op, &writes, &stats);
+ closure_sync(&writes);
++ cond_resched();
+
+ if (ret && ret != -EAGAIN)
+ pr_warn("gc failed!");
diff --git a/debian/patches/bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch b/debian/patches/bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
new file mode 100644
index 000000000000..782979770e92
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
@@ -0,0 +1,46 @@
+From: Gabriel de Perthuis <g2p.code@gmail.com>
+Date: Sun, 29 Nov 2015 18:40:23 -0800
+Subject: [6/8] bcache: allows use of register in udev to avoid "device_busy"
+ error.
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=d7076f21629f8f329bca4a44dc408d94670f49e2
+
+Allows to use register, not register_quiet in udev to avoid "device_busy" error.
+The initial patch proposed at https://lkml.org/lkml/2013/8/26/549 by Gabriel de Perthuis
+<g2p.code@gmail.com> does not unlock the mutex and hangs the kernel.
+
+See http://thread.gmane.org/gmane.linux.kernel.bcache.devel/2594 for the discussion.
+
+Cc: Denis Bychkov <manover@gmail.com>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: Eric Wheeler <bcache@linux.ewheeler.net>
+Cc: Gabriel de Perthuis <g2p.code@gmail.com>
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/super.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 18f14a2..8d0ead9 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1938,6 +1938,8 @@ static ssize_t register_bcache(struct kobject *k, struct kobj_attribute *attr,
+ else
+ err = "device busy";
+ mutex_unlock(&bch_register_lock);
++ if (attr == &ksysfs_register_quiet)
++ goto out;
+ }
+ goto err;
+ }
+@@ -1976,8 +1978,7 @@ out:
+ err_close:
+ blkdev_put(bdev, FMODE_READ|FMODE_WRITE|FMODE_EXCL);
+ err:
+- if (attr != &ksysfs_register_quiet)
+- pr_info("error opening %s: %s", path, err);
++ pr_info("error opening %s: %s", path, err);
+ ret = -EINVAL;
+ goto out;
+ }
diff --git a/debian/patches/bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch b/debian/patches/bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
new file mode 100644
index 000000000000..7dae0c8e973b
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
@@ -0,0 +1,91 @@
+From: Kent Overstreet <kent.overstreet@gmail.com>
+Date: Sun, 29 Nov 2015 18:47:01 -0800
+Subject: [8/8] bcache: Change refill_dirty() to always scan entire disk if
+ necessary
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=627ccd20b4ad3ba836472468208e2ac4dfadbf03
+
+Previously, it would only scan the entire disk if it was starting from
+the very start of the disk - i.e. if the previous scan got to the end.
+
+This was broken by refill_full_stripes(), which updates last_scanned so
+that refill_dirty was never triggering the searched_from_start path.
+
+But if we change refill_dirty() to always scan the entire disk if
+necessary, regardless of what last_scanned was, the code gets cleaner
+and we fix that bug too.
+
+Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/writeback.c | 37 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
+index b23f88d..b9346cd 100644
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -323,6 +323,10 @@ void bcache_dev_sectors_dirty_add(struct cache_set *c, unsigned inode,
+
+ static bool dirty_pred(struct keybuf *buf, struct bkey *k)
+ {
++ struct cached_dev *dc = container_of(buf, struct cached_dev, writeback_keys);
++
++ BUG_ON(KEY_INODE(k) != dc->disk.id);
++
+ return KEY_DIRTY(k);
+ }
+
+@@ -372,11 +376,24 @@ next:
+ }
+ }
+
++/*
++ * Returns true if we scanned the entire disk
++ */
+ static bool refill_dirty(struct cached_dev *dc)
+ {
+ struct keybuf *buf = &dc->writeback_keys;
++ struct bkey start = KEY(dc->disk.id, 0, 0);
+ struct bkey end = KEY(dc->disk.id, MAX_KEY_OFFSET, 0);
+- bool searched_from_start = false;
++ struct bkey start_pos;
++
++ /*
++ * make sure keybuf pos is inside the range for this disk - at bringup
++ * we might not be attached yet so this disk's inode nr isn't
++ * initialized then
++ */
++ if (bkey_cmp(&buf->last_scanned, &start) < 0 ||
++ bkey_cmp(&buf->last_scanned, &end) > 0)
++ buf->last_scanned = start;
+
+ if (dc->partial_stripes_expensive) {
+ refill_full_stripes(dc);
+@@ -384,14 +401,20 @@ static bool refill_dirty(struct cached_dev *dc)
+ return false;
+ }
+
+- if (bkey_cmp(&buf->last_scanned, &end) >= 0) {
+- buf->last_scanned = KEY(dc->disk.id, 0, 0);
+- searched_from_start = true;
+- }
+-
++ start_pos = buf->last_scanned;
+ bch_refill_keybuf(dc->disk.c, buf, &end, dirty_pred);
+
+- return bkey_cmp(&buf->last_scanned, &end) >= 0 && searched_from_start;
++ if (bkey_cmp(&buf->last_scanned, &end) < 0)
++ return false;
++
++ /*
++ * If we get to the end start scanning again from the beginning, and
++ * only scan up to where we initially started scanning from:
++ */
++ buf->last_scanned = start;
++ bch_refill_keybuf(dc->disk.c, buf, &start_pos, dirty_pred);
++
++ return bkey_cmp(&buf->last_scanned, &start_pos) >= 0;
+ }
+
+ static int bch_writeback_thread(void *arg)
diff --git a/debian/patches/bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch b/debian/patches/bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch
new file mode 100644
index 000000000000..83e0bf81febf
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch
@@ -0,0 +1,109 @@
+From: Zheng Liu <wenqing.lz@taobao.com>
+Date: Sun, 29 Nov 2015 17:19:32 -0800
+Subject: [3/8] bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a
+ backing device
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=fecaee6f20ee122ad75402c53d8278f9bb142ddc
+
+This bug can be reproduced by the following script:
+
+ #!/bin/bash
+
+ bcache_sysfs="/sys/fs/bcache"
+
+ function clear_cache()
+ {
+ if [ ! -e $bcache_sysfs ]; then
+ echo "no bcache sysfs"
+ exit
+ fi
+
+ cset_uuid=$(ls -l $bcache_sysfs|head -n 2|tail -n 1|awk '{print $9}')
+ sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/detach"
+ sleep 5
+ sudo sh -c "echo $cset_uuid > /sys/block/sdb/sdb1/bcache/attach"
+ }
+
+ for ((i=0;i<10;i++)); do
+ clear_cache
+ done
+
+The warning messages look like below:
+[ 275.948611] ------------[ cut here ]------------
+[ 275.963840] WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xb8/0xd0() (Tainted: P W
+--------------- )
+[ 275.979253] Hardware name: Tecal RH2285
+[ 275.994106] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:09.0/0000:08:00.0/host4/target4:2:1/4:2:1:0/block/sdb/sdb1/bcache/cache'
+[ 276.024105] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler
+bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801
+i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas
+pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan]
+[ 276.072643] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1
+[ 276.089315] Call Trace:
+[ 276.105801] [<ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0
+[ 276.122650] [<ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50
+[ 276.139361] [<ffffffff81205c08>] ? sysfs_add_one+0xb8/0xd0
+[ 276.156012] [<ffffffff8120609b>] ? sysfs_do_create_link+0x12b/0x170
+[ 276.172682] [<ffffffff81206113>] ? sysfs_create_link+0x13/0x20
+[ 276.189282] [<ffffffffa03bda21>] ? bcache_device_link+0xc1/0x110 [bcache]
+[ 276.205993] [<ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache]
+[ 276.222794] [<ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache]
+[ 276.239680] [<ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110
+[ 276.256594] [<ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170
+[ 276.273364] [<ffffffff811887b8>] ? vfs_write+0xb8/0x1a0
+[ 276.290133] [<ffffffff811890b1>] ? sys_write+0x51/0x90
+[ 276.306368] [<ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b
+[ 276.322301] ---[ end trace 9f5d4fcdd0c3edfb ]---
+[ 276.338241] ------------[ cut here ]------------
+[ 276.354109] WARNING: at /home/wenqing.lz/bcache/bcache/super.c:720
+bcache_device_link+0xdf/0x110 [bcache]() (Tainted: P W --------------- )
+[ 276.386017] Hardware name: Tecal RH2285
+[ 276.401430] Couldn't create device <-> cache set symlinks
+[ 276.401759] Modules linked in: bcache tcp_diag inet_diag ipmi_devintf ipmi_si ipmi_msghandler
+bonding 8021q garp stp llc ipv6 ext3 jbd loop sg iomemory_vsl(P) bnx2 microcode serio_raw i2c_i801
+i2c_core iTCO_wdt iTCO_vendor_support i7core_edac edac_core shpchp ext4 jbd2 mbcache megaraid_sas
+pata_acpi ata_generic ata_piix dm_mod [last unloaded: scsi_wait_scan]
+[ 276.465477] Pid: 2765, comm: sh Tainted: P W --------------- 2.6.32 #1
+[ 276.482169] Call Trace:
+[ 276.498610] [<ffffffff81070fe7>] ? warn_slowpath_common+0x87/0xc0
+[ 276.515405] [<ffffffff810710d6>] ? warn_slowpath_fmt+0x46/0x50
+[ 276.532059] [<ffffffffa03bda3f>] ? bcache_device_link+0xdf/0x110 [bcache]
+[ 276.548808] [<ffffffffa03bfa08>] ? bch_cached_dev_attach+0x478/0x4f0 [bcache]
+[ 276.565569] [<ffffffffa03c4a17>] ? bch_cached_dev_store+0x627/0x780 [bcache]
+[ 276.582418] [<ffffffff8116783a>] ? alloc_pages_current+0xaa/0x110
+[ 276.599341] [<ffffffff81203b15>] ? sysfs_write_file+0xe5/0x170
+[ 276.616142] [<ffffffff811887b8>] ? vfs_write+0xb8/0x1a0
+[ 276.632607] [<ffffffff811890b1>] ? sys_write+0x51/0x90
+[ 276.648671] [<ffffffff8100c072>] ? system_call_fastpath+0x16/0x1b
+[ 276.664756] ---[ end trace 9f5d4fcdd0c3edfc ]---
+
+We forget to clear BCACHE_DEV_UNLINK_DONE flag in bcache_device_attach()
+function when we attach a backing device first time. After detaching this
+backing device, this flag will be true and sysfs_remove_link() isn't called in
+bcache_device_unlink(). Then when we attach this backing device again,
+sysfs_create_link() will return EEXIST error in bcache_device_link().
+
+So the fix is trival and we clear this flag in bcache_device_link().
+
+Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
+Tested-by: Joshua Schmid <jschmid@suse.com>
+Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 679a093..383f060 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -685,6 +685,8 @@ static void bcache_device_link(struct bcache_device *d, struct cache_set *c,
+ WARN(sysfs_create_link(&d->kobj, &c->kobj, "cache") ||
+ sysfs_create_link(&c->kobj, &d->kobj, d->name),
+ "Couldn't create device <-> cache set symlinks");
++
++ clear_bit(BCACHE_DEV_UNLINK_DONE, &d->flags);
+ }
+
+ static void bcache_device_detach(struct bcache_device *d)
diff --git a/debian/patches/bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch b/debian/patches/bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch
new file mode 100644
index 000000000000..b287e322635b
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch
@@ -0,0 +1,32 @@
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Sun, 29 Nov 2015 17:20:59 -0800
+Subject: [4/8] bcache: fix a leak in bch_cached_dev_run()
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=4d4d8573a8451acc9f01cbea24b7e55f04a252fe
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Tested-by: Joshua Schmid <jschmid@suse.com>
+Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 383f060..43e911e 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -849,8 +849,11 @@ void bch_cached_dev_run(struct cached_dev *dc)
+ buf[SB_LABEL_SIZE] = '\0';
+ env[2] = kasprintf(GFP_KERNEL, "CACHED_LABEL=%s", buf);
+
+- if (atomic_xchg(&dc->running, 1))
++ if (atomic_xchg(&dc->running, 1)) {
++ kfree(env[1]);
++ kfree(env[2]);
+ return;
++ }
+
+ if (!d->c &&
+ BDEV_STATE(&dc->sb) != BDEV_STATE_NONE) {
diff --git a/debian/patches/bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch b/debian/patches/bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
new file mode 100644
index 000000000000..88a52f7b199b
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
@@ -0,0 +1,67 @@
+From: Zheng Liu <gnehzuil.liu@gmail.com>
+Date: Sun, 29 Nov 2015 17:17:05 -0800
+Subject: [1/8] bcache: fix a livelock when we cause a huge number of cache
+ misses
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=2ef9ccbfcb90cf84bdba320a571b18b05c41101b
+
+Subject : [PATCH v2] bcache: fix a livelock in btree lock
+Date : Wed, 25 Feb 2015 20:32:09 +0800 (02/25/2015 04:32:09 AM)
+
+This commit tries to fix a livelock in bcache. This livelock might
+happen when we causes a huge number of cache misses simultaneously.
+
+When we get a cache miss, bcache will execute the following path.
+
+->cached_dev_make_request()
+ ->cached_dev_read()
+ ->cached_lookup()
+ ->bch->btree_map_keys()
+ ->btree_root() <------------------------
+ ->bch_btree_map_keys_recurse() |
+ ->cache_lookup_fn() |
+ ->cached_dev_cache_miss() |
+ ->bch_btree_insert_check_key() -|
+ [If btree->seq is not equal to seq + 1, we should return
+ EINTR and traverse btree again.]
+
+In bch_btree_insert_check_key() function we first need to check upgrade
+flag (op->lock == -1), and when this flag is true we need to release
+read btree->lock and try to take write btree->lock. During taking and
+releasing this write lock, btree->seq will be monotone increased in
+order to prevent other threads modify this in cache miss (see btree.h:74).
+But if there are some cache misses caused by some requested, we could
+meet a livelock because btree->seq is always changed by others. Thus no
+one can make progress.
+
+This commit will try to take write btree->lock if it encounters a race
+when we traverse btree. Although it sacrifice the scalability but we
+can ensure that only one can modify the btree.
+
+Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
+Tested-by: Joshua Schmid <jschmid@suse.com>
+Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Cc: Joshua Schmid <jschmid@suse.com>
+Cc: Zhu Yanhai <zhu.yanhai@gmail.com>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/btree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
+index 83392f8..4a1179c 100644
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -2162,8 +2162,10 @@ int bch_btree_insert_check_key(struct btree *b, struct btree_op *op,
+ rw_lock(true, b, b->level);
+
+ if (b->key.ptr[0] != btree_ptr ||
+- b->seq != seq + 1)
++ b->seq != seq + 1) {
++ op->lock = b->level;
+ goto out;
++ }
+ }
+
+ SET_KEY_PTRS(check_key, 1);
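Review bot: The added `op->lock = b->level;` in bch_btree_insert_check_key() carries the whole fix but has no comment, and nothing in the code explains why the lock level changes just before `goto out`. Going by the patch description, the intent appears to be that the retried traversal takes the write lock instead of racing on b->seq again. A comment like `/* lost the race: retry with the write lock held from this level */` would record that, ideally with the description's remark that this trades scalability for forward progress. The function body starts and ends outside the hunk.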
diff --git a/debian/patches/bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch b/debian/patches/bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
new file mode 100644
index 000000000000..5d4736fe6c9d
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
@@ -0,0 +1,32 @@
+From: Stefan Bader <stefan.bader@canonical.com>
+Date: Sun, 29 Nov 2015 18:44:49 -0800
+Subject: [7/8] bcache: prevent crash on changing writeback_running
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=8d16ce540c94c9d366eb36fc91b7154d92d6397b
+
+Added a safeguard in the shutdown case. At least while not being
+attached it is also possible to trigger a kernel bug by writing into
+writeback_running. This change adds the same check before trying to
+wake up the thread for that case.
+
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+Cc: Kent Overstreet <kent.overstreet@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/writeback.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/writeback.h b/drivers/md/bcache/writeback.h
+index 0a9dab1..073a042 100644
+--- a/drivers/md/bcache/writeback.h
++++ b/drivers/md/bcache/writeback.h
+@@ -63,7 +63,8 @@ static inline bool should_writeback(struct cached_dev *dc, struct bio *bio,
+
+ static inline void bch_writeback_queue(struct cached_dev *dc)
+ {
+- wake_up_process(dc->writeback_thread);
++ if (!IS_ERR_OR_NULL(dc->writeback_thread))
++ wake_up_process(dc->writeback_thread);
+ }
+
+ static inline void bch_writeback_add(struct cached_dev *dc)
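Review bot: The new `IS_ERR_OR_NULL(dc->writeback_thread)` test in bch_writeback_queue() only covers a thread that was never created or failed to start; it does not help if the pointer stays non-NULL after the thread has been stopped. Whether that can happen depends on the teardown code, which is not in this hunk, so confirm that the shutdown path clears or invalidates dc->writeback_thread before a sysfs write can still reach this helper. A short comment on the guard, e.g. `/* no writeback thread while detached or shutting down */`, would also explain why the wake-up is skipped silently.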
diff --git a/debian/patches/bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch b/debian/patches/bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
new file mode 100644
index 000000000000..538f34b021be
--- /dev/null
+++ b/debian/patches/bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
@@ -0,0 +1,35 @@
+From: Zheng Liu <wenqing.lz@taobao.com>
+Date: Sun, 29 Nov 2015 17:21:57 -0800
+Subject: [5/8] bcache: unregister reboot notifier if bcache fails to
+ unregister device
+Origin: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git/commit?id=2ecf0cdb2b437402110ab57546e02abfa68a716b
+
+In bcache_init() function it forgot to unregister reboot notifier if
+bcache fails to unregister a block device. This commit fixes this.
+
+Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
+Tested-by: Joshua Schmid <jschmid@suse.com>
+Tested-by: Eric Wheeler <bcache@linux.ewheeler.net>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@fb.com>
+---
+ drivers/md/bcache/super.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 43e911e..18f14a2 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -2071,8 +2071,10 @@ static int __init bcache_init(void)
+ closure_debug_init();
+
+ bcache_major = register_blkdev(0, "bcache");
+- if (bcache_major < 0)
++ if (bcache_major < 0) {
++ unregister_reboot_notifier(&reboot);
+ return bcache_major;
++ }
+
+ if (!(bcache_wq = create_workqueue("bcache")) ||
+ !(bcache_kobj = kobject_create_and_add("bcache", fs_kobj)) ||
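Review bot: The patch description says the notifier is leaked when bcache "fails to unregister a block device", but the branch changed in bcache_init() handles a failing `register_blkdev()`. The Debian changelog entry should describe it as a registration failure so the fix can be found. The next failure branch (`create_workqueue` / `kobject_create_and_add`) is cut off by the hunk, so it cannot be confirmed from here that it also drops the reboot notifier; that path is worth checking.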
diff --git a/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch b/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
new file mode 100644
index 000000000000..02fe5e74bcd6
--- /dev/null
+++ b/debian/patches/bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
@@ -0,0 +1,63 @@
+From: Peter Hurley <peter@hurleysoftware.com>
+Subject: tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
+Date: Sun, 10 Jan 2016 22:40:55 -0800
+Origin: http://article.gmane.org/gmane.linux.kernel/2123249
+
+ioctl(TIOCGETD) retrieves the line discipline id directly from the
+ldisc because the line discipline id (c_line) in termios is untrustworthy;
+userspace may have set termios via ioctl(TCSETS*) without actually
+changing the line discipline via ioctl(TIOCSETD).
+
+However, directly accessing the current ldisc via tty->ldisc is
+unsafe; the ldisc ptr dereferenced may be stale if the line discipline
+is changing via ioctl(TIOCSETD) or hangup.
+
+Wait for the line discipline reference (just like read() or write())
+to retrieve the "current" line discipline id.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+---
+ drivers/tty/tty_io.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2654,6 +2654,28 @@ static int tiocsetd(struct tty_struct *t
+ }
+
+ /**
++ * tiocgetd - get line discipline
++ * @tty: tty device
++ * @p: pointer to user data
++ *
++ * Retrieves the line discipline id directly from the ldisc.
++ *
++ * Locking: waits for ldisc reference (in case the line discipline
++ * is changing or the tty is being hungup)
++ */
++
++static int tiocgetd(struct tty_struct *tty, int __user *p)
++{
++ struct tty_ldisc *ld;
++ int ret;
++
++ ld = tty_ldisc_ref_wait(tty);
++ ret = put_user(ld->ops->num, p);
++ tty_ldisc_deref(ld);
++ return ret;
++}
++
++/**
+ * send_break - performed time break
+ * @tty: device to break on
+ * @duration: timeout in mS
+@@ -2879,7 +2901,7 @@ long tty_ioctl(struct file *file, unsign
+ case TIOCGSID:
+ return tiocgsid(tty, real_tty, p);
+ case TIOCGETD:
+- return put_user(tty->ldisc->ops->num, (int __user *)p);
++ return tiocgetd(tty, p);
+ case TIOCSETD:
+ return tiocsetd(tty, p);
+ case TIOCVHANGUP:
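Review bot: In the new tiocgetd(), `ld` is dereferenced as `ld->ops->num` without checking what tty_ldisc_ref_wait() returned. If that helper can hand back NULL on this kernel (for example for a tty that has been hung up and has no ldisc, which this hunk does not show), the ioctl would dereference a NULL pointer. A guard before put_user() closes that: `if (!ld) return -EIO;`, with the error code chosen to match the rest of tty_io.c. The call site also drops the explicit `(int __user *)` cast the old line had, which is fine only if `p` is a `void __user *` there.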
diff --git a/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
new file mode 100644
index 000000000000..8cd6bb4ace1a
--- /dev/null
+++ b/debian/patches/bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
@@ -0,0 +1,140 @@
+From: willy tarreau <w@1wt.eu>
+Date: Sun, 10 Jan 2016 07:54:56 +0100
+Subject: unix: properly account for FDs passed over unix sockets
+Origin: https://git.kernel.org/linus/712f4aad406bb1ed67f3f98d04c044191f0ff593
+
+It is possible for a process to allocate and accumulate far more FDs than
+the process' limit by sending them over a unix socket then closing them
+to keep the process' fd count low.
+
+This change addresses this problem by keeping track of the number of FDs
+in flight per user and preventing non-privileged processes from having
+more FDs in flight than their configured FD limit.
+
+Reported-by: socketpair@gmail.com
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Mitigates: CVE-2013-4312 (Linux 2.0+)
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/sched.h | 1 +
+ net/unix/af_unix.c | 24 ++++++++++++++++++++----
+ net/unix/garbage.c | 13 ++++++++-----
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index edad7a4..fbf25f1 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -830,6 +830,7 @@ struct user_struct {
+ unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
+ #endif
+ unsigned long locked_shm; /* How many pages of mlocked shm ? */
++ unsigned long unix_inflight; /* How many files in flight in unix sockets */
+
+ #ifdef CONFIG_KEYS
+ struct key *uid_keyring; /* UID specific keyring */
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index ef05cd9..e3f85bc 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
+ sock_wfree(skb);
+ }
+
++/*
++ * The "user->unix_inflight" variable is protected by the garbage
++ * collection lock, and we just read it locklessly here. If you go
++ * over the limit, there might be a tiny race in actually noticing
++ * it across threads. Tough.
++ */
++static inline bool too_many_unix_fds(struct task_struct *p)
++{
++ struct user_struct *user = current_user();
++
++ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
++ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
++ return false;
++}
++
+ #define MAX_RECURSION_LEVEL 4
+
+ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+ unsigned char max_level = 0;
+ int unix_sock_count = 0;
+
++ if (too_many_unix_fds(current))
++ return -ETOOMANYREFS;
++
+ for (i = scm->fp->count - 1; i >= 0; i--) {
+ struct sock *sk = unix_get_socket(scm->fp->fp[i]);
+
+@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+ if (!UNIXCB(skb).fp)
+ return -ENOMEM;
+
+- if (unix_sock_count) {
+- for (i = scm->fp->count - 1; i >= 0; i--)
+- unix_inflight(scm->fp->fp[i]);
+- }
++ for (i = scm->fp->count - 1; i >= 0; i--)
++ unix_inflight(scm->fp->fp[i]);
+ return max_level;
+ }
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index a73a226..8fcdc22 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -120,11 +120,11 @@ void unix_inflight(struct file *fp)
+ {
+ struct sock *s = unix_get_socket(fp);
+
++ spin_lock(&unix_gc_lock);
++
+ if (s) {
+ struct unix_sock *u = unix_sk(s);
+
+- spin_lock(&unix_gc_lock);
+-
+ if (atomic_long_inc_return(&u->inflight) == 1) {
+ BUG_ON(!list_empty(&u->link));
+ list_add_tail(&u->link, &gc_inflight_list);
+@@ -132,25 +132,28 @@ void unix_inflight(struct file *fp)
+ BUG_ON(list_empty(&u->link));
+ }
+ unix_tot_inflight++;
+- spin_unlock(&unix_gc_lock);
+ }
++ fp->f_cred->user->unix_inflight++;
++ spin_unlock(&unix_gc_lock);
+ }
+
+ void unix_notinflight(struct file *fp)
+ {
+ struct sock *s = unix_get_socket(fp);
+
++ spin_lock(&unix_gc_lock);
++
+ if (s) {
+ struct unix_sock *u = unix_sk(s);
+
+- spin_lock(&unix_gc_lock);
+ BUG_ON(list_empty(&u->link));
+
+ if (atomic_long_dec_and_test(&u->inflight))
+ list_del_init(&u->link);
+ unix_tot_inflight--;
+- spin_unlock(&unix_gc_lock);
+ }
++ fp->f_cred->user->unix_inflight--;
++ spin_unlock(&unix_gc_lock);
+ }
+
+ static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
+--
+2.7.0.rc3
+
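Review bot: The limit check and the accounting look at different users: too_many_unix_fds() reads `current_user()->unix_inflight`, while unix_inflight() and unix_notinflight() in net/unix/garbage.c adjust `fp->f_cred->user->unix_inflight`, which belongs to whoever opened the file rather than to the sender. When the two differ, the sender's counter does not grow and another user's counter is charged, so the RLIMIT_NOFILE comparison no longer bounds the sender. The counter should be charged to the sending user, recorded when the descriptors are attached so that the later decrement hits the same user_struct; where to store it lies outside these hunks. Separately, the check runs before the descriptors of the current message are counted, so the limit can be overshot by one message's worth.

```c
/* Charge the user_struct that too_many_unix_fds() reads, not the file's opener. */
void unix_inflight(struct user_struct *user, struct file *fp)
{
	/* … unchanged: socket lookup, unix_gc_lock, per-socket inflight list … */
	user->unix_inflight++;
	spin_unlock(&unix_gc_lock);
}

void unix_notinflight(struct user_struct *user, struct file *fp)
{
	/* … unchanged: socket lookup, unix_gc_lock, per-socket inflight list … */
	user->unix_inflight--;
	spin_unlock(&unix_gc_lock);
}
```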
diff --git a/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch b/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
new file mode 100644
index 000000000000..4b6a5d63cb1e
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
@@ -0,0 +1,31 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Subject: usb: serial: visor: fix crash on detecting device without write_urbs
+Date: Tue, 12 Jan 2016 15:10:50 +0100
+Origin: http://article.gmane.org/gmane.linux.usb.general/136045
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1296466
+
+The visor driver crashes in clie_5_attach() when a specially crafted USB
+device without bulk-out endpoint is detected. This fix adds a check that
+the device has proper configuration expected by the driver.
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+ drivers/usb/serial/visor.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -597,8 +597,10 @@ static int clie_5_attach(struct usb_seri
+ */
+
+ /* some sanity check */
+- if (serial->num_ports < 2)
+- return -1;
++ if (serial->num_bulk_out < 2) {
++ dev_err(&serial->interface->dev, "missing bulk out endpoints\n");
++ return -ENODEV;
++ }
+
+ /* port 0 now uses the modified endpoint Address */
+ port = serial->port[0];
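Review bot: The sanity check in clie_5_attach() now tests only `serial->num_bulk_out` and no longer tests `serial->num_ports`, yet the line right after it still indexes `serial->port[0]`. Unless the port count is fixed by the driver's type definition (not visible here), keeping both conditions is the safer form: `if (serial->num_ports < 2 || serial->num_bulk_out < 2) {`. The rest of the function is outside the hunk, so the port[] entries it touches afterwards should be compared with what the guard actually guarantees.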
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
new file mode 100644
index 000000000000..dd2d3da59910
--- /dev/null
+++ b/debian/patches/bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
@@ -0,0 +1,60 @@
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Fri, 8 Jan 2016 20:29:40 +0100
+Subject: drm/vmwgfx: Fix a width / pitch mismatch on framebuffer updates
+Origin: https://git.kernel.org/linus/a50e2bf5a0f674d62b69f51f6935a30e82bd015c
+
+When the framebuffer is a vmwgfx dma buffer and a proxy surface is
+created, the vmw_kms_update_proxy() function requires that the proxy
+surface width and the framebuffer pitch are compatible, otherwise
+display corruption occurs as seen in gnome-shell/native with software
+3D. Since the framebuffer pitch is determined by user-space, allocate
+a proxy surface the width of which is based on the framebuffer pitch
+rather than on the framebuffer width.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Raphael Hertzog <buxy@kali.org>
+Tested-by: Mati Aharoni <muts@kali.org>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Reviewed-by: Brian Paul <brianp@vmware.com>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -725,21 +725,25 @@ static int vmw_create_dmabuf_proxy(struc
+ uint32_t format;
+ struct drm_vmw_size content_base_size;
+ struct vmw_resource *res;
++ unsigned int bytes_pp;
+ int ret;
+
+ switch (mode_cmd->depth) {
+ case 32:
+ case 24:
+ format = SVGA3D_X8R8G8B8;
++ bytes_pp = 4;
+ break;
+
+ case 16:
+ case 15:
+ format = SVGA3D_R5G6B5;
++ bytes_pp = 2;
+ break;
+
+ case 8:
+ format = SVGA3D_P8;
++ bytes_pp = 1;
+ break;
+
+ default:
+@@ -747,7 +751,7 @@ static int vmw_create_dmabuf_proxy(struc
+ return -EINVAL;
+ }
+
+- content_base_size.width = mode_cmd->width;
++ content_base_size.width = mode_cmd->pitch / bytes_pp;
+ content_base_size.height = mode_cmd->height;
+ content_base_size.depth = 1;
+
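Review bot: `content_base_size.width = mode_cmd->pitch / bytes_pp;` in vmw_create_dmabuf_proxy() trusts a pitch that, per the patch description, is chosen by user space, and nothing in the hunk checks it against the width. A pitch that is not a multiple of bytes_pp is silently truncated, and one smaller than `mode_cmd->width * bytes_pp` gives a proxy surface narrower than the framebuffer. If no caller validates this earlier (not visible here), add a check before the assignment, e.g. `if (mode_cmd->pitch % bytes_pp || mode_cmd->pitch / bytes_pp < mode_cmd->width) return -EINVAL;`. bytes_pp itself is always initialised, because the `default:` case returns before the division.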
diff --git a/debian/patches/series b/debian/patches/series
index 125045fda91d..0805169e3032 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -96,3 +96,16 @@ features/all/grsecurity/grkernsec_perf_harden.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
+bugfix/all/usb-serial-visor-fix-crash-on-detecting-device-without-write_urbs.patch
+bugfix/all/tty-fix-unsafe-ldisc-reference-via-ioctl-tiocgetd.patch
+bugfix/x86/drm-vmwgfx-fix-a-width-pitch-mismatch-on-framebuffer.patch
+bugfix/all/unix-properly-account-for-FDs-passed-over-unix-socke.patch
+bugfix/all/bcache-fix-a-livelock-when-we-cause-a-huge-number-of.patch
+bugfix/all/bcache-add-a-cond_resched-call-to-gc.patch
+bugfix/all/bcache-clear-bcache_dev_unlink_done-flag-when-attach.patch
+bugfix/all/bcache-fix-a-leak-in-bch_cached_dev_run.patch
+bugfix/all/bcache-unregister-reboot-notifier-if-bcache-fails-to.patch
+bugfix/all/bcache-allows-use-of-register-in-udev-to-avoid-devic.patch
+bugfix/all/bcache-prevent-crash-on-changing-writeback_running.patch
+bugfix/all/bcache-change-refill_dirty-to-always-scan-entire-dis.patch
+bugfix/all/KEYS-Fix-keyring-ref-leak-in-join_session_keyring.patch
diff --git a/debian/rules.real b/debian/rules.real
index 4861fce359fb..9a284baa448b 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -91,16 +91,16 @@ mkdir -p '$(1)'
cp -al $(filter-out debian .pc .svk .svn .git, $(wildcard * .[^.]*)) '$(1)'
endef
-$(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz: DIR = $(BUILD_DIR)/linux-source-$(UPSTREAMVERSION)
-$(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz: $(STAMPS_DIR)/source
+$(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz: DIR = $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION)
+$(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz: $(STAMPS_DIR)/source
rm -rf '$@' '$(DIR)'
$(call copy_source,$(DIR))
chmod -R u+rw,go=rX '$(DIR)'
find '$(DIR)' -depth -newermt '$(SOURCE_DATE)' -print0 | \
xargs -0r touch --no-dereference --date='$(SOURCE_DATE)'
- cd '$(BUILD_DIR)'; find 'linux-source-$(UPSTREAMVERSION)' -print0 | \
+ cd '$(BUILD_DIR)'; find '$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION)' -print0 | \
sort -z | \
- tar --no-recursion --null -T - -caf 'linux-source-$(UPSTREAMVERSION).tar.xz'
+ tar --no-recursion --null -T - -caf '$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz'
rm -rf '$(DIR)'
$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-%.patch.xz: $(STAMPS_DIR)/source_none $(STAMPS_DIR)/source_%
@@ -429,6 +429,17 @@ ifeq ($(MODULES),True)
find $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/ -mindepth 1 -maxdepth 1 \! -name kernel -exec rm {} \+
rm $(DEBUG_DIR)/lib/firmware -rf
endif
+ifeq ($(VDSO),True)
+ +$(MAKE_CLEAN) -C $(DIR) vdso_install INSTALL_MOD_PATH='$(CURDIR)'/$(DEBUG_DIR)
+# Fix .build-id links
+ find $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vdso/.build-id -name '*.debug' | while read link; do \
+ rel_path="$${link#$(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vdso/.build-id/}" && \
+ mkdir -p "$(DEBUG_DIR)/.build-id/$$(dirname "$$rel_path")" && \
+ ln -s -r -L "$$link" "$(DEBUG_DIR)/.build-id/$$rel_path" || \
+ exit; \
+ done
+ rm -r $(DEBUG_DIR)/lib/modules/$(REAL_VERSION)/vdso/.build-id
+endif
# Add symlinks to vmlinux from the locations expected by kdump-tools,
# systemtap and others
ln -s boot/vmlinux-$(REAL_VERSION) $(DEBUG_DIR)/
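Review bot: The `.build-id` loop in the VDSO block reads paths with a plain `read link`, which strips surrounding whitespace and interprets backslashes; `while IFS= read -r link; do` is the robust form. Because the loop is the last stage of a pipeline, a failing `find` (for instance when vdso_install produced no `.build-id` directory) is not reported by that recipe line and only surfaces through the `rm -r` that follows. The comment `# Fix .build-id links` would be more useful if it said what is wrong with the installed links and where they are being recreated.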
@@ -450,7 +461,7 @@ install-udeb_$(ARCH):
install-source: PACKAGE_NAME = $(SOURCE_PACKAGE_NAME)-source-$(VERSION)
install-source: DH_OPTIONS = -p$(PACKAGE_NAME)
-install-source: $(BUILD_DIR)/linux-source-$(UPSTREAMVERSION).tar.xz $(foreach FEATURESET,$(filter-out none,$(ALL_FEATURESETS)),$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz)
+install-source: $(BUILD_DIR)/$(SOURCE_PACKAGE_NAME)-source-$(UPSTREAMVERSION).tar.xz $(foreach FEATURESET,$(filter-out none,$(ALL_FEATURESETS)),$(BUILD_DIR)/linux-patch-$(UPSTREAMVERSION)-$(FEATURESET).patch.xz)
dh_testdir
dh_testroot
dh_installdirs /usr/src/linux-config-$(UPSTREAMVERSION)