Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
read-only bind mount read-only in a user namespace the
MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
to the remount a read-only mount read-write.

Upon review of the code in remount it was discovered that the code allowed
nosuid, noexec, and nodev to be cleared.  It was also discovered that
the code was allowing the per mount atime flags to be changed.

The first naive patch to fix these issues contained the flaw that using
default atime settings when remounting a filesystem could be disallowed.

To avoid this problems in the future add tests to ensure unprivileged
remounts are succeeding and failing at the appropriate times.

Cc: stable@vger.kernel.org
Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>

Since March 2009 the kernel has treated the state that if no
MS_..ATIME flags are passed then the kernel defaults to relatime.

Defaulting to relatime instead of the existing atime state during a
remount is silly, and causes problems in practice for people who don't
specify any MS_...ATIME flags and to get the default filesystem atime
setting.  Those users may encounter a permission error because the
default atime setting does not work.

A default that does not work and causes permission problems is
ridiculous, so preserve the existing value to have a default
atime setting that is always guaranteed to work.

Using the default atime setting in this way is particularly
interesting for applications built to run in restricted userspace
environments without /proc mounted, as the existing atime mount
options of a filesystem can not be read from /proc/mounts.

In practice this fixes user space that uses the default atime
setting on remount that are broken by the permission checks
keeping less privileged users from changing more privileged users
atime settings.

Cc: stable@vger.kernel.org
Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>

While invesgiating the issue where in "mount --bind -oremount,ro ..."
would result in later "mount --bind -oremount,rw" succeeding even if
the mount started off locked I realized that there are several
additional mount flags that should be locked and are not.

In particular MNT_NOSUID, MNT_NODEV, MNT_NOEXEC, and the atime
flags in addition to MNT_READONLY should all be locked.  These
flags are all per superblock, can all be changed with MS_BIND,
and should not be changable if set by a more privileged user.

The following additions to the current logic are added in this patch.
- nosuid may not be clearable by a less privileged user.
- nodev  may not be clearable by a less privielged user.
- noexec may not be clearable by a less privileged user.
- atime flags may not be changeable by a less privileged user.

The logic with atime is that always setting atime on access is a
global policy and backup software and auditing software could break if
atime bits are not updated (when they are configured to be updated),
and serious performance degradation could result (DOS attack) if atime
updates happen when they have been explicitly disabled.  Therefore an
unprivileged user should not be able to mess with the atime bits set
by a more privileged user.

The additional restrictions are implemented with the addition of
MNT_LOCK_NOSUID, MNT_LOCK_NODEV, MNT_LOCK_NOEXEC, and MNT_LOCK_ATIME
mnt flags.

Taken together these changes and the fixes for MNT_LOCK_READONLY
should make it safe for an unprivileged user to create a user
namespace and to call "mount --bind -o remount,... ..." without
the danger of mount flags being changed maliciously.

Cc: stable@vger.kernel.org
Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>

There are no races as locked mount flags are guaranteed to never change.

Moving the test into do_remount makes it more visible, and ensures all
filesystem remounts pass the MNT_LOCK_READONLY permission check.  This
second case is not an issue today as filesystem remounts are guarded
by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
mount namespaces, but it could become an issue in the future.

Cc: stable@vger.kernel.org
Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>

Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
read-only bind mount read-only in a user namespace the
MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
to the remount a read-only mount read-write.

Correct this by replacing the mask of mount flags to preserve
with a mask of mount flags that may be changed, and preserve
all others.   This ensures that any future bugs with this mask and
remount will fail in an easy to detect way where new mount flags
simply won't change.

Cc: stable@vger.kernel.org
Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>

The synchronous syncrhonize_rcu in switch_task_namespaces makes setns
a sufficiently expensive system call that people have complained.

Upon inspect nsproxy no longer needs rcu protection for remote reads.
remote reads are rare.  So optimize for same process reads and write
by switching using rask_lock instead.

This yields a simpler to understand lock, and a faster setns system call.

In particular this fixes a performance regression observed
by Rafael David Tinoco <rafael.tinoco@canonical.com>.

This is effectively a revert of Pavel Emelyanov's commit
cf7b708c Make access to task's nsproxy lighter
from 2007.  The race this originialy fixed no longer exists as
do_notify_parent uses task_active_pid_ns(parent) instead of
parent->nsproxy.
Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>

Pull more IIO driver fixes from Greg KH:
 "Here are two IIO driver fixes for 3.16-rc6 that resolve some reported
  issues"

* tag 'staging-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  iio: mma8452: Use correct acceleration units.
  iio:core: Handle error when mask type is not separate

Pull USB fixes from Greg KH:
 "Here are two USB patches that resolve some reported issues, one with
  an odd HUB, and one in the chipidea driver"

* tag 'usb-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  usb: Check if port status is equal to RxDetect
  usb: chipidea: udc: Disable auto ZLP generation on ep0

Merge tag 'driver-core-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core fix from Greg KH:
 "Here is a single driver core fix that reverts an older patch that has
  been causing a number of reported problems with the platform devices.

  This revert has been in linux-next for a while with no reported issues"

* tag 'driver-core-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  platform_get_irq: Revert to platform_get_resource if of_irq_get fails

Pull char/misc fix from Greg KH:
 "Here's a single hyper-v driver fix for a reported issue"

* tag 'char-misc-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  Drivers: hv: hv_fcopy: fix a race condition for SMP guest

Pull intel drm fixes from Dave Airlie:
 "Intel fixes came in late, but since I debugged one of them I'll send
  them on,

  Two reverts, a quirk and one warn regression"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  Revert "drm/i915: reverse dp link param selection, prefer fast over wide again"
  drm/i915: Track the primary plane correctly when reassigning planes
  drm/i915: Ignore VBT backlight presence check on HP Chromebook 14
  Revert "drm/i915: Don't set the 8to6 dither flag when not scaling"

Pull UML fixes from Richard Weinberger:
 "Four fixes, all discovered by Trinity"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml:
  um: segv: Save regs only in case of a kernel mode fault
  um: Fix hung task in fix_range_common()
  um: Ensure that a stub page cannot get unmapped
  Revert "um: Fix wait_stub_done() error handling"

Pull btrfs fixes from Chris Mason:
 "We have two more fixes in my for-linus branch.

  I was hoping to also include a fix for a btrfs deadlock with
  compression enabled, but we're still nailing that one down"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  btrfs: test for valid bdev before kobj removal in btrfs_rm_device
  Btrfs: fix abnormal long waiting in fsync

Pull NFS client fixes from Trond Myklebust:
 "Apologies for the relative lateness of this pull request, however the
  commits fix some issues with the NFS read/write code updates in
  3.16-rc1 that can cause serious Oopsing when using small r/wsize.  The
  delay was mainly due to extra testing to make sure that the fixes
  behave correctly.

  Highlights include;
   - Stable fix for an NFSv3 posix ACL regression
   - Multiple fixes for regressions to the NFS generic read/write code:
     - Fix page splitting bugs that come into play when a small
       rsize/wsize read/write needs to be sent again (due to error
       conditions or page redirty)
     - Fix nfs_wb_page_cancel, which is called by the "invalidatepage"
       method
   - Fix 2 compile warnings about unused variables
   - Fix a performance issue affecting unstable writes"

* tag 'nfs-for-3.16-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
  NFS: Don't reset pg_moreio in __nfs_pageio_add_request
  NFS: Remove 2 unused variables
  nfs: handle multiple reqs in nfs_wb_page_cancel
  nfs: handle multiple reqs in nfs_page_async_flush
  nfs: change find_request to find_head_request
  nfs: nfs_page should take a ref on the head req
  nfs: mark nfs_page reqs with flag for extra ref
  nfs: only show Posix ACLs in listxattr if actually present

...otherwise me lose user mode regs and the resulting
stack trace is useless.
Signed-off-by: NRichard Weinberger <richard@nod.at>

If do_ops() fails we have to release current->mm->mmap_sem
otherwise the failing task will never terminate.
Reported-by: NToralf Förster <toralf.foerster@gmx.de>
Signed-off-by: NRichard Weinberger <richard@nod.at>

Trinity discovered an execution path such that a task
can unmap his stub page.
Reported-by: NToralf Förster <toralf.foerster@gmx.de>
Signed-off-by: NRichard Weinberger <richard@nod.at>

This reverts commit 0974a9ca.
The real for for that issue is to release current->mm->mmap_sem in
fix_range_common().
Signed-off-by: NRichard Weinberger <richard@nod.at>

commit 99994cde btrfs: dev delete should remove sysfs entry
added a btrfs_kobj_rm_device, which dereferences device->bdev...
right after we check whether device->bdev might be NULL.

I don't honestly know if it's possible to have a NULL device->bdev
here, but assuming that it is (given the test), we need to move
the kobject removal to be under that test.

(Coverity spotted this)
Signed-off-by: NEric Sandeen <sandeen@redhat.com>
Signed-off-by: NChris Mason <clm@fb.com>

xfstests generic/127 detected this problem.

With commit 7fc34a62, now fsync will only flush
data within the passed range.  This is the cause of the above problem,
-- btrfs's fsync has a stage called 'sync log' which will wait for all the
ordered extents it've recorded to finish.

In xfstests/generic/127, with mixed operations such as truncate, fallocate,
punch hole, and mapwrite, we get some pre-allocated extents, and mapwrite will
mmap, and then msync.  And I find that msync will wait for quite a long time
(about 20s in my case), thanks to ftrace, it turns out that the previous
fallocate calls 'btrfs_wait_ordered_range()' to flush dirty pages, but as the
range of dirty pages may be larger than 'btrfs_wait_ordered_range()' wants,
there can be some ordered extents created but not getting corresponding pages
flushed, then they're left in memory until we fsync which runs into the
stage 'sync log', and fsync will just wait for the system writeback thread
to flush those pages and get ordered extents finished, so the latency is
inevitable.

This adds a flush similar to btrfs_start_ordered_extent() in
btrfs_wait_logged_extents() to fix that.
Reviewed-by: NMiao Xie <miaox@cn.fujitsu.com>
Signed-off-by: NLiu Bo <bo.li.liu@oracle.com>
Signed-off-by: NChris Mason <clm@fb.com>

Pull locking fixes from Thomas Gleixner:
 "The locking department delivers:

   - A rather large and intrusive bundle of fixes to address serious
     performance regressions introduced by the new rwsem / mcs
     technology.  Simpler solutions have been discussed, but they would
     have been ugly bandaids with more risk than doing the right thing.

   - Make the rwsem spin on owner technology opt-in for architectures
     and enable it only on the known to work ones.

   - A few fixes to the lockdep userspace library"

* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  locking/rwsem: Add CONFIG_RWSEM_SPIN_ON_OWNER
  locking/mutex: Disable optimistic spinning on some architectures
  locking/rwsem: Reduce the size of struct rw_semaphore
  locking/rwsem: Rename 'activity' to 'count'
  locking/spinlocks/mcs: Micro-optimize osq_unlock()
  locking/spinlocks/mcs: Introduce and use init macro and function for osq locks
  locking/spinlocks/mcs: Convert osq lock to atomic_t to reduce overhead
  locking/spinlocks/mcs: Rename optimistic_spin_queue() to optimistic_spin_node()
  locking/rwsem: Allow conservative optimistic spinning when readers have lock
  tools/liblockdep: Account for bitfield changes in lockdeps lock_acquire
  tools/liblockdep: Remove debug print left over from development
  tools/liblockdep: Fix comparison of a boolean value with a value of 2

Pull scheduler fix from Thomas Gleixner:
 "Prevent a possible divide by zero in the debugging code"

* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  sched: Fix possible divide by zero in avg_atom() calculation

Pull irq fixes from Thomas Gleixner:
 "Three patches addressing shortcomings in the ARM gic interrupt chip
  driver"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip: gic: Fix core ID calculation when topology is read from DT
  irqchip: gic: Add binding probe for ARM GIC400
  irqchip: gic: Add support for cortex a7 compatible string

Pull timer fix from Thomas Gleixner:
 "A single fix for a long standing issue in the alarm timer subsystem,
  which was noticed recently when people finally started to use alarm
  timers for serious work"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  alarmtimer: Fix bug where relative alarm timers were treated as absolute

Pull RCU fixes from Thomas Gleixner:
 "Two RCU patches:
   - Address a serious performance regression on open/close caused by
     commit ac1bea85 ("Make cond_resched() report RCU quiescent
     states")
   - Export RCU debug functions.  Not a regression, but enablement to
     address a serious recursion bug in the sl*b allocators in 3.17"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  rcu: Reduce overhead of cond_resched() checks for RCU
  rcu: Export debug_init_rcu_head() and and debug_init_rcu_head()

Pull ARM SoC fixes from Olof Johansson:
 "A smaller set of fixes this week, and all regression fixes:
   - a handful of issues fixed on at91 with common clock conversion
   - a set of fixes for Marvell mvebu (SMP, coherency, PM)
   - a clock fix for i.MX6Q.
   - ... and a SMP/hotplug fix for Exynos"

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: EXYNOS: Fix core ID used by platsmp and hotplug code
  ARM: at91/dt: add missing clocks property to pwm node in sam9x5.dtsi
  ARM: at91/dt: fix usb0 clocks definition in sam9n12 dtsi
  ARM: at91: at91sam9x5: correct typo error for ohci clock
  ARM: clk-imx6q: parent lvds_sel input from upstream clock gates
  ARM: mvebu: Fix coherency bus notifiers by using separate notifiers
  ARM: mvebu: Fix the operand list in the inline asm of armada_370_xp_pmsu_idle_enter
  ARM: mvebu: fix SMP boot for Armada 38x and Armada 375 Z1 in big endian

But in any case nothing really shocking in
here, 2 reverts, 1 quirk and a regression fix a WARN.

* tag 'drm-intel-fixes-2014-07-18' of git://anongit.freedesktop.org/drm-intel:
  Revert "drm/i915: reverse dp link param selection, prefer fast over wide again"
  drm/i915: Track the primary plane correctly when reassigning planes
  drm/i915: Ignore VBT backlight presence check on HP Chromebook 14
  Revert "drm/i915: Don't set the 8to6 dither flag when not scaling"

Pull x86 fixes from Peter Anvin:
 "A couple of key fixes and a few less critical ones.  The main ones
  are:

   - add a .bss section to the PE/COFF headers when building with EFI
     stub

   - invoke the correct paravirt magic when building the espfix page
     tables

  Unfortunately both of these areas also have at least one additional
  fix each still in thie pipeline, but which are not yet ready to push"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86: Remove unused variable "polling"
  x86/espfix/xen: Fix allocation of pages for paravirt page tables
  x86/efi: Include a .bss section within the PE/COFF headers
  efi: fdt: Do not report an error during boot if UEFI is not available
  efi/arm64: efistub: remove local copy of linux_banner

Pull infiniband/rdma fixes from Roland Dreier:
 - cxgb4 hardware driver regression fixes
 - mlx5 hardware driver regression fixes

* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/mlx5: Enable "block multicast loopback" for kernel consumers
  RDMA/cxgb4: Call iwpm_init() only once
  mlx5_core: Fix possible race between mr tree insert/delete
  RDMA/cxgb4: Initialize the device status page
  RDMA/cxgb4: Clean up connection on ARP error
  RDMA/cxgb4: Fix skb_leak in reject_cr()

Pull hwmon fixes from Guenter Roeck:
 "More fallout from module tests and code inspection.

  Fixes to temperature limit write operations in adt7470 driver.  Also,
  dashes are not allowed in hwmon 'name' attributes.  Fix drivers where
  necessary"

* tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (adt7470) Fix writes to temperature limit registers
  hwmon: (da9055) Don't use dash in the name attribute
  hwmon: (da9052) Don't use dash in the name attribute

Pull iommu fixes from Joerg Roedel:
 "A couple of fixes for the Freescale PAMU driver queued up:

   - fix PAMU window size check.
   - fix the device domain attach condition.
   - fix the error condition during iommu group"

* tag 'iommu-fixes-v3.16-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/fsl: Fix the error condition during iommu group
  iommu/fsl: Fix the device domain attach condition.
  iommu/fsl: Fix PAMU window size check.

Pull ACPI and power management fixes from Rafael Wysocki:
 "These are a few recent regression fixes, a revert of the ACPI video
  commit I promised, a system resume fix related to request_firmware(),
  an ACPI video quirk for one more Win8-oriented BIOS, an ACPI device
  enumeration documentation update and a few fixes for ARM cpufreq
  drivers.

  Specifics:

   - Fix for a recently introduced NULL pointer dereference in the core
     system suspend code occuring when platforms without ACPI attempt to
     use the "freeze" sleep state from Zhang Rui.

   - Fix for a recently introduced build warning in cpufreq headers from
     Brian W Hart.

   - Fix for a 3.13 cpufreq regression related to sysem resume that
     triggers on some systems with multiple CPU clusters from Viresh
     Kumar.

   - Fix for a 3.4 regression in request_firmware() resulting in
     WARN_ON()s on some systems during system resume from Takashi Iwai.

   - Revert of the ACPI video commit that changed the default value of
     the video.brightness_switch_enabled command line argument to 0 as
     it has been reported to break existing setups.

   - ACPI device enumeration documentation update to take recent code
     changes into account and make the documentation match the code
     again from Darren Hart.

   - Fixes for the sa1110, imx6q, kirkwood, and cpu0 cpufreq drivers
     from Linus Walleij, Nicolas Del Piano, Quentin Armitage, Viresh
     Kumar.

   - New ACPI video blacklist entry for HP ProBook 4540s from Hans de
     Goede"

* tag 'pm+acpi-3.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: make table sentinel macros unsigned to match use
  cpufreq: move policy kobj to policy->cpu at resume
  cpufreq: cpu0: OPPs can be populated at runtime
  cpufreq: kirkwood: Reinstate cpufreq driver for ARCH_KIRKWOOD
  cpufreq: imx6q: Select PM_OPP
  cpufreq: sa1110: set memory type for h3600
  ACPI / video: Add use_native_backlight quirk for HP ProBook 4540s
  PM / sleep: fix freeze_ops NULL pointer dereferences
  PM / sleep: Fix request_firmware() error at resume
  Revert "ACPI / video: change acpi-video brightness_switch_enabled default to 0"
  ACPI / documentation: Remove reference to acpi_platform_device_ids from enumeration.txt

Pull drm fixes from Dave Airlie:
 "One nouveau deadlock fix, one qxl irq handling fix, and a set of
  radeon pageflipping changes that fix regressions in pageflipping since
  -rc1 along with a leak and backlight fix.

  The pageflipping fixes are a bit bigger than I'd like, but there has
  been a few people focused on testing them"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/radeon: Make classic pageflip completion path less racy.
  drm/radeon: Add missing vblank_put in pageflip ioctl error path.
  drm/radeon: Remove redundant fence unref in pageflip path.
  drm/radeon: Complete page flip even if waiting on the BO fence fails
  drm/radeon: Move pinning the BO back to radeon_crtc_page_flip()
  drm/radeon: Prevent too early kms-pageflips triggered by vblank.
  drm/radeon: set default bl level to something reasonable
  drm/radeon: avoid leaking edid data
  drm/qxl: return IRQ_NONE if it was not our irq
  drm/nouveau/therm: fix a potential deadlock in the therm monitoring code

Pull /dev/random fix from Ted Ts'o:
 "Fix a BUG splat found by trinity"

* tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
  random: check for increase of entropy_count because of signed conversion

Pull crypto fixes from Herbert Xu:
 "This push fixes a boot hang in virt guests when the virtio RNG is
  enabled"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  hwrng: virtio - ensure reads happen after successful probe
  hwrng: fetch randomness only after device init

The expression entropy_count -= ibytes << (ENTROPY_SHIFT + 3) could
actually increase entropy_count if during assignment of the unsigned
expression on the RHS (mind the -=) we reduce the value modulo
2^width(int) and assign it to entropy_count. Trinity found this.

[ Commit modified by tytso to add an additional safety check for a
  negative entropy_count -- which should never happen, and to also add
  an additional paranoia check to prevent overly large count values to
  be passed into urandom_read().  ]
Reported-by: NDave Jones <davej@redhat.com>
Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org

When CPU topology is specified in device tree, cpu_logical_map() does
not return core ID anymore, but rather full MPIDR value. This breaks
existing calculation of PMU register offsets on Exynos SoCs.

This patch fixes the problem by adjusting the code to use only core ID
bits of the value returned by cpu_logical_map() to allow CPU topology to
be specified in device tree on Exynos SoCs.
Signed-off-by: NTomasz Figa <t.figa@samsung.com>
Signed-off-by: NKukjin Kim <kgene.kim@samsung.com>
Signed-off-by: NOlof Johansson <olof@lixom.net>

Merge tag 'imx-fixes-3.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes

Merge "ARM: imx: fixes for 3.16, 2nd take" from Shawn Guo:

The i.MX fixes for 3.16, 2nd take:

It fixes a hard machine hang regression for boards where only pcie is
active but no sata, as the latest imx6-pcie driver is no longer enabling
the upstream clock directly but only lvds clk out.

* tag 'imx-fixes-3.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
  ARM: clk-imx6q: parent lvds_sel input from upstream clock gates
Signed-off-by: NOlof Johansson <olof@lixom.net>

Merge "at91: fixes for 3.16 #2" from Nicolas Ferre:

Second AT91 fixes series for 3.16
- fix clock definitions after the move to CCF for:
  * at91sam9n12 (ohci)
  * at91sam9x5 (ohci, pwm)

* tag 'at91-fixes' of git://github.com/at91linux/linux-at91:
  ARM: at91/dt: add missing clocks property to pwm node in sam9x5.dtsi
  ARM: at91/dt: fix usb0 clocks definition in sam9n12 dtsi
  ARM: at91: at91sam9x5: correct typo error for ohci clock
Signed-off-by: NOlof Johansson <olof@lixom.net>