Merge 4.4.294 into android-4.4-p

Changes in 4.4.294
	staging: ion: Prevent incorrect reference counting behavour
	USB: serial: option: add Telit LE910S1 0x9200 composition
	USB: serial: option: add Fibocom FM101-GL variants
	usb: hub: Fix usb enumeration issue due to address0 race
	usb: hub: Fix locking issues with address0_mutex
	binder: fix test regression due to sender_euid change
	ALSA: ctxfi: Fix out-of-range access
	staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
	xen: don't continue xenstore initialization in case of errors
	xen: detect uninitialized xenbus in xenbus_init
	ARM: dts: BCM5301X: Add interrupt properties to GPIO node
	ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
	net: ieee802154: handle iftypes as u32
	NFSv42: Don't fail clone() unless the OP_CLONE operation failed
	ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
	scsi: mpt3sas: Fix kernel panic during drive powercycle test
	tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows
	tracing: Check pid filtering when creating events
	hugetlbfs: flush TLBs correctly after huge_pmd_unshare
	proc/vmcore: fix clearing user buffer by properly using clear_user()
	NFC: add NCI_UNREG flag to eliminate the race
	fuse: fix page stealing
	fuse: release pipe buf after last use
	shm: extend forced shm destroy to support objects from several IPC nses
	xen: sync include/xen/interface/io/ring.h with Xen's newest version
	xen/blkfront: read response from backend only once
	xen/blkfront: don't take local copy of a request from the ring page
	xen/blkfront: don't trust the backend response data blindly
	xen/netfront: read response from backend only once
	xen/netfront: don't read data from request on the ring page
	xen/netfront: disentangle tx_skb_freelist
	xen/netfront: don't trust the backend response data blindly
	tty: hvc: replace BUG_ON() with negative return value
	hugetlb: take PMD sharing into account when flushing tlb/caches
	net: return correct error code
	platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
	s390/setup: avoid using memblock_enforce_memory_limit
	scsi: iscsi: Unblock session then wake up error handler
	net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound
	net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
	kprobes: Limit max data_size of the kretprobe instances
	sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
	sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
	fs: add fget_many() and fput_many()
	fget: check that the fd still exists after getting a ref to it
	natsemi: xtensa: fix section mismatch warnings
	net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
	siphash: use _unaligned version by default
	parisc: Fix "make install" on newer debian releases
	vgacon: Propagate console boot parameters before calling `vc_resize'
	tty: serial: msm_serial: Deactivate RX DMA for polling support
	serial: pl011: Add ACPI SBSA UART match id
	Linux 4.4.294

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id3cafc33da957a0501bcf61d000025167d552797

1 files changed, 9 insertions, 1 deletions

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 755a56f9fb58..c7cd7f65ed50 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -931,6 +931,13 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep)
 	if (!(buf->flags & PIPE_BUF_FLAG_LRU))
 		lru_cache_add_file(newpage);
 
+	/*
+	 * Release while we have extra ref on stolen page.  Otherwise
+	 * anon_pipe_buf_release() might think the page can be reused.
+	 */
+	buf->ops->release(cs->pipe, buf);
+	buf->ops = NULL;
+
 	err = 0;
 	spin_lock(&cs->req->waitq.lock);
 	if (test_bit(FR_ABORTED, &cs->req->flags))
@@ -2100,7 +2107,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
 out_free:
 	for (idx = 0; idx < nbuf; idx++) {
 		struct pipe_buffer *buf = &bufs[idx];
-		buf->ops->release(pipe, buf);
+		if (buf->ops)
+			buf->ops->release(pipe, buf);
 	}
 	pipe_unlock(pipe);