[S390] fix list corruption in gmap reverse mapping

	/* Free all segment & region tables. */

	/* Free all segment & region tables. */

	down_read(&gmap->mm->mmap_sem);

	down_read(&gmap->mm->mmap_sem);

	spin_lock(&gmap->mm->page_table_lock);

	list_for_each_entry_safe(page, next, &gmap->crst_list, lru) {

	list_for_each_entry_safe(page, next, &gmap->crst_list, lru) {

		table = (unsigned long *) page_to_phys(page);

		table = (unsigned long *) page_to_phys(page);

		if ((*table & _REGION_ENTRY_TYPE_MASK) == 0)

		if ((*table & _REGION_ENTRY_TYPE_MASK) == 0)

				gmap_unlink_segment(gmap, table);

				gmap_unlink_segment(gmap, table);

		__free_pages(page, ALLOC_ORDER);

		__free_pages(page, ALLOC_ORDER);

	}

	}

	spin_unlock(&gmap->mm->page_table_lock);

	up_read(&gmap->mm->mmap_sem);

	up_read(&gmap->mm->mmap_sem);

	list_del(&gmap->list);

	list_del(&gmap->list);

	kfree(gmap);

	kfree(gmap);

	flush = 0;

	flush = 0;

	down_read(&gmap->mm->mmap_sem);

	down_read(&gmap->mm->mmap_sem);

	spin_lock(&gmap->mm->page_table_lock);

	for (off = 0; off < len; off += PMD_SIZE) {

	for (off = 0; off < len; off += PMD_SIZE) {

		/* Walk the guest addr space page table */

		/* Walk the guest addr space page table */

		table = gmap->table + (((to + off) >> 53) & 0x7ff);

		table = gmap->table + (((to + off) >> 53) & 0x7ff);

		*table = _SEGMENT_ENTRY_INV;

		*table = _SEGMENT_ENTRY_INV;

	}

	}

out:

out:

	spin_unlock(&gmap->mm->page_table_lock);

	up_read(&gmap->mm->mmap_sem);

	up_read(&gmap->mm->mmap_sem);

	if (flush)

	if (flush)

		gmap_flush_tlb(gmap);

		gmap_flush_tlb(gmap);

	flush = 0;

	flush = 0;

	down_read(&gmap->mm->mmap_sem);

	down_read(&gmap->mm->mmap_sem);

	spin_lock(&gmap->mm->page_table_lock);

	for (off = 0; off < len; off += PMD_SIZE) {

	for (off = 0; off < len; off += PMD_SIZE) {

		/* Walk the gmap address space page table */

		/* Walk the gmap address space page table */

		table = gmap->table + (((to + off) >> 53) & 0x7ff);

		table = gmap->table + (((to + off) >> 53) & 0x7ff);

		flush |= gmap_unlink_segment(gmap, table);

		flush |= gmap_unlink_segment(gmap, table);

		*table = _SEGMENT_ENTRY_INV | _SEGMENT_ENTRY_RO | (from + off);

		*table = _SEGMENT_ENTRY_INV | _SEGMENT_ENTRY_RO | (from + off);

	}

	}

	spin_unlock(&gmap->mm->page_table_lock);

	up_read(&gmap->mm->mmap_sem);

	up_read(&gmap->mm->mmap_sem);

	if (flush)

	if (flush)

		gmap_flush_tlb(gmap);

		gmap_flush_tlb(gmap);

	return 0;

	return 0;

out_unmap:

out_unmap:

	spin_unlock(&gmap->mm->page_table_lock);

	up_read(&gmap->mm->mmap_sem);

	up_read(&gmap->mm->mmap_sem);

	gmap_unmap_segment(gmap, to, len);

	gmap_unmap_segment(gmap, to, len);

	return -ENOMEM;

	return -ENOMEM;

		page = pmd_page(*pmd);

		page = pmd_page(*pmd);

		mp = (struct gmap_pgtable *) page->index;

		mp = (struct gmap_pgtable *) page->index;

		rmap->entry = table;

		rmap->entry = table;

		spin_lock(&mm->page_table_lock);

		list_add(&rmap->list, &mp->mapper);

		list_add(&rmap->list, &mp->mapper);

		spin_unlock(&mm->page_table_lock);

		/* Set gmap segment table entry to page table. */

		/* Set gmap segment table entry to page table. */

		*table = pmd_val(*pmd) & PAGE_MASK;

		*table = pmd_val(*pmd) & PAGE_MASK;

		return vmaddr | (address & ~PMD_MASK);

		return vmaddr | (address & ~PMD_MASK);