--- /dev/null
+From cfe1580a6415bc37fd62d79eb8102a618f7650b2 Mon Sep 17 00:00:00 2001
+From: Lokesh Vutla <lokeshvutla@ti.com>
+Date: Tue, 8 Mar 2016 12:24:35 +0530
+Subject: ARM: dts: AM43x-epos: Fix clk parent for synctimer
+
+From: Lokesh Vutla <lokeshvutla@ti.com>
+
+commit cfe1580a6415bc37fd62d79eb8102a618f7650b2 upstream.
+
+commit 55ee7017ee31 ("arm: omap2: board-generic: use omap4_local_timer_init
+for AM437x") makes synctimer32k as the clocksource on AM43xx. By default
+the synctimer32k is clocked by 32K RTC OSC on AM43xx. But this 32K RTC OSC
+is not available on epos boards which makes it fail to boot.
+
+Synctimer32k can also be clocked by a peripheral PLL, so making this as
+clock parent for synctimer3k on epos boards.
+
+Fixes: 55ee7017ee31 ("arm: omap2: board-generic: use omap4_local_timer_init for AM437x")
+Reported-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/am43x-epos-evm.dts | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/arm/boot/dts/am43x-epos-evm.dts
++++ b/arch/arm/boot/dts/am43x-epos-evm.dts
+@@ -792,3 +792,8 @@
+ tx-num-evt = <32>;
+ rx-num-evt = <32>;
+ };
++
++&synctimer_32kclk {
++ assigned-clocks = <&mux_synctimer32k_ck>;
++ assigned-clock-parents = <&clkdiv32k_ick>;
++};
--- /dev/null
+From 199831c77c50e6913e893b6bc268ba9f4a9a2bf8 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Tue, 29 Mar 2016 16:57:40 +0000
+Subject: ARM: mvebu: Correct unit address for linksys
+
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+
+commit 199831c77c50e6913e893b6bc268ba9f4a9a2bf8 upstream.
+
+The USB2 port for Armada 38x is defined to be at 58000, not at
+50000.
+
+Fixes: 2d0a7addbd10 ("ARM: Kirkwood: Add support for many Synology NAS devices")
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+Acked-by: Imre Kaloz <kaloz@openwrt.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/armada-385-linksys.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/armada-385-linksys.dtsi
++++ b/arch/arm/boot/dts/armada-385-linksys.dtsi
+@@ -117,7 +117,7 @@
+ };
+
+ /* USB part of the eSATA/USB 2.0 port */
+- usb@50000 {
++ usb@58000 {
+ status = "okay";
+ };
+
--- /dev/null
+From 456e8d53482537616899a146b706eccd095404e6 Mon Sep 17 00:00:00 2001
+From: Nishanth Menon <nm@ti.com>
+Date: Fri, 11 Mar 2016 10:12:28 -0600
+Subject: ARM: OMAP2: Fix up interconnect barrier initialization for DRA7
+
+From: Nishanth Menon <nm@ti.com>
+
+commit 456e8d53482537616899a146b706eccd095404e6 upstream.
+
+The following commits:
+commit 3fa609755c11 ("ARM: omap2: restore OMAP4 barrier behaviour")
+commit f746929ffdc8 ("Revert "ARM: OMAP4: remove dead kconfig option OMAP4_ERRATA_I688"")
+and
+commit ea827ad5ffbb ("ARM: DRA7: Provide proper IO map table")
+came in around the same time, unfortunately this seem to have missed
+initializing the barrier for DRA7 platforms - omap5_map_io was reused
+for dra7 till it was split out by the last patch. barrier_init
+needs to be hence carried forward as it is valid for DRA7 family of
+processors as they are for OMAP5.
+
+Fixes: ea827ad5ffbb7 ("ARM: DRA7: Provide proper IO map table")
+Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reported-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-omap2/io.c
++++ b/arch/arm/mach-omap2/io.c
+@@ -368,6 +368,7 @@ void __init omap5_map_io(void)
+ void __init dra7xx_map_io(void)
+ {
+ iotable_init(dra7xx_io_desc, ARRAY_SIZE(dra7xx_io_desc));
++ omap_barriers_init();
+ }
+ #endif
+ /*
--- /dev/null
+From 3ca4a238106dedc285193ee47f494a6584b6fd2f Mon Sep 17 00:00:00 2001
+From: Lokesh Vutla <lokeshvutla@ti.com>
+Date: Sat, 26 Mar 2016 23:08:55 -0600
+Subject: ARM: OMAP2+: hwmod: Fix updating of sysconfig register
+
+From: Lokesh Vutla <lokeshvutla@ti.com>
+
+commit 3ca4a238106dedc285193ee47f494a6584b6fd2f upstream.
+
+Commit 127500ccb766f ("ARM: OMAP2+: Only write the sysconfig on idle
+when necessary") talks about verification of sysconfig cache value before
+updating it, only during idle path. But the patch is adding the
+verification in the enable path. So, adding the check in a proper place
+as per the commit description.
+
+Not keeping this check during enable path as there is a chance of losing
+context and it is safe to do on idle as the context of the register will
+never be lost while the device is active.
+
+Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
+Acked-by: Tero Kristo <t-kristo@ti.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Fixes: commit 127500ccb766 "ARM: OMAP2+: Only write the sysconfig on idle when necessary"
+[paul@pwsan.com: appears to have been caused by my own mismerge of the
+ originally posted patch]
+Signed-off-by: Paul Walmsley <paul@pwsan.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -1416,9 +1416,7 @@ static void _enable_sysc(struct omap_hwm
+ (sf & SYSC_HAS_CLOCKACTIVITY))
+ _set_clockactivity(oh, oh->class->sysc->clockact, &v);
+
+- /* If the cached value is the same as the new value, skip the write */
+- if (oh->_sysc_cache != v)
+- _write_sysconfig(v, oh);
++ _write_sysconfig(v, oh);
+
+ /*
+ * Set the autoidle bit only after setting the smartidle bit
+@@ -1481,7 +1479,9 @@ static void _idle_sysc(struct omap_hwmod
+ _set_master_standbymode(oh, idlemode, &v);
+ }
+
+- _write_sysconfig(v, oh);
++ /* If the cached value is the same as the new value, skip the write */
++ if (oh->_sysc_cache != v)
++ _write_sysconfig(v, oh);
+ }
+
+ /**
--- /dev/null
+From 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Wed, 6 Apr 2016 14:06:48 +0100
+Subject: assoc_array: don't call compare_object() on a node
+
+From: Jerome Marchand <jmarchan@redhat.com>
+
+commit 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 upstream.
+
+Changes since V1: fixed the description and added KASan warning.
+
+In assoc_array_insert_into_terminal_node(), we call the
+compare_object() method on all non-empty slots, even when they're
+not leaves, passing a pointer to an unexpected structure to
+compare_object(). Currently it causes an out-of-bound read access
+in keyring_compare_object detected by KASan (see below). The issue
+is easily reproduced with keyutils testsuite.
+Only call compare_object() when the slot is a leave.
+
+KASan warning:
+==================================================================
+BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
+Read of size 8 by task keyctl/1655
+=============================================================================
+BUG kmalloc-192 (Not tainted): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
+ ___slab_alloc+0x563/0x5c0
+ __slab_alloc+0x51/0x90
+ kmem_cache_alloc_trace+0x263/0x300
+ assoc_array_insert+0xfd0/0x3a60
+ __key_link_begin+0xfc/0x270
+ key_create_or_update+0x459/0xaf0
+ SyS_add_key+0x1ba/0x350
+ entry_SYSCALL_64_fastpath+0x12/0x76
+INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
+INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
+
+Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00 ...`............
+Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff ...`.......`....
+Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+CPU: 0 PID: 1655 Comm: keyctl Tainted: G B 4.5.0-rc4-kasan+ #291
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ 0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
+ ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
+ ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
+Call Trace:
+ [<ffffffff81b60491>] dump_stack+0x85/0xc4
+ [<ffffffff815e2969>] print_trailer+0xf9/0x150
+ [<ffffffff815e9454>] object_err+0x34/0x40
+ [<ffffffff815ebe50>] kasan_report_error+0x230/0x550
+ [<ffffffff819949be>] ? keyring_get_key_chunk+0x13e/0x210
+ [<ffffffff815ec62d>] __asan_report_load_n_noabort+0x5d/0x70
+ [<ffffffff81994cc3>] ? keyring_compare_object+0x213/0x240
+ [<ffffffff81994cc3>] keyring_compare_object+0x213/0x240
+ [<ffffffff81bc238c>] assoc_array_insert+0x86c/0x3a60
+ [<ffffffff81bc1b20>] ? assoc_array_cancel_edit+0x70/0x70
+ [<ffffffff8199797d>] ? __key_link_begin+0x20d/0x270
+ [<ffffffff8199786c>] __key_link_begin+0xfc/0x270
+ [<ffffffff81993389>] key_create_or_update+0x459/0xaf0
+ [<ffffffff8128ce0d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff81992f30>] ? key_type_lookup+0xc0/0xc0
+ [<ffffffff8199e19d>] ? lookup_user_key+0x13d/0xcd0
+ [<ffffffff81534763>] ? memdup_user+0x53/0x80
+ [<ffffffff819983ea>] SyS_add_key+0x1ba/0x350
+ [<ffffffff81998230>] ? key_get_type_from_user.constprop.6+0xa0/0xa0
+ [<ffffffff828bcf4e>] ? retint_user+0x18/0x23
+ [<ffffffff8128cc7e>] ? trace_hardirqs_on_caller+0x3fe/0x580
+ [<ffffffff81004017>] ? trace_hardirqs_on_thunk+0x17/0x19
+ [<ffffffff828bc432>] entry_SYSCALL_64_fastpath+0x12/0x76
+Memory state around the buggy address:
+ ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+ ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
+>ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/assoc_array.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -524,7 +524,9 @@ static bool assoc_array_insert_into_term
+ free_slot = i;
+ continue;
+ }
+- if (ops->compare_object(assoc_array_ptr_to_leaf(ptr), index_key)) {
++ if (assoc_array_ptr_is_leaf(ptr) &&
++ ops->compare_object(assoc_array_ptr_to_leaf(ptr),
++ index_key)) {
+ pr_devel("replace in slot %d\n", i);
+ edit->leaf_p = &node->slots[i];
+ edit->dead_leaf = node->slots[i];
--- /dev/null
+From a7297a6a3a3322b054592e8e988981d2f5f29cc4 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Fri, 15 Apr 2016 18:51:28 +0800
+Subject: block: loop: fix filesystem corruption in case of aio/dio
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit a7297a6a3a3322b054592e8e988981d2f5f29cc4 upstream.
+
+Starting from commit e36f620428(block: split bios to max possible length),
+block core starts to split bio in the middle of bvec.
+
+Unfortunately loop dio/aio doesn't consider this situation, and
+always treat 'iter.iov_offset' as zero. Then filesystem corruption
+is observed.
+
+This patch figures out the offset of the base bvevc via
+'bio->bi_iter.bi_bvec_done' and fixes the issue by passing the offset
+to iov iterator.
+
+Fixes: e36f6204288088f (block: split bios to max possible length)
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 423f4ca7d712..80cf8add46ff 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -488,6 +488,12 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
+ bvec = __bvec_iter_bvec(bio->bi_io_vec, bio->bi_iter);
+ iov_iter_bvec(&iter, ITER_BVEC | rw, bvec,
+ bio_segments(bio), blk_rq_bytes(cmd->rq));
++ /*
++ * This bio may be started from the middle of the 'bvec'
++ * because of bio splitting, so offset from the bvec must
++ * be passed to iov iterator
++ */
++ iter.iov_offset = bio->bi_iter.bi_bvec_done;
+
+ cmd->iocb.ki_pos = pos;
+ cmd->iocb.ki_filp = file;
--- /dev/null
+From b30a337ca27c4f40439e4bfb290cba5f88d73bb7 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Wed, 30 Mar 2016 08:46:31 +0800
+Subject: block: partition: initialize percpuref before sending out KOBJ_ADD
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit b30a337ca27c4f40439e4bfb290cba5f88d73bb7 upstream.
+
+The initialization of partition's percpu_ref should have been done before
+sending out KOBJ_ADD uevent, which may cause userspace to read partition
+table. So the uninitialized percpu_ref may be accessed in data path.
+
+This patch fixes this issue reported by Naveen.
+
+Reported-by: Naveen Kaje <nkaje@codeaurora.org>
+Tested-by: Naveen Kaje <nkaje@codeaurora.org>
+Fixes: 6c71013ecb7e2(block: partition: convert percpu ref)
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/partition-generic.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -349,15 +349,20 @@ struct hd_struct *add_partition(struct g
+ goto out_del;
+ }
+
++ err = hd_ref_init(p);
++ if (err) {
++ if (flags & ADDPART_FLAG_WHOLEDISK)
++ goto out_remove_file;
++ goto out_del;
++ }
++
+ /* everything is up and running, commence */
+ rcu_assign_pointer(ptbl->part[partno], p);
+
+ /* suppress uevent if the disk suppresses it */
+ if (!dev_get_uevent_suppress(ddev))
+ kobject_uevent(&pdev->kobj, KOBJ_ADD);
+-
+- if (!hd_ref_init(p))
+- return p;
++ return p;
+
+ out_free_info:
+ free_part_info(p);
+@@ -366,6 +371,8 @@ out_free_stats:
+ out_free:
+ kfree(p);
+ return ERR_PTR(err);
++out_remove_file:
++ device_remove_file(pdev, &dev_attr_whole_disk);
+ out_del:
+ kobject_put(p->holder_dir);
+ device_del(pdev);
--- /dev/null
+From 1c5631c73fc2261a5df64a72c155cb53dcdc0c45 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Wed, 6 Apr 2016 09:37:22 +0100
+Subject: KVM: arm/arm64: Handle forward time correction gracefully
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 1c5631c73fc2261a5df64a72c155cb53dcdc0c45 upstream.
+
+On a host that runs NTP, corrections can have a direct impact on
+the background timer that we program on the behalf of a vcpu.
+
+In particular, NTP performing a forward correction will result in
+a timer expiring sooner than expected from a guest point of view.
+Not a big deal, we kick the vcpu anyway.
+
+But on wake-up, the vcpu thread is going to perform a check to
+find out whether or not it should block. And at that point, the
+timer check is going to say "timer has not expired yet, go back
+to sleep". This results in the timer event being lost forever.
+
+There are multiple ways to handle this. One would be record that
+the timer has expired and let kvm_cpu_has_pending_timer return
+true in that case, but that would be fairly invasive. Another is
+to check for the "short sleep" condition in the hrtimer callback,
+and restart the timer for the remaining time when the condition
+is detected.
+
+This patch implements the latter, with a bit of refactoring in
+order to avoid too much code duplication.
+
+Reported-by: Alexander Graf <agraf@suse.de>
+Reviewed-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/arch_timer.c | 49 ++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 39 insertions(+), 10 deletions(-)
+
+--- a/virt/kvm/arm/arch_timer.c
++++ b/virt/kvm/arm/arch_timer.c
+@@ -86,6 +86,8 @@ static void kvm_timer_inject_irq_work(st
+ vcpu = container_of(work, struct kvm_vcpu, arch.timer_cpu.expired);
+ vcpu->arch.timer_cpu.armed = false;
+
++ WARN_ON(!kvm_timer_should_fire(vcpu));
++
+ /*
+ * If the vcpu is blocked we want to wake it up so that it will see
+ * the timer has expired when entering the guest.
+@@ -93,10 +95,46 @@ static void kvm_timer_inject_irq_work(st
+ kvm_vcpu_kick(vcpu);
+ }
+
++static u64 kvm_timer_compute_delta(struct kvm_vcpu *vcpu)
++{
++ cycle_t cval, now;
++
++ cval = vcpu->arch.timer_cpu.cntv_cval;
++ now = kvm_phys_timer_read() - vcpu->kvm->arch.timer.cntvoff;
++
++ if (now < cval) {
++ u64 ns;
++
++ ns = cyclecounter_cyc2ns(timecounter->cc,
++ cval - now,
++ timecounter->mask,
++ &timecounter->frac);
++ return ns;
++ }
++
++ return 0;
++}
++
+ static enum hrtimer_restart kvm_timer_expire(struct hrtimer *hrt)
+ {
+ struct arch_timer_cpu *timer;
++ struct kvm_vcpu *vcpu;
++ u64 ns;
++
+ timer = container_of(hrt, struct arch_timer_cpu, timer);
++ vcpu = container_of(timer, struct kvm_vcpu, arch.timer_cpu);
++
++ /*
++ * Check that the timer has really expired from the guest's
++ * PoV (NTP on the host may have forced it to expire
++ * early). If we should have slept longer, restart it.
++ */
++ ns = kvm_timer_compute_delta(vcpu);
++ if (unlikely(ns)) {
++ hrtimer_forward_now(hrt, ns_to_ktime(ns));
++ return HRTIMER_RESTART;
++ }
++
+ queue_work(wqueue, &timer->expired);
+ return HRTIMER_NORESTART;
+ }
+@@ -170,8 +208,6 @@ static int kvm_timer_update_state(struct
+ void kvm_timer_schedule(struct kvm_vcpu *vcpu)
+ {
+ struct arch_timer_cpu *timer = &vcpu->arch.timer_cpu;
+- u64 ns;
+- cycle_t cval, now;
+
+ BUG_ON(timer_is_armed(timer));
+
+@@ -191,14 +227,7 @@ void kvm_timer_schedule(struct kvm_vcpu
+ return;
+
+ /* The timer has not yet expired, schedule a background timer */
+- cval = timer->cntv_cval;
+- now = kvm_phys_timer_read() - vcpu->kvm->arch.timer.cntvoff;
+-
+- ns = cyclecounter_cyc2ns(timecounter->cc,
+- cval - now,
+- timecounter->mask,
+- &timecounter->frac);
+- timer_arm(timer, ns);
++ timer_arm(timer, kvm_timer_compute_delta(vcpu));
+ }
+
+ void kvm_timer_unschedule(struct kvm_vcpu *vcpu)
--- /dev/null
+From fc5b7f3bf1e1414bd4e91db6918c85ace0c873a5 Mon Sep 17 00:00:00 2001
+From: David Matlack <dmatlack@google.com>
+Date: Wed, 30 Mar 2016 12:24:47 -0700
+Subject: kvm: x86: do not leak guest xcr0 into host interrupt handlers
+
+From: David Matlack <dmatlack@google.com>
+
+commit fc5b7f3bf1e1414bd4e91db6918c85ace0c873a5 upstream.
+
+An interrupt handler that uses the fpu can kill a KVM VM, if it runs
+under the following conditions:
+ - the guest's xcr0 register is loaded on the cpu
+ - the guest's fpu context is not loaded
+ - the host is using eagerfpu
+
+Note that the guest's xcr0 register and fpu context are not loaded as
+part of the atomic world switch into "guest mode". They are loaded by
+KVM while the cpu is still in "host mode".
+
+Usage of the fpu in interrupt context is gated by irq_fpu_usable(). The
+interrupt handler will look something like this:
+
+if (irq_fpu_usable()) {
+ kernel_fpu_begin();
+
+ [... code that uses the fpu ...]
+
+ kernel_fpu_end();
+}
+
+As long as the guest's fpu is not loaded and the host is using eager
+fpu, irq_fpu_usable() returns true (interrupted_kernel_fpu_idle()
+returns true). The interrupt handler proceeds to use the fpu with
+the guest's xcr0 live.
+
+kernel_fpu_begin() saves the current fpu context. If this uses
+XSAVE[OPT], it may leave the xsave area in an undesirable state.
+According to the SDM, during XSAVE bit i of XSTATE_BV is not modified
+if bit i is 0 in xcr0. So it's possible that XSTATE_BV[i] == 1 and
+xcr0[i] == 0 following an XSAVE.
+
+kernel_fpu_end() restores the fpu context. Now if any bit i in
+XSTATE_BV == 1 while xcr0[i] == 0, XRSTOR generates a #GP. The
+fault is trapped and SIGSEGV is delivered to the current process.
+
+Only pre-4.2 kernels appear to be vulnerable to this sequence of
+events. Commit 653f52c ("kvm,x86: load guest FPU context more eagerly")
+from 4.2 forces the guest's fpu to always be loaded on eagerfpu hosts.
+
+This patch fixes the bug by keeping the host's xcr0 loaded outside
+of the interrupts-disabled region where KVM switches into guest mode.
+
+Suggested-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: David Matlack <dmatlack@google.com>
+[Move load after goto cancel_injection. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/x86.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -697,7 +697,6 @@ static int __kvm_set_xcr(struct kvm_vcpu
+ if ((xcr0 & XFEATURE_MASK_AVX512) != XFEATURE_MASK_AVX512)
+ return 1;
+ }
+- kvm_put_guest_xcr0(vcpu);
+ vcpu->arch.xcr0 = xcr0;
+
+ if ((xcr0 ^ old_xcr0) & XFEATURE_MASK_EXTEND)
+@@ -6495,8 +6494,6 @@ static int vcpu_enter_guest(struct kvm_v
+ kvm_x86_ops->prepare_guest_switch(vcpu);
+ if (vcpu->fpu_active)
+ kvm_load_guest_fpu(vcpu);
+- kvm_load_guest_xcr0(vcpu);
+-
+ vcpu->mode = IN_GUEST_MODE;
+
+ srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
+@@ -6519,6 +6516,8 @@ static int vcpu_enter_guest(struct kvm_v
+ goto cancel_injection;
+ }
+
++ kvm_load_guest_xcr0(vcpu);
++
+ if (req_immediate_exit)
+ smp_send_reschedule(vcpu->cpu);
+
+@@ -6568,6 +6567,8 @@ static int vcpu_enter_guest(struct kvm_v
+ vcpu->mode = OUTSIDE_GUEST_MODE;
+ smp_wmb();
+
++ kvm_put_guest_xcr0(vcpu);
++
+ /* Interrupt is enabled by handle_external_intr() */
+ kvm_x86_ops->handle_external_intr(vcpu);
+
+@@ -7215,7 +7216,6 @@ void kvm_load_guest_fpu(struct kvm_vcpu
+ * and assume host would use all available bits.
+ * Guest xcr0 would be loaded later.
+ */
+- kvm_put_guest_xcr0(vcpu);
+ vcpu->guest_fpu_loaded = 1;
+ __kernel_fpu_begin();
+ __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu.state);
+@@ -7224,8 +7224,6 @@ void kvm_load_guest_fpu(struct kvm_vcpu
+
+ void kvm_put_guest_fpu(struct kvm_vcpu *vcpu)
+ {
+- kvm_put_guest_xcr0(vcpu);
+-
+ if (!vcpu->guest_fpu_loaded) {
+ vcpu->fpu_counter = 0;
+ return;
assoc_array-don-t-call-compare_object-on-a-node.patch
usb-xhci-applying-xhci_pme_stuck_quirk-to-intel-bxt-b0-host.patch
xhci-resume-usb-3-roothub-first.patch
-usb-host-xhci-plat-fix-cannot-work-if-r-car-gen2-3-run-on-above-4gb-phys.patch
usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
xhci-fix-10-second-timeout-on-removal-of-pci-hotpluggable-xhci-controllers.patch
usb-hcd-out-of-bounds-access-in-for_each_companion.patch
--- /dev/null
+From 38740a5b87d53ceb89eb2c970150f6e94e00373a Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Thu, 14 Apr 2016 17:01:17 +0200
+Subject: usb: gadget: f_fs: Fix use-after-free
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 38740a5b87d53ceb89eb2c970150f6e94e00373a upstream.
+
+When using asynchronous read or write operations on the USB endpoints the
+issuer of the IO request is notified by calling the ki_complete() callback
+of the submitted kiocb when the URB has been completed.
+
+Calling this ki_complete() callback will free kiocb. Make sure that the
+structure is no longer accessed beyond that point, otherwise undefined
+behaviour might occur.
+
+Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -646,6 +646,7 @@ static void ffs_user_copy_worker(struct
+ work);
+ int ret = io_data->req->status ? io_data->req->status :
+ io_data->req->actual;
++ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
+
+ if (io_data->read && ret > 0) {
+ use_mm(io_data->mm);
+@@ -657,13 +658,11 @@ static void ffs_user_copy_worker(struct
+
+ io_data->kiocb->ki_complete(io_data->kiocb, ret, ret);
+
+- if (io_data->ffs->ffs_eventfd &&
+- !(io_data->kiocb->ki_flags & IOCB_EVENTFD))
++ if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
+ eventfd_signal(io_data->ffs->ffs_eventfd, 1);
+
+ usb_ep_free_request(io_data->ep, io_data->req);
+
+- io_data->kiocb->private = NULL;
+ if (io_data->read)
+ kfree(io_data->to_free);
+ kfree(io_data->buf);
--- /dev/null
+From e86103a75705c7c530768f4ffaba74cf382910f2 Mon Sep 17 00:00:00 2001
+From: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+Date: Thu, 24 Mar 2016 03:30:07 -0700
+Subject: usb: hcd: out of bounds access in for_each_companion
+
+From: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+
+commit e86103a75705c7c530768f4ffaba74cf382910f2 upstream.
+
+On BXT platform Host Controller and Device Controller figure as
+same PCI device but with different device function. HCD should
+not pass data to Device Controller but only to Host Controllers.
+Checking if companion device is Host Controller, otherwise skip.
+
+Signed-off-by: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd-pci.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -74,6 +74,15 @@ static void for_each_companion(struct pc
+ if (companion->bus != pdev->bus ||
+ PCI_SLOT(companion->devfn) != slot)
+ continue;
++
++ /*
++ * Companion device should be either UHCI,OHCI or EHCI host
++ * controller, otherwise skip.
++ */
++ if (companion->class != CL_UHCI && companion->class != CL_OHCI &&
++ companion->class != CL_EHCI)
++ continue;
++
+ companion_hcd = pci_get_drvdata(companion);
+ if (!companion_hcd || !companion_hcd->self.root_hub)
+ continue;
--- /dev/null
+From 0d46faca6f887a849efb07c1655b5a9f7c288b45 Mon Sep 17 00:00:00 2001
+From: Rafal Redzimski <rafal.f.redzimski@intel.com>
+Date: Fri, 8 Apr 2016 16:25:05 +0300
+Subject: usb: xhci: applying XHCI_PME_STUCK_QUIRK to Intel BXT B0 host
+
+From: Rafal Redzimski <rafal.f.redzimski@intel.com>
+
+commit 0d46faca6f887a849efb07c1655b5a9f7c288b45 upstream.
+
+Broxton B0 also requires XHCI_PME_STUCK_QUIRK.
+Adding PCI device ID for Broxton B and adding to quirk.
+
+Signed-off-by: Rafal Redzimski <rafal.f.redzimski@intel.com>
+Signed-off-by: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -48,6 +48,7 @@
+ #define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI 0xa12f
+ #define PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI 0x9d2f
+ #define PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI 0x0aa8
++#define PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI 0x1aa8
+
+ static const char hcd_name[] = "xhci_hcd";
+
+@@ -156,7 +157,8 @@ static void xhci_pci_quirks(struct devic
+ (pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_H_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
+- pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI)) {
++ pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_M_XHCI ||
++ pdev->device == PCI_DEVICE_ID_INTEL_BROXTON_B_XHCI)) {
+ xhci->quirks |= XHCI_PME_STUCK_QUIRK;
+ }
+ if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
--- /dev/null
+From 71504062a7c34838c3fccd92c447f399d3cb5797 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Fri, 8 Apr 2016 16:25:09 +0300
+Subject: usb: xhci: fix wild pointers in xhci_mem_cleanup
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 71504062a7c34838c3fccd92c447f399d3cb5797 upstream.
+
+This patch fixes some wild pointers produced by xhci_mem_cleanup.
+These wild pointers will cause system crash if xhci_mem_cleanup()
+is called twice.
+
+Reported-and-tested-by: Pengcheng Li <lpc.li@hisilicon.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1875,6 +1875,12 @@ no_bw:
+ kfree(xhci->rh_bw);
+ kfree(xhci->ext_caps);
+
++ xhci->usb2_ports = NULL;
++ xhci->usb3_ports = NULL;
++ xhci->port_array = NULL;
++ xhci->rh_bw = NULL;
++ xhci->ext_caps = NULL;
++
+ xhci->page_size = 0;
+ xhci->page_shift = 0;
+ xhci->bus_state[0].bus_suspended = 0;
--- /dev/null
+From a3125494cff084b098c80bb36fbe2061ffed9d52 Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Wed, 6 Apr 2016 10:05:16 +0200
+Subject: x86/mce: Avoid using object after free in genpool
+
+From: Tony Luck <tony.luck@intel.com>
+
+commit a3125494cff084b098c80bb36fbe2061ffed9d52 upstream.
+
+When we loop over all queued machine check error records to pass them
+to the registered notifiers we use llist_for_each_entry(). But the loop
+calls gen_pool_free() for the entry in the body of the loop - and then
+the iterator looks at node->next after the free.
+
+Use llist_for_each_entry_safe() instead.
+
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: Gong Chen <gong.chen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-edac <linux-edac@vger.kernel.org>
+Link: http://lkml.kernel.org/r/0205920@agluck-desk.sc.intel.com
+Link: http://lkml.kernel.org/r/1459929916-12852-4-git-send-email-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/mcheck/mce-genpool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce-genpool.c
++++ b/arch/x86/kernel/cpu/mcheck/mce-genpool.c
+@@ -29,7 +29,7 @@ static char gen_pool_buf[MCE_POOLSZ];
+ void mce_gen_pool_process(void)
+ {
+ struct llist_node *head;
+- struct mce_evt_llist *node;
++ struct mce_evt_llist *node, *tmp;
+ struct mce *mce;
+
+ head = llist_del_all(&mce_event_llist);
+@@ -37,7 +37,7 @@ void mce_gen_pool_process(void)
+ return;
+
+ head = llist_reverse_order(head);
+- llist_for_each_entry(node, head, llnode) {
++ llist_for_each_entry_safe(node, tmp, head, llnode) {
+ mce = &node->mce;
+ atomic_notifier_call_chain(&x86_mce_decoder_chain, 0, mce);
+ gen_pool_free(mce_evt_pool, (unsigned long)node, sizeof(*node));
--- /dev/null
+From 98d74f9ceaefc2b6c4a6440050163a83be0abede Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 8 Apr 2016 16:25:10 +0300
+Subject: xhci: fix 10 second timeout on removal of PCI hotpluggable xhci controllers
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 98d74f9ceaefc2b6c4a6440050163a83be0abede upstream.
+
+PCI hotpluggable xhci controllers such as some Alpine Ridge solutions will
+remove the xhci controller from the PCI bus when the last USB device is
+disconnected.
+
+Add a flag to indicate that the host is being removed to avoid queueing
+configure_endpoint commands for the dropped endpoints.
+For PCI hotplugged controllers this will prevent 5 second command timeouts
+For static xhci controllers the configure_endpoint command is not needed
+in the removal case as everything will be returned, freed, and the
+controller is reset.
+
+For now the flag is only set for PCI connected host controllers.
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 1 +
+ drivers/usb/host/xhci-ring.c | 3 ++-
+ drivers/usb/host/xhci.c | 8 +++++---
+ drivers/usb/host/xhci.h | 1 +
+ 4 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -301,6 +301,7 @@ static void xhci_pci_remove(struct pci_d
+ struct xhci_hcd *xhci;
+
+ xhci = hcd_to_xhci(pci_get_drvdata(dev));
++ xhci->xhc_state |= XHCI_STATE_REMOVING;
+ if (xhci->shared_hcd) {
+ usb_remove_hcd(xhci->shared_hcd);
+ usb_put_hcd(xhci->shared_hcd);
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -4008,7 +4008,8 @@ static int queue_command(struct xhci_hcd
+ int reserved_trbs = xhci->cmd_ring_reserved_trbs;
+ int ret;
+
+- if (xhci->xhc_state) {
++ if ((xhci->xhc_state & XHCI_STATE_DYING) ||
++ (xhci->xhc_state & XHCI_STATE_HALTED)) {
+ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n");
+ return -ESHUTDOWN;
+ }
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -146,7 +146,8 @@ static int xhci_start(struct xhci_hcd *x
+ "waited %u microseconds.\n",
+ XHCI_MAX_HALT_USEC);
+ if (!ret)
+- xhci->xhc_state &= ~(XHCI_STATE_HALTED | XHCI_STATE_DYING);
++ /* clear state flags. Including dying, halted or removing */
++ xhci->xhc_state = 0;
+
+ return ret;
+ }
+@@ -2753,7 +2754,8 @@ int xhci_check_bandwidth(struct usb_hcd
+ if (ret <= 0)
+ return ret;
+ xhci = hcd_to_xhci(hcd);
+- if (xhci->xhc_state & XHCI_STATE_DYING)
++ if ((xhci->xhc_state & XHCI_STATE_DYING) ||
++ (xhci->xhc_state & XHCI_STATE_REMOVING))
+ return -ENODEV;
+
+ xhci_dbg(xhci, "%s called for udev %p\n", __func__, udev);
+@@ -3800,7 +3802,7 @@ static int xhci_setup_device(struct usb_
+
+ mutex_lock(&xhci->mutex);
+
+- if (xhci->xhc_state) /* dying or halted */
++ if (xhci->xhc_state) /* dying, removing or halted */
+ goto out;
+
+ if (!udev->slot_id) {
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1596,6 +1596,7 @@ struct xhci_hcd {
+ */
+ #define XHCI_STATE_DYING (1 << 0)
+ #define XHCI_STATE_HALTED (1 << 1)
++#define XHCI_STATE_REMOVING (1 << 2)
+ /* Statistics */
+ int error_bitmask;
+ unsigned int quirks;
--- /dev/null
+From 671ffdff5b13314b1fc65d62cf7604b873fb5dc4 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Fri, 8 Apr 2016 16:25:06 +0300
+Subject: xhci: resume USB 3 roothub first
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 671ffdff5b13314b1fc65d62cf7604b873fb5dc4 upstream.
+
+Give USB3 devices a better chance to enumerate at USB 3 speeds if
+they are connected to a suspended host.
+Solves an issue with NEC uPD720200 host hanging when partially
+enumerating a USB3 device as USB2 after host controller runtime resume.
+
+Tested-by: Mike Murdoch <main.haarp@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1103,8 +1103,8 @@ int xhci_resume(struct xhci_hcd *xhci, b
+ /* Resume root hubs only when have pending events. */
+ status = readl(&xhci->op_regs->status);
+ if (status & STS_EINT) {
+- usb_hcd_resume_root_hub(hcd);
+ usb_hcd_resume_root_hub(xhci->shared_hcd);
++ usb_hcd_resume_root_hub(hcd);
+ }
+ }
+
+@@ -1119,10 +1119,10 @@ int xhci_resume(struct xhci_hcd *xhci, b
+
+ /* Re-enable port polling. */
+ xhci_dbg(xhci, "%s: starting port polling.\n", __func__);
+- set_bit(HCD_FLAG_POLL_RH, &hcd->flags);
+- usb_hcd_poll_rh_status(hcd);
+ set_bit(HCD_FLAG_POLL_RH, &xhci->shared_hcd->flags);
+ usb_hcd_poll_rh_status(xhci->shared_hcd);
++ set_bit(HCD_FLAG_POLL_RH, &hcd->flags);
++ usb_hcd_poll_rh_status(hcd);
+
+ return retval;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
