--- /dev/null
+From 3ca4a238106dedc285193ee47f494a6584b6fd2f Mon Sep 17 00:00:00 2001
+From: Lokesh Vutla <lokeshvutla@ti.com>
+Date: Sat, 26 Mar 2016 23:08:55 -0600
+Subject: ARM: OMAP2+: hwmod: Fix updating of sysconfig register
+
+From: Lokesh Vutla <lokeshvutla@ti.com>
+
+commit 3ca4a238106dedc285193ee47f494a6584b6fd2f upstream.
+
+Commit 127500ccb766f ("ARM: OMAP2+: Only write the sysconfig on idle
+when necessary") talks about verification of sysconfig cache value before
+updating it, only during idle path. But the patch is adding the
+verification in the enable path. So, adding the check in a proper place
+as per the commit description.
+
+Not keeping this check during enable path as there is a chance of losing
+context and it is safe to do on idle as the context of the register will
+never be lost while the device is active.
+
+Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
+Acked-by: Tero Kristo <t-kristo@ti.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Fixes: commit 127500ccb766 "ARM: OMAP2+: Only write the sysconfig on idle when necessary"
+[paul@pwsan.com: appears to have been caused by my own mismerge of the
+ originally posted patch]
+Signed-off-by: Paul Walmsley <paul@pwsan.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -1439,9 +1439,7 @@ static void _enable_sysc(struct omap_hwm
+ (sf & SYSC_HAS_CLOCKACTIVITY))
+ _set_clockactivity(oh, oh->class->sysc->clockact, &v);
+
+- /* If the cached value is the same as the new value, skip the write */
+- if (oh->_sysc_cache != v)
+- _write_sysconfig(v, oh);
++ _write_sysconfig(v, oh);
+
+ /*
+ * Set the autoidle bit only after setting the smartidle bit
+@@ -1504,7 +1502,9 @@ static void _idle_sysc(struct omap_hwmod
+ _set_master_standbymode(oh, idlemode, &v);
+ }
+
+- _write_sysconfig(v, oh);
++ /* If the cached value is the same as the new value, skip the write */
++ if (oh->_sysc_cache != v)
++ _write_sysconfig(v, oh);
+ }
+
+ /**
--- /dev/null
+From 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Wed, 6 Apr 2016 14:06:48 +0100
+Subject: assoc_array: don't call compare_object() on a node
+
+From: Jerome Marchand <jmarchan@redhat.com>
+
+commit 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 upstream.
+
+Changes since V1: fixed the description and added KASan warning.
+
+In assoc_array_insert_into_terminal_node(), we call the
+compare_object() method on all non-empty slots, even when they're
+not leaves, passing a pointer to an unexpected structure to
+compare_object(). Currently it causes an out-of-bound read access
+in keyring_compare_object detected by KASan (see below). The issue
+is easily reproduced with keyutils testsuite.
+Only call compare_object() when the slot is a leave.
+
+KASan warning:
+==================================================================
+BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
+Read of size 8 by task keyctl/1655
+=============================================================================
+BUG kmalloc-192 (Not tainted): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
+ ___slab_alloc+0x563/0x5c0
+ __slab_alloc+0x51/0x90
+ kmem_cache_alloc_trace+0x263/0x300
+ assoc_array_insert+0xfd0/0x3a60
+ __key_link_begin+0xfc/0x270
+ key_create_or_update+0x459/0xaf0
+ SyS_add_key+0x1ba/0x350
+ entry_SYSCALL_64_fastpath+0x12/0x76
+INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
+INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
+
+Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00 ...`............
+Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff ...`.......`....
+Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+CPU: 0 PID: 1655 Comm: keyctl Tainted: G B 4.5.0-rc4-kasan+ #291
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ 0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
+ ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
+ ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
+Call Trace:
+ [<ffffffff81b60491>] dump_stack+0x85/0xc4
+ [<ffffffff815e2969>] print_trailer+0xf9/0x150
+ [<ffffffff815e9454>] object_err+0x34/0x40
+ [<ffffffff815ebe50>] kasan_report_error+0x230/0x550
+ [<ffffffff819949be>] ? keyring_get_key_chunk+0x13e/0x210
+ [<ffffffff815ec62d>] __asan_report_load_n_noabort+0x5d/0x70
+ [<ffffffff81994cc3>] ? keyring_compare_object+0x213/0x240
+ [<ffffffff81994cc3>] keyring_compare_object+0x213/0x240
+ [<ffffffff81bc238c>] assoc_array_insert+0x86c/0x3a60
+ [<ffffffff81bc1b20>] ? assoc_array_cancel_edit+0x70/0x70
+ [<ffffffff8199797d>] ? __key_link_begin+0x20d/0x270
+ [<ffffffff8199786c>] __key_link_begin+0xfc/0x270
+ [<ffffffff81993389>] key_create_or_update+0x459/0xaf0
+ [<ffffffff8128ce0d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff81992f30>] ? key_type_lookup+0xc0/0xc0
+ [<ffffffff8199e19d>] ? lookup_user_key+0x13d/0xcd0
+ [<ffffffff81534763>] ? memdup_user+0x53/0x80
+ [<ffffffff819983ea>] SyS_add_key+0x1ba/0x350
+ [<ffffffff81998230>] ? key_get_type_from_user.constprop.6+0xa0/0xa0
+ [<ffffffff828bcf4e>] ? retint_user+0x18/0x23
+ [<ffffffff8128cc7e>] ? trace_hardirqs_on_caller+0x3fe/0x580
+ [<ffffffff81004017>] ? trace_hardirqs_on_thunk+0x17/0x19
+ [<ffffffff828bc432>] entry_SYSCALL_64_fastpath+0x12/0x76
+Memory state around the buggy address:
+ ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+ ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
+>ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/assoc_array.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -523,7 +523,9 @@ static bool assoc_array_insert_into_term
+ free_slot = i;
+ continue;
+ }
+- if (ops->compare_object(assoc_array_ptr_to_leaf(ptr), index_key)) {
++ if (assoc_array_ptr_is_leaf(ptr) &&
++ ops->compare_object(assoc_array_ptr_to_leaf(ptr),
++ index_key)) {
+ pr_devel("replace in slot %d\n", i);
+ edit->leaf_p = &node->slots[i];
+ edit->dead_leaf = node->slots[i];
arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch
assoc_array-don-t-call-compare_object-on-a-node.patch
-usb-host-xhci-plat-fix-cannot-work-if-r-car-gen2-3-run-on-above-4gb-phys.patch
usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
usb-hcd-out-of-bounds-access-in-for_each_companion.patch
--- /dev/null
+From e86103a75705c7c530768f4ffaba74cf382910f2 Mon Sep 17 00:00:00 2001
+From: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+Date: Thu, 24 Mar 2016 03:30:07 -0700
+Subject: usb: hcd: out of bounds access in for_each_companion
+
+From: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+
+commit e86103a75705c7c530768f4ffaba74cf382910f2 upstream.
+
+On BXT platform Host Controller and Device Controller figure as
+same PCI device but with different device function. HCD should
+not pass data to Device Controller but only to Host Controllers.
+Checking if companion device is Host Controller, otherwise skip.
+
+Signed-off-by: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd-pci.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -74,6 +74,15 @@ static void for_each_companion(struct pc
+ if (companion->bus != pdev->bus ||
+ PCI_SLOT(companion->devfn) != slot)
+ continue;
++
++ /*
++ * Companion device should be either UHCI,OHCI or EHCI host
++ * controller, otherwise skip.
++ */
++ if (companion->class != CL_UHCI && companion->class != CL_OHCI &&
++ companion->class != CL_EHCI)
++ continue;
++
+ companion_hcd = pci_get_drvdata(companion);
+ if (!companion_hcd || !companion_hcd->self.root_hub)
+ continue;
--- /dev/null
+From 71504062a7c34838c3fccd92c447f399d3cb5797 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Fri, 8 Apr 2016 16:25:09 +0300
+Subject: usb: xhci: fix wild pointers in xhci_mem_cleanup
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 71504062a7c34838c3fccd92c447f399d3cb5797 upstream.
+
+This patch fixes some wild pointers produced by xhci_mem_cleanup.
+These wild pointers will cause system crash if xhci_mem_cleanup()
+is called twice.
+
+Reported-and-tested-by: Pengcheng Li <lpc.li@hisilicon.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1785,6 +1785,12 @@ no_bw:
+ kfree(xhci->rh_bw);
+ kfree(xhci->ext_caps);
+
++ xhci->usb2_ports = NULL;
++ xhci->usb3_ports = NULL;
++ xhci->port_array = NULL;
++ xhci->rh_bw = NULL;
++ xhci->ext_caps = NULL;
++
+ xhci->page_size = 0;
+ xhci->page_shift = 0;
+ xhci->bus_state[0].bus_suspended = 0;