From: Greg Kroah-Hartman Date: Mon, 9 Oct 2017 12:36:48 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.75~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=890d18c7bf135681bce7e9b11d2cf9509cb95d3d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: iio-ad7793-fix-the-serial-interface-reset.patch iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch iio-adc-mcp320x-fix-oops-on-module-unload.patch iio-adc-mcp320x-fix-readout-of-negative-voltages.patch iio-core-return-error-for-failed-read_reg.patch staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch usb-gadget-mass_storage-set-msg_registered-after-msg-registered.patch uwb-ensure-that-endpoint-is-interrupt.patch uwb-properly-check-kthread_run-return-value.patch
---
diff --git a/queue-4.4/iio-ad7793-fix-the-serial-interface-reset.patch b/queue-4.4/iio-ad7793-fix-the-serial-interface-reset.patch
new file mode 100644
index 00000000000..1a4fcdd9c70
--- /dev/null
+++ b/queue-4.4/iio-ad7793-fix-the-serial-interface-reset.patch
@@ -0,0 +1,44 @@
+From 7ee3b7ebcb74714df6d94c8f500f307e1ee5dda5 Mon Sep 17 00:00:00 2001
+From: Dragos Bogdan
+Date: Tue, 5 Sep 2017 15:16:13 +0300
+Subject: iio: ad7793: Fix the serial interface reset
+
+From: Dragos Bogdan
+
+commit 7ee3b7ebcb74714df6d94c8f500f307e1ee5dda5 upstream.
+
+The serial interface can be reset by writing 32 consecutive 1s to the device.
+'ret' was initialized correctly but its value was overwritten when
+ad7793_check_platform_data() was called. Since a dedicated reset function
+is present now, it should be used instead.
+
+Fixes: 2edb769d246e ("iio:ad7793: Add support for the ad7798 and ad7799")
+Signed-off-by: Dragos Bogdan
+Acked-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ad7793.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ad7793.c
++++ b/drivers/iio/adc/ad7793.c
+@@ -257,7 +257,7 @@ static int ad7793_setup(struct iio_dev *
+ unsigned int vref_mv)
+ {
+ struct ad7793_state *st = iio_priv(indio_dev);
+- int i, ret = -1;
++ int i, ret;
+ unsigned long long scale_uv;
+ u32 id;
+
+@@ -266,7 +266,7 @@ static int ad7793_setup(struct iio_dev *
+ return ret;
+
+ /* reset the serial interface */
+- ret = spi_write(st->sd.spi, (u8 *)&ret, sizeof(ret));
++ ret = ad_sd_reset(&st->sd, 32);
+ if (ret < 0)
+ goto out;
+ usleep_range(500, 2000); /* Wait for at least 500us */
diff --git a/queue-4.4/iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch b/queue-4.4/iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch
new file mode 100644
index 00000000000..f6edcdcb43e
--- /dev/null
+++ b/queue-4.4/iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch
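Review bot: The `32` passed to `ad_sd_reset()` in ad7793_setup() is an unexplained literal, and the existing `/* reset the serial interface */` comment does not say where the number comes from; the ad7192 patch later in this queue has the same shape with `48`. The commit message states that the part resets on 32 consecutive 1s, so that fact belongs next to the call, for example `/* reset the serial interface: 32 SCLKs with DIN high */`. A per-driver named constant would also make it harder for the length to drift from the datasheet value during a later edit. ad7793_setup() starts and ends outside the hunk.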
@@ -0,0 +1,73 @@
+From 7fc10de8d49a748c476532c9d8e8fe19e548dd67 Mon Sep 17 00:00:00 2001
+From: Dragos Bogdan
+Date: Tue, 5 Sep 2017 15:14:45 +0300
+Subject: iio: ad_sigma_delta: Implement a dedicated reset function
+
+From: Dragos Bogdan
+
+commit 7fc10de8d49a748c476532c9d8e8fe19e548dd67 upstream.
+
+Since most of the SD ADCs have the option of reseting the serial
+interface by sending a number of SCLKs with CS = 0 and DIN = 1,
+a dedicated function that can do this is usefull.
+
+Needed for the patch: iio: ad7793: Fix the serial interface reset
+Signed-off-by: Dragos Bogdan
+Acked-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ad_sigma_delta.c | 28 ++++++++++++++++++++++++++++
+ include/linux/iio/adc/ad_sigma_delta.h | 3 +++
+ 2 files changed, 31 insertions(+)
+
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -177,6 +177,34 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(ad_sd_read_reg);
+
++/**
++ * ad_sd_reset() - Reset the serial interface
++ *
++ * @sigma_delta: The sigma delta device
++ * @reset_length: Number of SCLKs with DIN = 1
++ *
++ * Returns 0 on success, an error code otherwise.
++ **/
++int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
++ unsigned int reset_length)
++{
++ uint8_t *buf;
++ unsigned int size;
++ int ret;
++
++ size = DIV_ROUND_UP(reset_length, 8);
++ buf = kcalloc(size, sizeof(*buf), GFP_KERNEL);
++ if (!buf)
++ return -ENOMEM;
++
++ memset(buf, 0xff, size);
++ ret = spi_write(sigma_delta->spi, buf, size);
++ kfree(buf);
++
++ return ret;
++}
++EXPORT_SYMBOL_GPL(ad_sd_reset);
++
+ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
+ unsigned int mode, unsigned int channel)
+ {
+--- a/include/linux/iio/adc/ad_sigma_delta.h
++++ b/include/linux/iio/adc/ad_sigma_delta.h
+@@ -111,6 +111,9 @@ int ad_sd_write_reg(struct ad_sigma_delt
+ int ad_sd_read_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
+ unsigned int size, unsigned int *val);
+
++int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
++ unsigned int reset_length);
++
+ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *chan, int *val);
+ int ad_sd_calibrate_all(struct ad_sigma_delta *sigma_delta,
diff --git a/queue-4.4/iio-adc-mcp320x-fix-oops-on-module-unload.patch b/queue-4.4/iio-adc-mcp320x-fix-oops-on-module-unload.patch
new file mode 100644
index 00000000000..18892f050c4
--- /dev/null
+++ b/queue-4.4/iio-adc-mcp320x-fix-oops-on-module-unload.patch
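Review bot: `ad_sd_reset()` is exported but never validates `reset_length`: with 0 the computed `size` is 0, and with a value within 7 of UINT_MAX the addition inside `DIV_ROUND_UP(reset_length, 8)` wraps, so in both cases fewer clocks than requested go out while the function can still return success (what `spi_write()` does with a zero-length buffer depends on the SPI core and controller). The callers in this queue pass 32 and 48, so this is hardening rather than a live bug; an upper bound would need a value from the datasheets, but `if (!reset_length) return -EINVAL;` at the top covers the zero case. The buffer is also initialised twice, zeroed by `kcalloc()` and then filled by `memset(buf, 0xff, size)`, so `buf = kmalloc(size, GFP_KERNEL);` is enough. The kernel-doc should say that the length is rounded up to a whole number of bytes.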
@@ -0,0 +1,45 @@
+From 0964e40947a630a2a6f724e968246992f97bcf1c Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Tue, 22 Aug 2017 15:33:00 +0200
+Subject: iio: adc: mcp320x: Fix oops on module unload
+
+From: Lukas Wunner
+
+commit 0964e40947a630a2a6f724e968246992f97bcf1c upstream.
+
+The driver calls spi_get_drvdata() in its ->remove hook even though it
+has never called spi_set_drvdata(). Stack trace for posterity:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000220
+Internal error: Oops: 5 [#1] SMP ARM
+[<8072f564>] (mutex_lock) from [<7f1400d0>] (iio_device_unregister+0x24/0x7c [industrialio])
+[<7f1400d0>] (iio_device_unregister [industrialio]) from [<7f15e020>] (mcp320x_remove+0x20/0x30 [mcp320x])
+[<7f15e020>] (mcp320x_remove [mcp320x]) from [<8055a8cc>] (spi_drv_remove+0x2c/0x44)
+[<8055a8cc>] (spi_drv_remove) from [<805087bc>] (__device_release_driver+0x98/0x134)
+[<805087bc>] (__device_release_driver) from [<80509180>] (driver_detach+0xdc/0xe0)
+[<80509180>] (driver_detach) from [<8050823c>] (bus_remove_driver+0x5c/0xb0)
+[<8050823c>] (bus_remove_driver) from [<80509ab0>] (driver_unregister+0x38/0x58)
+[<80509ab0>] (driver_unregister) from [<7f15e69c>] (mcp320x_driver_exit+0x14/0x1c [mcp320x])
+[<7f15e69c>] (mcp320x_driver_exit [mcp320x]) from [<801a78d0>] (SyS_delete_module+0x184/0x1d0)
+[<801a78d0>] (SyS_delete_module) from [<80108100>] (ret_fast_syscall+0x0/0x1c)
+
+Fixes: f5ce4a7a9291 ("iio: adc: add driver for MCP3204/08 12-bit ADC")
+Cc: Oskar Andero
+Signed-off-by: Lukas Wunner
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/mcp320x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/mcp320x.c
++++ b/drivers/iio/adc/mcp320x.c
+@@ -310,6 +310,7 @@ static int mcp320x_probe(struct spi_devi
+ indio_dev->name = spi_get_device_id(spi)->name;
+ indio_dev->modes = INDIO_DIRECT_MODE;
+ indio_dev->info = &mcp320x_info;
++ spi_set_drvdata(spi, indio_dev);
+
+ chip_info =
&mcp320x_chip_infos[spi_get_device_id(spi)->driver_data];
+ indio_dev->channels = chip_info->channels;
diff --git a/queue-4.4/iio-adc-mcp320x-fix-readout-of-negative-voltages.patch b/queue-4.4/iio-adc-mcp320x-fix-readout-of-negative-voltages.patch
new file mode 100644
index 00000000000..2499b42fb27
--- /dev/null
+++ b/queue-4.4/iio-adc-mcp320x-fix-readout-of-negative-voltages.patch
@@ -0,0 +1,93 @@
+From e6f4794371ee7cce1339e7ca9542f1e703c5f84a Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Tue, 22 Aug 2017 15:33:00 +0200
+Subject: iio: adc: mcp320x: Fix readout of negative voltages
+
+From: Lukas Wunner
+
+commit e6f4794371ee7cce1339e7ca9542f1e703c5f84a upstream.
+
+Commit f686a36b4b79 ("iio: adc: mcp320x: Add support for mcp3301")
+returns a signed voltage from mcp320x_adc_conversion() but neglects that
+the caller interprets a negative return value as failure. Only mcp3301
+(and the upcoming mcp3550/1/3) is affected as the other chips are
+incapable of measuring negative voltages.
+
+Fix and while at it, add mcp3301 to the list of supported chips at the
+top of the file.
+
+Fixes: f686a36b4b79 ("iio: adc: mcp320x: Add support for mcp3301")
+Cc: Andrea Galbusera
+Signed-off-by: Lukas Wunner
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/mcp320x.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/iio/adc/mcp320x.c
++++ b/drivers/iio/adc/mcp320x.c
+@@ -17,6 +17,8 @@
+ * MCP3204
+ * MCP3208
+ * ------------
++ * 13 bit converter
++ * MCP3301
+ *
+ * Datasheet can be found here:
+ * http://ww1.microchip.com/downloads/en/DeviceDoc/21293C.pdf mcp3001
+@@ -96,7 +98,7 @@ static int mcp320x_channel_to_tx_data(in
+ }
+
+ static int mcp320x_adc_conversion(struct mcp320x *adc, u8 channel,
+- bool differential, int device_index)
++ bool differential, int device_index, int *val)
+ {
+ int ret;
+
+@@ -117,19 +119,25 @@ static int mcp320x_adc_conversion(struct
+
+ switch (device_index) {
+ case mcp3001:
+- return (adc->rx_buf[0] << 5 | adc->rx_buf[1] >> 3);
++ *val = (adc->rx_buf[0] << 5 | adc->rx_buf[1] >> 3);
++ return 0;
+ case mcp3002:
+ case mcp3004:
+ case mcp3008:
+- return (adc->rx_buf[0] << 2 | adc->rx_buf[1] >> 6);
++ *val = (adc->rx_buf[0] << 2 | adc->rx_buf[1] >> 6);
++ return 0;
+ case mcp3201:
+- return (adc->rx_buf[0] << 7 | adc->rx_buf[1] >>
1);
++ *val = (adc->rx_buf[0] << 7 | adc->rx_buf[1] >> 1);
++ return 0;
+ case mcp3202:
+ case mcp3204:
+ case mcp3208:
+- return (adc->rx_buf[0] << 4 | adc->rx_buf[1] >> 4);
++ *val = (adc->rx_buf[0] << 4 | adc->rx_buf[1] >> 4);
++ return 0;
+ case mcp3301:
+- return sign_extend32((adc->rx_buf[0] & 0x1f) << 8 | adc->rx_buf[1], 12);
++ *val = sign_extend32((adc->rx_buf[0] & 0x1f) << 8
++ | adc->rx_buf[1], 12);
++ return 0;
+ default:
+ return -EINVAL;
+ }
+@@ -150,12 +158,10 @@ static int mcp320x_read_raw(struct iio_d
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
+ ret = mcp320x_adc_conversion(adc, channel->address,
+- channel->differential, device_index);
+-
++ channel->differential, device_index, val);
+ if (ret < 0)
+ goto out;
+
+- *val = ret;
+ ret = IIO_VAL_INT;
+ break;
+
diff --git a/queue-4.4/iio-core-return-error-for-failed-read_reg.patch b/queue-4.4/iio-core-return-error-for-failed-read_reg.patch
new file mode 100644
index 00000000000..2e75a91ad24
--- /dev/null
+++ b/queue-4.4/iio-core-return-error-for-failed-read_reg.patch
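Review bot: mcp320x_adc_conversion() changes its contract without a comment recording it: the reading now leaves through `*val` and the return value is only a status, which is exactly the ambiguity that produced the bug being fixed. A short comment above the function would pin this down, for example `/* Returns 0 and stores the raw, possibly negative, reading in *val; returns a negative errno on failure. */`. In the visible paths `*val` is left unwritten when the `default:` case returns -EINVAL, so the comment should also say that callers must not read it on error. The function begins before the first of the inner hunks, so the SPI transfer and its error path are not visible here.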
@@ -0,0 +1,37 @@
+From 3d62c78a6eb9a7d67bace9622b66ad51e81c5f9b Mon Sep 17 00:00:00 2001
+From: Matt Fornero
+Date: Tue, 5 Sep 2017 16:34:10 +0200
+Subject: iio: core: Return error for failed read_reg
+
+From: Matt Fornero
+
+commit 3d62c78a6eb9a7d67bace9622b66ad51e81c5f9b upstream.
+
+If an IIO device returns an error code for a read access via debugfs, it
+is currently ignored by the IIO core (other than emitting an error
+message). Instead, return this error code to user space, so upper layers
+can detect it correctly.
+
+Signed-off-by: Matt Fornero
+Signed-off-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/industrialio-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -221,8 +221,10 @@ static ssize_t iio_debugfs_read_reg(stru
+ ret = indio_dev->info->debugfs_reg_access(indio_dev,
+ indio_dev->cached_reg_addr,
+ 0, &val);
+- if (ret)
++ if (ret) {
+ dev_err(indio_dev->dev.parent, "%s: read failed\n", __func__);
++ return ret;
++ }
+
+ len = snprintf(buf, sizeof(buf), "0x%X\n", val);
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 43a11710d27..4f3be332466 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -11,6 +11,7 @@ usb-dummy-hcd-fix-connection-failures-wrong-speed.patch usb-dummy-hcd-fix-infinite-loop-resubmission-bug.patch usb-dummy-hcd-fix-erroneous-synchronization-change.patch usb-devio-don-t-corrupt-user-memory.patch +usb-gadget-mass_storage-set-msg_registered-after-msg-registered.patch usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch usb-uas-fix-bug-in-handling-of-alternate-settings.patch usb-core-harden-cdc_parse_cdc_header.patch
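Review bot: The new `return ret;` in iio_debugfs_read_reg() sits under `if (ret)`, so a positive value from a driver's `debugfs_reg_access` callback would reach user space as a byte count from a function typed `ssize_t`, with nothing copied into the user buffer. Callbacks presumably return 0 or a negative errno, but that convention is not enforced anywhere in this hunk; `return ret < 0 ? ret : -EIO;` would keep a misbehaving driver from producing a bogus read length. The early return also stops the `snprintf()` below from formatting `val` after a failed access, which matters if `val` has no initialiser at its declaration (outside the hunk).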
@@ -19,3 +20,11 @@ usb-fix-out-of-bounds-in-usb_set_configuration.patch xhci-fix-finding-correct-bus_state-structure-for-usb-3.1-hosts.patch iio-adc-twl4030-fix-an-error-handling-path-in-twl4030_madc_probe.patch iio-adc-twl4030-disable-the-vusb3v1-rugulator-in-the-error-handling-path-of-twl4030_madc_probe.patch
+iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch
+staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch
+iio-core-return-error-for-failed-read_reg.patch
+iio-ad7793-fix-the-serial-interface-reset.patch
+iio-adc-mcp320x-fix-readout-of-negative-voltages.patch
+iio-adc-mcp320x-fix-oops-on-module-unload.patch
+uwb-properly-check-kthread_run-return-value.patch
+uwb-ensure-that-endpoint-is-interrupt.patch
diff --git a/queue-4.4/staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch b/queue-4.4/staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch
new file mode 100644
index 00000000000..b951d46ce10
--- /dev/null
+++ b/queue-4.4/staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch
@@ -0,0 +1,41 @@
+From f790923f146140a261ad211e5baf75d169f16fb2 Mon Sep 17 00:00:00 2001
+From: Stefan Popa
+Date: Thu, 14 Sep 2017 16:50:28 +0300
+Subject: staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
+
+From: Stefan Popa
+
+commit f790923f146140a261ad211e5baf75d169f16fb2 upstream.
+
+Depends on: 691c4b95d1 ("iio: ad_sigma_delta: Implement a dedicated reset function")
+
+SPI host drivers can use DMA to transfer data, so the buffer should be properly allocated.
+Keeping it on the stack could cause an undefined behavior.
+
+The dedicated reset function solves this issue.
+
+Signed-off-by: Stefan Popa
+Acked-by: Lars-Peter Clausen
+Acked-by: Michael Hennerich
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/iio/adc/ad7192.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/staging/iio/adc/ad7192.c
++++ b/drivers/staging/iio/adc/ad7192.c
+@@ -205,11 +205,9 @@ static int ad7192_setup(struct ad7192_st
+ struct iio_dev *indio_dev = spi_get_drvdata(st->sd.spi);
+ unsigned long long scale_uv;
+ int i, ret, id;
+- u8 ones[6];
+
+ /* reset the serial interface */
+- memset(&ones, 0xFF, 6);
+- ret = spi_write(st->sd.spi, &ones, 6);
++ ret = ad_sd_reset(&st->sd, 48);
+ if (ret < 0)
+ goto out;
+ usleep_range(500, 1000); /* Wait for at least 500us */
diff --git a/queue-4.4/usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch b/queue-4.4/usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch
index 792f47de766..33f3fd35c7d 100644
--- a/queue-4.4/usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch
+++ b/queue-4.4/usb-g_mass_storage-fix-deadlock-when-driver-is-unbound.patch
@@ -115,8 +115,8 @@
Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/function/f_mass_storage.c | 29 +++++++-------------------- drivers/usb/gadget/function/f_mass_storage.h | 14 ------------- - drivers/usb/gadget/legacy/mass_storage.c | 19 +---------------- - 3 files changed, 10 insertions(+), 52 deletions(-) + drivers/usb/gadget/legacy/mass_storage.c | 26 ++---------------------- + 3 files changed, 11 insertions(+), 58 deletions(-) --- a/drivers/usb/gadget/function/f_mass_storage.c +++ b/drivers/usb/gadget/function/f_mass_storage.c @@ -247,7 +247,17 @@ Signed-off-by: Greg Kroah-Hartman status = fsg_common_set_cdev(opts->common, cdev, config.can_stall); if (status) goto fail_set_cdev; -@@ -261,9 +247,8 @@ static int __init msg_init(void) +@@ -256,18 +242,12 @@ MODULE_LICENSE("GPL"); + + static int __init msg_init(void) + { +- int ret; +- +- ret = usb_composite_probe(&msg_driver); +- set_bit(0, &msg_registered); +- +- return ret; ++ return usb_composite_probe(&msg_driver); } module_init(msg_init); diff --git a/queue-4.4/usb-gadget-mass_storage-set-msg_registered-after-msg-registered.patch b/queue-4.4/usb-gadget-mass_storage-set-msg_registered-after-msg-registered.patch new file mode 100644 index 00000000000..6461e45867b --- /dev/null +++ b/queue-4.4/usb-gadget-mass_storage-set-msg_registered-after-msg-registered.patch 
@@ -0,0 +1,46 @@
+From 8e55d30322c6a0ef746c256a1beda9c73ecb27a6 Mon Sep 17 00:00:00 2001
+From: Li Jun
+Date: Fri, 14 Apr 2017 19:12:07 +0800
+Subject: usb: gadget: mass_storage: set msg_registered after msg registered
+
+From: Li Jun
+
+commit 8e55d30322c6a0ef746c256a1beda9c73ecb27a6 upstream.
+
+If there is no UDC available, the msg register will fail and this
+flag will not be set, but the driver is already added into pending
+driver list, then the module removal modprobe -r can not remove
+the driver from the pending list.
+
+Signed-off-by: Li Jun
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/legacy/mass_storage.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/mass_storage.c
++++ b/drivers/usb/gadget/legacy/mass_storage.c
+@@ -210,7 +210,6 @@ static int msg_bind(struct usb_composite
+ usb_composite_overwrite_options(cdev, &coverwrite);
+ dev_info(&cdev->gadget->dev,
+ DRIVER_DESC ", version: " DRIVER_VERSION "\n");
+- set_bit(0, &msg_registered);
+ return 0;
+
+ fail_otg_desc:
+@@ -257,7 +256,12 @@ MODULE_LICENSE("GPL");
+
+ static int __init msg_init(void)
+ {
+- return usb_composite_probe(&msg_driver);
++ int ret;
++
++ ret = usb_composite_probe(&msg_driver);
++ set_bit(0, &msg_registered);
++
++ return ret;
+ }
+ module_init(msg_init);
+
diff --git a/queue-4.4/uwb-ensure-that-endpoint-is-interrupt.patch b/queue-4.4/uwb-ensure-that-endpoint-is-interrupt.patch
new file mode 100644
index 00000000000..8b472c3e769
--- /dev/null
+++ b/queue-4.4/uwb-ensure-that-endpoint-is-interrupt.patch
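Review bot: In msg_init() the `set_bit(0, &msg_registered);` runs whatever `usb_composite_probe()` returned, and nothing in the code says that ignoring `ret` is deliberate. The commit message gives the reason (with no UDC present, bind never runs but the driver is already on the pending list and must still be unregistered on unload), and that belongs next to the line, for example `/* set here, not in msg_bind(): without a UDC bind never runs but the driver is already queued */`. Without it the unconditional set reads like a missing error check and invites a later change that makes it conditional again.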
@@ -0,0 +1,91 @@
+From 70e743e4cec3733dc13559f6184b35d358b9ef3f Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Thu, 14 Sep 2017 16:52:59 +0200
+Subject: uwb: ensure that endpoint is interrupt
+
+From: Andrey Konovalov
+
+commit 70e743e4cec3733dc13559f6184b35d358b9ef3f upstream.
+
+hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no
+check for that, which results in a WARNING in USB core code, when a bad
+USB descriptor is provided from a device:
+
+usb 1-1: BOGUS urb xfer, pipe 1 != type 3
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
+Modules linked in:
+CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+task: ffff88006bdc1a00 task.stack: ffff88006bde8000
+RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
+RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282
+RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000
+RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a
+RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff
+R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f
+R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90
+FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0
+Call Trace:
+ hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710
+ uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361
+ hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858
+ usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
+ really_probe drivers/base/dd.c:385
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
+ bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
+ __device_attach+0x269/0x3c0
drivers/base/dd.c:682
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
+ bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
+ device_add+0xcf9/0x1640 drivers/base/core.c:1703
+ usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
+ generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
+ usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
+ really_probe drivers/base/dd.c:385
+ driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
+ __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
+ bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
+ __device_attach+0x269/0x3c0 drivers/base/dd.c:682
+ device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
+ bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
+ device_add+0xcf9/0x1640 drivers/base/core.c:1703
+ usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
+ hub_port_connect drivers/usb/core/hub.c:4890
+ hub_port_connect_change drivers/usb/core/hub.c:4996
+ port_event drivers/usb/core/hub.c:5102
+ hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182
+ process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
+ worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
+ kthread+0x324/0x3f0 kernel/kthread.c:231
+ ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
+Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89
+e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f>
+ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6
+---[ end trace 55d741234124cfc3 ]---
+
+Check that endpoint is interrupt.
+
+Found by syzkaller.
+
+Signed-off-by: Andrey Konovalov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/uwb/hwa-rc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -827,6 +827,8 @@ static int hwarc_probe(struct usb_interf
+
+ if (iface->cur_altsetting->desc.bNumEndpoints < 1)
+ return -ENODEV;
++ if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc))
++ return -ENODEV;
+
+ result = -ENOMEM;
+ uwb_rc = uwb_rc_alloc();
diff --git a/queue-4.4/uwb-properly-check-kthread_run-return-value.patch b/queue-4.4/uwb-properly-check-kthread_run-return-value.patch
new file mode 100644
index 00000000000..24072b1680a
--- /dev/null
+++ b/queue-4.4/uwb-properly-check-kthread_run-return-value.patch
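Review bot: The added `usb_endpoint_xfer_int()` test in hwarc_probe() validates only the transfer type of endpoint 0 and not its direction, so a device-supplied descriptor that advertises an interrupt OUT endpoint still passes. hwarc_neep_init() is not shown here, but the trace in the commit message has it submitting the notification URB, which presumably reads from that endpoint; if so, `if (!usb_endpoint_is_int_in(&iface->cur_altsetting->endpoint[0].desc))` is the tighter check for descriptor data that comes from an untrusted device. hwarc_probe() continues outside the hunk.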
@@ -0,0 +1,53 @@
+From bbf26183b7a6236ba602f4d6a2f7cade35bba043 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Thu, 14 Sep 2017 14:30:55 +0200
+Subject: uwb: properly check kthread_run return value
+
+From: Andrey Konovalov
+
+commit bbf26183b7a6236ba602f4d6a2f7cade35bba043 upstream.
+
+uwbd_start() calls kthread_run() and checks that the return value is
+not NULL. But the return value is not NULL in case kthread_run() fails,
+it takes the form of ERR_PTR(-EINTR).
+
+Use IS_ERR() instead.
+
+Also add a check to uwbd_stop().
+
+Signed-off-by: Andrey Konovalov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/uwb/uwbd.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/uwb/uwbd.c
++++ b/drivers/uwb/uwbd.c
+@@ -303,18 +303,22 @@ static int uwbd(void *param)
+ /** Start the UWB daemon */
+ void uwbd_start(struct uwb_rc *rc)
+ {
+- rc->uwbd.task = kthread_run(uwbd, rc, "uwbd");
+- if (rc->uwbd.task == NULL)
++ struct task_struct *task = kthread_run(uwbd, rc, "uwbd");
++ if (IS_ERR(task)) {
++ rc->uwbd.task = NULL;
+ printk(KERN_ERR "UWB: Cannot start management daemon; "
+ "UWB won't work\n");
+- else
++ } else {
++ rc->uwbd.task = task;
+ rc->uwbd.pid = rc->uwbd.task->pid;
++ }
+ }
+
+ /* Stop the UWB daemon and free any unprocessed events */
+ void uwbd_stop(struct uwb_rc *rc)
+ {
+- kthread_stop(rc->uwbd.task);
++ if (rc->uwbd.task)
++ kthread_stop(rc->uwbd.task);
+ uwbd_flush(rc);
+ }
+
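Review bot: uwbd_start() throws away the error that `kthread_run()` returned: the `IS_ERR(task)` branch prints a fixed string and the function is `void`, so neither the log nor the caller learns why the daemon failed to start. Putting the code in the message is a one-line change, `printk(KERN_ERR "UWB: Cannot start management daemon (%ld); UWB won't work\n", PTR_ERR(task));`. On the same path `rc->uwbd.pid` keeps whatever value it held before, so it would be cleaner to reset it next to `rc->uwbd.task = NULL;`. Kernel style also wants a blank line between the `struct task_struct *task` declaration and the `if` that follows it.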