--- /dev/null
+From 08f63d97749185fab942a3a47ed80f5bd89b8b7d Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <jroedel@suse.de>
+Date: Wed, 22 Mar 2017 18:33:25 +0100
+Subject: ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
+
+From: Joerg Roedel <jroedel@suse.de>
+
+commit 08f63d97749185fab942a3a47ed80f5bd89b8b7d upstream.
+
+No platform-device is required for IO(x)APICs, so don't even
+create them.
+
+[ rjw: This fixes a problem with leaking platform device objects
+ after IOAPIC/IOxAPIC hot-removal events.]
+
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_platform.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/acpi_platform.c
++++ b/drivers/acpi/acpi_platform.c
+@@ -24,9 +24,11 @@
+ ACPI_MODULE_NAME("platform");
+
+ static const struct acpi_device_id forbidden_id_list[] = {
+- {"PNP0000", 0}, /* PIC */
+- {"PNP0100", 0}, /* Timer */
+- {"PNP0200", 0}, /* AT DMA Controller */
++ {"PNP0000", 0}, /* PIC */
++ {"PNP0100", 0}, /* Timer */
++ {"PNP0200", 0}, /* AT DMA Controller */
++ {"ACPI0009", 0}, /* IOxAPIC */
++ {"ACPI000A", 0}, /* IOAPIC */
+ {"", 0},
+ };
+
--- /dev/null
+From 61b79e16c68d703dde58c25d3935d67210b7d71b Mon Sep 17 00:00:00 2001
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+Date: Thu, 16 Mar 2017 08:56:28 -0500
+Subject: ACPI: Fix incompatibility with mcount-based function graph tracing
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+commit 61b79e16c68d703dde58c25d3935d67210b7d71b upstream.
+
+Paul Menzel reported a warning:
+
+ WARNING: CPU: 0 PID: 774 at /build/linux-ROBWaj/linux-4.9.13/kernel/trace/trace_functions_graph.c:233 ftrace_return_to_handler+0x1aa/0x1e0
+ Bad frame pointer: expected f6919d98, received f6919db0
+ from func acpi_pm_device_sleep_wake return to c43b6f9d
+
+The warning means that function graph tracing is broken for the
+acpi_pm_device_sleep_wake() function. That's because the ACPI Makefile
+unconditionally sets the '-Os' gcc flag to optimize for size. That's an
+issue because mcount-based function graph tracing is incompatible with
+'-Os' on x86, thanks to the following gcc bug:
+
+ https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109
+
+I have another patch pending which will ensure that mcount-based
+function graph tracing is never used with CONFIG_CC_OPTIMIZE_FOR_SIZE on
+x86.
+
+But this patch is needed in addition to that one because the ACPI
+Makefile overrides that config option for no apparent reason. It has
+had this flag since the beginning of git history, and there's no related
+comment, so I don't know why it's there. As far as I can tell, there's
+no reason for it to be there. The appropriate behavior is for it to
+honor CONFIG_CC_OPTIMIZE_FOR_{SIZE,PERFORMANCE} like the rest of the
+kernel.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/acpi/Makefile
++++ b/drivers/acpi/Makefile
+@@ -2,7 +2,6 @@
+ # Makefile for the Linux ACPI interpreter
+ #
+
+-ccflags-y := -Os
+ ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT
+
+ #
--- /dev/null
+From 2f726aec19a9d2c63bec9a8a53a3910ffdcd09f8 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Fri, 31 Mar 2017 10:31:40 +0800
+Subject: ALSA: hda - fix a problem for lineout on a Dell AIO machine
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 2f726aec19a9d2c63bec9a8a53a3910ffdcd09f8 upstream.
+
+On this Dell AIO machine, the lineout jack does not work.
+
+We found the pin 0x1a is assigned to lineout on this machine, and in
+the past, we applied ALC298_FIXUP_DELL1_MIC_NO_PRESENCE to fix the
+heaset-set mic problem for this machine, this fixup will redefine
+the pin 0x1a to headphone-mic, as a result the lineout doesn't
+work anymore.
+
+After consulting with Dell, they told us this machine doesn't support
+microphone via headset jack, so we add a new fixup which only defines
+the pin 0x18 as the headset-mic.
+
+[rearranged the fixup insertion position by tiwai in order to make the
+ merge with other branches easier -- tiwai]
+
+Fixes: 59ec4b57bcae ("ALSA: hda - Fix headset mic detection problem for two dell machines")
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4831,6 +4831,7 @@ enum {
+ ALC292_FIXUP_DISABLE_AAMIX,
+ ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK,
+ ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
++ ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
+ ALC275_FIXUP_DELL_XPS,
+ ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE,
+ ALC293_FIXUP_LENOVO_SPK_NOISE,
+@@ -5429,6 +5430,15 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC269_FIXUP_HEADSET_MODE
+ },
++ [ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE] = {
++ .type = HDA_FIXUP_PINS,
++ .v.pins = (const struct hda_pintbl[]) {
++ { 0x18, 0x01a1913c }, /* use as headset mic, without its own jack detect */
++ { }
++ },
++ .chained = true,
++ .chain_id = ALC269_FIXUP_HEADSET_MODE
++ },
+ [ALC275_FIXUP_DELL_XPS] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+@@ -5501,7 +5511,7 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc298_fixup_speaker_volume,
+ .chained = true,
+- .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
++ .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
+ },
+ [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
+ .type = HDA_FIXUP_PINS,
--- /dev/null
+From 2d7d54002e396c180db0c800c1046f0a3c471597 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 24 Mar 2017 17:07:57 +0100
+Subject: ALSA: seq: Fix race during FIFO resize
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream.
+
+When a new event is queued while processing to resize the FIFO in
+snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool
+that is being queued gets removed. For avoiding this race, we need to
+close the pool to be deleted and sync its usage before actually
+deleting it.
+
+The issue was spotted by syzkaller.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_fifo.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -265,6 +265,10 @@ int snd_seq_fifo_resize(struct snd_seq_f
+ /* NOTE: overflow flag is not cleared */
+ spin_unlock_irqrestore(&f->lock, flags);
+
++ /* close the old pool and wait until all users are gone */
++ snd_seq_pool_mark_closing(oldpool);
++ snd_use_lock_sync(&f->use_lock);
++
+ /* release cells in old pool */
+ for (cell = oldhead; cell; cell = next) {
+ next = cell->next;
--- /dev/null
+From cd3ac9affc43b44f49d7af70d275f0bd426ba643 Mon Sep 17 00:00:00 2001
+From: Songjun Wu <songjun.wu@microchip.com>
+Date: Fri, 24 Feb 2017 15:10:43 +0800
+Subject: ASoC: atmel-classd: fix audio clock rate
+
+From: Songjun Wu <songjun.wu@microchip.com>
+
+commit cd3ac9affc43b44f49d7af70d275f0bd426ba643 upstream.
+
+Fix the audio clock rate according to the datasheet.
+
+Reported-by: Dushara Jayasinghe <dushara@successful.com.au>
+Signed-off-by: Songjun Wu <songjun.wu@microchip.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/atmel/atmel-classd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/atmel/atmel-classd.c
++++ b/sound/soc/atmel/atmel-classd.c
+@@ -343,7 +343,7 @@ static int atmel_classd_codec_dai_digita
+ }
+
+ #define CLASSD_ACLK_RATE_11M2896_MPY_8 (112896 * 100 * 8)
+-#define CLASSD_ACLK_RATE_12M288_MPY_8 (12228 * 1000 * 8)
++#define CLASSD_ACLK_RATE_12M288_MPY_8 (12288 * 1000 * 8)
+
+ static struct {
+ int rate;
--- /dev/null
+From 923713b357455cfb9aca2cd3429cb0806a724ed2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 26 Mar 2017 13:14:45 +0200
+Subject: mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 923713b357455cfb9aca2cd3429cb0806a724ed2 upstream.
+
+SDIO cards may need clock to send the card interrupt to the host.
+
+On a cherrytrail tablet with a RTL8723BS wifi chip, without this patch
+pinging the tablet results in:
+
+PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
+64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=78.6 ms
+64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1760 ms
+64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=753 ms
+64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=3.88 ms
+64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=795 ms
+64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1841 ms
+64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=810 ms
+64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1860 ms
+64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=812 ms
+64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=48.6 ms
+
+Where as with this patch I get:
+
+PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
+64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=3.96 ms
+64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1.97 ms
+64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=17.2 ms
+64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=2.46 ms
+64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=2.83 ms
+64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1.40 ms
+64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=2.10 ms
+64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1.40 ms
+64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=2.04 ms
+64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=1.40 ms
+
+Cc: Dong Aisheng <b29396@freescale.com>
+Cc: Ian W MORRISON <ianwmorrison@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Dong Aisheng <aisheng.dong@nxp.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1886,6 +1886,9 @@ static int sdhci_prepare_hs400_tuning(st
+ struct sdhci_host *host = mmc_priv(mmc);
+ unsigned long flags;
+
++ if (enable)
++ pm_runtime_get_noresume(host->mmc->parent);
++
+ spin_lock_irqsave(&host->lock, flags);
+ host->flags |= SDHCI_HS400_TUNING;
+ spin_unlock_irqrestore(&host->lock, flags);
+@@ -2236,6 +2239,9 @@ static void sdhci_card_event(struct mmc_
+ }
+
+ spin_unlock_irqrestore(&host->lock, flags);
++
++ if (!enable)
++ pm_runtime_put_noidle(host->mmc->parent);
+ }
+
+ static const struct mmc_host_ops sdhci_ops = {
--- /dev/null
+From 9702c67c6066f583b629cf037d2056245bb7a8e6 Mon Sep 17 00:00:00 2001
+From: John Garry <john.garry@huawei.com>
+Date: Thu, 16 Mar 2017 23:07:28 +0800
+Subject: scsi: libsas: fix ata xfer length
+
+From: John Garry <john.garry@huawei.com>
+
+commit 9702c67c6066f583b629cf037d2056245bb7a8e6 upstream.
+
+The total ata xfer length may not be calculated properly, in that we do
+not use the proper method to get an sg element dma length.
+
+According to the code comment, sg_dma_len() should be used after
+dma_map_sg() is called.
+
+This issue was found by turning on the SMMUv3 in front of the hisi_sas
+controller in hip07. Multiple sg elements were being combined into a
+single element, but the original first element length was being use as
+the total xfer length.
+
+Fixes: ff2aeb1eb64c8a4770a6 ("libata: convert to chained sg")
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/libsas/sas_ata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/libsas/sas_ata.c
++++ b/drivers/scsi/libsas/sas_ata.c
+@@ -218,7 +218,7 @@ static unsigned int sas_ata_qc_issue(str
+ task->num_scatter = qc->n_elem;
+ } else {
+ for_each_sg(qc->sg, sg, qc->n_elem, si)
+- xfer += sg->length;
++ xfer += sg_dma_len(sg);
+
+ task->total_xfer_len = xfer;
+ task->num_scatter = si;
--- /dev/null
+From bf33f87dd04c371ea33feb821b60d63d754e3124 Mon Sep 17 00:00:00 2001
+From: peter chang <dpf@google.com>
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
+
+From: peter chang <dpf@google.com>
+
+commit bf33f87dd04c371ea33feb821b60d63d754e3124 upstream.
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Signed-off-by: Peter Chang <dpf@google.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1008,6 +1008,8 @@ sg_ioctl(struct file *filp, unsigned int
+ result = get_user(val, ip);
+ if (result)
+ return result;
++ if (val > SG_MAX_CDB_SIZE)
++ return -ENOMEM;
+ sfp->next_cmd_len = (val > 0) ? val : 0;
+ return 0;
+ case SG_GET_VERSION_NUM:
libceph-force-gfp_noio-for-socket-allocations.patch
xen-setup-don-t-relocate-p2m-over-existing-one.patch
scsi-mpt3sas-fix-hang-on-ata-passthrough-commands.patch
+scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
+scsi-libsas-fix-ata-xfer-length.patch
+alsa-seq-fix-race-during-fifo-resize.patch
+alsa-hda-fix-a-problem-for-lineout-on-a-dell-aio-machine.patch
+asoc-atmel-classd-fix-audio-clock-rate.patch
+mmc-sdhci-disable-runtime-pm-when-the-sdio_irq-is-enabled.patch
+acpi-fix-incompatibility-with-mcount-based-function-graph-tracing.patch
+acpi-do-not-create-a-platform_device-for-ioapic-ioxapic.patch
+tty-serial-atmel-fix-race-condition-tx-dma.patch
+tty-serial-atmel-fix-tx-path-in-atmel_console_write.patch
+usb-fix-linked-list-corruption-in-rh_call_control.patch
--- /dev/null
+From 31ca2c63fdc0aee725cbd4f207c1256f5deaabde Mon Sep 17 00:00:00 2001
+From: Richard Genoud <richard.genoud@gmail.com>
+Date: Mon, 20 Mar 2017 11:52:41 +0100
+Subject: tty/serial: atmel: fix race condition (TX+DMA)
+
+From: Richard Genoud <richard.genoud@gmail.com>
+
+commit 31ca2c63fdc0aee725cbd4f207c1256f5deaabde upstream.
+
+If uart_flush_buffer() is called between atmel_tx_dma() and
+atmel_complete_tx_dma(), the circular buffer has been cleared, but not
+atmel_port->tx_len.
+That leads to a circular buffer overflow (dumping (UART_XMIT_SIZE -
+atmel_port->tx_len) bytes).
+
+Tested-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -1987,6 +1987,11 @@ static void atmel_flush_buffer(struct ua
+ atmel_uart_writel(port, ATMEL_PDC_TCR, 0);
+ atmel_port->pdc_tx.ofs = 0;
+ }
++ /*
++ * in uart_flush_buffer(), the xmit circular buffer has just
++ * been cleared, so we have to reset tx_len accordingly.
++ */
++ atmel_port->tx_len = 0;
+ }
+
+ /*
--- /dev/null
+From 497e1e16f45c70574dc9922c7f75c642c2162119 Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+Date: Mon, 20 Mar 2017 16:38:57 +0100
+Subject: tty/serial: atmel: fix TX path in atmel_console_write()
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+commit 497e1e16f45c70574dc9922c7f75c642c2162119 upstream.
+
+A side effect of 89d8232411a8 ("tty/serial: atmel_serial: BUG: stop DMA
+from transmitting in stop_tx") is that the console can be called with
+TX path disabled. Then the system would hang trying to push charecters
+out in atmel_console_putchar().
+
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Fixes: 89d8232411a8 ("tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/atmel_serial.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -2504,6 +2504,9 @@ static void atmel_console_write(struct c
+ pdc_tx = atmel_uart_readl(port, ATMEL_PDC_PTSR) & ATMEL_PDC_TXTEN;
+ atmel_uart_writel(port, ATMEL_PDC_PTCR, ATMEL_PDC_TXTDIS);
+
++ /* Make sure that tx path is actually able to send characters */
++ atmel_uart_writel(port, ATMEL_US_CR, ATMEL_US_TXEN);
++
+ uart_console_write(port, s, count, atmel_console_putchar);
+
+ /*
--- /dev/null
+From 1633682053a7ee8058e10c76722b9b28e97fb73f Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 24 Mar 2017 13:38:28 -0400
+Subject: USB: fix linked-list corruption in rh_call_control()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 1633682053a7ee8058e10c76722b9b28e97fb73f upstream.
+
+Using KASAN, Dmitry found a bug in the rh_call_control() routine: If
+buffer allocation fails, the routine returns immediately without
+unlinking its URB from the control endpoint, eventually leading to
+linked-list corruption.
+
+This patch fixes the problem by jumping to the end of the routine
+(where the URB is unlinked) when an allocation failure occurs.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -499,8 +499,10 @@ static int rh_call_control (struct usb_h
+ */
+ tbuf_size = max_t(u16, sizeof(struct usb_hub_descriptor), wLength);
+ tbuf = kzalloc(tbuf_size, GFP_KERNEL);
+- if (!tbuf)
+- return -ENOMEM;
++ if (!tbuf) {
++ status = -ENOMEM;
++ goto err_alloc;
++ }
+
+ bufp = tbuf;
+
+@@ -705,6 +707,7 @@ error:
+ }
+
+ kfree(tbuf);
++ err_alloc:
+
+ /* any errors get returned through the urb completion */
+ spin_lock_irq(&hcd_root_hub_lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
