--- /dev/null
+From 5cda3ee5138e91ac369ed9d0b55eab0dab077686 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sun, 4 Jun 2017 14:03:42 +0200
+Subject: can: gs_usb: fix memory leak in gs_cmd_reset()
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 5cda3ee5138e91ac369ed9d0b55eab0dab077686 upstream.
+
+This patch adds the missing kfree() in gs_cmd_reset() to free the
+memory that is not used anymore after usb_control_msg().
+
+Cc: Maximilian Schneider <max@schneidersoft.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/gs_usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -246,6 +246,8 @@ static int gs_cmd_reset(struct gs_usb *g
+ sizeof(*dm),
+ 1000);
+
++ kfree(dm);
++
+ return rc;
+ }
+
--- /dev/null
+From ba80aa909c99802c428682c352b0ee0baac0acd3 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Thu, 8 Jun 2017 04:51:54 +0000
+Subject: configfs: Fix race between create_link and configfs_rmdir
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit ba80aa909c99802c428682c352b0ee0baac0acd3 upstream.
+
+This patch closes a long standing race in configfs between
+the creation of a new symlink in create_link(), while the
+symlink target's config_item is being concurrently removed
+via configfs_rmdir().
+
+This can happen because the symlink target's reference
+is obtained by config_item_get() in create_link() before
+the CONFIGFS_USET_DROPPING bit set by configfs_detach_prep()
+during configfs_rmdir() shutdown is actually checked..
+
+This originally manifested itself on ppc64 on v4.8.y under
+heavy load using ibmvscsi target ports with Novalink API:
+
+[ 7877.289863] rpadlpar_io: slot U8247.22L.212A91A-V1-C8 added
+[ 7879.893760] ------------[ cut here ]------------
+[ 7879.893768] WARNING: CPU: 15 PID: 17585 at ./include/linux/kref.h:46 config_item_get+0x7c/0x90 [configfs]
+[ 7879.893811] CPU: 15 PID: 17585 Comm: targetcli Tainted: G O 4.8.17-customv2.22 #12
+[ 7879.893812] task: c00000018a0d3400 task.stack: c0000001f3b40000
+[ 7879.893813] NIP: d000000002c664ec LR: d000000002c60980 CTR: c000000000b70870
+[ 7879.893814] REGS: c0000001f3b43810 TRAP: 0700 Tainted: G O (4.8.17-customv2.22)
+[ 7879.893815] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 28222242 XER: 00000000
+[ 7879.893820] CFAR: d000000002c664bc SOFTE: 1
+ GPR00: d000000002c60980 c0000001f3b43a90 d000000002c70908 c0000000fbc06820
+ GPR04: c0000001ef1bd900 0000000000000004 0000000000000001 0000000000000000
+ GPR08: 0000000000000000 0000000000000001 d000000002c69560 d000000002c66d80
+ GPR12: c000000000b70870 c00000000e798700 c0000001f3b43ca0 c0000001d4949d40
+ GPR16: c00000014637e1c0 0000000000000000 0000000000000000 c0000000f2392940
+ GPR20: c0000001f3b43b98 0000000000000041 0000000000600000 0000000000000000
+ GPR24: fffffffffffff000 0000000000000000 d000000002c60be0 c0000001f1dac490
+ GPR28: 0000000000000004 0000000000000000 c0000001ef1bd900 c0000000f2392940
+[ 7879.893839] NIP [d000000002c664ec] config_item_get+0x7c/0x90 [configfs]
+[ 7879.893841] LR [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
+[ 7879.893842] Call Trace:
+[ 7879.893844] [c0000001f3b43ac0] [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
+[ 7879.893847] [c0000001f3b43b10] [c000000000329770] do_dentry_open+0x2c0/0x460
+[ 7879.893849] [c0000001f3b43b70] [c000000000344480] path_openat+0x210/0x1490
+[ 7879.893851] [c0000001f3b43c80] [c00000000034708c] do_filp_open+0xfc/0x170
+[ 7879.893853] [c0000001f3b43db0] [c00000000032b5bc] do_sys_open+0x1cc/0x390
+[ 7879.893856] [c0000001f3b43e30] [c000000000009584] system_call+0x38/0xec
+[ 7879.893856] Instruction dump:
+[ 7879.893858] 409d0014 38210030 e8010010 7c0803a6 4e800020 3d220000 e94981e0 892a0000
+[ 7879.893861] 2f890000 409effe0 39200001 992a0000 <0fe00000> 4bffffd0 60000000 60000000
+[ 7879.893866] ---[ end trace 14078f0b3b5ad0aa ]---
+
+To close this race, go ahead and obtain the symlink's target
+config_item reference only after the existing CONFIGFS_USET_DROPPING
+check succeeds.
+
+This way, if configfs_rmdir() wins create_link() will return -ENONET,
+and if create_link() wins configfs_rmdir() will return -EBUSY.
+
+Reported-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Tested-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/configfs/symlink.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/configfs/symlink.c
++++ b/fs/configfs/symlink.c
+@@ -83,14 +83,13 @@ static int create_link(struct config_ite
+ ret = -ENOMEM;
+ sl = kmalloc(sizeof(struct configfs_symlink), GFP_KERNEL);
+ if (sl) {
+- sl->sl_target = config_item_get(item);
+ spin_lock(&configfs_dirent_lock);
+ if (target_sd->s_type & CONFIGFS_USET_DROPPING) {
+ spin_unlock(&configfs_dirent_lock);
+- config_item_put(item);
+ kfree(sl);
+ return -ENOENT;
+ }
++ sl->sl_target = config_item_get(item);
+ list_add(&sl->sl_list, &target_sd->s_links);
+ spin_unlock(&configfs_dirent_lock);
+ ret = configfs_create_link(sl, parent_item->ci_dentry,
--- /dev/null
+From b8e11f7d2791bd9320be1c6e772a60b2aa093e45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tomasz=20Wilczy=C5=84ski?= <twilczynski@naver.com>
+Date: Sun, 11 Jun 2017 17:28:39 +0900
+Subject: cpufreq: conservative: Allow down_threshold to take values from 1 to 10
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Wilczyński <twilczynski@naver.com>
+
+commit b8e11f7d2791bd9320be1c6e772a60b2aa093e45 upstream.
+
+Commit 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency
+decrease checking) removed the 10 point substraction when comparing the
+load against down_threshold but did not remove the related limit for the
+down_threshold value. As a result, down_threshold lower than 11 is not
+allowed even though values from 1 to 10 do work correctly too. The
+comment ("cannot be lower than 11 otherwise freq will not fall") also
+does not apply after removing the substraction.
+
+For this reason, allow down_threshold to take any value from 1 to 99
+and fix the related comment.
+
+Fixes: 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency decrease checking)
+Signed-off-by: Tomasz Wilczyński <twilczynski@naver.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/cpufreq_conservative.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_conservative.c
++++ b/drivers/cpufreq/cpufreq_conservative.c
+@@ -204,8 +204,8 @@ static ssize_t store_down_threshold(stru
+ int ret;
+ ret = sscanf(buf, "%u", &input);
+
+- /* cannot be lower than 11 otherwise freq will not fall */
+- if (ret != 1 || input < 11 || input > 100 ||
++ /* cannot be lower than 1 otherwise freq will not fall */
++ if (ret != 1 || input < 1 || input > 100 ||
+ input >= cs_tuners->up_threshold)
+ return -EINVAL;
+
--- /dev/null
+From 8128a31eaadbcdfa37774bbd28f3f00bac69996a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 8 May 2017 15:55:17 -0700
+Subject: drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8128a31eaadbcdfa37774bbd28f3f00bac69996a upstream.
+
+c2port_device_register() never returns NULL, it uses error pointers.
+
+Link: http://lkml.kernel.org/r/20170412083321.GC3250@mwanda
+Fixes: 65131cd52b9e ("c2port: add c2port support for Eurotech Duramar 2150")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Rodolfo Giometti <giometti@linux.it>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/c2port/c2port-duramar2150.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/c2port/c2port-duramar2150.c
++++ b/drivers/misc/c2port/c2port-duramar2150.c
+@@ -129,8 +129,8 @@ static int __init duramar2150_c2port_ini
+
+ duramar2150_c2port_dev = c2port_device_register("uc",
+ &duramar2150_c2port_ops, NULL);
+- if (!duramar2150_c2port_dev) {
+- ret = -ENODEV;
++ if (IS_ERR(duramar2150_c2port_dev)) {
++ ret = PTR_ERR(duramar2150_c2port_dev);
+ goto free_region;
+ }
+
--- /dev/null
+From 6272c0de13abf1480f701d38288f28a11b4301c4 Mon Sep 17 00:00:00 2001
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Fri, 14 Apr 2017 16:38:19 -0700
+Subject: iio: proximity: as3935: recalibrate RCO after resume
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+commit 6272c0de13abf1480f701d38288f28a11b4301c4 upstream.
+
+According to the datasheet the RCO must be recalibrated
+on every power-on-reset. Also remove mutex locking in the
+calibration function since callers other than the probe
+function (which doesn't need it) will have a lock.
+
+Fixes: 24ddb0e4bba4 ("iio: Add AS3935 lightning sensor support")
+Cc: George McCollister <george.mccollister@gmail.com>
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/proximity/as3935.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -256,8 +256,6 @@ static irqreturn_t as3935_interrupt_hand
+
+ static void calibrate_as3935(struct as3935_state *st)
+ {
+- mutex_lock(&st->lock);
+-
+ /* mask disturber interrupt bit */
+ as3935_write(st, AS3935_INT, BIT(5));
+
+@@ -267,8 +265,6 @@ static void calibrate_as3935(struct as39
+
+ mdelay(2);
+ as3935_write(st, AS3935_TUNE_CAP, (st->tune_cap / TUNE_CAP_DIV));
+-
+- mutex_unlock(&st->lock);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+@@ -305,6 +301,8 @@ static int as3935_resume(struct spi_devi
+ val &= ~AS3935_AFE_PWR_BIT;
+ ret = as3935_write(st, AS3935_AFE_GAIN, val);
+
++ calibrate_as3935(st);
++
+ err_resume:
+ mutex_unlock(&st->lock);
+
--- /dev/null
+From 769dc04db3ed8484798aceb015b94deacc2ba557 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Thu, 8 Jun 2017 14:00:49 +0300
+Subject: mac80211: don't look at the PM bit of BAR frames
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 769dc04db3ed8484798aceb015b94deacc2ba557 upstream.
+
+When a peer sends a BAR frame with PM bit clear, we should
+not modify its PM state as madated by the spec in
+802.11-20012 10.2.1.2.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1319,12 +1319,16 @@ ieee80211_rx_h_sta_process(struct ieee80
+ */
+ if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) &&
+ !ieee80211_has_morefrags(hdr->frame_control) &&
++ !ieee80211_is_back_req(hdr->frame_control) &&
+ !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
+ (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
+ rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
+- /* PM bit is only checked in frames where it isn't reserved,
++ /*
++ * PM bit is only checked in frames where it isn't reserved,
+ * in AP mode it's reserved in non-bufferable management frames
+ * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
++ * BAR frames should be ignored as specified in
++ * IEEE 802.11-2012 10.2.1.2.
+ */
+ (!ieee80211_is_mgmt(hdr->frame_control) ||
+ ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
--- /dev/null
+From 8b8a84c54aff4256d592dc18346c65ecf6811b45 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Sat, 15 Apr 2017 10:05:08 -0700
+Subject: mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 8b8a84c54aff4256d592dc18346c65ecf6811b45 upstream.
+
+Commit 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver")
+added support for USB TLL, but uses OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF
+bit the wrong way. The comments in the code are correct, but the inverted
+use of OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF causes the register to be
+enabled instead of disabled unlike what the comments say.
+
+Without this change the Wrigley 3G LTE modem on droid 4 EHCI bus can
+be only pinged few times before it stops responding.
+
+Fixes: 16fa3dc75c22 ("mfd: omap-usb-tll: HOST TLL platform driver")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/omap-usb-tll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/omap-usb-tll.c
++++ b/drivers/mfd/omap-usb-tll.c
+@@ -376,8 +376,8 @@ int omap_tll_init(struct usbhs_omap_plat
+ * and use SDR Mode
+ */
+ reg &= ~(OMAP_TLL_CHANNEL_CONF_UTMIAUTOIDLE
+- | OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF
+ | OMAP_TLL_CHANNEL_CONF_ULPIDDRMODE);
++ reg |= OMAP_TLL_CHANNEL_CONF_ULPINOBITSTUFF;
+ } else if (pdata->port_mode[i] ==
+ OMAP_EHCI_PORT_MODE_HSIC) {
+ /*
--- /dev/null
+From 6830733d53a4517588e56227b9c8538633f0c496 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 2 Feb 2017 12:53:04 -0200
+Subject: [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 6830733d53a4517588e56227b9c8538633f0c496 upstream.
+
+The driver uses a relatively large data structure on the stack, which
+showed up on my radar as we get a warning with the "latent entropy"
+GCC plugin:
+
+drivers/media/usb/pvrusb2/pvrusb2-eeprom.c:153:1: error: the frame size of 1376 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]
+
+The warning is usually hidden as we raise the warning limit to 2048
+when the plugin is enabled, but I'd like to lower that again in the
+future, and making this function smaller helps to do that without
+build regressions.
+
+Further analysis shows that putting an 'i2c_client' structure on
+the stack is not really supported, as the embedded 'struct device'
+is not initialized here, and we are only saved by the fact that
+the function that is called here does not use the pointer at all.
+
+Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/pvrusb2/pvrusb2-eeprom.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-eeprom.c
+@@ -123,15 +123,10 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
+ memset(&tvdata,0,sizeof(tvdata));
+
+ eeprom = pvr2_eeprom_fetch(hdw);
+- if (!eeprom) return -EINVAL;
++ if (!eeprom)
++ return -EINVAL;
+
+- {
+- struct i2c_client fake_client;
+- /* Newer version expects a useless client interface */
+- fake_client.addr = hdw->eeprom_addr;
+- fake_client.adapter = &hdw->i2c_adap;
+- tveeprom_hauppauge_analog(&fake_client,&tvdata,eeprom);
+- }
++ tveeprom_hauppauge_analog(NULL, &tvdata, eeprom);
+
+ trace_eeprom("eeprom assumed v4l tveeprom module");
+ trace_eeprom("eeprom direct call results:");
--- /dev/null
+From be40597a1bc173bf9dadccdf5388b956f620ae8f Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 12 May 2017 16:35:45 +0200
+Subject: serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit be40597a1bc173bf9dadccdf5388b956f620ae8f upstream.
+
+UARTn_FRAME_PARITY_ODD is 0x0300
+UARTn_FRAME_PARITY_EVEN is 0x0200
+So if the UART is configured for EVEN parity, it would be reported as ODD.
+Fix it by correctly testing if the 2 bits are set.
+
+Fixes: 3afbd89c9639 ("serial/efm32: add new driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/efm32-uart.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/efm32-uart.c
++++ b/drivers/tty/serial/efm32-uart.c
+@@ -27,6 +27,7 @@
+ #define UARTn_FRAME 0x04
+ #define UARTn_FRAME_DATABITS__MASK 0x000f
+ #define UARTn_FRAME_DATABITS(n) ((n) - 3)
++#define UARTn_FRAME_PARITY__MASK 0x0300
+ #define UARTn_FRAME_PARITY_NONE 0x0000
+ #define UARTn_FRAME_PARITY_EVEN 0x0200
+ #define UARTn_FRAME_PARITY_ODD 0x0300
+@@ -572,12 +573,16 @@ static void efm32_uart_console_get_optio
+ 16 * (4 + (clkdiv >> 6)));
+
+ frame = efm32_uart_read32(efm_port, UARTn_FRAME);
+- if (frame & UARTn_FRAME_PARITY_ODD)
++ switch (frame & UARTn_FRAME_PARITY__MASK) {
++ case UARTn_FRAME_PARITY_ODD:
+ *parity = 'o';
+- else if (frame & UARTn_FRAME_PARITY_EVEN)
++ break;
++ case UARTn_FRAME_PARITY_EVEN:
+ *parity = 'e';
+- else
++ break;
++ default:
+ *parity = 'n';
++ }
+
+ *bits = (frame & UARTn_FRAME_DATABITS__MASK) -
+ UARTn_FRAME_DATABITS(4) + 4;
--- /dev/null
+From 784047eb2d3405a35087af70cba46170c5576b25 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 22 Apr 2017 13:47:23 +0300
+Subject: staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 784047eb2d3405a35087af70cba46170c5576b25 upstream.
+
+The "len" could be as low as -14 so we should check for negatives.
+
+Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/core/rtw_ap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
++++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
+@@ -873,7 +873,7 @@ int rtw_check_beacon_data(struct adapter
+ return _FAIL;
+
+
+- if (len > MAX_IE_SZ)
++ if (len < 0 || len > MAX_IE_SZ)
+ return _FAIL;
+
+ pbss_network->IELength = len;
--- /dev/null
+From 1a744d2eb76aaafb997fda004ae3ae62a1538f85 Mon Sep 17 00:00:00 2001
+From: Anton Bondarenko <anton.bondarenko.sama@gmail.com>
+Date: Sun, 7 May 2017 01:53:46 +0200
+Subject: usb: core: fix potential memory leak in error path during hcd creation
+
+From: Anton Bondarenko <anton.bondarenko.sama@gmail.com>
+
+commit 1a744d2eb76aaafb997fda004ae3ae62a1538f85 upstream.
+
+Free memory allocated for address0_mutex if allocation of bandwidth_mutex
+failed.
+
+Fixes: feb26ac31a2a ("usb: core: hub: hub_port_init lock controller instead of bus")
+
+Signed-off-by: Anton Bondarenko <anton.bondarenko.sama@gmail.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -2461,6 +2461,7 @@ struct usb_hcd *usb_create_shared_hcd(co
+ hcd->bandwidth_mutex = kmalloc(sizeof(*hcd->bandwidth_mutex),
+ GFP_KERNEL);
+ if (!hcd->bandwidth_mutex) {
++ kfree(hcd->address0_mutex);
+ kfree(hcd);
+ dev_dbg(dev, "hcd bandwidth mutex alloc failed\n");
+ return NULL;
--- /dev/null
+From d81182ce30dbd497a1e7047d7fda2af040347790 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 May 2017 18:18:25 +0200
+Subject: USB: gadget: dummy_hcd: fix hub-descriptor removable fields
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d81182ce30dbd497a1e7047d7fda2af040347790 upstream.
+
+Flag the first and only port as removable while also leaving the
+remaining bits (including the reserved bit zero) unset in accordance
+with the specifications:
+
+ "Within a byte, if no port exists for a given location, the bit
+ field representing the port characteristics shall be 0."
+
+Also add a comment marking the legacy PortPwrCtrlMask field.
+
+Fixes: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add SuperSpeed support")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Tatyana Brokhman <tlinder@codeaurora.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -1935,7 +1935,7 @@ ss_hub_descriptor(struct usb_hub_descrip
+ desc->wHubCharacteristics = cpu_to_le16(0x0001);
+ desc->bNbrPorts = 1;
+ desc->u.ss.bHubHdrDecLat = 0x04; /* Worst case: 0.4 micro sec*/
+- desc->u.ss.DeviceRemovable = 0xffff;
++ desc->u.ss.DeviceRemovable = 0;
+ }
+
+ static inline void hub_descriptor(struct usb_hub_descriptor *desc)
+@@ -1945,8 +1945,8 @@ static inline void hub_descriptor(struct
+ desc->bDescLength = 9;
+ desc->wHubCharacteristics = cpu_to_le16(0x0001);
+ desc->bNbrPorts = 1;
+- desc->u.hs.DeviceRemovable[0] = 0xff;
+- desc->u.hs.DeviceRemovable[1] = 0xff;
++ desc->u.hs.DeviceRemovable[0] = 0;
++ desc->u.hs.DeviceRemovable[1] = 0xff; /* PortPwrCtrlMask */
+ }
+
+ static int dummy_hub_control(
--- /dev/null
+From 93491ced3c87c94b12220dbac0527e1356702179 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 May 2017 18:18:29 +0200
+Subject: USB: hub: fix SS max number of ports
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 93491ced3c87c94b12220dbac0527e1356702179 upstream.
+
+Add define for the maximum number of ports on a SuperSpeed hub as per
+USB 3.1 spec Table 10-5, and use it when verifying the retrieved hub
+descriptor.
+
+This specifically avoids benign attempts to update the DeviceRemovable
+mask for non-existing ports (should we get that far).
+
+Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 8 +++++++-
+ include/uapi/linux/usb/ch11.h | 3 +++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1346,7 +1346,13 @@ static int hub_configure(struct usb_hub
+ if (ret < 0) {
+ message = "can't read hub descriptor";
+ goto fail;
+- } else if (hub->descriptor->bNbrPorts > USB_MAXCHILDREN) {
++ }
++
++ maxchild = USB_MAXCHILDREN;
++ if (hub_is_superspeed(hdev))
++ maxchild = min_t(unsigned, maxchild, USB_SS_MAXPORTS);
++
++ if (hub->descriptor->bNbrPorts > maxchild) {
+ message = "hub has too many ports!";
+ ret = -ENODEV;
+ goto fail;
+--- a/include/uapi/linux/usb/ch11.h
++++ b/include/uapi/linux/usb/ch11.h
+@@ -22,6 +22,9 @@
+ */
+ #define USB_MAXCHILDREN 31
+
++/* See USB 3.1 spec Table 10-5 */
++#define USB_SS_MAXPORTS 15
++
+ /*
+ * Hub request types
+ */
--- /dev/null
+From dd14a3e9b92ac6f0918054f9e3477438760a4fa6 Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Thu, 27 Apr 2017 12:12:49 -0700
+Subject: usb: r8a66597-hcd: decrease timeout
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit dd14a3e9b92ac6f0918054f9e3477438760a4fa6 upstream.
+
+The timeout for BULK packets was 300ms which is a long time if other
+endpoints or devices are waiting for their turn. Changing it to 50ms
+greatly increased the overall performance for multi-endpoint devices.
+
+Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659")
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/r8a66597-hcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1269,7 +1269,7 @@ static void set_td_timer(struct r8a66597
+ time = 30;
+ break;
+ default:
+- time = 300;
++ time = 50;
+ break;
+ }
+
--- /dev/null
+From 1f873d857b6c2fefb4dada952674aa01bcfb92bd Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Thu, 27 Apr 2017 12:12:02 -0700
+Subject: usb: r8a66597-hcd: select a different endpoint on timeout
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit 1f873d857b6c2fefb4dada952674aa01bcfb92bd upstream.
+
+If multiple endpoints on a single device have pending IN URBs and one
+endpoint times out due to NAKs (perfectly legal), select a different
+endpoint URB to try.
+The existing code only checked to see another device address has pending
+URBs and ignores other IN endpoints on the current device address. This
+leads to endpoints never getting serviced if one endpoint is using NAK as
+a flow control method.
+
+Fixes: 5d3043586db4 ("usb: r8a66597-hcd: host controller driver for R8A6659")
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/r8a66597-hcd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/r8a66597-hcd.c
++++ b/drivers/usb/host/r8a66597-hcd.c
+@@ -1785,6 +1785,7 @@ static void r8a66597_td_timer(unsigned l
+ pipe = td->pipe;
+ pipe_stop(r8a66597, pipe);
+
++ /* Select a different address or endpoint */
+ new_td = td;
+ do {
+ list_move_tail(&new_td->queue,
+@@ -1794,7 +1795,8 @@ static void r8a66597_td_timer(unsigned l
+ new_td = td;
+ break;
+ }
+- } while (td != new_td && td->address == new_td->address);
++ } while (td != new_td && td->address == new_td->address &&
++ td->pipe->info.epnum == new_td->pipe->info.epnum);
+
+ start_transfer(r8a66597, new_td);
+
--- /dev/null
+From 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Fri, 28 Apr 2017 01:51:40 -0300
+Subject: [media] vb2: Fix an off by one error in 'vb2_plane_vaddr'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 upstream.
+
+We should ensure that 'plane_no' is '< vb->num_planes' as done in
+'vb2_plane_cookie' just a few lines below.
+
+Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1120,7 +1120,7 @@ EXPORT_SYMBOL_GPL(vb2_create_bufs);
+ */
+ void *vb2_plane_vaddr(struct vb2_buffer *vb, unsigned int plane_no)
+ {
+- if (plane_no > vb->num_planes || !vb->planes[plane_no].mem_priv)
++ if (plane_no >= vb->num_planes || !vb->planes[plane_no].mem_priv)
+ return NULL;
+
+ return call_ptr_memop(vb, vaddr, vb->planes[plane_no].mem_priv);
--- /dev/null
+From 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Mon, 8 May 2017 14:23:16 -0700
+Subject: x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 861ce4a3244c21b0af64f880d5bfe5e6e2fb9e4a upstream.
+
+'__vmalloc_start_set' currently only gets set in initmem_init() when
+!CONFIG_NEED_MULTIPLE_NODES. This breaks detection of vmalloc address
+with virt_addr_valid() with CONFIG_NEED_MULTIPLE_NODES=y, causing
+a kernel crash:
+
+ [mm/usercopy] 517e1fbeb6: kernel BUG at arch/x86/mm/physaddr.c:78!
+
+Set '__vmalloc_start_set' appropriately for that case as well.
+
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: dc16ecf7fd1f ("x86-32: use specific __vmalloc_start_set flag in __virt_addr_valid")
+Link: http://lkml.kernel.org/r/1494278596-30373-1-git-send-email-labbott@redhat.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/numa_32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/mm/numa_32.c
++++ b/arch/x86/mm/numa_32.c
+@@ -100,5 +100,6 @@ void __init initmem_init(void)
+ printk(KERN_DEBUG "High memory starts at vaddr %08lx\n",
+ (ulong) pfn_to_kaddr(highstart_pfn));
+
++ __vmalloc_start_set = true;
+ setup_bootmem_allocator();
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
