--- /dev/null
+From 3d392475c873c10c10d6d96b94d092a34ebd4791 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 02:27:43 +0000
+Subject: appletalk: fix atalk_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 3d392475c873c10c10d6d96b94d092a34ebd4791 upstream.
+
+atalk_getname() can leak 8 bytes of kernel memory to user
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/appletalk/ddp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1242,6 +1242,7 @@ static int atalk_getname(struct socket *
+ return -ENOBUFS;
+
+ *uaddr_len = sizeof(struct sockaddr_at);
++ memset(&sat.sat_zero, 0, sizeof(sat.sat_zero));
+
+ if (peer) {
+ if (sk->sk_state != TCP_ESTABLISHED)
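Review bot: The added `memset(&sat.sat_zero, 0, sizeof(sat.sat_zero))` clears a single member, so any compiler padding between the other members of `sat` would still hold old stack contents when the `sizeof(struct sockaddr_at)` bytes reported through `*uaddr_len` are returned; the struct layout is not visible here, so this needs confirming. Zeroing the whole object with `memset(&sat, 0, sizeof(sat));` does not depend on the layout and matches the can, irda, llc and rose patches on this page. The netrom hunk has the same shape: `memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));` covers one array in one branch, leaving `sax->fsa_ax25` and the `else` branch outside what it clears. atalk_getname() starts and ends outside this hunk.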
--- /dev/null
+From e9d126cdfa60b575f1b5b02024c4faee27dccf07 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Sun, 9 Aug 2009 14:24:09 +0200
+Subject: ar9170: fix read & write outside array bounds
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit e9d126cdfa60b575f1b5b02024c4faee27dccf07 upstream.
+
+Backport done by Christian Lamparter <chunkeey@googlemail.com>
+
+queue == __AR9170_NUM_TXQ would cause a bug on the next line.
+
+found by Smatch ( http://repo.or.cz/w/smatch.git ).
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Christian Lamparter <chunkeey@web.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/ar9170/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ar9170/main.c
++++ b/drivers/net/wireless/ar9170/main.c
+@@ -1486,13 +1486,14 @@ static int ar9170_conf_tx(struct ieee802
+ int ret;
+
+ mutex_lock(&ar->mutex);
+- if ((param) && !(queue > ar->hw->queues)) {
++ if (queue < __AR9170_NUM_TXQ) {
+ memcpy(&ar->edcf[ar9170_qos_hwmap[queue]],
+ param, sizeof(*param));
+
+ ret = ar9170_set_qos(ar);
+- } else
++ } else {
+ ret = -EINVAL;
++ }
+
+ mutex_unlock(&ar->mutex);
+ return ret;
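Review bot: The new condition drops the `param` test that the removed line carried, so `memcpy(&ar->edcf[ar9170_qos_hwmap[queue]], param, sizeof(*param))` now runs for any in-range queue even when `param` is NULL. Whether a caller can pass NULL is not visible in this hunk; if it can, keep both checks with `if (param && queue < __AR9170_NUM_TXQ) {`. The bound also assumes `ar9170_qos_hwmap` has at least `__AR9170_NUM_TXQ` entries, which is declared outside the hunk, as is the start of ar9170_conf_tx().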
--- /dev/null
+From e84b90ae5eb3c112d1f208964df1d8156a538289 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 20:27:04 +0000
+Subject: can: Fix raw_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream.
+
+raw_getname() can leak 10 bytes of kernel memory to user
+
+(two bytes hole between can_family and can_ifindex,
+8 bytes at the end of sockaddr_can structure)
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Acked-by: Oliver Hartkopp <oliver@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/can/raw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -397,6 +397,7 @@ static int raw_getname(struct socket *so
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(addr, 0, sizeof(*addr));
+ addr->can_family = AF_CAN;
+ addr->can_ifindex = ro->ifindex;
+
--- /dev/null
+From 80922bbb12a105f858a8f0abb879cb4302d0ecaa Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:48:36 +0000
+Subject: econet: Fix econet_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa upstream.
+
+econet_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/econet/af_econet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -520,6 +520,7 @@ static int econet_getname(struct socket
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(sec, 0, sizeof(*sec));
+ mutex_lock(&econet_mutex);
+
+ sk = sock->sk;
--- /dev/null
+From 788d908f2879a17e5f80924f3da2e23f1034482d Mon Sep 17 00:00:00 2001
+From: Julien TINNES <julien@cr0.org>
+Date: Thu, 27 Aug 2009 15:26:58 +0200
+Subject: ipv4: make ip_append_data() handle NULL routing table
+
+From: Julien TINNES <julien@cr0.org>
+
+commit 788d908f2879a17e5f80924f3da2e23f1034482d upstream.
+
+Add a check in ip_append_data() for NULL *rtp to prevent future bugs in
+callers from being exploitable.
+
+Signed-off-by: Julien Tinnes <julien@cr0.org>
+Signed-off-by: Tavis Ormandy <taviso@sdf.lonestar.org>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -813,6 +813,8 @@ int ip_append_data(struct sock *sk,
+ inet->cork.addr = ipc->addr;
+ }
+ rt = *rtp;
++ if (unlikely(!rt))
++ return -EFAULT;
+ /*
+ * We steal reference to this route, caller should not release it
+ */
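Review bot: The `-EFAULT` return sits after the cork setup whose tail is visible above it (`inet->cork.addr = ipc->addr;`), so a NULL `*rtp` leaves whatever that block already wrote to `inet->cork` in place. Reading `*rtp` and rejecting NULL before the cork setup begins would make the failure free of side effects; the start of that block is outside the hunk, so where exactly the check can move needs confirming. The check also deserves a comment saying it is defensive, for example `/* a caller bug must fail the call, not dereference a NULL route */`.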
--- /dev/null
+From 09384dfc76e526c3993c09c42e016372dc9dd22c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:55:04 +0000
+Subject: irda: Fix irda_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 09384dfc76e526c3993c09c42e016372dc9dd22c upstream.
+
+irda_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/irda/af_irda.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -714,6 +714,7 @@ static int irda_getname(struct socket *s
+ struct sock *sk = sock->sk;
+ struct irda_sock *self = irda_sk(sk);
+
++ memset(&saddr, 0, sizeof(saddr));
+ if (peer) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
--- /dev/null
+From 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jirislaby@gmail.com>
+Date: Sun, 23 Aug 2009 22:55:51 -0700
+Subject: NET: llc, zero sockaddr_llc struct
+
+From: Jiri Slaby <jirislaby@gmail.com>
+
+commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc upstream.
+
+sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+before copying to the above layer's structure.
+
+Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -914,6 +914,7 @@ static int llc_ui_getname(struct socket
+ struct llc_sock *llc = llc_sk(sk);
+ int rc = 0;
+
++ memset(&sllc, 0, sizeof(sllc));
+ lock_sock(sk);
+ if (sock_flag(sk, SOCK_ZAPPED))
+ goto out;
--- /dev/null
+From f6b97b29513950bfbf621a83d85b6f86b39ec8db Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:31:07 +0000
+Subject: netrom: Fix nr_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit f6b97b29513950bfbf621a83d85b6f86b39ec8db upstream.
+
+nr_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -848,6 +848,7 @@ static int nr_getname(struct socket *soc
+ sax->fsa_ax25.sax25_family = AF_NETROM;
+ sax->fsa_ax25.sax25_ndigis = 1;
+ sax->fsa_ax25.sax25_call = nr->user_addr;
++ memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));
+ sax->fsa_digipeater[0] = nr->dest_addr;
+ *uaddr_len = sizeof(struct full_sockaddr_ax25);
+ } else {
--- /dev/null
+From 7b6a09f3d6aedeaac923824af2a5df30300b56e9 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
+Date: Sun, 23 Aug 2009 22:54:32 +0000
+Subject: powerpc/ps3: Add missing check for PS3 to rtc-ps3 platform device registration
+
+From: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
+
+commit 7b6a09f3d6aedeaac923824af2a5df30300b56e9 upstream.
+
+On non-PS3, we get:
+
+| kernel BUG at drivers/rtc/rtc-ps3.c:36!
+
+because the rtc-ps3 platform device is registered unconditionally in a kernel
+with builtin support for PS3.
+
+Reported-by: Sachin Sant <sachinp@in.ibm.com>
+Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
+Acked-by: Geoff Levand <geoffrey.levand@am.sony.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+--- a/arch/powerpc/platforms/ps3/time.c
++++ b/arch/powerpc/platforms/ps3/time.c
+@@ -21,6 +21,7 @@
+ #include <linux/kernel.h>
+ #include <linux/platform_device.h>
+
++#include <asm/firmware.h>
+ #include <asm/rtc.h>
+ #include <asm/lv1call.h>
+ #include <asm/ps3.h>
+@@ -84,6 +85,9 @@ static int __init ps3_rtc_init(void)
+ {
+ struct platform_device *pdev;
+
++ if (!firmware_has_feature(FW_FEATURE_PS3_LV1))
++ return -ENODEV;
++
+ pdev = platform_device_register_simple("rtc-ps3", -1, NULL, 0);
+ if (IS_ERR(pdev))
+ return PTR_ERR(pdev);
--- /dev/null
+From 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Thu, 6 Aug 2009 03:34:06 +0000
+Subject: rose: Fix rose_getname() leak
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 upstream.
+
+rose_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -957,6 +957,7 @@ static int rose_getname(struct socket *s
+ struct rose_sock *rose = rose_sk(sk);
+ int n;
+
++ memset(srose, 0, sizeof(*srose));
+ if (peer != 0) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
gspca-ov534-fix-ov772x.patch
kthreads-fix-kthread_create-vs-kthread_stop-race.patch
ipv6-fix-commit-63d9950b08184e6531adceb65f64b429909cc101.patch
+usb-fix-the-clear_tt_buffer-interface.patch
+usb-ehci-use-the-new-clear_tt_buffer-interface.patch
+usb-ehci-fix-two-new-bugs-related-to-clear-tt-buffer.patch
+powerpc-ps3-add-missing-check-for-ps3-to-rtc-ps3-platform-device-registration.patch
+ipv4-make-ip_append_data-handle-null-routing-table.patch
+ar9170-fix-read-write-outside-array-bounds.patch
+xenfb-connect-to-backend-before-registering-fb.patch
+can-fix-raw_getname-leak.patch
+irda-fix-irda_getname-leak.patch
+appletalk-fix-atalk_getname-leak.patch
+netrom-fix-nr_getname-leak.patch
+econet-fix-econet_getname-leak.patch
+rose-fix-rose_getname-leak.patch
+net-llc-zero-sockaddr_llc-struct.patch
--- /dev/null
+From 7a0f0d951273eee889c2441846842348ebc00a2a Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 31 Jul 2009 10:40:22 -0400
+Subject: USB: EHCI: fix two new bugs related to Clear-TT-Buffer
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 7a0f0d951273eee889c2441846842348ebc00a2a upstream.
+
+This patch (as1273) fixes two(!) bugs introduced by the new
+Clear-TT-Buffer implementation in ehci-hcd.
+
+ It is now possible for an idle QH to have some URBs on its
+ queue -- this will happen if a Clear-TT-Buffer is pending for
+ the QH's endpoint. Consequently we should not issue a warning
+ when someone tries to unlink an URB from an idle QH; instead
+ we should process the request immediately.
+
+ The refcounts for QHs could get messed up, because
+ submit_async() would increment the refcount when calling
+ qh_link_async() and qh_link_async() would then refuse to link
+ the QH into the schedule if a Clear-TT-Buffer was pending.
+ Instead we should increment the refcount only when the QH
+ actually is added to the schedule. The current code tries to
+ be clever by leaving the refcount alone if an unlink is
+ immediately followed by a relink; the patch changes this to an
+ unconditional decrement and increment (although they occur in
+ the opposite order).
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: David Brownell <david-b@pacbell.net>
+Tested-by: Manuel Lauss <manuel.lauss@gmail.com>
+Tested-by: Matthijs Kooijman <matthijs@stdin.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-hcd.c | 3 ++-
+ drivers/usb/host/ehci-q.c | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -903,7 +903,8 @@ static int ehci_urb_dequeue(struct usb_h
+ /* already started */
+ break;
+ case QH_STATE_IDLE:
+- WARN_ON(1);
++ /* QH might be waiting for a Clear-TT-Buffer */
++ qh_completions(ehci, qh);
+ break;
+ }
+ break;
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -938,6 +938,7 @@ static void qh_link_async (struct ehci_h
+ head->qh_next.qh = qh;
+ head->hw_next = dma;
+
++ qh_get(qh);
+ qh->xacterrs = QH_XACTERR_MAX;
+ qh->qh_state = QH_STATE_LINKED;
+ /* qtd completions reported later by interrupt */
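Review bot: The added `qh_get(qh)` is the reference that the relocated `qh_put(qh); /* refcount from async list */` in end_unlink_async() drops, but only the put carries a comment. Add the matching one here, for example `qh_get(qh); /* async-list reference, dropped in end_unlink_async() */`, so the pairing is visible at both ends. The head of qh_link_async() is outside this hunk; if the function can return before reaching this line, the comment should state that the reference is taken only when the QH is actually linked.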
+@@ -1078,7 +1079,7 @@ submit_async (
+ * the HC and TT handle it when the TT has a buffer ready.
+ */
+ if (likely (qh->qh_state == QH_STATE_IDLE))
+- qh_link_async (ehci, qh_get (qh));
++ qh_link_async(ehci, qh);
+ done:
+ spin_unlock_irqrestore (&ehci->lock, flags);
+ if (unlikely (qh == NULL))
+@@ -1113,8 +1114,6 @@ static void end_unlink_async (struct ehc
+ && HC_IS_RUNNING (ehci_to_hcd(ehci)->state))
+ qh_link_async (ehci, qh);
+ else {
+- qh_put (qh); // refcount from async list
+-
+ /* it's not free to turn the async schedule on/off; leave it
+ * active but idle for a while once it empties.
+ */
+@@ -1122,6 +1121,7 @@ static void end_unlink_async (struct ehc
+ && ehci->async->qh_next.qh == NULL)
+ timer_action (ehci, TIMER_ASYNC_OFF);
+ }
++ qh_put(qh); /* refcount from async list */
+
+ if (next) {
+ ehci->reclaim = NULL;
--- /dev/null
+From 914b701280a76f96890ad63eb0fa99bf204b961c Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 29 Jun 2009 10:47:30 -0400
+Subject: USB: EHCI: use the new clear_tt_buffer interface
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 914b701280a76f96890ad63eb0fa99bf204b961c upstream.
+
+This patch (as1256) changes ehci-hcd and all the other drivers in the
+EHCI family to make use of the new clear_tt_buffer callbacks. When a
+Clear-TT-Buffer request is in progress for a QH, the QH is not allowed
+to be linked into the async schedule until the request is finished.
+At that time, if there are any URBs queued for the QH, it is linked
+into the async schedule.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-au1xxx.c | 2
+ drivers/usb/host/ehci-fsl.c | 2
+ drivers/usb/host/ehci-hcd.c | 2
+ drivers/usb/host/ehci-ixp4xx.c | 2
+ drivers/usb/host/ehci-orion.c | 2
+ drivers/usb/host/ehci-pci.c | 2
+ drivers/usb/host/ehci-ppc-of.c | 2
+ drivers/usb/host/ehci-ps3.c | 2
+ drivers/usb/host/ehci-q.c | 91 ++++++++++++++++++++++++++++++-----------
+ drivers/usb/host/ehci.h | 2
+ 10 files changed, 86 insertions(+), 23 deletions(-)
+
+--- a/drivers/usb/host/ehci-au1xxx.c
++++ b/drivers/usb/host/ehci-au1xxx.c
+@@ -112,6 +112,8 @@ static const struct hc_driver ehci_au1xx
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ehci_hcd_au1xxx_drv_probe(struct platform_device *pdev)
+--- a/drivers/usb/host/ehci-fsl.c
++++ b/drivers/usb/host/ehci-fsl.c
+@@ -324,6 +324,8 @@ static const struct hc_driver ehci_fsl_h
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ehci_fsl_drv_probe(struct platform_device *pdev)
+--- a/drivers/usb/host/ehci.h
++++ b/drivers/usb/host/ehci.h
+@@ -353,7 +353,9 @@ struct ehci_qh {
+ unsigned short period; /* polling interval */
+ unsigned short start; /* where polling starts */
+ #define NO_FRAME ((unsigned short)~0) /* pick new start */
++
+ struct usb_device *dev; /* access to TT */
++ unsigned clearing_tt:1; /* Clear-TT-Buf in progress */
+ } __attribute__ ((aligned (32)));
+
+ /*-------------------------------------------------------------------------*/
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -1003,6 +1003,8 @@ idle_timeout:
+ schedule_timeout_uninterruptible(1);
+ goto rescan;
+ case QH_STATE_IDLE: /* fully unlinked */
++ if (qh->clearing_tt)
++ goto idle_timeout;
+ if (list_empty (&qh->qtd_list)) {
+ qh_put (qh);
+ break;
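Review bot: `if (qh->clearing_tt) goto idle_timeout;` makes this loop wait for the completion callback, and the only visible place that clears the flag is ehci_clear_tt_buffer_complete(), invoked from hub_tt_work(). hub_quiesce() in the hub.c patch on this page calls `cancel_work_sync(&hub->tt.clear_work)`; if that cancels the work while entries are still on `clear_list`, nothing shown runs the callback and this wait would not terminate. Either the pending clears should be completed (or their callbacks invoked) when the hub is quiesced, or this wait needs a bound. The enclosing function and the `rescan` label are outside the hunk.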
+--- a/drivers/usb/host/ehci-ixp4xx.c
++++ b/drivers/usb/host/ehci-ixp4xx.c
+@@ -60,6 +60,8 @@ static const struct hc_driver ixp4xx_ehc
+ #endif
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ixp4xx_ehci_probe(struct platform_device *pdev)
+--- a/drivers/usb/host/ehci-orion.c
++++ b/drivers/usb/host/ehci-orion.c
+@@ -164,6 +164,8 @@ static const struct hc_driver ehci_orion
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static void __init
+--- a/drivers/usb/host/ehci-pci.c
++++ b/drivers/usb/host/ehci-pci.c
+@@ -408,6 +408,8 @@ static const struct hc_driver ehci_pci_h
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ /*-------------------------------------------------------------------------*/
+--- a/drivers/usb/host/ehci-ppc-of.c
++++ b/drivers/usb/host/ehci-ppc-of.c
+@@ -78,6 +78,8 @@ static const struct hc_driver ehci_ppc_o
+ #endif
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+
+--- a/drivers/usb/host/ehci-ps3.c
++++ b/drivers/usb/host/ehci-ps3.c
+@@ -74,6 +74,8 @@ static const struct hc_driver ps3_ehci_h
+ #endif
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ps3_ehci_probe(struct ps3_system_bus_device *dev)
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -139,6 +139,55 @@ qh_refresh (struct ehci_hcd *ehci, struc
+
+ /*-------------------------------------------------------------------------*/
+
++static void qh_link_async(struct ehci_hcd *ehci, struct ehci_qh *qh);
++
++static void ehci_clear_tt_buffer_complete(struct usb_hcd *hcd,
++ struct usb_host_endpoint *ep)
++{
++ struct ehci_hcd *ehci = hcd_to_ehci(hcd);
++ struct ehci_qh *qh = ep->hcpriv;
++ unsigned long flags;
++
++ spin_lock_irqsave(&ehci->lock, flags);
++ qh->clearing_tt = 0;
++ if (qh->qh_state == QH_STATE_IDLE && !list_empty(&qh->qtd_list)
++ && HC_IS_RUNNING(hcd->state))
++ qh_link_async(ehci, qh);
++ spin_unlock_irqrestore(&ehci->lock, flags);
++}
++
++static void ehci_clear_tt_buffer(struct ehci_hcd *ehci, struct ehci_qh *qh,
++ struct urb *urb, u32 token)
++{
++
++ /* If an async split transaction gets an error or is unlinked,
++ * the TT buffer may be left in an indeterminate state. We
++ * have to clear the TT buffer.
++ *
++ * Note: this routine is never called for Isochronous transfers.
++ */
++ if (urb->dev->tt && !usb_pipeint(urb->pipe) && !qh->clearing_tt) {
++#ifdef DEBUG
++ struct usb_device *tt = urb->dev->tt->hub;
++ dev_dbg(&tt->dev,
++ "clear tt buffer port %d, a%d ep%d t%08x\n",
++ urb->dev->ttport, urb->dev->devnum,
++ usb_pipeendpoint(urb->pipe), token);
++#endif /* DEBUG */
++ if (!ehci_is_TDI(ehci)
++ || urb->dev->tt->hub !=
++ ehci_to_hcd(ehci)->self.root_hub) {
++ if (usb_hub_clear_tt_buffer(urb) == 0)
++ qh->clearing_tt = 1;
++ } else {
++
++ /* REVISIT ARC-derived cores don't clear the root
++ * hub TT buffer in this way...
++ */
++ }
++ }
++}
++
+ static int qtd_copy_status (
+ struct ehci_hcd *ehci,
+ struct urb *urb,
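Review bot: ehci_clear_tt_buffer() sets `qh->clearing_tt = 1` only after `usb_hub_clear_tt_buffer(urb)` has already queued the work, so it relies on the caller holding `ehci->lock`, which ehci_clear_tt_buffer_complete() takes before clearing the flag. That requirement is not written down, and the call sites' locking is not visible in this hunk. A header comment such as `/* Caller must hold ehci->lock: the completion callback clears clearing_tt under that lock */` would record it. When `usb_hub_clear_tt_buffer()` fails, the flag stays 0 and the QH remains linkable with the TT buffer uncleared, which should be noted in the same comment.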
+@@ -195,28 +244,6 @@ static int qtd_copy_status (
+ usb_pipeendpoint (urb->pipe),
+ usb_pipein (urb->pipe) ? "in" : "out",
+ token, status);
+-
+- /* if async CSPLIT failed, try cleaning out the TT buffer */
+- if (status != -EPIPE
+- && urb->dev->tt
+- && !usb_pipeint(urb->pipe)
+- && ((token & QTD_STS_MMF) != 0
+- || QTD_CERR(token) == 0)
+- && (!ehci_is_TDI(ehci)
+- || urb->dev->tt->hub !=
+- ehci_to_hcd(ehci)->self.root_hub)) {
+-#ifdef DEBUG
+- struct usb_device *tt = urb->dev->tt->hub;
+- dev_dbg (&tt->dev,
+- "clear tt buffer port %d, a%d ep%d t%08x\n",
+- urb->dev->ttport, urb->dev->devnum,
+- usb_pipeendpoint (urb->pipe), token);
+-#endif /* DEBUG */
+- /* REVISIT ARC-derived cores don't clear the root
+- * hub TT buffer in this way...
+- */
+- usb_hub_clear_tt_buffer(urb);
+- }
+ }
+
+ return status;
+@@ -407,9 +434,16 @@ qh_completions (struct ehci_hcd *ehci, s
+ /* qh unlinked; token in overlay may be most current */
+ if (state == QH_STATE_IDLE
+ && cpu_to_hc32(ehci, qtd->qtd_dma)
+- == qh->hw_current)
++ == qh->hw_current) {
+ token = hc32_to_cpu(ehci, qh->hw_token);
+
++ /* An unlink may leave an incomplete
++ * async transaction in the TT buffer.
++ * We have to clear it.
++ */
++ ehci_clear_tt_buffer(ehci, qh, urb, token);
++ }
++
+ /* force halt for unlinked or blocked qh, so we'll
+ * patch the qh later and so that completions can't
+ * activate it while we "know" it's stopped.
+@@ -435,6 +469,13 @@ halt:
+ && (qtd->hw_alt_next
+ & EHCI_LIST_END(ehci)))
+ last_status = -EINPROGRESS;
++
++ /* As part of low/full-speed endpoint-halt processing
++ * we must clear the TT buffer (11.17.5).
++ */
++ if (unlikely(last_status != -EINPROGRESS &&
++ last_status != -EREMOTEIO))
++ ehci_clear_tt_buffer(ehci, qh, urb, token);
+ }
+
+ /* if we're removing something not at the queue head,
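Review bot: This call fires for every `last_status` other than -EINPROGRESS and -EREMOTEIO, whereas the block this patch removes from qtd_copy_status() was guarded by `status != -EPIPE` and by `(token & QTD_STS_MMF) != 0 || QTD_CERR(token) == 0`. If a stalled endpoint is not meant to trigger a Clear-TT-Buffer request, that exclusion has been lost; restoring it would mean adding `last_status != -EPIPE` to the condition. If the wider trigger is intended, the comment above the check should say that it deliberately covers -EPIPE as well. The surrounding `halt:` block starts outside the hunk.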
+@@ -864,6 +905,10 @@ static void qh_link_async (struct ehci_h
+ __hc32 dma = QH_NEXT(ehci, qh->qh_dma);
+ struct ehci_qh *head;
+
++ /* Don't link a QH if there's a Clear-TT-Buffer pending */
++ if (unlikely(qh->clearing_tt))
++ return;
++
+ /* (re)start the async schedule? */
+ head = ehci->async;
+ timer_action_done (ehci, TIMER_ASYNC_OFF);
--- /dev/null
+From cb88a1b887bb8908f6e00ce29e893ea52b074940 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 29 Jun 2009 10:43:32 -0400
+Subject: USB: fix the clear_tt_buffer interface
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit cb88a1b887bb8908f6e00ce29e893ea52b074940 upstream.
+
+This patch (as1255) updates the interface for calling
+usb_hub_clear_tt_buffer(). Even the name of the function is changed!
+
+When an async URB (i.e., Control or Bulk) going through a high-speed
+hub to a non-high-speed device is cancelled or fails, the hub's
+Transaction Translator buffer may be left busy still trying to
+complete the transaction. The buffer has to be cleared; that's what
+usb_hub_clear_tt_buffer() does.
+
+It isn't safe to send any more URBs to the same endpoint until the TT
+buffer is fully clear. Therefore the HCD needs to be told when the
+Clear-TT-Buffer request has finished. This patch adds a callback
+method to struct hc_driver for that purpose, and makes the hub driver
+invoke the callback at the proper time.
+
+The patch also changes a couple of names; "hub_tt_kevent" and
+"tt.kevent" now look rather antiquated.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/hcd.h | 4 ++++
+ drivers/usb/core/hub.c | 40 ++++++++++++++++++++++++++--------------
+ drivers/usb/core/hub.h | 6 ++++--
+ drivers/usb/host/ehci-q.c | 2 +-
+ 4 files changed, 35 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/core/hcd.h
++++ b/drivers/usb/core/hcd.h
+@@ -224,6 +224,10 @@ struct hc_driver {
+ void (*relinquish_port)(struct usb_hcd *, int);
+ /* has a port been handed over to a companion? */
+ int (*port_handed_over)(struct usb_hcd *, int);
++
++ /* CLEAR_TT_BUFFER completion callback */
++ void (*clear_tt_buffer_complete)(struct usb_hcd *,
++ struct usb_host_endpoint *);
+ };
+
+ extern int usb_hcd_link_urb_to_ep(struct usb_hcd *hcd, struct urb *urb);
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -448,10 +448,10 @@ hub_clear_tt_buffer (struct usb_device *
+ * talking to TTs must queue control transfers (not just bulk and iso), so
+ * both can talk to the same hub concurrently.
+ */
+-static void hub_tt_kevent (struct work_struct *work)
++static void hub_tt_work(struct work_struct *work)
+ {
+ struct usb_hub *hub =
+- container_of(work, struct usb_hub, tt.kevent);
++ container_of(work, struct usb_hub, tt.clear_work);
+ unsigned long flags;
+ int limit = 100;
+
+@@ -460,6 +460,7 @@ static void hub_tt_kevent (struct work_s
+ struct list_head *temp;
+ struct usb_tt_clear *clear;
+ struct usb_device *hdev = hub->hdev;
++ const struct hc_driver *drv;
+ int status;
+
+ temp = hub->tt.clear_list.next;
+@@ -469,21 +470,25 @@ static void hub_tt_kevent (struct work_s
+ /* drop lock so HCD can concurrently report other TT errors */
+ spin_unlock_irqrestore (&hub->tt.lock, flags);
+ status = hub_clear_tt_buffer (hdev, clear->devinfo, clear->tt);
+- spin_lock_irqsave (&hub->tt.lock, flags);
+-
+ if (status)
+ dev_err (&hdev->dev,
+ "clear tt %d (%04x) error %d\n",
+ clear->tt, clear->devinfo, status);
++
++ /* Tell the HCD, even if the operation failed */
++ drv = clear->hcd->driver;
++ if (drv->clear_tt_buffer_complete)
++ (drv->clear_tt_buffer_complete)(clear->hcd, clear->ep);
++
+ kfree(clear);
++ spin_lock_irqsave(&hub->tt.lock, flags);
+ }
+ spin_unlock_irqrestore (&hub->tt.lock, flags);
+ }
+
+ /**
+- * usb_hub_tt_clear_buffer - clear control/bulk TT state in high speed hub
+- * @udev: the device whose split transaction failed
+- * @pipe: identifies the endpoint of the failed transaction
++ * usb_hub_clear_tt_buffer - clear control/bulk TT state in high speed hub
++ * @urb: an URB associated with the failed or incomplete split transaction
+ *
+ * High speed HCDs use this to tell the hub driver that some split control or
+ * bulk transaction failed in a way that requires clearing internal state of
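Review bot: `clear->hcd` and `clear->ep` are dereferenced here from the work queue, but the lines that fill them in (`clear->hcd = bus_to_hcd(udev->bus);` and `clear->ep = urb->ep;` in usb_hub_clear_tt_buffer()) store bare pointers, with no reference taken in the visible code. The endpoint therefore has to outlive the queued request by some other means, presumably the HCD holding off endpoint teardown until the callback has run. State that next to the call, for example `/* ep must stay valid until this callback; HCDs implementing it must not finish endpoint_disable while a clear is queued */`. The loop head of hub_tt_work() is outside this hunk.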
+@@ -493,8 +498,10 @@ static void hub_tt_kevent (struct work_s
+ * It may not be possible for that hub to handle additional full (or low)
+ * speed transactions until that state is fully cleared out.
+ */
+-void usb_hub_tt_clear_buffer (struct usb_device *udev, int pipe)
++int usb_hub_clear_tt_buffer(struct urb *urb)
+ {
++ struct usb_device *udev = urb->dev;
++ int pipe = urb->pipe;
+ struct usb_tt *tt = udev->tt;
+ unsigned long flags;
+ struct usb_tt_clear *clear;
+@@ -506,7 +513,7 @@ void usb_hub_tt_clear_buffer (struct usb
+ if ((clear = kmalloc (sizeof *clear, GFP_ATOMIC)) == NULL) {
+ dev_err (&udev->dev, "can't save CLEAR_TT_BUFFER state\n");
+ /* FIXME recover somehow ... RESET_TT? */
+- return;
++ return -ENOMEM;
+ }
+
+ /* info that CLEAR_TT_BUFFER needs */
+@@ -518,14 +525,19 @@ void usb_hub_tt_clear_buffer (struct usb
+ : (USB_ENDPOINT_XFER_BULK << 11);
+ if (usb_pipein (pipe))
+ clear->devinfo |= 1 << 15;
+-
++
++ /* info for completion callback */
++ clear->hcd = bus_to_hcd(udev->bus);
++ clear->ep = urb->ep;
++
+ /* tell keventd to clear state for this TT */
+ spin_lock_irqsave (&tt->lock, flags);
+ list_add_tail (&clear->clear_list, &tt->clear_list);
+- schedule_work (&tt->kevent);
++ schedule_work(&tt->clear_work);
+ spin_unlock_irqrestore (&tt->lock, flags);
++ return 0;
+ }
+-EXPORT_SYMBOL_GPL(usb_hub_tt_clear_buffer);
++EXPORT_SYMBOL_GPL(usb_hub_clear_tt_buffer);
+
+ /* If do_delay is false, return the number of milliseconds the caller
+ * needs to delay.
+@@ -816,7 +828,7 @@ static void hub_quiesce(struct usb_hub *
+ if (hub->has_indicators)
+ cancel_delayed_work_sync(&hub->leds);
+ if (hub->tt.hub)
+- cancel_work_sync(&hub->tt.kevent);
++ cancel_work_sync(&hub->tt.clear_work);
+ }
+
+ /* caller has locked the hub device */
+@@ -933,7 +945,7 @@ static int hub_configure(struct usb_hub
+
+ spin_lock_init (&hub->tt.lock);
+ INIT_LIST_HEAD (&hub->tt.clear_list);
+- INIT_WORK (&hub->tt.kevent, hub_tt_kevent);
++ INIT_WORK(&hub->tt.clear_work, hub_tt_work);
+ switch (hdev->descriptor.bDeviceProtocol) {
+ case 0:
+ break;
+--- a/drivers/usb/core/hub.h
++++ b/drivers/usb/core/hub.h
+@@ -185,16 +185,18 @@ struct usb_tt {
+ /* for control/bulk error recovery (CLEAR_TT_BUFFER) */
+ spinlock_t lock;
+ struct list_head clear_list; /* of usb_tt_clear */
+- struct work_struct kevent;
++ struct work_struct clear_work;
+ };
+
+ struct usb_tt_clear {
+ struct list_head clear_list;
+ unsigned tt;
+ u16 devinfo;
++ struct usb_hcd *hcd;
++ struct usb_host_endpoint *ep;
+ };
+
+-extern void usb_hub_tt_clear_buffer(struct usb_device *dev, int pipe);
++extern int usb_hub_clear_tt_buffer(struct urb *urb);
+ extern void usb_ep0_reinit(struct usb_device *);
+
+ #endif /* __LINUX_HUB_H */
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -215,7 +215,7 @@ static int qtd_copy_status (
+ /* REVISIT ARC-derived cores don't clear the root
+ * hub TT buffer in this way...
+ */
+- usb_hub_tt_clear_buffer (urb->dev, urb->pipe);
++ usb_hub_clear_tt_buffer(urb);
+ }
+ }
+
--- /dev/null
+From 0a80fb10239b04c45e5e80aad8d4b2ca5ac407b2 Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge <jeremy@goop.org>
+Date: Thu, 27 Aug 2009 12:22:43 -0700
+Subject: xenfb: connect to backend before registering fb
+
+From: Jeremy Fitzhardinge <jeremy@goop.org>
+
+commit 0a80fb10239b04c45e5e80aad8d4b2ca5ac407b2 upstream.
+
+As soon as the framebuffer is registered, our methods may be called by the
+kernel. This leads to a crash as xenfb_refresh() gets called before we have
+the irq.
+
+Connect to the backend before registering our framebuffer with the kernel.
+
+[ Fixes bug http://bugzilla.kernel.org/show_bug.cgi?id=14059 ]
+
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/xen-fbfront.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/xen-fbfront.c
++++ b/drivers/video/xen-fbfront.c
+@@ -454,6 +454,10 @@ static int __devinit xenfb_probe(struct
+
+ xenfb_init_shared_page(info, fb_info);
+
++ ret = xenfb_connect_backend(dev, info);
++ if (ret < 0)
++ goto error;
++
+ ret = register_framebuffer(fb_info);
+ if (ret) {
+ fb_deferred_io_cleanup(fb_info);
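Review bot: The moved `goto error` now runs before `info->fb_info = fb_info;`, which the second hunk of this file shows still sits after register_framebuffer(). The register-failure branch directly below releases `fb_info` explicitly, starting with `fb_deferred_io_cleanup(fb_info);`, which suggests the `error` label does not release it unless `info->fb_info` is set. If so, a failed xenfb_connect_backend() now leaks the framebuffer allocations, and the connect-failure path should do the same cleanup as the register-failure path before jumping to `error`. The `error` label and the rest of that branch are outside the hunk, so this needs confirming against the full function.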
+@@ -464,10 +468,6 @@ static int __devinit xenfb_probe(struct
+ }
+ info->fb_info = fb_info;
+
+- ret = xenfb_connect_backend(dev, info);
+- if (ret < 0)
+- goto error;
+-
+ xenfb_make_preferred_console();
+ return 0;
+