--- /dev/null
+From 8c0c59a9a1700e84d7b1d1e1a1077a26cb7f8ac7 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Mon, 11 Feb 2013 08:22:22 +0000
+Subject: bridge: set priority of STP packets
+
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 547b4e718115eea74087e28d7fa70aec619200db ]
+
+Spanning Tree Protocol packets should have always been marked as
+control packets, this causes them to get queued in the high prirority
+FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge
+gets overloaded and can't communicate. This is a long-standing bug back
+to the first versions of Linux bridge.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_stp_bpdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -16,6 +16,7 @@
+ #include <linux/etherdevice.h>
+ #include <linux/llc.h>
+ #include <linux/slab.h>
++#include <linux/pkt_sched.h>
+ #include <net/net_namespace.h>
+ #include <net/llc.h>
+ #include <net/llc_pdu.h>
+@@ -40,6 +41,7 @@ static void br_send_bpdu(struct net_brid
+
+ skb->dev = p->dev;
+ skb->protocol = htons(ETH_P_802_2);
++ skb->priority = TC_PRIO_CONTROL;
+
+ skb_reserve(skb, LLC_RESERVE);
+ memcpy(__skb_put(skb, length), data, length);
--- /dev/null
+From c419fcfd071cf34ba00f9f65282583772d2655e7 Mon Sep 17 00:00:00 2001
+From: Maciej Sosnowski <maciej.sosnowski@intel.com>
+Date: Wed, 23 May 2012 17:27:07 +0200
+Subject: dca: check against empty dca_domains list before unregister provider
+
+From: Maciej Sosnowski <maciej.sosnowski@intel.com>
+
+commit c419fcfd071cf34ba00f9f65282583772d2655e7 upstream.
+
+When providers get blocked unregister_dca_providers() is called ending up
+with dca_providers and dca_domain lists emptied. Dca should be prevented from
+trying to unregister any provider if dca_domain list is found empty.
+
+Reported-by: Jiang Liu <jiang.liu@huawei.com>
+Tested-by: Gaohuai Han <hangaohuai@huawei.com>
+Signed-off-by: Maciej Sosnowski <maciej.sosnowski@intel.com>
+Signed-off-by: Dan Williams <djbw@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dca/dca-core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/dca/dca-core.c
++++ b/drivers/dca/dca-core.c
+@@ -420,6 +420,11 @@ void unregister_dca_provider(struct dca_
+
+ raw_spin_lock_irqsave(&dca_lock, flags);
+
++ if (list_empty(&dca_domains)) {
++ raw_spin_unlock_irqrestore(&dca_lock, flags);
++ return;
++ }
++
+ list_del(&dca->node);
+
+ pci_rc = dca_pci_rc_from_dev(dev);
--- /dev/null
+From 0325063977212e09fb5cdaa8fb7d05d3b000bd7e Mon Sep 17 00:00:00 2001
+From: Li Wei <lw@cn.fujitsu.com>
+Date: Thu, 21 Feb 2013 00:09:54 +0000
+Subject: ipv4: fix a bug in ping_err().
+
+
+From: Li Wei <lw@cn.fujitsu.com>
+
+[ Upstream commit b531ed61a2a2a77eeb2f7c88b49aa5ec7d9880d8 ]
+
+We should get 'type' and 'code' from the outer ICMP header.
+
+Signed-off-by: Li Wei <lw@cn.fujitsu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ping.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -321,8 +321,8 @@ void ping_err(struct sk_buff *skb, u32 i
+ struct iphdr *iph = (struct iphdr *)skb->data;
+ struct icmphdr *icmph = (struct icmphdr *)(skb->data+(iph->ihl<<2));
+ struct inet_sock *inet_sock;
+- int type = icmph->type;
+- int code = icmph->code;
++ int type = icmp_hdr(skb)->type;
++ int code = icmp_hdr(skb)->code;
+ struct net *net = dev_net(skb->dev);
+ struct sock *sk;
+ int harderr;
--- /dev/null
+From a4a16926f7dd10e0c7edf990588b218d56625b25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 21 Feb 2013 12:18:52 +0000
+Subject: ipv6: use a stronger hash for tcp
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 08dcdbf6a7b9d14c2302c5bd0c5390ddf122f664 ]
+
+It looks like its possible to open thousands of TCP IPv6
+sessions on a server, all landing in a single slot of TCP hash
+table. Incoming packets have to lookup sockets in a very
+long list.
+
+We should hash all bits from foreign IPv6 addresses, using
+a salt and hash mix, not a simple XOR.
+
+inet6_ehashfn() can also separately use the ports, instead
+of xoring them.
+
+Reported-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet6_hashtables.h | 8 ++++----
+ include/net/inet_sock.h | 1 +
+ include/net/ipv6.h | 12 ++++++++++++
+ net/ipv4/af_inet.c | 9 +++++++--
+ 4 files changed, 24 insertions(+), 6 deletions(-)
+
+--- a/include/net/inet6_hashtables.h
++++ b/include/net/inet6_hashtables.h
+@@ -28,16 +28,16 @@
+
+ struct inet_hashinfo;
+
+-/* I have no idea if this is a good hash for v6 or not. -DaveM */
+ static inline unsigned int inet6_ehashfn(struct net *net,
+ const struct in6_addr *laddr, const u16 lport,
+ const struct in6_addr *faddr, const __be16 fport)
+ {
+- u32 ports = (lport ^ (__force u16)fport);
++ u32 ports = (((u32)lport) << 16) | (__force u32)fport;
+
+ return jhash_3words((__force u32)laddr->s6_addr32[3],
+- (__force u32)faddr->s6_addr32[3],
+- ports, inet_ehash_secret + net_hash_mix(net));
++ ipv6_addr_jhash(faddr),
++ ports,
++ inet_ehash_secret + net_hash_mix(net));
+ }
+
+ static inline int inet6_sk_ehashfn(const struct sock *sk)
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -202,6 +202,7 @@ static inline void inet_sk_copy_descenda
+ extern int inet_sk_rebuild_header(struct sock *sk);
+
+ extern u32 inet_ehash_secret;
++extern u32 ipv6_hash_secret;
+ extern void build_ehash_secret(void);
+
+ static inline unsigned int inet_ehashfn(struct net *net,
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -15,6 +15,7 @@
+
+ #include <linux/ipv6.h>
+ #include <linux/hardirq.h>
++#include <linux/jhash.h>
+ #include <net/if_inet6.h>
+ #include <net/ndisc.h>
+ #include <net/flow.h>
+@@ -390,6 +391,17 @@ struct ip6_create_arg {
+ void ip6_frag_init(struct inet_frag_queue *q, void *a);
+ int ip6_frag_match(struct inet_frag_queue *q, void *a);
+
++/* more secured version of ipv6_addr_hash() */
++static inline u32 ipv6_addr_jhash(const struct in6_addr *a)
++{
++ u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1];
++
++ return jhash_3words(v,
++ (__force u32)a->s6_addr32[2],
++ (__force u32)a->s6_addr32[3],
++ ipv6_hash_secret);
++}
++
+ static inline int ipv6_addr_any(const struct in6_addr *a)
+ {
+ return (a->s6_addr32[0] | a->s6_addr32[1] |
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -227,8 +227,12 @@ EXPORT_SYMBOL(inet_listen);
+ u32 inet_ehash_secret __read_mostly;
+ EXPORT_SYMBOL(inet_ehash_secret);
+
++u32 ipv6_hash_secret __read_mostly;
++EXPORT_SYMBOL(ipv6_hash_secret);
++
+ /*
+- * inet_ehash_secret must be set exactly once
++ * inet_ehash_secret must be set exactly once, and to a non nul value
++ * ipv6_hash_secret must be set exactly once.
+ */
+ void build_ehash_secret(void)
+ {
+@@ -238,7 +242,8 @@ void build_ehash_secret(void)
+ get_random_bytes(&rnd, sizeof(rnd));
+ } while (rnd == 0);
+
+- cmpxchg(&inet_ehash_secret, 0, rnd);
++ if (cmpxchg(&inet_ehash_secret, 0, rnd) == 0)
++ get_random_bytes(&ipv6_hash_secret, sizeof(ipv6_hash_secret));
+ }
+ EXPORT_SYMBOL(build_ehash_secret);
+
--- /dev/null
+From 8225ca67767a0a2533f1e7c06ac00091222e7f44 Mon Sep 17 00:00:00 2001
+From: Ying Xue <ying.xue@windriver.com>
+Date: Fri, 15 Feb 2013 22:28:25 +0000
+Subject: net: fix a compile error when SOCK_REFCNT_DEBUG is enabled
+
+
+From: Ying Xue <ying.xue@windriver.com>
+
+[ Upstream commit dec34fb0f5b7873de45132a84a3af29e61084a6b ]
+
+When SOCK_REFCNT_DEBUG is enabled, below build error is met:
+
+kernel/sysctl_binary.o: In function `sk_refcnt_debug_release':
+include/net/sock.h:1025: multiple definition of `sk_refcnt_debug_release'
+kernel/sysctl.o:include/net/sock.h:1025: first defined here
+kernel/audit.o: In function `sk_refcnt_debug_release':
+include/net/sock.h:1025: multiple definition of `sk_refcnt_debug_release'
+kernel/sysctl.o:include/net/sock.h:1025: first defined here
+make[1]: *** [kernel/built-in.o] Error 1
+make: *** [kernel] Error 2
+
+So we decide to make sk_refcnt_debug_release static to eliminate
+the error.
+
+Signed-off-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -944,7 +944,7 @@ static inline void sk_refcnt_debug_dec(s
+ sk->sk_prot->name, sk, atomic_read(&sk->sk_prot->socks));
+ }
+
+-inline void sk_refcnt_debug_release(const struct sock *sk)
++static inline void sk_refcnt_debug_release(const struct sock *sk)
+ {
+ if (atomic_read(&sk->sk_refcnt) != 1)
+ printk(KERN_DEBUG "Destruction of the %s socket %p delayed, refcnt=%d\n",
--- /dev/null
+From e71d1b0262074b61e1baf580579fa522146945b2 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 12 Feb 2013 06:16:53 +0000
+Subject: net: fix infinite loop in __skb_recv_datagram()
+
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 77c1090f94d1b0b5186fb13a1b71b47b1343f87f ]
+
+Tommi was fuzzing with trinity and reported the following problem :
+
+commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
+missed that a raw socket receive queue can contain skbs with no payload.
+
+We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
+wait_for_packet() is not prepared to skip these skbs.
+
+[ 83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
+(detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
+[ 83.541011] INFO: Stall ended before state dump start
+[ 108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847]
+...
+[ 108.067010] Call Trace:
+[ 108.067010] [<ffffffff818cc103>] __skb_recv_datagram+0x1a3/0x3b0
+[ 108.067010] [<ffffffff818cc33d>] skb_recv_datagram+0x2d/0x30
+[ 108.067010] [<ffffffff819ed43d>] rawv6_recvmsg+0xad/0x240
+[ 108.067010] [<ffffffff818c4b04>] sock_common_recvmsg+0x34/0x50
+[ 108.067010] [<ffffffff818bc8ec>] sock_recvmsg+0xbc/0xf0
+[ 108.067010] [<ffffffff818bf31e>] sys_recvfrom+0xde/0x150
+[ 108.067010] [<ffffffff81ca4329>] system_call_fastpath+0x16/0x1b
+
+Reported-by: Tommi Rantala <tt.rantala@gmail.com>
+Tested-by: Tommi Rantala <tt.rantala@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Acked-by: Pavel Emelyanov <xemul@parallels.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/datagram.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -187,7 +187,7 @@ struct sk_buff *__skb_recv_datagram(stru
+ skb_queue_walk(queue, skb) {
+ *peeked = skb->peeked;
+ if (flags & MSG_PEEK) {
+- if (*off >= skb->len) {
++ if (*off >= skb->len && skb->len) {
+ *off -= skb->len;
+ continue;
+ }
fb-yet-another-band-aid-for-fixing-lockdep-mess.patch
mmc-sdhci-esdhc-imx-fix-host-version-read.patch
hid-wiimote-fix-nunchuck-button-parser.patch
+bridge-set-priority-of-stp-packets.patch
+net-fix-infinite-loop-in-__skb_recv_datagram.patch
+xen-netback-correctly-return-errors-from-netbk_count_requests.patch
+xen-netback-cancel-the-credit-timer-when-taking-the-vif-down.patch
+net-fix-a-compile-error-when-sock_refcnt_debug-is-enabled.patch
+ipv4-fix-a-bug-in-ping_err.patch
+ipv6-use-a-stronger-hash-for-tcp.patch
+sock_diag-fix-out-of-bounds-access-to-sock_diag_handlers.patch
+vlan-adjust-vlan_set_encap_proto-for-its-callers.patch
+usb-ehci-omap-don-t-free-gpios-that-we-didn-t-request.patch
+dca-check-against-empty-dca_domains-list-before-unregister-provider.patch
+usb-option-add-and-update-alcatel-modems.patch
+usb-option-add-yota-megafon-m100-1-4g-modem.patch
+usb-option-add-huawei-acm-devices-using-protocol-vendor.patch
+usb-ehci-omap-fix-autoloading-of-module.patch
+usb-storage-properly-handle-the-endian-issues-of-idproduct.patch
+usb-usb-storage-unusual_devs-update-for-super-top-sata-bridge.patch
--- /dev/null
+From 21091b1c3592f7dc9f7287305c47b2f801dfdd35 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 23 Feb 2013 01:13:47 +0000
+Subject: sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
+
+
+From: Mathias Krause <minipli@googlemail.com>
+
+[ Upstream commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 ]
+
+Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+with a family greater or equal then AF_MAX -- the array size of
+sock_diag_handlers[]. The current code does not test for this
+condition therefore is vulnerable to an out-of-bound access opening
+doors for a privilege escalation.
+
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_diag.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -126,6 +126,9 @@ static int __sock_diag_rcv_msg(struct sk
+ if (nlmsg_len(nlh) < sizeof(*req))
+ return -EINVAL;
+
++ if (req->sdiag_family >= AF_MAX)
++ return -EINVAL;
++
+ hndl = sock_diag_lock_handler(req->sdiag_family);
+ if (hndl == NULL)
+ err = -ENOENT;
--- /dev/null
+From 428525f97153505e83983460a8d08a3210aa6b8a Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Thu, 14 Feb 2013 17:08:08 +0200
+Subject: USB: ehci-omap: Don't free gpios that we didn't request
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 428525f97153505e83983460a8d08a3210aa6b8a upstream.
+
+This driver does not request any gpios so don't free them.
+Fixes L3 bus error on multiple modprobe/rmmod of ehci_hcd
+with ehci-omap in use.
+
+Without this patch, EHCI will break on repeated insmod/rmmod
+of ehci_hcd for all OMAP2+ platforms that use EHCI and
+set 'phy_reset = true' in usbhs_omap_board_data.
+i.e.
+
+board-3430sdp.c: .phy_reset = true,
+board-3630sdp.c: .phy_reset = true,
+board-am3517crane.c: .phy_reset = true,
+board-am3517evm.c: .phy_reset = true,
+board-cm-t3517.c: .phy_reset = true,
+board-cm-t35.c: .phy_reset = true,
+board-devkit8000.c: .phy_reset = true,
+board-igep0020.c: .phy_reset = true,
+board-igep0020.c: .phy_reset = true,
+board-omap3beagle.c: .phy_reset = true,
+board-omap3evm.c: .phy_reset = true,
+board-omap3pandora.c: .phy_reset = true,
+board-omap3stalker.c: .phy_reset = true,
+board-omap3touchbook.c: .phy_reset = true,
+board-omap4panda.c: .phy_reset = false,
+board-overo.c: .phy_reset = true,
+board-zoom.c: .phy_reset = true,
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Reviewed-by: Felipe Balbi <balbi@ti.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ehci-omap.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/usb/host/ehci-omap.c
++++ b/drivers/usb/host/ehci-omap.c
+@@ -288,7 +288,6 @@ static int ehci_hcd_omap_remove(struct p
+ {
+ struct device *dev = &pdev->dev;
+ struct usb_hcd *hcd = dev_get_drvdata(dev);
+- struct ehci_hcd_omap_platform_data *pdata = dev->platform_data;
+
+ usb_remove_hcd(hcd);
+ disable_put_regulator(dev->platform_data);
+@@ -297,13 +296,6 @@ static int ehci_hcd_omap_remove(struct p
+ pm_runtime_put_sync(dev);
+ pm_runtime_disable(dev);
+
+- if (pdata->phy_reset) {
+- if (gpio_is_valid(pdata->reset_gpio_port[0]))
+- gpio_free(pdata->reset_gpio_port[0]);
+-
+- if (gpio_is_valid(pdata->reset_gpio_port[1]))
+- gpio_free(pdata->reset_gpio_port[1]);
+- }
+ return 0;
+ }
+
--- /dev/null
+From 04753523266629b1cd0518091da1658755787198 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Thu, 14 Feb 2013 17:08:09 +0200
+Subject: USB: ehci-omap: Fix autoloading of module
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 04753523266629b1cd0518091da1658755787198 upstream.
+
+The module alias should be "ehci-omap" and not
+"omap-ehci" to match the platform device name.
+The omap-ehci module should now autoload correctly.
+
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ehci-omap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ehci-omap.c
++++ b/drivers/usb/host/ehci-omap.c
+@@ -363,7 +363,7 @@ static const struct hc_driver ehci_omap_
+ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+-MODULE_ALIAS("platform:omap-ehci");
++MODULE_ALIAS("platform:ehci-omap");
+ MODULE_AUTHOR("Texas Instruments, Inc.");
+ MODULE_AUTHOR("Felipe Balbi <felipe.balbi@nokia.com>");
+
--- /dev/null
+From f8f0302bbcbd1b14655bef29f6996a2152be559d Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Wed, 23 Jan 2013 10:44:36 +0100
+Subject: USB: option: add and update Alcatel modems
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit f8f0302bbcbd1b14655bef29f6996a2152be559d upstream.
+
+Adding three currently unsupported modems based on information
+from .inf driver files:
+
+ Diag VID_1BBB&PID_0052&MI_00
+ AGPS VID_1BBB&PID_0052&MI_01
+ VOICE VID_1BBB&PID_0052&MI_02
+ AT VID_1BBB&PID_0052&MI_03
+ Modem VID_1BBB&PID_0052&MI_05
+ wwan VID_1BBB&PID_0052&MI_06
+
+ Diag VID_1BBB&PID_00B6&MI_00
+ AT VID_1BBB&PID_00B6&MI_01
+ Modem VID_1BBB&PID_00B6&MI_02
+ wwan VID_1BBB&PID_00B6&MI_03
+
+ Diag VID_1BBB&PID_00B7&MI_00
+ AGPS VID_1BBB&PID_00B7&MI_01
+ VOICE VID_1BBB&PID_00B7&MI_02
+ AT VID_1BBB&PID_00B7&MI_03
+ Modem VID_1BBB&PID_00B7&MI_04
+ wwan VID_1BBB&PID_00B7&MI_05
+
+Updating the blacklist info for the X060S_X200 and X220_X500D,
+reserving interfaces for a wwan driver, based on
+
+ wwan VID_1BBB&PID_0000&MI_04
+ wwan VID_1BBB&PID_0017&MI_06
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -479,6 +479,7 @@ static const struct option_blacklist_inf
+
+ static const struct option_blacklist_info alcatel_x200_blacklist = {
+ .sendsetup = BIT(0) | BIT(1),
++ .reserved = BIT(4),
+ };
+
+ static const struct option_blacklist_info zte_0037_blacklist = {
+@@ -1215,7 +1216,14 @@ static const struct usb_device_id option
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
+ .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist
+ },
+- { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D) },
++ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
++ .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
++ { USB_DEVICE(ALCATEL_VENDOR_ID, 0x0052),
++ .driver_info = (kernel_ulong_t)&net_intf6_blacklist },
++ { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b6),
++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
++ { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b7),
++ .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
+ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L100V),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) },
--- /dev/null
+From 1f3f687722fd9b29a0c2a85b4844e3b2a3585c63 Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Wed, 13 Feb 2013 23:41:34 +0100
+Subject: USB: option: add Huawei "ACM" devices using protocol = vendor
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit 1f3f687722fd9b29a0c2a85b4844e3b2a3585c63 upstream.
+
+The USB device descriptor of one identity presented by a few
+Huawei morphing devices have serial functions with class codes
+02/02/ff, indicating CDC ACM with a vendor specific protocol. This
+combination is often used for MSFT RNDIS functions, and the CDC
+ACM class driver will therefore ignore such functions.
+
+The CDC ACM class driver cannot support functions with only 2
+endpoints. The underlying serial functions of these modems are
+also believed to be the same as for alternate device identities
+already supported by the option driver. Letting the same driver
+handle these functions independently of the current identity
+ensures consistent handling and user experience.
+
+There is no need to blacklist these devices in the rndis_host
+driver. Huawei serial functions will either have only 2 endpoints
+or a CDC ACM functional descriptor with bmCapabilities != 0, making
+them correctly ignored as "non RNDIS" by that driver.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -578,8 +578,12 @@ static const struct usb_device_id option
+ { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLE) },
+ { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c05, USB_CLASS_COMM, 0x02, 0xff) },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff),
--- /dev/null
+From cd565279e51bedee1b2988e84f9b3bef485adeb6 Mon Sep 17 00:00:00 2001
+From: Bjørn Mork <bjorn@mork.no>
+Date: Tue, 12 Feb 2013 13:42:24 +0100
+Subject: USB: option: add Yota / Megafon M100-1 4g modem
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit cd565279e51bedee1b2988e84f9b3bef485adeb6 upstream.
+
+Interface layout:
+
+ 00 CD-ROM
+ 01 debug COM port
+ 02 AP control port
+ 03 modem
+ 04 usb-ethernet
+
+Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#= 4 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=0408 ProdID=ea42 Rev= 0.00
+S: Manufacturer=Qualcomm, Incorporated
+S: Product=Qualcomm CDMA Technologies MSM
+S: SerialNumber=353568051xxxxxx
+C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=84(I) Atr=03(Int.) MxPS= 64 Ivl=2ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=2ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -576,6 +576,8 @@ static const struct usb_device_id option
+ { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLX) },
+ { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GKE) },
+ { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLE) },
++ { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42),
++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff),
--- /dev/null
+From cd060956c5e97931c3909e4a808508469c0bb9f6 Mon Sep 17 00:00:00 2001
+From: fangxiaozhi <huananhu@huawei.com>
+Date: Thu, 7 Feb 2013 15:32:07 +0800
+Subject: USB: storage: properly handle the endian issues of idProduct
+
+From: fangxiaozhi <huananhu@huawei.com>
+
+commit cd060956c5e97931c3909e4a808508469c0bb9f6 upstream.
+
+1. The idProduct is little endian, so make sure its value to be
+compatible with the current CPU. Make no break on big endian processors.
+
+Signed-off-by: fangxiaozhi <huananhu@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/initializers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/storage/initializers.c
++++ b/drivers/usb/storage/initializers.c
+@@ -147,7 +147,7 @@ static int usb_stor_huawei_dongles_pid(s
+ int idProduct;
+
+ idesc = &us->pusb_intf->cur_altsetting->desc;
+- idProduct = us->pusb_dev->descriptor.idProduct;
++ idProduct = le16_to_cpu(us->pusb_dev->descriptor.idProduct);
+ /* The first port is CDROM,
+ * means the dongle in the single port mode,
+ * and a switch command is required to be sent. */
+@@ -169,7 +169,7 @@ int usb_stor_huawei_init(struct us_data
+ int result = 0;
+
+ if (usb_stor_huawei_dongles_pid(us)) {
+- if (us->pusb_dev->descriptor.idProduct >= 0x1446)
++ if (le16_to_cpu(us->pusb_dev->descriptor.idProduct) >= 0x1446)
+ result = usb_stor_huawei_scsi_init(us);
+ else
+ result = usb_stor_huawei_feature_init(us);
--- /dev/null
+From 18e03310b5caa6d11c1a8c61b982c37047693fba Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Thu, 14 Feb 2013 09:39:09 -0500
+Subject: USB: usb-storage: unusual_devs update for Super TOP SATA bridge
+
+From: Josh Boyer <jwboyer@redhat.com>
+
+commit 18e03310b5caa6d11c1a8c61b982c37047693fba upstream.
+
+The current entry in unusual_cypress.h for the Super TOP SATA bridge devices
+seems to be causing corruption on newer revisions of this device. This has
+been reported in Arch Linux and Fedora. The original patch was tested on
+devices with bcdDevice of 1.60, whereas the newer devices report bcdDevice
+as 2.20. Limit the UNUSUAL_DEV entry to devices less than 2.20.
+
+This fixes https://bugzilla.redhat.com/show_bug.cgi?id=909591
+
+The Arch Forum post on this is here:
+ https://bbs.archlinux.org/viewtopic.php?id=152011
+
+Reported-by: Carsten S. <carsteniq@yahoo.com>
+Tested-by: Carsten S. <carsteniq@yahoo.com>
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_cypress.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_cypress.h
++++ b/drivers/usb/storage/unusual_cypress.h
+@@ -31,7 +31,7 @@ UNUSUAL_DEV( 0x04b4, 0x6831, 0x0000, 0x
+ "Cypress ISD-300LP",
+ USB_SC_CYP_ATACB, USB_PR_DEVICE, NULL, 0),
+
+-UNUSUAL_DEV( 0x14cd, 0x6116, 0x0000, 0x9999,
++UNUSUAL_DEV( 0x14cd, 0x6116, 0x0000, 0x0219,
+ "Super Top",
+ "USB 2.0 SATA BRIDGE",
+ USB_SC_CYP_ATACB, USB_PR_DEVICE, NULL, 0),
--- /dev/null
+From 1591b8595fd6cde710c399e5ab325fee269644a3 Mon Sep 17 00:00:00 2001
+From: Cong Wang <amwang@redhat.com>
+Date: Thu, 21 Feb 2013 23:32:27 +0000
+Subject: vlan: adjust vlan_set_encap_proto() for its callers
+
+
+From: Cong Wang <amwang@redhat.com>
+
+[ Upstream commit da8c87241c26aac81a64c7e4d21d438a33018f4e ]
+
+There are two places to call vlan_set_encap_proto():
+vlan_untag() and __pop_vlan_tci().
+
+vlan_untag() assumes skb->data points after mac addr, otherwise
+the following code
+
+ vhdr = (struct vlan_hdr *) skb->data;
+ vlan_tci = ntohs(vhdr->h_vlan_TCI);
+ __vlan_hwaccel_put_tag(skb, vlan_tci);
+
+ skb_pull_rcsum(skb, VLAN_HLEN);
+
+won't be correct. But __pop_vlan_tci() assumes points _before_
+mac addr.
+
+In vlan_set_encap_proto(), it looks for some magic L2 value
+after mac addr:
+
+ rawp = skb->data;
+ if (*(unsigned short *) rawp == 0xFFFF)
+ ...
+
+Therefore __pop_vlan_tci() is obviously wrong.
+
+A quick fix is avoiding using skb->data in vlan_set_encap_proto(),
+use 'vhdr+1' is always correct in both cases.
+
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Jesse Gross <jesse@nicira.com>
+Signed-off-by: Cong Wang <amwang@redhat.com>
+Acked-by: Jesse Gross <jesse@nicira.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_vlan.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -327,7 +327,7 @@ static inline void vlan_set_encap_proto(
+ struct vlan_hdr *vhdr)
+ {
+ __be16 proto;
+- unsigned char *rawp;
++ unsigned short *rawp;
+
+ /*
+ * Was a VLAN packet, grab the encapsulated protocol, which the layer
+@@ -340,8 +340,8 @@ static inline void vlan_set_encap_proto(
+ return;
+ }
+
+- rawp = skb->data;
+- if (*(unsigned short *) rawp == 0xFFFF)
++ rawp = (unsigned short *)(vhdr + 1);
++ if (*rawp == 0xFFFF)
+ /*
+ * This is a magic hack to spot IPX packets. Older Novell
+ * breaks the protocol design and runs IPX over 802.3 without
--- /dev/null
+From 740f825d8a83fcf430093e6ee7606f4380c66a3c Mon Sep 17 00:00:00 2001
+From: David Vrabel <david.vrabel@citrix.com>
+Date: Thu, 14 Feb 2013 03:18:58 +0000
+Subject: xen-netback: cancel the credit timer when taking the vif down
+
+
+From: David Vrabel <david.vrabel@citrix.com>
+
+[ Upstream commit 3e55f8b306cf305832a4ac78aa82e1b40e818ece ]
+
+If the credit timer is left armed after calling
+xen_netbk_remove_xenvif(), then it may fire and attempt to schedule
+the vif which will then oops as vif->netbk == NULL.
+
+This may happen both in the fatal error path and during normal
+disconnection from the front end.
+
+The sequencing during shutdown is critical to ensure that: a)
+vif->netbk doesn't become unexpectedly NULL; and b) the net device/vif
+is not freed.
+
+1. Mark as unschedulable (netif_carrier_off()).
+2. Synchronously cancel the timer.
+3. Remove the vif from the schedule list.
+4. Remove it from it netback thread group.
+5. Wait for vif->refcnt to become 0.
+
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Reported-by: Christopher S. Aker <caker@theshore.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/interface.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -132,6 +132,7 @@ static void xenvif_up(struct xenvif *vif
+ static void xenvif_down(struct xenvif *vif)
+ {
+ disable_irq(vif->irq);
++ del_timer_sync(&vif->credit_timeout);
+ xen_netbk_deschedule_xenvif(vif);
+ xen_netbk_remove_xenvif(vif);
+ }
+@@ -363,8 +364,6 @@ void xenvif_disconnect(struct xenvif *vi
+ atomic_dec(&vif->refcnt);
+ wait_event(vif->waiting_to_free, atomic_read(&vif->refcnt) == 0);
+
+- del_timer_sync(&vif->credit_timeout);
+-
+ if (vif->irq)
+ unbind_from_irqhandler(vif->irq, vif);
+
--- /dev/null
+From 0098acdb710d4f1d854e5ca39c78e9dd6fe346fd Mon Sep 17 00:00:00 2001
+From: David Vrabel <david.vrabel@citrix.com>
+Date: Thu, 14 Feb 2013 03:18:57 +0000
+Subject: xen-netback: correctly return errors from netbk_count_requests()
+
+
+From: David Vrabel <david.vrabel@citrix.com>
+
+[ Upstream commit 35876b5ffc154c357476b2c3bdab10feaf4bd8f0 ]
+
+netbk_count_requests() could detect an error, call
+netbk_fatal_tx_error() but return 0. The vif may then be used
+afterwards (e.g., in a call to netbk_tx_error().
+
+Since netbk_fatal_tx_error() could set vif->refcnt to 1, the vif may
+be freed immediately after the call to netbk_fatal_tx_error() (e.g.,
+if the vif is also removed).
+
+Netback thread Xenwatch thread
+-------------------------------------------
+netbk_fatal_tx_err() netback_remove()
+ xenvif_disconnect()
+ ...
+ free_netdev()
+netbk_tx_err() Oops!
+
+Signed-off-by: Wei Liu <wei.liu2@citrix.com>
+Signed-off-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: David Vrabel <david.vrabel@citrix.com>
+Reported-by: Christopher S. Aker <caker@theshore.net>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/netback.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -883,13 +883,13 @@ static int netbk_count_requests(struct x
+ if (frags >= work_to_do) {
+ netdev_err(vif->dev, "Need more frags\n");
+ netbk_fatal_tx_err(vif);
+- return -frags;
++ return -ENODATA;
+ }
+
+ if (unlikely(frags >= MAX_SKB_FRAGS)) {
+ netdev_err(vif->dev, "Too many frags\n");
+ netbk_fatal_tx_err(vif);
+- return -frags;
++ return -E2BIG;
+ }
+
+ memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + frags),
+@@ -897,7 +897,7 @@ static int netbk_count_requests(struct x
+ if (txp->size > first->size) {
+ netdev_err(vif->dev, "Frag is bigger than frame.\n");
+ netbk_fatal_tx_err(vif);
+- return -frags;
++ return -EIO;
+ }
+
+ first->size -= txp->size;
+@@ -907,7 +907,7 @@ static int netbk_count_requests(struct x
+ netdev_err(vif->dev, "txp->offset: %x, size: %u\n",
+ txp->offset, txp->size);
+ netbk_fatal_tx_err(vif);
+- return -frags;
++ return -EINVAL;
+ }
+ } while ((txp++)->flags & XEN_NETTXF_more_data);
+ return frags;
projects / thirdparty / kernel / stable-queue.git / commitdiff
