--- /dev/null
+From 0f9f1ee9d1412d45a22bfd69dfd4d4324b506e9e Mon Sep 17 00:00:00 2001
+From: Luke Yelavich <luke.yelavich@canonical.com>
+Date: Tue, 21 Sep 2010 17:05:46 +1000
+Subject: ALSA: hda - Add Dell Latitude E6400 model quirk
+
+From: Luke Yelavich <luke.yelavich@canonical.com>
+
+commit 0f9f1ee9d1412d45a22bfd69dfd4d4324b506e9e upstream.
+
+BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/643891
+
+Set the Dell Latitude E6400 (1028:0233) SSID to use AD1984_DELL_DESKTOP
+
+Signed-off-by: Luke Yelavich <luke.yelavich@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/hda/patch_analog.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_analog.c
++++ b/sound/pci/hda/patch_analog.c
+@@ -3510,6 +3510,7 @@ static struct snd_pci_quirk ad1984_cfg_t
+ /* Lenovo Thinkpad T61/X61 */
+ SND_PCI_QUIRK_VENDOR(0x17aa, "Lenovo Thinkpad", AD1984_THINKPAD),
+ SND_PCI_QUIRK(0x1028, 0x0214, "Dell T3400", AD1984_DELL_DESKTOP),
++ SND_PCI_QUIRK(0x1028, 0x0233, "Dell Latitude E6400", AD1984_DELL_DESKTOP),
+ {}
+ };
+
--- /dev/null
+From 0873a5ae747847ee55a63db409dff3476e45bcd9 Mon Sep 17 00:00:00 2001
+From: Erik J. Staab <ejs@insightbb.com>
+Date: Wed, 22 Sep 2010 11:07:41 +0200
+Subject: ALSA: oxygen: fix analog capture on Claro halo cards
+
+From: Erik J. Staab <ejs@insightbb.com>
+
+commit 0873a5ae747847ee55a63db409dff3476e45bcd9 upstream.
+
+On the HT-Omega Claro halo card, the ADC data must be captured from the
+second I2S input. Using the default first input, which isn't connected
+to anything, would result in silence.
+
+Signed-off-by: Erik J. Staab <ejs@insightbb.com>
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/oxygen/oxygen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/pci/oxygen/oxygen.c
++++ b/sound/pci/oxygen/oxygen.c
+@@ -393,6 +393,10 @@ static int __devinit get_oxygen_model(st
+ chip->model.suspend = claro_suspend;
+ chip->model.resume = claro_resume;
+ chip->model.set_adc_params = set_ak5385_params;
++ chip->model.device_config = PLAYBACK_0_TO_I2S |
++ PLAYBACK_1_TO_SPDIF |
++ CAPTURE_0_FROM_I2S_2 |
++ CAPTURE_1_FROM_SPDIF;
+ break;
+ }
+ if (id->driver_data == MODEL_MERIDIAN ||
--- /dev/null
+From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Tue, 28 Sep 2010 14:18:20 -0400
+Subject: ALSA: prevent heap corruption in snd_ctl_new()
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 5591bf07225523600450edd9e6ad258bb877b779 upstream.
+
+The snd_ctl_new() function in sound/core/control.c allocates space for a
+snd_kcontrol struct by performing arithmetic operations on a
+user-provided size without checking for integer overflow. If a user
+provides a large enough size, an overflow will occur, the allocated
+chunk will be too small, and a second user-influenced value will be
+written repeatedly past the bounds of this chunk. This code is
+reachable by unprivileged users who have permission to open
+a /dev/snd/controlC* device (on many distros, this is group "audio") via
+the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/core/control.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
+@@ -190,6 +191,10 @@ static struct snd_kcontrol *snd_ctl_new(
+
+ if (snd_BUG_ON(!control || !control->count))
+ return NULL;
++
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
++
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
--- /dev/null
+From aa73aec6c385e2c797ac25cc7ccf0318031de7c8 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Fri, 15 Oct 2010 12:06:18 +0200
+Subject: ALSA: rawmidi: fix oops (use after free) when unloading a driver module
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit aa73aec6c385e2c797ac25cc7ccf0318031de7c8 upstream.
+
+When a driver module is unloaded and the last still open file is a raw
+MIDI device, the card and its devices will be actually freed in the
+snd_card_file_remove() call when that file is closed. Afterwards, rmidi
+and rmidi->card point into freed memory, so the module pointer is likely
+to be garbage.
+(This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.)
+
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Reported-by: Krzysztof Foltman <wdev@foltman.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/core/rawmidi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -530,13 +530,15 @@ static int snd_rawmidi_release(struct in
+ {
+ struct snd_rawmidi_file *rfile;
+ struct snd_rawmidi *rmidi;
++ struct module *module;
+
+ rfile = file->private_data;
+ rmidi = rfile->rmidi;
+ rawmidi_release_priv(rfile);
+ kfree(rfile);
++ module = rmidi->card->module;
+ snd_card_file_remove(rmidi->card, file);
+- module_put(rmidi->card->module);
++ module_put(module);
+ return 0;
+ }
+
--- /dev/null
+From e68d3b316ab7b02a074edc4f770e6a746390cb7d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 25 Sep 2010 11:07:27 -0400
+Subject: ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit e68d3b316ab7b02a074edc4f770e6a746390cb7d upstream.
+
+The SNDRV_HDSP_IOCTL_GET_CONFIG_INFO and
+SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctls in hdspm.c and hdsp.c allow
+unprivileged users to read uninitialized kernel stack memory, because
+several fields of the hdsp{m}_config_info structs declared on the stack
+are not altered or zeroed before being copied back to the user. This
+patch takes care of it.
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/pci/rme9652/hdsp.c | 1 +
+ sound/pci/rme9652/hdspm.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -4610,6 +4610,7 @@ static int snd_hdsp_hwdep_ioctl(struct s
+ if (err < 0)
+ return err;
+
++ memset(&info, 0, sizeof(info));
+ spin_lock_irqsave(&hdsp->lock, flags);
+ info.pref_sync_ref = (unsigned char)hdsp_pref_sync_ref(hdsp);
+ info.wordclock_sync_check = (unsigned char)hdsp_wc_sync_check(hdsp);
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -4127,6 +4127,7 @@ static int snd_hdspm_hwdep_ioctl(struct
+
+ case SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO:
+
++ memset(&info, 0, sizeof(info));
+ spin_lock_irq(&hdspm->lock);
+ info.pref_sync_ref = hdspm_pref_sync_ref(hdspm);
+ info.wordclock_sync_check = hdspm_wc_sync_check(hdspm);
--- /dev/null
+From bb7ab785ad05a97a2c9ffb3a06547ed39f3133e8 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@redhat.com>
+Date: Tue, 21 Sep 2010 03:26:35 -0400
+Subject: oprofile: Add Support for Intel CPU Family 6 / Model 29
+
+From: Jiri Olsa <jolsa@redhat.com>
+
+commit bb7ab785ad05a97a2c9ffb3a06547ed39f3133e8 upstream.
+
+This patch adds CPU type detection for dunnington processor (Family 6
+/ Model 29) to be identified as core 2 family cpu type (wikipedia
+source).
+
+I tested oprofile on Intel(R) Xeon(R) CPU E7440 reporting itself as
+model 29, and it runs without an issue.
+
+Spec:
+
+ http://www.intel.com/Assets/en_US/PDF/specupdate/320336.pdf
+
+Signed-off-by: Jiri Olsa <jolsa@redhat.com>
+Acked-by: Andi Kleen <ak@linux.intel.com>
+Signed-off-by: Robert Richter <robert.richter@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/oprofile/nmi_int.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/oprofile/nmi_int.c
++++ b/arch/x86/oprofile/nmi_int.c
+@@ -624,6 +624,7 @@ static int __init ppro_init(char **cpu_t
+ case 0x0f:
+ case 0x16:
+ case 0x17:
++ case 0x1d:
+ *cpu_type = "i386/core_2";
+ break;
+ case 0x1a:
--- /dev/null
+From bec658ff31453a5726b1c188674d587a5d40c482 Mon Sep 17 00:00:00 2001
+From: Steve Wise <swise@opengridcomputing.com>
+Date: Sat, 18 Sep 2010 19:38:21 -0500
+Subject: RDMA/cxgb3: Turn off RX coalescing for iWARP connections
+
+From: Steve Wise <swise@opengridcomputing.com>
+
+commit bec658ff31453a5726b1c188674d587a5d40c482 upstream.
+
+The HW by default has RX coalescing on. For iWARP connections, this
+causes a 100ms delay in connection establishement due to the ingress
+MPA Start message being stalled in HW. So explicitly turn RX
+coalescing off when setting up iWARP connections.
+
+This was causing very bad performance for NP64 gather operations using
+Open MPI, due to the way it sets up connections on larger jobs.
+
+Signed-off-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Roland Dreier <rolandd@cisco.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/infiniband/hw/cxgb3/iwch_cm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb3/iwch_cm.c
++++ b/drivers/infiniband/hw/cxgb3/iwch_cm.c
+@@ -486,7 +486,8 @@ static int send_connect(struct iwch_ep *
+ V_MSS_IDX(mtu_idx) |
+ V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
+ opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
+- opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
++ opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
++ V_CONG_CONTROL_FLAVOR(cong_flavor);
+ skb->priority = CPL_PRIORITY_SETUP;
+ set_arp_failure_handler(skb, act_open_req_arp_failure);
+
+@@ -1303,7 +1304,8 @@ static void accept_cr(struct iwch_ep *ep
+ V_MSS_IDX(mtu_idx) |
+ V_L2T_IDX(ep->l2t->idx) | V_TX_CHANNEL(ep->l2t->smt_idx);
+ opt0l = V_TOS((ep->tos >> 2) & M_TOS) | V_RCV_BUFSIZ(rcv_win>>10);
+- opt2 = V_FLAVORS_VALID(1) | V_CONG_CONTROL_FLAVOR(cong_flavor);
++ opt2 = F_RX_COALESCE_VALID | V_RX_COALESCE(0) | V_FLAVORS_VALID(1) |
++ V_CONG_CONTROL_FLAVOR(cong_flavor);
+
+ rpl = cplhdr(skb);
+ rpl->wr.wr_hi = htonl(V_WR_OP(FW_WROPCODE_FORWARD));
--- /dev/null
+From 0026e00523a85b90a92a93ddf6660939ecef3e54 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 21 Sep 2010 15:01:53 -0400
+Subject: USB: fix bug in initialization of interface minor numbers
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 0026e00523a85b90a92a93ddf6660939ecef3e54 upstream.
+
+Recent changes in the usbhid layer exposed a bug in usbcore. If
+CONFIG_USB_DYNAMIC_MINORS is enabled then an interface may be assigned
+a minor number of 0. However interfaces that aren't registered as USB
+class devices also have their minor number set to 0, during
+initialization. As a result usb_find_interface() may return the
+wrong interface, leading to a crash.
+
+This patch (as1418) fixes the problem by initializing every
+interface's minor number to -1. It also cleans up the
+usb_register_dev() function, which besides being somewhat awkwardly
+written, does not unwind completely on all its error paths.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Philip J. Turmel <philip@turmel.org>
+Tested-by: Gabriel Craciunescu <nix.or.die@googlemail.com>
+Tested-by: Alex Riesen <raa.lkml@gmail.com>
+Tested-by: Matthias Bayer <jackdachef@gmail.com>
+CC: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/file.c | 35 ++++++++++++++++-------------------
+ drivers/usb/core/message.c | 1 +
+ 2 files changed, 17 insertions(+), 19 deletions(-)
+
+--- a/drivers/usb/core/file.c
++++ b/drivers/usb/core/file.c
+@@ -159,9 +159,9 @@ void usb_major_cleanup(void)
+ int usb_register_dev(struct usb_interface *intf,
+ struct usb_class_driver *class_driver)
+ {
+- int retval = -EINVAL;
++ int retval;
+ int minor_base = class_driver->minor_base;
+- int minor = 0;
++ int minor;
+ char name[20];
+ char *temp;
+
+@@ -173,12 +173,17 @@ int usb_register_dev(struct usb_interfac
+ */
+ minor_base = 0;
+ #endif
+- intf->minor = -1;
+-
+- dbg ("looking for a minor, starting at %d", minor_base);
+
+ if (class_driver->fops == NULL)
+- goto exit;
++ return -EINVAL;
++ if (intf->minor >= 0)
++ return -EADDRINUSE;
++
++ retval = init_usb_class();
++ if (retval)
++ return retval;
++
++ dev_dbg(&intf->dev, "looking for a minor, starting at %d", minor_base);
+
+ down_write(&minor_rwsem);
+ for (minor = minor_base; minor < MAX_USB_MINORS; ++minor) {
+@@ -186,20 +191,12 @@ int usb_register_dev(struct usb_interfac
+ continue;
+
+ usb_minors[minor] = class_driver->fops;
+-
+- retval = 0;
++ intf->minor = minor;
+ break;
+ }
+ up_write(&minor_rwsem);
+-
+- if (retval)
+- goto exit;
+-
+- retval = init_usb_class();
+- if (retval)
+- goto exit;
+-
+- intf->minor = minor;
++ if (intf->minor < 0)
++ return -EXFULL;
+
+ /* create a usb class device for this usb interface */
+ snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
+@@ -213,11 +210,11 @@ int usb_register_dev(struct usb_interfac
+ "%s", temp);
+ if (IS_ERR(intf->usb_dev)) {
+ down_write(&minor_rwsem);
+- usb_minors[intf->minor] = NULL;
++ usb_minors[minor] = NULL;
++ intf->minor = -1;
+ up_write(&minor_rwsem);
+ retval = PTR_ERR(intf->usb_dev);
+ }
+-exit:
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_register_dev);
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -1792,6 +1792,7 @@ free_interfaces:
+ intf->dev.groups = usb_interface_groups;
+ intf->dev.dma_mask = dev->dev.dma_mask;
+ INIT_WORK(&intf->reset_ws, __usb_queue_reset_device);
++ intf->minor = -1;
+ device_initialize(&intf->dev);
+ mark_quiesced(intf);
+ dev_set_name(&intf->dev, "%d-%s:%d.%d",
--- /dev/null
+From bd2e74d657fc7d514881cc2117e323790b257914 Mon Sep 17 00:00:00 2001
+From: Ming Lei <tom.leiming@gmail.com>
+Date: Mon, 20 Sep 2010 10:32:01 +0300
+Subject: usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style
+
+From: Ming Lei <tom.leiming@gmail.com>
+
+commit bd2e74d657fc7d514881cc2117e323790b257914 upstream.
+
+For shared fifo hw endpoint(with FIFO_TXRX style), only ep_in
+field of musb_hw_ep is intialized in musb_g_init_endpoints, and
+ep_out is not initialized, but musb_g_rx and rxstate may access
+ep_out field of musb_hw_ep by the method below:
+
+ musb_ep = &musb->endpoints[epnum].ep_out
+
+which can cause the kernel panic[1] below, this patch fixes the issue
+by getting 'musb_ep' from '&musb->endpoints[epnum].ep_in' for shared fifo
+endpoint.
+
+[1], kernel panic
+[root@OMAP3EVM /]# musb_interrupt 1583: ** IRQ peripheral usb0008 tx0000 rx4000
+musb_stage0_irq 460: <== Power=f0, DevCtl=99, int_usb=0x8
+musb_g_rx 772: <== (null), rxcsr 4007 ffffffe8
+musb_g_rx 786: iso overrun on ffffffe8
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = c0004000
+[00000008] *pgd=00000000
+Internal error: Oops: 17 [#1] PREEMPT
+last sysfs file: /sys/devices/platform/musb_hdrc/usb1/usb_device/usbdev1.1/dev
+Modules linked in: g_zero
+CPU: 0 Tainted: G W (2.6.35-rc6-gkh-wl+ #92)
+PC is at musb_g_rx+0xfc/0x2ec
+LR is at vprintk+0x3f4/0x458
+pc : [<c02c07a4>] lr : [<c006ccb0>] psr: 20000193
+sp : c760bd78 ip : c03c9d70 fp : c760bdbc
+r10: 00000000 r9 : fa0ab1e0 r8 : 0000000e
+r7 : c7e80158 r6 : ffffffe8 r5 : 00000001 r4 : 00004003
+r3 : 00010003 r2 : c760bcd8 r1 : c03cd030 r0 : 0000002e
+Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
+Control: 10c5387d Table: 8778c019 DAC: 00000017
+Process kmemleak (pid: 421, stack limit = 0xc760a2e8)
+Stack: (0xc760bd78 to 0xc760c000)
+bd60: ffffffe8 c04b1b58
+bd80: ffffffe8 c7c01ac0 00000000 c7e80d24 c0084238 00000001 00000001 c7e80158
+bda0: 0000000e 00000008 00000099 000000f0 c760be04 c760bdc0 c02bcd68 c02c06b4
+bdc0: 00000099 00000008 00004000 c760bdd8 c03cc4f8 00000000 00000002 c7e80158
+bde0: c7d2e300 60000193 c760a000 0000005c 00000000 00000000 c760be24 c760be08
+be00: c02bcecc c02bc1ac c7d2e300 c7d2e300 0000005c c760a000 c760be54 c760be28
+be20: c00ad698 c02bce6c 00000000 c7d2e300 c067c258 0000005c c067c294 00000001
+be40: c760a000 00000000 c760be74 c760be58 c00af984 c00ad5fc 0000005c 00000000
+be60: 00000000 00000002 c760be8c c760be78 c0039080 c00af8d0 ffffffff fa200000
+be80: c760beec c760be90 c0039b6c c003900c 00000001 00000000 c7d1e240 00000000
+bea0: 00000000 c068bae8 00000000 60000013 00000001 00000000 00000000 c760beec
+bec0: c0064ecc c760bed8 c00ff7d0 c003a0a8 60000013 ffffffff 00000000 c068bae8
+bee0: c760bf24 c760bef0 c00ff7d0 c0064ec4 00000001 00000000 c00ff700 00000000
+bf00: c0087f00 00000000 60000013 c0d76a70 c0e23795 00000001 c760bf4c c760bf28
+bf20: c00ffdd8 c00ff70c c068bb08 c068bae8 60000013 c0100938 c068bb30 00000000
+bf40: c760bf84 c760bf50 c010014c c00ffd84 00000001 00000000 c010000c 00012c00
+bf60: c7c33f04 00012c00 c7c33f04 00000000 c0100938 00000000 c760bf9c c760bf88
+bf80: c01009a8 c0100018 c760bfa8 c7c33f04 c760bff4 c760bfa0 c0088000 c0100944
+bfa0: c760bf98 00000000 00000000 00000001 dead4ead ffffffff ffffffff c08ba2bc
+bfc0: 00000000 c049e7fa 00000000 c0087f70 c760bfd0 c760bfd0 c7c33f04 c0087f70
+bfe0: c006f5e8 00000013 00000000 c760bff8 c006f5e8 c0087f7c 7f0004ff df2000ff
+Backtrace:
+[<c02c06a8>] (musb_g_rx+0x0/0x2ec) from [<c02bcd68>] (musb_interrupt+0xbc8/0xcc0)
+[<c02bc1a0>] (musb_interrupt+0x0/0xcc0) from [<c02bcecc>] (generic_interrupt+0x6c/0x84)
+[<c02bce60>] (generic_interrupt+0x0/0x84) from [<c00ad698>] (handle_IRQ_event+0xa8/0x1ec)
+ r7:c760a000 r6:0000005c r5:c7d2e300 r4:c7d2e300
+[<c00ad5f0>] (handle_IRQ_event+0x0/0x1ec) from [<c00af984>] (handle_level_irq+0xc0/0x13c)
+[<c00af8c4>] (handle_level_irq+0x0/0x13c) from [<c0039080>] (asm_do_IRQ+0x80/0xa0)
+ r7:00000002 r6:00000000 r5:00000000 r4:0000005c
+[<c0039000>] (asm_do_IRQ+0x0/0xa0) from [<c0039b6c>] (__irq_svc+0x4c/0xb4)
+Exception stack(0xc760be90 to 0xc760bed8)
+be80: 00000001 00000000 c7d1e240 00000000
+bea0: 00000000 c068bae8 00000000 60000013 00000001 00000000 00000000 c760beec
+bec0: c0064ecc c760bed8 c00ff7d0 c003a0a8 60000013 ffffffff
+ r5:fa200000 r4:ffffffff
+[<c0064eb8>] (sub_preempt_count+0x0/0x100) from [<c00ff7d0>] (find_and_get_object+0xd0/0x110)
+ r5:c068bae8 r4:00000000
+[<c00ff700>] (find_and_get_object+0x0/0x110) from [<c00ffdd8>] (scan_block+0x60/0x104)
+ r8:00000001 r7:c0e23795 r6:c0d76a70 r5:60000013 r4:00000000
+[<c00ffd78>] (scan_block+0x0/0x104) from [<c010014c>] (kmemleak_scan+0x140/0x484)
+[<c010000c>] (kmemleak_scan+0x0/0x484) from [<c01009a8>] (kmemleak_scan_thread+0x70/0xcc)
+ r8:00000000 r7:c0100938 r6:00000000 r5:c7c33f04 r4:00012c00
+[<c0100938>] (kmemleak_scan_thread+0x0/0xcc) from [<c0088000>] (kthread+0x90/0x98)
+ r5:c7c33f04 r4:c760bfa8
+[<c0087f70>] (kthread+0x0/0x98) from [<c006f5e8>] (do_exit+0x0/0x684)
+ r7:00000013 r6:c006f5e8 r5:c0087f70 r4:c7c33f04
+Code: e3002312 e58d6000 e2833e16 eb0422d5 (e5963020)
+---[ end trace f3d5e96f75c297b7 ]---
+
+Signed-off-by: Ming Lei <tom.leiming@gmail.com>
+Reviewed-by: Sergei Shtylyov <sshtylyov@mvista.com>
+Cc: David Brownell <dbrownell@users.sourceforge.net>
+Cc: Anand Gadiyar <gadiyar@ti.com>
+Cc: Mike Frysinger <vapier@gentoo.org>
+Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/musb/musb_gadget.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/musb/musb_gadget.c
++++ b/drivers/usb/musb/musb_gadget.c
+@@ -577,11 +577,19 @@ static void rxstate(struct musb *musb, s
+ {
+ const u8 epnum = req->epnum;
+ struct usb_request *request = &req->request;
+- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
++ struct musb_ep *musb_ep;
+ void __iomem *epio = musb->endpoints[epnum].regs;
+ unsigned fifo_count = 0;
+- u16 len = musb_ep->packet_sz;
++ u16 len;
+ u16 csr = musb_readw(epio, MUSB_RXCSR);
++ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
++
++ if (hw_ep->is_shared_fifo)
++ musb_ep = &hw_ep->ep_in;
++ else
++ musb_ep = &hw_ep->ep_out;
++
++ len = musb_ep->packet_sz;
+
+ /* We shouldn't get here while DMA is active, but we do... */
+ if (dma_channel_status(musb_ep->dma) == MUSB_DMA_STATUS_BUSY) {
+@@ -749,9 +757,15 @@ void musb_g_rx(struct musb *musb, u8 epn
+ u16 csr;
+ struct usb_request *request;
+ void __iomem *mbase = musb->mregs;
+- struct musb_ep *musb_ep = &musb->endpoints[epnum].ep_out;
++ struct musb_ep *musb_ep;
+ void __iomem *epio = musb->endpoints[epnum].regs;
+ struct dma_channel *dma;
++ struct musb_hw_ep *hw_ep = &musb->endpoints[epnum];
++
++ if (hw_ep->is_shared_fifo)
++ musb_ep = &hw_ep->ep_in;
++ else
++ musb_ep = &hw_ep->ep_out;
+
+ musb_ep_select(mbase, epnum);
+
--- /dev/null
+From a666e3e6098a9f56310e4ec2705f1dad124a34b5 Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Date: Sat, 11 Sep 2010 13:23:12 -0500
+Subject: usb: musb: gadget: restart request on clearing endpoint halt
+
+From: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+
+commit a666e3e6098a9f56310e4ec2705f1dad124a34b5 upstream.
+
+Commit 46034dca515bc4ddca0399ae58106d1f5f0d809f (USB: musb_gadget_ep0: stop
+abusing musb_gadget_set_halt()) forgot to restart a queued request after
+clearing the endpoint halt feature. This results in a couple of USB resets
+while enumerating the file-backed storage gadget due to CSW packet not being
+sent for the MODE SENSE(10) command.
+
+Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/musb/musb_gadget.c | 2 +-
+ drivers/usb/musb/musb_gadget.h | 2 ++
+ drivers/usb/musb/musb_gadget_ep0.c | 9 +++++++++
+ 3 files changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_gadget.c
++++ b/drivers/usb/musb/musb_gadget.c
+@@ -1088,7 +1088,7 @@ struct free_record {
+ /*
+ * Context: controller locked, IRQs blocked.
+ */
+-static void musb_ep_restart(struct musb *musb, struct musb_request *req)
++void musb_ep_restart(struct musb *musb, struct musb_request *req)
+ {
+ DBG(3, "<== %s request %p len %u on hw_ep%d\n",
+ req->tx ? "TX/IN" : "RX/OUT",
+--- a/drivers/usb/musb/musb_gadget.h
++++ b/drivers/usb/musb/musb_gadget.h
+@@ -105,4 +105,6 @@ extern void musb_g_giveback(struct musb_
+
+ extern int musb_gadget_set_halt(struct usb_ep *ep, int value);
+
++extern void musb_ep_restart(struct musb *, struct musb_request *);
++
+ #endif /* __MUSB_GADGET_H */
+--- a/drivers/usb/musb/musb_gadget_ep0.c
++++ b/drivers/usb/musb/musb_gadget_ep0.c
+@@ -369,6 +369,7 @@ stall:
+ ctrlrequest->wIndex & 0x0f;
+ struct musb_ep *musb_ep;
+ struct musb_hw_ep *ep;
++ struct musb_request *request;
+ void __iomem *regs;
+ int is_in;
+ u16 csr;
+@@ -411,6 +412,14 @@ stall:
+ csr);
+ }
+
++ /* Maybe start the first request in the queue */
++ request = to_musb_request(
++ next_request(musb_ep));
++ if (!musb_ep->busy && request) {
++ DBG(3, "restarting the request\n");
++ musb_ep_restart(musb, request);
++ }
++
+ /* select ep0 again */
+ musb_ep_select(mbase, 0);
+ handled = 1;
--- /dev/null
+From d900329e20f4476db6461752accebcf7935a8055 Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa@linux.intel.com>
+Date: Tue, 28 Sep 2010 15:35:01 -0700
+Subject: x86, cpu: After uncapping CPUID, re-run CPU feature detection
+
+From: H. Peter Anvin <hpa@linux.intel.com>
+
+commit d900329e20f4476db6461752accebcf7935a8055 upstream.
+
+After uncapping the CPUID level, we need to also re-run the CPU
+feature detection code.
+
+This resolves kernel bugzilla 16322.
+
+Reported-by: boris64 <bugzilla.kernel.org@boris64.net>
+LKML-Reference: <tip-@git.kernel.org>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/common.c | 2 +-
+ arch/x86/kernel/cpu/cpu.h | 1 +
+ arch/x86/kernel/cpu/intel.c | 1 +
+ 3 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -540,7 +540,7 @@ void __cpuinit cpu_detect(struct cpuinfo
+ }
+ }
+
+-static void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
++void __cpuinit get_cpu_cap(struct cpuinfo_x86 *c)
+ {
+ u32 tfms, xlvl;
+ u32 ebx;
+--- a/arch/x86/kernel/cpu/cpu.h
++++ b/arch/x86/kernel/cpu/cpu.h
+@@ -33,5 +33,6 @@ extern const struct cpu_dev *const __x86
+ *const __x86_cpu_dev_end[];
+
+ extern void display_cacheinfo(struct cpuinfo_x86 *c);
++extern void get_cpu_cap(struct cpuinfo_x86 *c);
+
+ #endif
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -40,6 +40,7 @@ static void __cpuinit early_init_intel(s
+ misc_enable &= ~MSR_IA32_MISC_ENABLE_LIMIT_CPUID;
+ wrmsrl(MSR_IA32_MISC_ENABLE, misc_enable);
+ c->cpuid_level = cpuid_eax(0);
++ get_cpu_cap(c);
+ }
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
