--- /dev/null
+From 7ee0fddfe05f105d3346aa8774695e7130697836 Mon Sep 17 00:00:00 2001
+From: J. K. Cliburn <jcliburn@gmail.com>
+Date: Tue, 11 Nov 2008 16:21:48 -0600
+Subject: atl1e: fix broken multicast by removing unnecessary crc inversion
+
+From: J. K. Cliburn <jcliburn@gmail.com>
+
+commit 7ee0fddfe05f105d3346aa8774695e7130697836 upstream.
+
+Inverting the crc after calling ether_crc_le() is unnecessary and breaks
+multicast. Remove it.
+
+Tested-by: David Madore <david.madore@ens.fr>
+Signed-off-by: Jay Cliburn <jcliburn@gmail.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/atl1e/atl1e_hw.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/net/atl1e/atl1e_hw.c
++++ b/drivers/net/atl1e/atl1e_hw.c
+@@ -163,9 +163,6 @@ int atl1e_read_mac_addr(struct atl1e_hw
+ * atl1e_hash_mc_addr
+ * purpose
+ * set hash value for a multicast address
+- * hash calcu processing :
+- * 1. calcu 32bit CRC for multicast address
+- * 2. reverse crc with MSB to LSB
+ */
+ u32 atl1e_hash_mc_addr(struct atl1e_hw *hw, u8 *mc_addr)
+ {
+@@ -174,7 +171,6 @@ u32 atl1e_hash_mc_addr(struct atl1e_hw *
+ int i;
+
+ crc32 = ether_crc_le(6, mc_addr);
+- crc32 = ~crc32;
+ for (i = 0; i < 32; i++)
+ value |= (((crc32 >> i) & 1) << (31 - i));
+
--- /dev/null
+From 33d283bef23132c48195eafc21449f8ba88fce6b Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Wed, 19 Nov 2008 15:36:48 -0800
+Subject: cgroups: fix a serious bug in cgroupstats
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+commit 33d283bef23132c48195eafc21449f8ba88fce6b upstream.
+
+Try this, and you'll get oops immediately:
+ # cd Documentation/accounting/
+ # gcc -o getdelays getdelays.c
+ # mount -t cgroup -o debug xxx /mnt
+ # ./getdelays -C /mnt/tasks
+
+Because a normal file's dentry->d_fsdata is a pointer to struct cftype,
+not struct cgroup.
+
+After the patch, it returns EINVAL if we try to get cgroupstats
+from a normal file.
+
+Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Acked-by: Paul Menage <menage@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/cgroup.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -2045,10 +2045,13 @@ int cgroupstats_build(struct cgroupstats
+ struct cgroup *cgrp;
+ struct cgroup_iter it;
+ struct task_struct *tsk;
++
+ /*
+- * Validate dentry by checking the superblock operations
++ * Validate dentry by checking the superblock operations,
++ * and make sure it's a directory.
+ */
+- if (dentry->d_sb->s_op != &cgroup_ops)
++ if (dentry->d_sb->s_op != &cgroup_ops ||
++ !S_ISDIR(dentry->d_inode->i_mode))
+ goto err;
+
+ ret = 0;
--- /dev/null
+From 700018e0a77b4113172257fcdaa1c58e27a5074f Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizf@cn.fujitsu.com>
+Date: Tue, 18 Nov 2008 14:02:03 +0800
+Subject: cpuset: fix regression when failed to generate sched domains
+
+From: Li Zefan <lizf@cn.fujitsu.com>
+
+commit 700018e0a77b4113172257fcdaa1c58e27a5074f upstream.
+
+Impact: properly rebuild sched-domains on kmalloc() failure
+
+When cpuset failed to generate sched domains due to kmalloc()
+failure, the scheduler should fallback to the single partition
+'fallback_doms' and rebuild sched domains, but now it only
+destroys but not rebuilds sched domains.
+
+The regression was introduced by:
+
+| commit dfb512ec4834116124da61d6c1ee10fd0aa32bd6
+| Author: Max Krasnyansky <maxk@qualcomm.com>
+| Date: Fri Aug 29 13:11:41 2008 -0700
+|
+| sched: arch_reinit_sched_domains() must destroy domains to force rebuild
+
+After the above commit, partition_sched_domains(0, NULL, NULL) will
+only destroy sched domains and partition_sched_domains(1, NULL, NULL)
+will create the default sched domain.
+
+Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
+Cc: Max Krasnyansky <maxk@qualcomm.com>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/cpuset.c | 12 ++++++++----
+ kernel/sched.c | 13 +++++++------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+--- a/kernel/cpuset.c
++++ b/kernel/cpuset.c
+@@ -587,7 +587,6 @@ static int generate_sched_domains(cpumas
+ int ndoms; /* number of sched domains in result */
+ int nslot; /* next empty doms[] cpumask_t slot */
+
+- ndoms = 0;
+ doms = NULL;
+ dattr = NULL;
+ csa = NULL;
+@@ -674,10 +673,8 @@ restart:
+ * Convert <csn, csa> to <ndoms, doms> and populate cpu masks.
+ */
+ doms = kmalloc(ndoms * sizeof(cpumask_t), GFP_KERNEL);
+- if (!doms) {
+- ndoms = 0;
++ if (!doms)
+ goto done;
+- }
+
+ /*
+ * The rest of the code, including the scheduler, can deal with
+@@ -732,6 +729,13 @@ restart:
+ done:
+ kfree(csa);
+
++ /*
++ * Fallback to the default domain if kmalloc() failed.
++ * See comments in partition_sched_domains().
++ */
++ if (doms == NULL)
++ ndoms = 1;
++
+ *domains = doms;
+ *attributes = dattr;
+ return ndoms;
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -7692,13 +7692,14 @@ static int dattrs_equal(struct sched_dom
+ *
+ * The passed in 'doms_new' should be kmalloc'd. This routine takes
+ * ownership of it and will kfree it when done with it. If the caller
+- * failed the kmalloc call, then it can pass in doms_new == NULL,
+- * and partition_sched_domains() will fallback to the single partition
+- * 'fallback_doms', it also forces the domains to be rebuilt.
++ * failed the kmalloc call, then it can pass in doms_new == NULL &&
++ * ndoms_new == 1, and partition_sched_domains() will fallback to
++ * the single partition 'fallback_doms', it also forces the domains
++ * to be rebuilt.
+ *
+- * If doms_new==NULL it will be replaced with cpu_online_map.
+- * ndoms_new==0 is a special case for destroying existing domains.
+- * It will not create the default domain.
++ * If doms_new == NULL it will be replaced with cpu_online_map.
++ * ndoms_new == 0 is a special case for destroying existing domains,
++ * and it will not create the default domain.
+ *
+ * Call with hotplug lock held
+ */
--- /dev/null
+From ac97b9f9a2d0b83488e0bbcb8517b229d5c9b142 Mon Sep 17 00:00:00 2001
+From: Michael Halcrow <mhalcrow@us.ibm.com>
+Date: Wed, 19 Nov 2008 15:36:28 -0800
+Subject: eCryptfs: Allocate up to two scatterlists for crypto ops on keys
+
+From: Michael Halcrow <mhalcrow@us.ibm.com>
+
+commit ac97b9f9a2d0b83488e0bbcb8517b229d5c9b142 upstream.
+
+I have received some reports of out-of-memory errors on some older AMD
+architectures. These errors are what I would expect to see if
+crypt_stat->key were split between two separate pages. eCryptfs should
+not assume that any of the memory sent through virt_to_scatterlist() is
+all contained in a single page, and so this patch allocates two
+scatterlist structs instead of one when processing keys. I have received
+confirmation from one person affected by this bug that this patch resolves
+the issue for him, and so I am submitting it for inclusion in a future
+stable release.
+
+Note that virt_to_scatterlist() runs sg_init_table() on the scatterlist
+structs passed to it, so the calls to sg_init_table() in
+decrypt_passphrase_encrypted_session_key() are redundant.
+
+Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
+Reported-by: Paulo J. S. Silva <pjssilva@ime.usp.br>
+Cc: "Leon Woestenberg" <leon.woestenberg@gmail.com>
+Cc: Tim Gardner <tim.gardner@canonical.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ecryptfs/keystore.c | 31 ++++++++++++++-----------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+--- a/fs/ecryptfs/keystore.c
++++ b/fs/ecryptfs/keystore.c
+@@ -1037,17 +1037,14 @@ static int
+ decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok,
+ struct ecryptfs_crypt_stat *crypt_stat)
+ {
+- struct scatterlist dst_sg;
+- struct scatterlist src_sg;
++ struct scatterlist dst_sg[2];
++ struct scatterlist src_sg[2];
+ struct mutex *tfm_mutex;
+ struct blkcipher_desc desc = {
+ .flags = CRYPTO_TFM_REQ_MAY_SLEEP
+ };
+ int rc = 0;
+
+- sg_init_table(&dst_sg, 1);
+- sg_init_table(&src_sg, 1);
+-
+ if (unlikely(ecryptfs_verbosity > 0)) {
+ ecryptfs_printk(
+ KERN_DEBUG, "Session key encryption key (size [%d]):\n",
+@@ -1066,8 +1063,8 @@ decrypt_passphrase_encrypted_session_key
+ }
+ rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key,
+ auth_tok->session_key.encrypted_key_size,
+- &src_sg, 1);
+- if (rc != 1) {
++ src_sg, 2);
++ if (rc < 1 || rc > 2) {
+ printk(KERN_ERR "Internal error whilst attempting to convert "
+ "auth_tok->session_key.encrypted_key to scatterlist; "
+ "expected rc = 1; got rc = [%d]. "
+@@ -1079,8 +1076,8 @@ decrypt_passphrase_encrypted_session_key
+ auth_tok->session_key.encrypted_key_size;
+ rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key,
+ auth_tok->session_key.decrypted_key_size,
+- &dst_sg, 1);
+- if (rc != 1) {
++ dst_sg, 2);
++ if (rc < 1 || rc > 2) {
+ printk(KERN_ERR "Internal error whilst attempting to convert "
+ "auth_tok->session_key.decrypted_key to scatterlist; "
+ "expected rc = 1; got rc = [%d]\n", rc);
+@@ -1096,7 +1093,7 @@ decrypt_passphrase_encrypted_session_key
+ rc = -EINVAL;
+ goto out;
+ }
+- rc = crypto_blkcipher_decrypt(&desc, &dst_sg, &src_sg,
++ rc = crypto_blkcipher_decrypt(&desc, dst_sg, src_sg,
+ auth_tok->session_key.encrypted_key_size);
+ mutex_unlock(tfm_mutex);
+ if (unlikely(rc)) {
+@@ -1541,8 +1538,8 @@ write_tag_3_packet(char *dest, size_t *r
+ size_t i;
+ size_t encrypted_session_key_valid = 0;
+ char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
+- struct scatterlist dst_sg;
+- struct scatterlist src_sg;
++ struct scatterlist dst_sg[2];
++ struct scatterlist src_sg[2];
+ struct mutex *tfm_mutex = NULL;
+ u8 cipher_code;
+ size_t packet_size_length;
+@@ -1621,8 +1618,8 @@ write_tag_3_packet(char *dest, size_t *r
+ ecryptfs_dump_hex(session_key_encryption_key, 16);
+ }
+ rc = virt_to_scatterlist(crypt_stat->key, key_rec->enc_key_size,
+- &src_sg, 1);
+- if (rc != 1) {
++ src_sg, 2);
++ if (rc < 1 || rc > 2) {
+ ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
+ "for crypt_stat session key; expected rc = 1; "
+ "got rc = [%d]. key_rec->enc_key_size = [%d]\n",
+@@ -1631,8 +1628,8 @@ write_tag_3_packet(char *dest, size_t *r
+ goto out;
+ }
+ rc = virt_to_scatterlist(key_rec->enc_key, key_rec->enc_key_size,
+- &dst_sg, 1);
+- if (rc != 1) {
++ dst_sg, 2);
++ if (rc < 1 || rc > 2) {
+ ecryptfs_printk(KERN_ERR, "Error generating scatterlist "
+ "for crypt_stat encrypted session key; "
+ "expected rc = 1; got rc = [%d]. "
+@@ -1653,7 +1650,7 @@ write_tag_3_packet(char *dest, size_t *r
+ rc = 0;
+ ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes of the key\n",
+ crypt_stat->key_size);
+- rc = crypto_blkcipher_encrypt(&desc, &dst_sg, &src_sg,
++ rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg,
+ (*key_rec).enc_key_size);
+ mutex_unlock(tfm_mutex);
+ if (rc) {
--- /dev/null
+From 393df744e056ba24e9531d0657d09fc3c7c0dd22 Mon Sep 17 00:00:00 2001
+From: Ned Forrester <nforrester@whoi.edu>
+Date: Wed, 19 Nov 2008 15:36:21 -0800
+Subject: pxa2xx_spi: bugfix full duplex dma data corruption
+
+From: Ned Forrester <nforrester@whoi.edu>
+
+commit 393df744e056ba24e9531d0657d09fc3c7c0dd22 upstream.
+
+Fixes a data corruption bug in pxa2xx_spi.c when operating in full duplex
+mode with DMA and using buffers that overlap.
+
+SPI transmit and receive buffers are allowed to be the same or to overlap.
+ However, this driver fails if such overlap is attempted in DMA mode
+because it maps the rx and tx buffers in the wrong order. By mapping
+DMA_FROM_DEVICE (read) before DMA_TO_DEVICE (write), it invalidates the
+cache before flushing it, thus discarding data which should have been
+transmitted.
+
+The patch corrects the order of mapping. This bug exists in all versions
+of pxa2xx_spi.c; similar bugs are in the drivers for two other SPI
+controllers (au1500, imx).
+
+A version of this patch has been tested on kernel 2.6.20 using
+verification of loopback data with: random transfer length, random
+bits-per-word, random positive offsets (both larger and smaller than
+transfer length) between the start of the rx and tx buffers, and varying
+clock rates.
+
+Signed-off-by: Ned Forrester <nforrester@whoi.edu>
+Cc: Vernon Sauder <vernoninhand@gmail.com>
+Cc: J. Scott Merritt <merrij3@rpi.edu>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/spi/pxa2xx_spi.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/spi/pxa2xx_spi.c
++++ b/drivers/spi/pxa2xx_spi.c
+@@ -348,21 +348,21 @@ static int map_dma_buffers(struct driver
+ } else
+ drv_data->tx_map_len = drv_data->len;
+
+- /* Stream map the rx buffer */
+- drv_data->rx_dma = dma_map_single(dev, drv_data->rx,
+- drv_data->rx_map_len,
+- DMA_FROM_DEVICE);
+- if (dma_mapping_error(dev, drv_data->rx_dma))
+- return 0;
+-
+- /* Stream map the tx buffer */
++ /* Stream map the tx buffer. Always do DMA_TO_DEVICE first
++ * so we flush the cache *before* invalidating it, in case
++ * the tx and rx buffers overlap.
++ */
+ drv_data->tx_dma = dma_map_single(dev, drv_data->tx,
+- drv_data->tx_map_len,
+- DMA_TO_DEVICE);
++ drv_data->tx_map_len, DMA_TO_DEVICE);
++ if (dma_mapping_error(dev, drv_data->tx_dma))
++ return 0;
+
+- if (dma_mapping_error(dev, drv_data->tx_dma)) {
+- dma_unmap_single(dev, drv_data->rx_dma,
++ /* Stream map the rx buffer */
++ drv_data->rx_dma = dma_map_single(dev, drv_data->rx,
+ drv_data->rx_map_len, DMA_FROM_DEVICE);
++ if (dma_mapping_error(dev, drv_data->rx_dma)) {
++ dma_unmap_single(dev, drv_data->tx_dma,
++ drv_data->tx_map_len, DMA_TO_DEVICE);
+ return 0;
+ }
+
--- /dev/null
+usb-gadget-rndis-send-notifications.patch
+usb-gadget-rndis-stop-windows-self-immolation.patch
+usb-usbmon-fix-read.patch
+usb-fix-sb700-usb-subsystem-hang-bug.patch
+usb-fix-sb600-usb-subsystem-hang-bug.patch
+atl1e-fix-broken-multicast-by-removing-unnecessary-crc-inversion.patch
+cpuset-fix-regression-when-failed-to-generate-sched-domains.patch
+cgroups-fix-a-serious-bug-in-cgroupstats.patch
+ecryptfs-allocate-up-to-two-scatterlists-for-crypto-ops-on-keys.patch
+pxa2xx_spi-bugfix-full-duplex-dma-data-corruption.patch
--- /dev/null
+From 0a99e8ac430a27825bd055719765fd0d65cd797f Mon Sep 17 00:00:00 2001
+From: Shane Huang <shane.huang@amd.com>
+Date: Tue, 25 Nov 2008 15:12:33 +0800
+Subject: USB: fix SB600 USB subsystem hang bug
+
+From: Shane Huang <shane.huang@amd.com>
+
+commit 0a99e8ac430a27825bd055719765fd0d65cd797f upstream.
+
+This patch is required for all AMD SB600 revisions to avoid USB subsystem hang
+symptom. The USB subsystem hang symptom is observed when the system has
+multiple USB devices connected to it. In some cases a USB hub may be required
+to observe this symptom.
+
+Reported in bugzilla as #11599, the similar patch for SB700 old revision is:
+commit b09bc6cbae4dd3a2d35722668ef2c502a7b8b093
+
+Reported-by: raffaele <ralfconn@tele2.it>
+Tested-by: Roman Mamedov <roman@rm.pp.ru>
+Signed-off-by: Shane Huang <shane.huang@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-pci.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/ehci-pci.c
++++ b/drivers/usb/host/ehci-pci.c
+@@ -169,18 +169,21 @@ static int ehci_pci_setup(struct usb_hcd
+ }
+ break;
+ case PCI_VENDOR_ID_ATI:
+- /* SB700 old version has a bug in EHCI controller,
++ /* SB600 and old version of SB700 have a bug in EHCI controller,
+ * which causes usb devices lose response in some cases.
+ */
+- if (pdev->device == 0x4396) {
++ if ((pdev->device == 0x4386) || (pdev->device == 0x4396)) {
+ p_smbus = pci_get_device(PCI_VENDOR_ID_ATI,
+ PCI_DEVICE_ID_ATI_SBX00_SMBUS,
+ NULL);
+ if (!p_smbus)
+ break;
+ rev = p_smbus->revision;
+- if ((rev == 0x3a) || (rev == 0x3b)) {
++ if ((pdev->device == 0x4386) || (rev == 0x3a)
++ || (rev == 0x3b)) {
+ u8 tmp;
++ ehci_info(ehci, "applying AMD SB600/SB700 USB "
++ "freeze workaround\n");
+ pci_read_config_byte(pdev, 0x53, &tmp);
+ pci_write_config_byte(pdev, 0x53, tmp | (1<<3));
+ }
--- /dev/null
+From b09bc6cbae4dd3a2d35722668ef2c502a7b8b093 Mon Sep 17 00:00:00 2001
+From: Andiry Xu <andiry.xu@amd.com>
+Date: Fri, 14 Nov 2008 11:42:29 +0800
+Subject: USB: fix SB700 usb subsystem hang bug
+
+From: Andiry Xu <andiry.xu@amd.com>
+
+commit b09bc6cbae4dd3a2d35722668ef2c502a7b8b093 upstream.
+
+This patch is required for AMD SB700 south bridge revision A12 and A13 to avoid
+USB subsystem hang symptom. The USB subsystem hang symptom is observed when the
+system has multiple USB devices connected to it. In some cases a USB hub may be
+required to observe this symptom.
+
+This patch works around the problem by correcting the internal register setting
+that will help by changing the behavior of the internal logic to avoid the
+USB subsystem hang issue. The change in the behavior of the logic does not
+impact the normal operation of the USB subsystem.
+
+Reported-by: Volker Armin Hemmann <volker.armin.hemmann@tu-clausthal.de>
+Tested-by: Volker Armin Hemmann <volker.armin.hemmann@tu-clausthal.de>
+Signed-off-by: Andiry Xu <andiry.xu@amd.com>
+Signed-off-by: Libin Yang <libin.yang@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-pci.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/usb/host/ehci-pci.c
++++ b/drivers/usb/host/ehci-pci.c
+@@ -66,6 +66,8 @@ static int ehci_pci_setup(struct usb_hcd
+ {
+ struct ehci_hcd *ehci = hcd_to_ehci(hcd);
+ struct pci_dev *pdev = to_pci_dev(hcd->self.controller);
++ struct pci_dev *p_smbus;
++ u8 rev;
+ u32 temp;
+ int retval;
+
+@@ -166,6 +168,25 @@ static int ehci_pci_setup(struct usb_hcd
+ pci_write_config_byte(pdev, 0x4b, tmp | 0x20);
+ }
+ break;
++ case PCI_VENDOR_ID_ATI:
++ /* SB700 old version has a bug in EHCI controller,
++ * which causes usb devices lose response in some cases.
++ */
++ if (pdev->device == 0x4396) {
++ p_smbus = pci_get_device(PCI_VENDOR_ID_ATI,
++ PCI_DEVICE_ID_ATI_SBX00_SMBUS,
++ NULL);
++ if (!p_smbus)
++ break;
++ rev = p_smbus->revision;
++ if ((rev == 0x3a) || (rev == 0x3b)) {
++ u8 tmp;
++ pci_read_config_byte(pdev, 0x53, &tmp);
++ pci_write_config_byte(pdev, 0x53, tmp | (1<<3));
++ }
++ pci_dev_put(p_smbus);
++ }
++ break;
+ }
+
+ ehci_reset(ehci);
--- /dev/null
+From ff3495052af48f7a2bf7961b131dc9e161dae19c Mon Sep 17 00:00:00 2001
+From: Richard Röjfors <richard.rojfors@endian.se>
+Date: Sat, 15 Nov 2008 19:53:24 -0800
+Subject: USB: gadget rndis: send notifications
+
+From: Richard Röjfors <richard.rojfors@endian.se>
+
+commit ff3495052af48f7a2bf7961b131dc9e161dae19c upstream.
+
+It turns out that atomic_inc_return() returns the *new* value
+not the original one, so the logic in rndis_response_available()
+kept the first RNDIS response notification from getting out.
+This prevented interoperation with MS-Windows (but not Linux).
+
+Fix this to make RNDIS behave again.
+
+Signed-off-by: Richard Röjfors <richard.rojfors@endian.se>
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/gadget/f_rndis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/f_rndis.c
++++ b/drivers/usb/gadget/f_rndis.c
+@@ -303,7 +303,7 @@ static void rndis_response_available(voi
+ __le32 *data = req->buf;
+ int status;
+
+- if (atomic_inc_return(&rndis->notify_count))
++ if (atomic_inc_return(&rndis->notify_count) != 1)
+ return;
+
+ /* Send RNDIS RESPONSE_AVAILABLE notification; a
--- /dev/null
+From 9c264521a9f836541c122b00f505cfd60cc5bbb5 Mon Sep 17 00:00:00 2001
+From: David Brownell <dbrownell@users.sourceforge.net>
+Date: Sat, 15 Nov 2008 19:53:21 -0800
+Subject: USB: gadget rndis: stop windows self-immolation
+
+From: David Brownell <dbrownell@users.sourceforge.net>
+
+commit 9c264521a9f836541c122b00f505cfd60cc5bbb5 upstream.
+
+Somewhere in the conversion of the RNDIS gadget code to the new
+framework, the descriptor of its data interface seems to have
+been copied from the CDC Ethernet driver. Unfortunately that
+means it got a nonzero altsetting ... which is incorrect. Issue
+uncovered by Richard Röjfors <richard.rojfors@endian.se>.
+
+This patch fixes that problem, and resolves at least some cases
+of Windows XP bluescreening itself.
+
+Tested-by: Richard Röjfors <richard.rojfors@endian.se>.
+Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/gadget/f_rndis.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/f_rndis.c
++++ b/drivers/usb/gadget/f_rndis.c
+@@ -172,7 +172,6 @@ static struct usb_interface_descriptor r
+ .bDescriptorType = USB_DT_INTERFACE,
+
+ /* .bInterfaceNumber = DYNAMIC */
+- .bAlternateSetting = 1,
+ .bNumEndpoints = 2,
+ .bInterfaceClass = USB_CLASS_CDC_DATA,
+ .bInterfaceSubClass = 0,
--- /dev/null
+From f1c0a2a3aff53698f4855968d576464041d49b39 Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev <zaitcev@redhat.com>
+Date: Fri, 14 Nov 2008 09:47:41 -0700
+Subject: USB: usbmon: fix read(2)
+
+From: Pete Zaitcev <zaitcev@redhat.com>
+
+commit f1c0a2a3aff53698f4855968d576464041d49b39 upstream.
+
+There's a bug in the usbmon binary reader: When using read() to fetch
+the packets and a packet's data is partially read, the next read call
+will once again return up to len_cap bytes of data. The b_read counter
+is not regarded when determining the remaining chunk size.
+
+So, when dumping USB data with "cat /dev/usbmon0 > usbmon.trace" while
+reading from a USB storage device and analyzing the dump file
+afterwards it will get out of sync after a couple of packets.
+
+Signed-off-by: Ingo van Lil <inguin@gmx.de>
+Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/mon/mon_bin.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/mon/mon_bin.c
++++ b/drivers/usb/mon/mon_bin.c
+@@ -687,7 +687,10 @@ static ssize_t mon_bin_read(struct file
+ }
+
+ if (rp->b_read >= sizeof(struct mon_bin_hdr)) {
+- step_len = min(nbytes, (size_t)ep->len_cap);
++ step_len = ep->len_cap;
++ step_len -= rp->b_read - sizeof(struct mon_bin_hdr);
++ if (step_len > nbytes)
++ step_len = nbytes;
+ offset = rp->b_out + PKT_SIZE;
+ offset += rp->b_read - sizeof(struct mon_bin_hdr);
+ if (offset >= rp->b_size)
projects / thirdparty / kernel / stable-queue.git / commitdiff
