From: Greg Kroah-Hartman Date: Tue, 26 Feb 2013 23:07:48 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.7.10~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8d94b84da685de09873a16b1fd5aa6ca84013ff;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: bridge-set-priority-of-stp-packets.patch dca-check-against-empty-dca_domains-list-before-unregister-provider.patch ipv4-fix-a-bug-in-ping_err.patch ipv6-use-a-stronger-hash-for-tcp.patch net-fix-a-compile-error-when-sock_refcnt_debug-is-enabled.patch net-fix-infinite-loop-in-__skb_recv_datagram.patch sock_diag-fix-out-of-bounds-access-to-sock_diag_handlers.patch usb-ehci-omap-don-t-free-gpios-that-we-didn-t-request.patch usb-ehci-omap-fix-autoloading-of-module.patch usb-option-add-and-update-alcatel-modems.patch usb-option-add-huawei-acm-devices-using-protocol-vendor.patch usb-option-add-yota-megafon-m100-1-4g-modem.patch usb-storage-properly-handle-the-endian-issues-of-idproduct.patch usb-usb-storage-unusual_devs-update-for-super-top-sata-bridge.patch vlan-adjust-vlan_set_encap_proto-for-its-callers.patch xen-netback-cancel-the-credit-timer-when-taking-the-vif-down.patch xen-netback-correctly-return-errors-from-netbk_count_requests.patch --- diff --git a/queue-3.4/bridge-set-priority-of-stp-packets.patch b/queue-3.4/bridge-set-priority-of-stp-packets.patch new file mode 100644 index 00000000000..2dd6027e9a3 --- /dev/null +++ b/queue-3.4/bridge-set-priority-of-stp-packets.patch @@ -0,0 +1,41 @@ +From 8c0c59a9a1700e84d7b1d1e1a1077a26cb7f8ac7 Mon Sep 17 00:00:00 2001 +From: Stephen Hemminger +Date: Mon, 11 Feb 2013 08:22:22 +0000 +Subject: bridge: set priority of STP packets + + +From: Stephen Hemminger + +[ Upstream commit 547b4e718115eea74087e28d7fa70aec619200db ] + +Spanning Tree Protocol packets should have always been marked as +control packets, this causes them to get queued in the high prirority +FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge +gets overloaded and can't communicate. This is a long-standing bug back +to the first versions of Linux bridge. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_stp_bpdu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/bridge/br_stp_bpdu.c ++++ b/net/bridge/br_stp_bpdu.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -40,6 +41,7 @@ static void br_send_bpdu(struct net_brid + + skb->dev = p->dev; + skb->protocol = htons(ETH_P_802_2); ++ skb->priority = TC_PRIO_CONTROL; + + skb_reserve(skb, LLC_RESERVE); + memcpy(__skb_put(skb, length), data, length); diff --git a/queue-3.4/dca-check-against-empty-dca_domains-list-before-unregister-provider.patch b/queue-3.4/dca-check-against-empty-dca_domains-list-before-unregister-provider.patch new file mode 100644 index 00000000000..3caaa50098f --- /dev/null +++ b/queue-3.4/dca-check-against-empty-dca_domains-list-before-unregister-provider.patch @@ -0,0 +1,37 @@ +From c419fcfd071cf34ba00f9f65282583772d2655e7 Mon Sep 17 00:00:00 2001 +From: Maciej Sosnowski +Date: Wed, 23 May 2012 17:27:07 +0200 +Subject: dca: check against empty dca_domains list before unregister provider + +From: Maciej Sosnowski + +commit c419fcfd071cf34ba00f9f65282583772d2655e7 upstream. + +When providers get blocked unregister_dca_providers() is called ending up +with dca_providers and dca_domain lists emptied. Dca should be prevented from +trying to unregister any provider if dca_domain list is found empty. + +Reported-by: Jiang Liu +Tested-by: Gaohuai Han +Signed-off-by: Maciej Sosnowski +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dca/dca-core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/dca/dca-core.c ++++ b/drivers/dca/dca-core.c +@@ -420,6 +420,11 @@ void unregister_dca_provider(struct dca_ + + raw_spin_lock_irqsave(&dca_lock, flags); + ++ if (list_empty(&dca_domains)) { ++ raw_spin_unlock_irqrestore(&dca_lock, flags); ++ return; ++ } ++ + list_del(&dca->node); + + pci_rc = dca_pci_rc_from_dev(dev); diff --git a/queue-3.4/ipv4-fix-a-bug-in-ping_err.patch b/queue-3.4/ipv4-fix-a-bug-in-ping_err.patch new file mode 100644 index 00000000000..7e85c3a6d1f --- /dev/null +++ b/queue-3.4/ipv4-fix-a-bug-in-ping_err.patch @@ -0,0 +1,32 @@ +From 0325063977212e09fb5cdaa8fb7d05d3b000bd7e Mon Sep 17 00:00:00 2001 +From: Li Wei +Date: Thu, 21 Feb 2013 00:09:54 +0000 +Subject: ipv4: fix a bug in ping_err(). + + +From: Li Wei + +[ Upstream commit b531ed61a2a2a77eeb2f7c88b49aa5ec7d9880d8 ] + +We should get 'type' and 'code' from the outer ICMP header. + +Signed-off-by: Li Wei +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ping.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -321,8 +321,8 @@ void ping_err(struct sk_buff *skb, u32 i + struct iphdr *iph = (struct iphdr *)skb->data; + struct icmphdr *icmph = (struct icmphdr *)(skb->data+(iph->ihl<<2)); + struct inet_sock *inet_sock; +- int type = icmph->type; +- int code = icmph->code; ++ int type = icmp_hdr(skb)->type; ++ int code = icmp_hdr(skb)->code; + struct net *net = dev_net(skb->dev); + struct sock *sk; + int harderr; diff --git a/queue-3.4/ipv6-use-a-stronger-hash-for-tcp.patch b/queue-3.4/ipv6-use-a-stronger-hash-for-tcp.patch new file mode 100644 index 00000000000..ccbc685a672 --- /dev/null +++ b/queue-3.4/ipv6-use-a-stronger-hash-for-tcp.patch @@ -0,0 +1,120 @@ +From a4a16926f7dd10e0c7edf990588b218d56625b25 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 21 Feb 2013 12:18:52 +0000 +Subject: ipv6: use a stronger hash for tcp + + +From: Eric Dumazet + +[ Upstream commit 08dcdbf6a7b9d14c2302c5bd0c5390ddf122f664 ] + +It looks like its possible to open thousands of TCP IPv6 +sessions on a server, all landing in a single slot of TCP hash +table. Incoming packets have to lookup sockets in a very +long list. + +We should hash all bits from foreign IPv6 addresses, using +a salt and hash mix, not a simple XOR. + +inet6_ehashfn() can also separately use the ports, instead +of xoring them. + +Reported-by: Neal Cardwell +Signed-off-by: Eric Dumazet +Cc: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/inet6_hashtables.h | 8 ++++---- + include/net/inet_sock.h | 1 + + include/net/ipv6.h | 12 ++++++++++++ + net/ipv4/af_inet.c | 9 +++++++-- + 4 files changed, 24 insertions(+), 6 deletions(-) + +--- a/include/net/inet6_hashtables.h ++++ b/include/net/inet6_hashtables.h +@@ -28,16 +28,16 @@ + + struct inet_hashinfo; + +-/* I have no idea if this is a good hash for v6 or not. -DaveM */ + static inline unsigned int inet6_ehashfn(struct net *net, + const struct in6_addr *laddr, const u16 lport, + const struct in6_addr *faddr, const __be16 fport) + { +- u32 ports = (lport ^ (__force u16)fport); ++ u32 ports = (((u32)lport) << 16) | (__force u32)fport; + + return jhash_3words((__force u32)laddr->s6_addr32[3], +- (__force u32)faddr->s6_addr32[3], +- ports, inet_ehash_secret + net_hash_mix(net)); ++ ipv6_addr_jhash(faddr), ++ ports, ++ inet_ehash_secret + net_hash_mix(net)); + } + + static inline int inet6_sk_ehashfn(const struct sock *sk) +--- a/include/net/inet_sock.h ++++ b/include/net/inet_sock.h +@@ -202,6 +202,7 @@ static inline void inet_sk_copy_descenda + extern int inet_sk_rebuild_header(struct sock *sk); + + extern u32 inet_ehash_secret; ++extern u32 ipv6_hash_secret; + extern void build_ehash_secret(void); + + static inline unsigned int inet_ehashfn(struct net *net, +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -15,6 +15,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -390,6 +391,17 @@ struct ip6_create_arg { + void ip6_frag_init(struct inet_frag_queue *q, void *a); + int ip6_frag_match(struct inet_frag_queue *q, void *a); + ++/* more secured version of ipv6_addr_hash() */ ++static inline u32 ipv6_addr_jhash(const struct in6_addr *a) ++{ ++ u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1]; ++ ++ return jhash_3words(v, ++ (__force u32)a->s6_addr32[2], ++ (__force u32)a->s6_addr32[3], ++ ipv6_hash_secret); ++} ++ + static inline int ipv6_addr_any(const struct in6_addr *a) + { + return (a->s6_addr32[0] | a->s6_addr32[1] | +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -227,8 +227,12 @@ EXPORT_SYMBOL(inet_listen); + u32 inet_ehash_secret __read_mostly; + EXPORT_SYMBOL(inet_ehash_secret); + ++u32 ipv6_hash_secret __read_mostly; ++EXPORT_SYMBOL(ipv6_hash_secret); ++ + /* +- * inet_ehash_secret must be set exactly once ++ * inet_ehash_secret must be set exactly once, and to a non nul value ++ * ipv6_hash_secret must be set exactly once. + */ + void build_ehash_secret(void) + { +@@ -238,7 +242,8 @@ void build_ehash_secret(void) + get_random_bytes(&rnd, sizeof(rnd)); + } while (rnd == 0); + +- cmpxchg(&inet_ehash_secret, 0, rnd); ++ if (cmpxchg(&inet_ehash_secret, 0, rnd) == 0) ++ get_random_bytes(&ipv6_hash_secret, sizeof(ipv6_hash_secret)); + } + EXPORT_SYMBOL(build_ehash_secret); + diff --git a/queue-3.4/net-fix-a-compile-error-when-sock_refcnt_debug-is-enabled.patch b/queue-3.4/net-fix-a-compile-error-when-sock_refcnt_debug-is-enabled.patch new file mode 100644 index 00000000000..1206fa8e34b --- /dev/null +++ b/queue-3.4/net-fix-a-compile-error-when-sock_refcnt_debug-is-enabled.patch @@ -0,0 +1,42 @@ +From 8225ca67767a0a2533f1e7c06ac00091222e7f44 Mon Sep 17 00:00:00 2001 +From: Ying Xue +Date: Fri, 15 Feb 2013 22:28:25 +0000 +Subject: net: fix a compile error when SOCK_REFCNT_DEBUG is enabled + + +From: Ying Xue + +[ Upstream commit dec34fb0f5b7873de45132a84a3af29e61084a6b ] + +When SOCK_REFCNT_DEBUG is enabled, below build error is met: + +kernel/sysctl_binary.o: In function `sk_refcnt_debug_release': +include/net/sock.h:1025: multiple definition of `sk_refcnt_debug_release' +kernel/sysctl.o:include/net/sock.h:1025: first defined here +kernel/audit.o: In function `sk_refcnt_debug_release': +include/net/sock.h:1025: multiple definition of `sk_refcnt_debug_release' +kernel/sysctl.o:include/net/sock.h:1025: first defined here +make[1]: *** [kernel/built-in.o] Error 1 +make: *** [kernel] Error 2 + +So we decide to make sk_refcnt_debug_release static to eliminate +the error. + +Signed-off-by: Ying Xue +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -944,7 +944,7 @@ static inline void sk_refcnt_debug_dec(s + sk->sk_prot->name, sk, atomic_read(&sk->sk_prot->socks)); + } + +-inline void sk_refcnt_debug_release(const struct sock *sk) ++static inline void sk_refcnt_debug_release(const struct sock *sk) + { + if (atomic_read(&sk->sk_refcnt) != 1) + printk(KERN_DEBUG "Destruction of the %s socket %p delayed, refcnt=%d\n", diff --git a/queue-3.4/net-fix-infinite-loop-in-__skb_recv_datagram.patch b/queue-3.4/net-fix-infinite-loop-in-__skb_recv_datagram.patch new file mode 100644 index 00000000000..3d33000ee17 --- /dev/null +++ b/queue-3.4/net-fix-infinite-loop-in-__skb_recv_datagram.patch @@ -0,0 +1,54 @@ +From e71d1b0262074b61e1baf580579fa522146945b2 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 12 Feb 2013 06:16:53 +0000 +Subject: net: fix infinite loop in __skb_recv_datagram() + + +From: Eric Dumazet + +[ Upstream commit 77c1090f94d1b0b5186fb13a1b71b47b1343f87f ] + +Tommi was fuzzing with trinity and reported the following problem : + +commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram) +missed that a raw socket receive queue can contain skbs with no payload. + +We can loop in __skb_recv_datagram() with MSG_PEEK mode, because +wait_for_packet() is not prepared to skip these skbs. + +[ 83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {} +(detected by 0, t=26002 jiffies, g=27673, c=27672, q=75) +[ 83.541011] INFO: Stall ended before state dump start +[ 108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847] +... +[ 108.067010] Call Trace: +[ 108.067010] [] __skb_recv_datagram+0x1a3/0x3b0 +[ 108.067010] [] skb_recv_datagram+0x2d/0x30 +[ 108.067010] [] rawv6_recvmsg+0xad/0x240 +[ 108.067010] [] sock_common_recvmsg+0x34/0x50 +[ 108.067010] [] sock_recvmsg+0xbc/0xf0 +[ 108.067010] [] sys_recvfrom+0xde/0x150 +[ 108.067010] [] system_call_fastpath+0x16/0x1b + +Reported-by: Tommi Rantala +Tested-by: Tommi Rantala +Signed-off-by: Eric Dumazet +Cc: Pavel Emelyanov +Acked-by: Pavel Emelyanov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/datagram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/datagram.c ++++ b/net/core/datagram.c +@@ -187,7 +187,7 @@ struct sk_buff *__skb_recv_datagram(stru + skb_queue_walk(queue, skb) { + *peeked = skb->peeked; + if (flags & MSG_PEEK) { +- if (*off >= skb->len) { ++ if (*off >= skb->len && skb->len) { + *off -= skb->len; + continue; + } diff --git a/queue-3.4/series b/queue-3.4/series index ddc9d3a8924..95ec735d7a6 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -67,3 +67,20 @@ fb-rework-locking-to-fix-lock-ordering-on-takeover.patch fb-yet-another-band-aid-for-fixing-lockdep-mess.patch mmc-sdhci-esdhc-imx-fix-host-version-read.patch hid-wiimote-fix-nunchuck-button-parser.patch +bridge-set-priority-of-stp-packets.patch +net-fix-infinite-loop-in-__skb_recv_datagram.patch +xen-netback-correctly-return-errors-from-netbk_count_requests.patch +xen-netback-cancel-the-credit-timer-when-taking-the-vif-down.patch +net-fix-a-compile-error-when-sock_refcnt_debug-is-enabled.patch +ipv4-fix-a-bug-in-ping_err.patch +ipv6-use-a-stronger-hash-for-tcp.patch +sock_diag-fix-out-of-bounds-access-to-sock_diag_handlers.patch +vlan-adjust-vlan_set_encap_proto-for-its-callers.patch +usb-ehci-omap-don-t-free-gpios-that-we-didn-t-request.patch +dca-check-against-empty-dca_domains-list-before-unregister-provider.patch +usb-option-add-and-update-alcatel-modems.patch +usb-option-add-yota-megafon-m100-1-4g-modem.patch +usb-option-add-huawei-acm-devices-using-protocol-vendor.patch +usb-ehci-omap-fix-autoloading-of-module.patch +usb-storage-properly-handle-the-endian-issues-of-idproduct.patch +usb-usb-storage-unusual_devs-update-for-super-top-sata-bridge.patch diff --git a/queue-3.4/sock_diag-fix-out-of-bounds-access-to-sock_diag_handlers.patch b/queue-3.4/sock_diag-fix-out-of-bounds-access-to-sock_diag_handlers.patch new file mode 100644 index 00000000000..05af4cda578 --- /dev/null +++ b/queue-3.4/sock_diag-fix-out-of-bounds-access-to-sock_diag_handlers.patch @@ -0,0 +1,36 @@ +From 21091b1c3592f7dc9f7287305c47b2f801dfdd35 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sat, 23 Feb 2013 01:13:47 +0000 +Subject: sock_diag: Fix out-of-bounds access to sock_diag_handlers[] + + +From: Mathias Krause + +[ Upstream commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 ] + +Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY +with a family greater or equal then AF_MAX -- the array size of +sock_diag_handlers[]. The current code does not test for this +condition therefore is vulnerable to an out-of-bound access opening +doors for a privilege escalation. + +Signed-off-by: Mathias Krause +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/sock_diag.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/sock_diag.c ++++ b/net/core/sock_diag.c +@@ -126,6 +126,9 @@ static int __sock_diag_rcv_msg(struct sk + if (nlmsg_len(nlh) < sizeof(*req)) + return -EINVAL; + ++ if (req->sdiag_family >= AF_MAX) ++ return -EINVAL; ++ + hndl = sock_diag_lock_handler(req->sdiag_family); + if (hndl == NULL) + err = -ENOENT; diff --git a/queue-3.4/usb-ehci-omap-don-t-free-gpios-that-we-didn-t-request.patch b/queue-3.4/usb-ehci-omap-don-t-free-gpios-that-we-didn-t-request.patch new file mode 100644 index 00000000000..b4622af9456 --- /dev/null +++ b/queue-3.4/usb-ehci-omap-don-t-free-gpios-that-we-didn-t-request.patch @@ -0,0 +1,69 @@ +From 428525f97153505e83983460a8d08a3210aa6b8a Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 14 Feb 2013 17:08:08 +0200 +Subject: USB: ehci-omap: Don't free gpios that we didn't request + +From: Roger Quadros + +commit 428525f97153505e83983460a8d08a3210aa6b8a upstream. + +This driver does not request any gpios so don't free them. +Fixes L3 bus error on multiple modprobe/rmmod of ehci_hcd +with ehci-omap in use. + +Without this patch, EHCI will break on repeated insmod/rmmod +of ehci_hcd for all OMAP2+ platforms that use EHCI and +set 'phy_reset = true' in usbhs_omap_board_data. +i.e. + +board-3430sdp.c: .phy_reset = true, +board-3630sdp.c: .phy_reset = true, +board-am3517crane.c: .phy_reset = true, +board-am3517evm.c: .phy_reset = true, +board-cm-t3517.c: .phy_reset = true, +board-cm-t35.c: .phy_reset = true, +board-devkit8000.c: .phy_reset = true, +board-igep0020.c: .phy_reset = true, +board-igep0020.c: .phy_reset = true, +board-omap3beagle.c: .phy_reset = true, +board-omap3evm.c: .phy_reset = true, +board-omap3pandora.c: .phy_reset = true, +board-omap3stalker.c: .phy_reset = true, +board-omap3touchbook.c: .phy_reset = true, +board-omap4panda.c: .phy_reset = false, +board-overo.c: .phy_reset = true, +board-zoom.c: .phy_reset = true, + +Signed-off-by: Roger Quadros +Reviewed-by: Felipe Balbi +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-omap.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/drivers/usb/host/ehci-omap.c ++++ b/drivers/usb/host/ehci-omap.c +@@ -288,7 +288,6 @@ static int ehci_hcd_omap_remove(struct p + { + struct device *dev = &pdev->dev; + struct usb_hcd *hcd = dev_get_drvdata(dev); +- struct ehci_hcd_omap_platform_data *pdata = dev->platform_data; + + usb_remove_hcd(hcd); + disable_put_regulator(dev->platform_data); +@@ -297,13 +296,6 @@ static int ehci_hcd_omap_remove(struct p + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); + +- if (pdata->phy_reset) { +- if (gpio_is_valid(pdata->reset_gpio_port[0])) +- gpio_free(pdata->reset_gpio_port[0]); +- +- if (gpio_is_valid(pdata->reset_gpio_port[1])) +- gpio_free(pdata->reset_gpio_port[1]); +- } + return 0; + } + diff --git a/queue-3.4/usb-ehci-omap-fix-autoloading-of-module.patch b/queue-3.4/usb-ehci-omap-fix-autoloading-of-module.patch new file mode 100644 index 00000000000..8759d703a97 --- /dev/null +++ b/queue-3.4/usb-ehci-omap-fix-autoloading-of-module.patch @@ -0,0 +1,32 @@ +From 04753523266629b1cd0518091da1658755787198 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 14 Feb 2013 17:08:09 +0200 +Subject: USB: ehci-omap: Fix autoloading of module + +From: Roger Quadros + +commit 04753523266629b1cd0518091da1658755787198 upstream. + +The module alias should be "ehci-omap" and not +"omap-ehci" to match the platform device name. +The omap-ehci module should now autoload correctly. + +Signed-off-by: Roger Quadros +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-omap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/ehci-omap.c ++++ b/drivers/usb/host/ehci-omap.c +@@ -363,7 +363,7 @@ static const struct hc_driver ehci_omap_ + .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete, + }; + +-MODULE_ALIAS("platform:omap-ehci"); ++MODULE_ALIAS("platform:ehci-omap"); + MODULE_AUTHOR("Texas Instruments, Inc."); + MODULE_AUTHOR("Felipe Balbi "); + diff --git a/queue-3.4/usb-option-add-and-update-alcatel-modems.patch b/queue-3.4/usb-option-add-and-update-alcatel-modems.patch new file mode 100644 index 00000000000..74fdc61b316 --- /dev/null +++ b/queue-3.4/usb-option-add-and-update-alcatel-modems.patch @@ -0,0 +1,70 @@ +From f8f0302bbcbd1b14655bef29f6996a2152be559d Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Wed, 23 Jan 2013 10:44:36 +0100 +Subject: USB: option: add and update Alcatel modems + +From: Bjørn Mork + +commit f8f0302bbcbd1b14655bef29f6996a2152be559d upstream. + +Adding three currently unsupported modems based on information +from .inf driver files: + + Diag VID_1BBB&PID_0052&MI_00 + AGPS VID_1BBB&PID_0052&MI_01 + VOICE VID_1BBB&PID_0052&MI_02 + AT VID_1BBB&PID_0052&MI_03 + Modem VID_1BBB&PID_0052&MI_05 + wwan VID_1BBB&PID_0052&MI_06 + + Diag VID_1BBB&PID_00B6&MI_00 + AT VID_1BBB&PID_00B6&MI_01 + Modem VID_1BBB&PID_00B6&MI_02 + wwan VID_1BBB&PID_00B6&MI_03 + + Diag VID_1BBB&PID_00B7&MI_00 + AGPS VID_1BBB&PID_00B7&MI_01 + VOICE VID_1BBB&PID_00B7&MI_02 + AT VID_1BBB&PID_00B7&MI_03 + Modem VID_1BBB&PID_00B7&MI_04 + wwan VID_1BBB&PID_00B7&MI_05 + +Updating the blacklist info for the X060S_X200 and X220_X500D, +reserving interfaces for a wwan driver, based on + + wwan VID_1BBB&PID_0000&MI_04 + wwan VID_1BBB&PID_0017&MI_06 + +Signed-off-by: Bjørn Mork +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -479,6 +479,7 @@ static const struct option_blacklist_inf + + static const struct option_blacklist_info alcatel_x200_blacklist = { + .sendsetup = BIT(0) | BIT(1), ++ .reserved = BIT(4), + }; + + static const struct option_blacklist_info zte_0037_blacklist = { +@@ -1215,7 +1216,14 @@ static const struct usb_device_id option + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200), + .driver_info = (kernel_ulong_t)&alcatel_x200_blacklist + }, +- { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D) }, ++ { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D), ++ .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ { USB_DEVICE(ALCATEL_VENDOR_ID, 0x0052), ++ .driver_info = (kernel_ulong_t)&net_intf6_blacklist }, ++ { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b6), ++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, ++ { USB_DEVICE(ALCATEL_VENDOR_ID, 0x00b7), ++ .driver_info = (kernel_ulong_t)&net_intf5_blacklist }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_L100V), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) }, diff --git a/queue-3.4/usb-option-add-huawei-acm-devices-using-protocol-vendor.patch b/queue-3.4/usb-option-add-huawei-acm-devices-using-protocol-vendor.patch new file mode 100644 index 00000000000..08192fb3388 --- /dev/null +++ b/queue-3.4/usb-option-add-huawei-acm-devices-using-protocol-vendor.patch @@ -0,0 +1,49 @@ +From 1f3f687722fd9b29a0c2a85b4844e3b2a3585c63 Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Wed, 13 Feb 2013 23:41:34 +0100 +Subject: USB: option: add Huawei "ACM" devices using protocol = vendor + +From: Bjørn Mork + +commit 1f3f687722fd9b29a0c2a85b4844e3b2a3585c63 upstream. + +The USB device descriptor of one identity presented by a few +Huawei morphing devices have serial functions with class codes +02/02/ff, indicating CDC ACM with a vendor specific protocol. This +combination is often used for MSFT RNDIS functions, and the CDC +ACM class driver will therefore ignore such functions. + +The CDC ACM class driver cannot support functions with only 2 +endpoints. The underlying serial functions of these modems are +also believed to be the same as for alternate device identities +already supported by the option driver. Letting the same driver +handle these functions independently of the current identity +ensures consistent handling and user experience. + +There is no need to blacklist these devices in the rndis_host +driver. Huawei serial functions will either have only 2 endpoints +or a CDC ACM functional descriptor with bmCapabilities != 0, making +them correctly ignored as "non RNDIS" by that driver. + +Signed-off-by: Bjørn Mork +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -578,8 +578,12 @@ static const struct usb_device_id option + { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLE) }, + { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c05, USB_CLASS_COMM, 0x02, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) }, ++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t) &huawei_cdc12_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K3765, 0xff, 0xff, 0xff), diff --git a/queue-3.4/usb-option-add-yota-megafon-m100-1-4g-modem.patch b/queue-3.4/usb-option-add-yota-megafon-m100-1-4g-modem.patch new file mode 100644 index 00000000000..812f7d09e36 --- /dev/null +++ b/queue-3.4/usb-option-add-yota-megafon-m100-1-4g-modem.patch @@ -0,0 +1,60 @@ +From cd565279e51bedee1b2988e84f9b3bef485adeb6 Mon Sep 17 00:00:00 2001 +From: Bjørn Mork +Date: Tue, 12 Feb 2013 13:42:24 +0100 +Subject: USB: option: add Yota / Megafon M100-1 4g modem + +From: Bjørn Mork + +commit cd565279e51bedee1b2988e84f9b3bef485adeb6 upstream. + +Interface layout: + + 00 CD-ROM + 01 debug COM port + 02 AP control port + 03 modem + 04 usb-ethernet + +Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#= 4 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=0408 ProdID=ea42 Rev= 0.00 +S: Manufacturer=Qualcomm, Incorporated +S: Product=Qualcomm CDMA Technologies MSM +S: SerialNumber=353568051xxxxxx +C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms +I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=84(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=2ms +E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms + +Signed-off-by: Bjørn Mork +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -576,6 +576,8 @@ static const struct usb_device_id option + { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLX) }, + { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GKE) }, + { USB_DEVICE(QUANTA_VENDOR_ID, QUANTA_PRODUCT_GLE) }, ++ { USB_DEVICE(QUANTA_VENDOR_ID, 0xea42), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t) &net_intf1_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff), diff --git a/queue-3.4/usb-storage-properly-handle-the-endian-issues-of-idproduct.patch b/queue-3.4/usb-storage-properly-handle-the-endian-issues-of-idproduct.patch new file mode 100644 index 00000000000..bea89b92543 --- /dev/null +++ b/queue-3.4/usb-storage-properly-handle-the-endian-issues-of-idproduct.patch @@ -0,0 +1,39 @@ +From cd060956c5e97931c3909e4a808508469c0bb9f6 Mon Sep 17 00:00:00 2001 +From: fangxiaozhi +Date: Thu, 7 Feb 2013 15:32:07 +0800 +Subject: USB: storage: properly handle the endian issues of idProduct + +From: fangxiaozhi + +commit cd060956c5e97931c3909e4a808508469c0bb9f6 upstream. + +1. The idProduct is little endian, so make sure its value to be +compatible with the current CPU. Make no break on big endian processors. + +Signed-off-by: fangxiaozhi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/initializers.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/storage/initializers.c ++++ b/drivers/usb/storage/initializers.c +@@ -147,7 +147,7 @@ static int usb_stor_huawei_dongles_pid(s + int idProduct; + + idesc = &us->pusb_intf->cur_altsetting->desc; +- idProduct = us->pusb_dev->descriptor.idProduct; ++ idProduct = le16_to_cpu(us->pusb_dev->descriptor.idProduct); + /* The first port is CDROM, + * means the dongle in the single port mode, + * and a switch command is required to be sent. */ +@@ -169,7 +169,7 @@ int usb_stor_huawei_init(struct us_data + int result = 0; + + if (usb_stor_huawei_dongles_pid(us)) { +- if (us->pusb_dev->descriptor.idProduct >= 0x1446) ++ if (le16_to_cpu(us->pusb_dev->descriptor.idProduct) >= 0x1446) + result = usb_stor_huawei_scsi_init(us); + else + result = usb_stor_huawei_feature_init(us); diff --git a/queue-3.4/usb-usb-storage-unusual_devs-update-for-super-top-sata-bridge.patch b/queue-3.4/usb-usb-storage-unusual_devs-update-for-super-top-sata-bridge.patch new file mode 100644 index 00000000000..92a0ff44d02 --- /dev/null +++ b/queue-3.4/usb-usb-storage-unusual_devs-update-for-super-top-sata-bridge.patch @@ -0,0 +1,40 @@ +From 18e03310b5caa6d11c1a8c61b982c37047693fba Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Thu, 14 Feb 2013 09:39:09 -0500 +Subject: USB: usb-storage: unusual_devs update for Super TOP SATA bridge + +From: Josh Boyer + +commit 18e03310b5caa6d11c1a8c61b982c37047693fba upstream. + +The current entry in unusual_cypress.h for the Super TOP SATA bridge devices +seems to be causing corruption on newer revisions of this device. This has +been reported in Arch Linux and Fedora. The original patch was tested on +devices with bcdDevice of 1.60, whereas the newer devices report bcdDevice +as 2.20. Limit the UNUSUAL_DEV entry to devices less than 2.20. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=909591 + +The Arch Forum post on this is here: + https://bbs.archlinux.org/viewtopic.php?id=152011 + +Reported-by: Carsten S. +Tested-by: Carsten S. +Signed-off-by: Josh Boyer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_cypress.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/unusual_cypress.h ++++ b/drivers/usb/storage/unusual_cypress.h +@@ -31,7 +31,7 @@ UNUSUAL_DEV( 0x04b4, 0x6831, 0x0000, 0x + "Cypress ISD-300LP", + USB_SC_CYP_ATACB, USB_PR_DEVICE, NULL, 0), + +-UNUSUAL_DEV( 0x14cd, 0x6116, 0x0000, 0x9999, ++UNUSUAL_DEV( 0x14cd, 0x6116, 0x0000, 0x0219, + "Super Top", + "USB 2.0 SATA BRIDGE", + USB_SC_CYP_ATACB, USB_PR_DEVICE, NULL, 0), diff --git a/queue-3.4/vlan-adjust-vlan_set_encap_proto-for-its-callers.patch b/queue-3.4/vlan-adjust-vlan_set_encap_proto-for-its-callers.patch new file mode 100644 index 00000000000..3216d7fe955 --- /dev/null +++ b/queue-3.4/vlan-adjust-vlan_set_encap_proto-for-its-callers.patch @@ -0,0 +1,69 @@ +From 1591b8595fd6cde710c399e5ab325fee269644a3 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Thu, 21 Feb 2013 23:32:27 +0000 +Subject: vlan: adjust vlan_set_encap_proto() for its callers + + +From: Cong Wang + +[ Upstream commit da8c87241c26aac81a64c7e4d21d438a33018f4e ] + +There are two places to call vlan_set_encap_proto(): +vlan_untag() and __pop_vlan_tci(). + +vlan_untag() assumes skb->data points after mac addr, otherwise +the following code + + vhdr = (struct vlan_hdr *) skb->data; + vlan_tci = ntohs(vhdr->h_vlan_TCI); + __vlan_hwaccel_put_tag(skb, vlan_tci); + + skb_pull_rcsum(skb, VLAN_HLEN); + +won't be correct. But __pop_vlan_tci() assumes points _before_ +mac addr. + +In vlan_set_encap_proto(), it looks for some magic L2 value +after mac addr: + + rawp = skb->data; + if (*(unsigned short *) rawp == 0xFFFF) + ... + +Therefore __pop_vlan_tci() is obviously wrong. + +A quick fix is avoiding using skb->data in vlan_set_encap_proto(), +use 'vhdr+1' is always correct in both cases. + +Cc: David S. Miller +Cc: Jesse Gross +Signed-off-by: Cong Wang +Acked-by: Jesse Gross +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_vlan.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -327,7 +327,7 @@ static inline void vlan_set_encap_proto( + struct vlan_hdr *vhdr) + { + __be16 proto; +- unsigned char *rawp; ++ unsigned short *rawp; + + /* + * Was a VLAN packet, grab the encapsulated protocol, which the layer +@@ -340,8 +340,8 @@ static inline void vlan_set_encap_proto( + return; + } + +- rawp = skb->data; +- if (*(unsigned short *) rawp == 0xFFFF) ++ rawp = (unsigned short *)(vhdr + 1); ++ if (*rawp == 0xFFFF) + /* + * This is a magic hack to spot IPX packets. Older Novell + * breaks the protocol design and runs IPX over 802.3 without diff --git a/queue-3.4/xen-netback-cancel-the-credit-timer-when-taking-the-vif-down.patch b/queue-3.4/xen-netback-cancel-the-credit-timer-when-taking-the-vif-down.patch new file mode 100644 index 00000000000..490af983d61 --- /dev/null +++ b/queue-3.4/xen-netback-cancel-the-credit-timer-when-taking-the-vif-down.patch @@ -0,0 +1,55 @@ +From 740f825d8a83fcf430093e6ee7606f4380c66a3c Mon Sep 17 00:00:00 2001 +From: David Vrabel +Date: Thu, 14 Feb 2013 03:18:58 +0000 +Subject: xen-netback: cancel the credit timer when taking the vif down + + +From: David Vrabel + +[ Upstream commit 3e55f8b306cf305832a4ac78aa82e1b40e818ece ] + +If the credit timer is left armed after calling +xen_netbk_remove_xenvif(), then it may fire and attempt to schedule +the vif which will then oops as vif->netbk == NULL. + +This may happen both in the fatal error path and during normal +disconnection from the front end. + +The sequencing during shutdown is critical to ensure that: a) +vif->netbk doesn't become unexpectedly NULL; and b) the net device/vif +is not freed. + +1. Mark as unschedulable (netif_carrier_off()). +2. Synchronously cancel the timer. +3. Remove the vif from the schedule list. +4. Remove it from it netback thread group. +5. Wait for vif->refcnt to become 0. + +Signed-off-by: David Vrabel +Acked-by: Ian Campbell +Reported-by: Christopher S. Aker +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/interface.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -132,6 +132,7 @@ static void xenvif_up(struct xenvif *vif + static void xenvif_down(struct xenvif *vif) + { + disable_irq(vif->irq); ++ del_timer_sync(&vif->credit_timeout); + xen_netbk_deschedule_xenvif(vif); + xen_netbk_remove_xenvif(vif); + } +@@ -363,8 +364,6 @@ void xenvif_disconnect(struct xenvif *vi + atomic_dec(&vif->refcnt); + wait_event(vif->waiting_to_free, atomic_read(&vif->refcnt) == 0); + +- del_timer_sync(&vif->credit_timeout); +- + if (vif->irq) + unbind_from_irqhandler(vif->irq, vif); + diff --git a/queue-3.4/xen-netback-correctly-return-errors-from-netbk_count_requests.patch b/queue-3.4/xen-netback-correctly-return-errors-from-netbk_count_requests.patch new file mode 100644 index 00000000000..9e54cfee7fe --- /dev/null +++ b/queue-3.4/xen-netback-correctly-return-errors-from-netbk_count_requests.patch @@ -0,0 +1,73 @@ +From 0098acdb710d4f1d854e5ca39c78e9dd6fe346fd Mon Sep 17 00:00:00 2001 +From: David Vrabel +Date: Thu, 14 Feb 2013 03:18:57 +0000 +Subject: xen-netback: correctly return errors from netbk_count_requests() + + +From: David Vrabel + +[ Upstream commit 35876b5ffc154c357476b2c3bdab10feaf4bd8f0 ] + +netbk_count_requests() could detect an error, call +netbk_fatal_tx_error() but return 0. The vif may then be used +afterwards (e.g., in a call to netbk_tx_error(). + +Since netbk_fatal_tx_error() could set vif->refcnt to 1, the vif may +be freed immediately after the call to netbk_fatal_tx_error() (e.g., +if the vif is also removed). + +Netback thread Xenwatch thread +------------------------------------------- +netbk_fatal_tx_err() netback_remove() + xenvif_disconnect() + ... + free_netdev() +netbk_tx_err() Oops! + +Signed-off-by: Wei Liu +Signed-off-by: Jan Beulich +Signed-off-by: David Vrabel +Reported-by: Christopher S. Aker +Acked-by: Ian Campbell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -883,13 +883,13 @@ static int netbk_count_requests(struct x + if (frags >= work_to_do) { + netdev_err(vif->dev, "Need more frags\n"); + netbk_fatal_tx_err(vif); +- return -frags; ++ return -ENODATA; + } + + if (unlikely(frags >= MAX_SKB_FRAGS)) { + netdev_err(vif->dev, "Too many frags\n"); + netbk_fatal_tx_err(vif); +- return -frags; ++ return -E2BIG; + } + + memcpy(txp, RING_GET_REQUEST(&vif->tx, cons + frags), +@@ -897,7 +897,7 @@ static int netbk_count_requests(struct x + if (txp->size > first->size) { + netdev_err(vif->dev, "Frag is bigger than frame.\n"); + netbk_fatal_tx_err(vif); +- return -frags; ++ return -EIO; + } + + first->size -= txp->size; +@@ -907,7 +907,7 @@ static int netbk_count_requests(struct x + netdev_err(vif->dev, "txp->offset: %x, size: %u\n", + txp->offset, txp->size); + netbk_fatal_tx_err(vif); +- return -frags; ++ return -EINVAL; + } + } while ((txp++)->flags & XEN_NETTXF_more_data); + return frags;