From a8c71350e6ba8fa8dc1a8b882f77a746c43a926c Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Thu, 3 Sep 2009 16:12:47 -0700
Subject: [PATCH] more .30 patches
---
 .../appletalk-fix-atalk_getname-leak.patch | 29 ++
 ...-fix-read-write-outside-array-bounds.patch | 44 +++
 queue-2.6.30/can-fix-raw_getname-leak.patch | 33 +++
 .../econet-fix-econet_getname-leak.patch | 29 ++
 ...ppend_data-handle-null-routing-table.patch | 29 ++
 queue-2.6.30/irda-fix-irda_getname-leak.patch | 29 ++
 .../net-llc-zero-sockaddr_llc-struct.patch | 30 ++
 queue-2.6.30/netrom-fix-nr_getname-leak.patch | 29 ++
 ...rtc-ps3-platform-device-registration.patch | 42 +++
 queue-2.6.30/rose-fix-rose_getname-leak.patch | 29 ++
 queue-2.6.30/series | 14 +
 ...-new-bugs-related-to-clear-tt-buffer.patch | 88 ++++++
 ...se-the-new-clear_tt_buffer-interface.patch | 262 ++++++++++++++++++
 ...sb-fix-the-clear_tt_buffer-interface.patch | 200 +++++++++++++
 ...ect-to-backend-before-registering-fb.patch | 50 ++++
 15 files changed, 937 insertions(+)
 create mode 100644 queue-2.6.30/appletalk-fix-atalk_getname-leak.patch
 create mode 100644 queue-2.6.30/ar9170-fix-read-write-outside-array-bounds.patch
 create mode 100644 queue-2.6.30/can-fix-raw_getname-leak.patch
 create mode 100644 queue-2.6.30/econet-fix-econet_getname-leak.patch
 create mode 100644 queue-2.6.30/ipv4-make-ip_append_data-handle-null-routing-table.patch
 create mode 100644 queue-2.6.30/irda-fix-irda_getname-leak.patch
 create mode 100644 queue-2.6.30/net-llc-zero-sockaddr_llc-struct.patch
 create mode 100644 queue-2.6.30/netrom-fix-nr_getname-leak.patch
 create mode 100644 queue-2.6.30/powerpc-ps3-add-missing-check-for-ps3-to-rtc-ps3-platform-device-registration.patch
 create mode 100644 queue-2.6.30/rose-fix-rose_getname-leak.patch
 create mode 100644 queue-2.6.30/usb-ehci-fix-two-new-bugs-related-to-clear-tt-buffer.patch
 create mode 100644 queue-2.6.30/usb-ehci-use-the-new-clear_tt_buffer-interface.patch
 create mode 100644 queue-2.6.30/usb-fix-the-clear_tt_buffer-interface.patch
 create mode 100644 queue-2.6.30/xenfb-connect-to-backend-before-registering-fb.patch
diff --git a/queue-2.6.30/appletalk-fix-atalk_getname-leak.patch b/queue-2.6.30/appletalk-fix-atalk_getname-leak.patch
new file mode 100644
index 00000000000..77c8e6a05e0
--- /dev/null
+++ b/queue-2.6.30/appletalk-fix-atalk_getname-leak.patch
@@ -0,0 +1,29 @@
+From 3d392475c873c10c10d6d96b94d092a34ebd4791 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 6 Aug 2009 02:27:43 +0000
+Subject: appletalk: fix atalk_getname() leak
+
+From: Eric Dumazet
+
+commit 3d392475c873c10c10d6d96b94d092a34ebd4791 upstream.
+
+atalk_getname() can leak 8 bytes of kernel memory to user
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/appletalk/ddp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1242,6 +1242,7 @@ static int atalk_getname(struct socket *
+ return -ENOBUFS;
+
+ *uaddr_len = sizeof(struct sockaddr_at);
++ memset(&sat.sat_zero, 0, sizeof(sat.sat_zero));
+
+ if (peer) {
+ if (sk->sk_state != TCP_ESTABLISHED)
diff --git a/queue-2.6.30/ar9170-fix-read-write-outside-array-bounds.patch b/queue-2.6.30/ar9170-fix-read-write-outside-array-bounds.patch
new file mode 100644
index 00000000000..3d30c4f983e
--- /dev/null
+++ b/queue-2.6.30/ar9170-fix-read-write-outside-array-bounds.patch
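Review bot: In the appletalk patch (net/appletalk/ddp.c, atalk_getname()), the added `memset(&sat.sat_zero, 0, sizeof(sat.sat_zero));` clears only the sat_zero member, so any compiler padding elsewhere in struct sockaddr_at would still reach user space uninitialised; the struct layout is not visible here and should be checked against the header. The other getname fixes in this queue (can, econet, irda, llc, rose) clear the whole structure, and doing the same here with `memset(&sat, 0, sizeof(sat));` before the fields are filled would close the leak regardless of layout. The netrom patch has the same shape: `memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));` covers only the digipeater array, and only in the peer branch, whose `else` arm lies outside the hunk. Both functions continue beyond the quoted context.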
@@ -0,0 +1,44 @@
+From e9d126cdfa60b575f1b5b02024c4faee27dccf07 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Sun, 9 Aug 2009 14:24:09 +0200
+Subject: ar9170: fix read & write outside array bounds
+
+From: Dan Carpenter
+
+commit e9d126cdfa60b575f1b5b02024c4faee27dccf07 upstream.
+
+Backport done by Christian Lamparter
+
+queue == __AR9170_NUM_TXQ would cause a bug on the next line.
+
+found by Smatch ( http://repo.or.cz/w/smatch.git ).
+
+Reported-by: Dan Carpenter
+Signed-off-by: Dan Carpenter
+Signed-off-by: Christian Lamparter
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ar9170/main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ar9170/main.c
++++ b/drivers/net/wireless/ar9170/main.c
+@@ -1486,13 +1486,14 @@ static int ar9170_conf_tx(struct ieee802
+ int ret;
+
+ mutex_lock(&ar->mutex);
+- if ((param) && !(queue > ar->hw->queues)) {
++ if (queue < __AR9170_NUM_TXQ) {
+ memcpy(&ar->edcf[ar9170_qos_hwmap[queue]],
+ param, sizeof(*param));
+
+ ret = ar9170_set_qos(ar);
+- } else
++ } else {
+ ret = -EINVAL;
++ }
+
+ mutex_unlock(&ar->mutex);
+ return ret;
diff --git a/queue-2.6.30/can-fix-raw_getname-leak.patch b/queue-2.6.30/can-fix-raw_getname-leak.patch
new file mode 100644
index 00000000000..1e46088a0a4
--- /dev/null
+++ b/queue-2.6.30/can-fix-raw_getname-leak.patch
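Review bot: The rewritten test in ar9170_conf_tx() drops the old `(param)` NULL check, so the `memcpy(..., param, sizeof(*param))` that follows now runs whenever `queue < __AR9170_NUM_TXQ`, even if `param` is NULL. If every caller guarantees a non-NULL `param`, the commit message should say so; otherwise keep both conditions, `if (param && queue < __AR9170_NUM_TXQ) {`. It is also worth confirming that `ar9170_qos_hwmap` has at least `__AR9170_NUM_TXQ` entries, since its declaration is not part of the hunk.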
@@ -0,0 +1,33 @@
+From e84b90ae5eb3c112d1f208964df1d8156a538289 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 6 Aug 2009 20:27:04 +0000
+Subject: can: Fix raw_getname() leak
+
+From: Eric Dumazet
+
+commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream.
+
+raw_getname() can leak 10 bytes of kernel memory to user
+
+(two bytes hole between can_family and can_ifindex,
+8 bytes at the end of sockaddr_can structure)
+
+Signed-off-by: Eric Dumazet
+Acked-by: Oliver Hartkopp
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/can/raw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -397,6 +397,7 @@ static int raw_getname(struct socket *so
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(addr, 0, sizeof(*addr));
+ addr->can_family = AF_CAN;
+ addr->can_ifindex = ro->ifindex;
+
diff --git a/queue-2.6.30/econet-fix-econet_getname-leak.patch b/queue-2.6.30/econet-fix-econet_getname-leak.patch
new file mode 100644
index 00000000000..86419f36efa
--- /dev/null
+++ b/queue-2.6.30/econet-fix-econet_getname-leak.patch
@@ -0,0 +1,29 @@
+From 80922bbb12a105f858a8f0abb879cb4302d0ecaa Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 6 Aug 2009 03:48:36 +0000
+Subject: econet: Fix econet_getname() leak
+
+From: Eric Dumazet
+
+commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa upstream.
+
+econet_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/econet/af_econet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/econet/af_econet.c
++++ b/net/econet/af_econet.c
+@@ -520,6 +520,7 @@ static int econet_getname(struct socket
+ if (peer)
+ return -EOPNOTSUPP;
+
++ memset(sec, 0, sizeof(*sec));
+ mutex_lock(&econet_mutex);
+
+ sk = sock->sk;
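Review bot: The `memset(addr, 0, sizeof(*addr));` added to raw_getname() carries no comment, and because the named fields are assigned right after it, a later cleanup could mistake it for a redundant initialisation and remove it. A one-line comment such as `/* clear holes and unused bytes: the whole struct is copied to user space */` would record why it has to stay. The same applies to the memset lines added by the econet, irda, llc and rose patches in this queue.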
diff --git a/queue-2.6.30/ipv4-make-ip_append_data-handle-null-routing-table.patch b/queue-2.6.30/ipv4-make-ip_append_data-handle-null-routing-table.patch
new file mode 100644
index 00000000000..6ece50364d7
--- /dev/null
+++ b/queue-2.6.30/ipv4-make-ip_append_data-handle-null-routing-table.patch
@@ -0,0 +1,29 @@
+From 788d908f2879a17e5f80924f3da2e23f1034482d Mon Sep 17 00:00:00 2001
+From: Julien TINNES
+Date: Thu, 27 Aug 2009 15:26:58 +0200
+Subject: ipv4: make ip_append_data() handle NULL routing table
+
+From: Julien TINNES
+
+commit 788d908f2879a17e5f80924f3da2e23f1034482d upstream.
+
+Add a check in ip_append_data() for NULL *rtp to prevent future bugs in
+callers from being exploitable.
+
+Signed-off-by: Julien Tinnes
+Signed-off-by: Tavis Ormandy
+Acked-by: David S. Miller
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -813,6 +813,8 @@ int ip_append_data(struct sock *sk,
+ inet->cork.addr = ipc->addr;
+ }
+ rt = *rtp;
++ if (unlikely(!rt))
++ return -EFAULT;
+ /*
+ * We steal reference to this route, caller should not release it
+ */
diff --git a/queue-2.6.30/irda-fix-irda_getname-leak.patch b/queue-2.6.30/irda-fix-irda_getname-leak.patch
new file mode 100644
index 00000000000..1935fbc74d8
--- /dev/null
+++ b/queue-2.6.30/irda-fix-irda_getname-leak.patch
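Review bot: The new `if (unlikely(!rt)) return -EFAULT;` in ip_append_data() sits after the cork setup visible just above it (`inet->cork.addr = ipc->addr;`), so on this path the socket's cork state has already been modified when the function bails out. Callers presumably flush pending frames on error, which would release that state, but that is outside the hunk and should be confirmed, or the NULL test moved ahead of the cork setup. A short comment such as `/* defensive: a NULL route here means a caller bug */` would also explain why -EFAULT is returned for something that is not a user-pointer fault.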
@@ -0,0 +1,29 @@
+From 09384dfc76e526c3993c09c42e016372dc9dd22c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 6 Aug 2009 03:55:04 +0000
+Subject: irda: Fix irda_getname() leak
+
+From: Eric Dumazet
+
+commit 09384dfc76e526c3993c09c42e016372dc9dd22c upstream.
+
+irda_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/irda/af_irda.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -714,6 +714,7 @@ static int irda_getname(struct socket *s
+ struct sock *sk = sock->sk;
+ struct irda_sock *self = irda_sk(sk);
+
++ memset(&saddr, 0, sizeof(saddr));
+ if (peer) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
diff --git a/queue-2.6.30/net-llc-zero-sockaddr_llc-struct.patch b/queue-2.6.30/net-llc-zero-sockaddr_llc-struct.patch
new file mode 100644
index 00000000000..c7d34f71b7d
--- /dev/null
+++ b/queue-2.6.30/net-llc-zero-sockaddr_llc-struct.patch
@@ -0,0 +1,30 @@
+From 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc Mon Sep 17 00:00:00 2001
+From: Jiri Slaby
+Date: Sun, 23 Aug 2009 22:55:51 -0700
+Subject: NET: llc, zero sockaddr_llc struct
+
+From: Jiri Slaby
+
+commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc upstream.
+
+sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
+before copying to the above layer's structure.
+
+Signed-off-by: Jiri Slaby
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/llc/af_llc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -914,6 +914,7 @@ static int llc_ui_getname(struct socket
+ struct llc_sock *llc = llc_sk(sk);
+ int rc = 0;
+
++ memset(&sllc, 0, sizeof(sllc));
+ lock_sock(sk);
+ if (sock_flag(sk, SOCK_ZAPPED))
+ goto out;
diff --git a/queue-2.6.30/netrom-fix-nr_getname-leak.patch b/queue-2.6.30/netrom-fix-nr_getname-leak.patch
new file mode 100644
index 00000000000..d5dab667b6e
--- /dev/null
+++ b/queue-2.6.30/netrom-fix-nr_getname-leak.patch
@@ -0,0 +1,29 @@
+From f6b97b29513950bfbf621a83d85b6f86b39ec8db Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 6 Aug 2009 03:31:07 +0000
+Subject: netrom: Fix nr_getname() leak
+
+From: Eric Dumazet
+
+commit f6b97b29513950bfbf621a83d85b6f86b39ec8db upstream.
+
+nr_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -848,6 +848,7 @@ static int nr_getname(struct socket *soc
+ sax->fsa_ax25.sax25_family = AF_NETROM;
+ sax->fsa_ax25.sax25_ndigis = 1;
+ sax->fsa_ax25.sax25_call = nr->user_addr;
++ memset(sax->fsa_digipeater, 0, sizeof(sax->fsa_digipeater));
+ sax->fsa_digipeater[0] = nr->dest_addr;
+ *uaddr_len = sizeof(struct full_sockaddr_ax25);
+ } else {
diff --git a/queue-2.6.30/powerpc-ps3-add-missing-check-for-ps3-to-rtc-ps3-platform-device-registration.patch b/queue-2.6.30/powerpc-ps3-add-missing-check-for-ps3-to-rtc-ps3-platform-device-registration.patch
new file mode 100644
index 00000000000..dd4467b531b
--- /dev/null
+++ b/queue-2.6.30/powerpc-ps3-add-missing-check-for-ps3-to-rtc-ps3-platform-device-registration.patch
@@ -0,0 +1,42 @@
+From 7b6a09f3d6aedeaac923824af2a5df30300b56e9 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Sun, 23 Aug 2009 22:54:32 +0000
+Subject: powerpc/ps3: Add missing check for PS3 to rtc-ps3 platform device registration
+
+From: Geert Uytterhoeven
+
+commit 7b6a09f3d6aedeaac923824af2a5df30300b56e9 upstream.
+
+On non-PS3, we get:
+
+| kernel BUG at drivers/rtc/rtc-ps3.c:36!
+
+because the rtc-ps3 platform device is registered unconditionally in a kernel
+with builtin support for PS3.
+
+Reported-by: Sachin Sant
+Signed-off-by: Geert Uytterhoeven
+Acked-by: Geoff Levand
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+--- a/arch/powerpc/platforms/ps3/time.c
++++ b/arch/powerpc/platforms/ps3/time.c
+@@ -21,6 +21,7 @@
+ #include
+ #include
+
++#include
+ #include
+ #include
+ #include
+@@ -84,6 +85,9 @@ static int __init ps3_rtc_init(void)
+ {
+ struct platform_device *pdev;
+
++ if (!firmware_has_feature(FW_FEATURE_PS3_LV1))
++ return -ENODEV;
++
+ pdev = platform_device_register_simple("rtc-ps3", -1, NULL, 0);
+ if (IS_ERR(pdev))
+ return PTR_ERR(pdev);
diff --git a/queue-2.6.30/rose-fix-rose_getname-leak.patch b/queue-2.6.30/rose-fix-rose_getname-leak.patch
new file mode 100644
index 00000000000..2b018e767d0
--- /dev/null
+++ b/queue-2.6.30/rose-fix-rose_getname-leak.patch
@@ -0,0 +1,29 @@
+From 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 6 Aug 2009 03:34:06 +0000
+Subject: rose: Fix rose_getname() leak
+
+From: Eric Dumazet
+
+commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 upstream.
+
+rose_getname() can leak kernel memory to user.
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -957,6 +957,7 @@ static int rose_getname(struct socket *s
+ struct rose_sock *rose = rose_sk(sk);
+ int n;
+
++ memset(srose, 0, sizeof(*srose));
+ if (peer != 0) {
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTCONN;
diff --git a/queue-2.6.30/series b/queue-2.6.30/series
index 4fc2c189726..f1601bb52b6 100644
--- a/queue-2.6.30/series
+++ b/queue-2.6.30/series
@@ -56,3 +56,17 @@ xfs-fix-spin_is_locked-assert-on-uni-processor-builds.patch
 gspca-ov534-fix-ov772x.patch
 kthreads-fix-kthread_create-vs-kthread_stop-race.patch
 ipv6-fix-commit-63d9950b08184e6531adceb65f64b429909cc101.patch
+usb-fix-the-clear_tt_buffer-interface.patch
+usb-ehci-use-the-new-clear_tt_buffer-interface.patch
+usb-ehci-fix-two-new-bugs-related-to-clear-tt-buffer.patch
+powerpc-ps3-add-missing-check-for-ps3-to-rtc-ps3-platform-device-registration.patch
+ipv4-make-ip_append_data-handle-null-routing-table.patch
+ar9170-fix-read-write-outside-array-bounds.patch
+xenfb-connect-to-backend-before-registering-fb.patch
+can-fix-raw_getname-leak.patch
+irda-fix-irda_getname-leak.patch
+appletalk-fix-atalk_getname-leak.patch
+netrom-fix-nr_getname-leak.patch
+econet-fix-econet_getname-leak.patch
+rose-fix-rose_getname-leak.patch
+net-llc-zero-sockaddr_llc-struct.patch
diff --git a/queue-2.6.30/usb-ehci-fix-two-new-bugs-related-to-clear-tt-buffer.patch b/queue-2.6.30/usb-ehci-fix-two-new-bugs-related-to-clear-tt-buffer.patch
new file mode 100644
index 00000000000..4f0f73bd8e6
--- /dev/null
+++ b/queue-2.6.30/usb-ehci-fix-two-new-bugs-related-to-clear-tt-buffer.patch
@@ -0,0 +1,88 @@
+From 7a0f0d951273eee889c2441846842348ebc00a2a Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 31 Jul 2009 10:40:22 -0400
+Subject: USB: EHCI: fix two new bugs related to Clear-TT-Buffer
+
+From: Alan Stern
+
+commit 7a0f0d951273eee889c2441846842348ebc00a2a upstream.
+
+This patch (as1273) fixes two(!) bugs introduced by the new
+Clear-TT-Buffer implementation in ehci-hcd.
+
+ It is now possible for an idle QH to have some URBs on its
+ queue -- this will happen if a Clear-TT-Buffer is pending for
+ the QH's endpoint. Consequently we should not issue a warning
+ when someone tries to unlink an URB from an idle QH; instead
+ we should process the request immediately.
+
+ The refcounts for QHs could get messed up, because
+ submit_async() would increment the refcount when calling
+ qh_link_async() and qh_link_async() would then refuse to link
+ the QH into the schedule if a Clear-TT-Buffer was pending.
+ Instead we should increment the refcount only when the QH
+ actually is added to the schedule. The current code tries to
+ be clever by leaving the refcount alone if an unlink is
+ immediately followed by a relink; the patch changes this to an
+ unconditional decrement and increment (although they occur in
+ the opposite order).
+
+Signed-off-by: Alan Stern
+CC: David Brownell
+Tested-by: Manuel Lauss
+Tested-by: Matthijs Kooijman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ehci-hcd.c | 3 ++-
+ drivers/usb/host/ehci-q.c | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -903,7 +903,8 @@ static int ehci_urb_dequeue(struct usb_h
+ /* already started */
+ break;
+ case QH_STATE_IDLE:
+- WARN_ON(1);
++ /* QH might be waiting for a Clear-TT-Buffer */
++ qh_completions(ehci, qh);
+ break;
+ }
+ break;
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -938,6 +938,7 @@ static void qh_link_async (struct ehci_h
+ head->qh_next.qh = qh;
+ head->hw_next = dma;
+
++ qh_get(qh);
+ qh->xacterrs = QH_XACTERR_MAX;
+ qh->qh_state = QH_STATE_LINKED;
+ /* qtd completions reported later by interrupt */
+@@ -1078,7 +1079,7 @@ submit_async (
+ * the HC and TT handle it when the TT has a buffer ready.
+ */
+ if (likely (qh->qh_state == QH_STATE_IDLE))
+- qh_link_async (ehci, qh_get (qh));
++ qh_link_async(ehci, qh);
+ done:
+ spin_unlock_irqrestore (&ehci->lock, flags);
+ if (unlikely (qh == NULL))
+@@ -1113,8 +1114,6 @@ static void end_unlink_async (struct ehc
+ && HC_IS_RUNNING (ehci_to_hcd(ehci)->state))
+ qh_link_async (ehci, qh);
+ else {
+- qh_put (qh); // refcount from async list
+-
+ /* it's not free to turn the async schedule on/off; leave it
+ * active but idle for a while once it empties.
+ */
+@@ -1122,6 +1121,7 @@ static void end_unlink_async (struct ehc
+ && ehci->async->qh_next.qh == NULL)
+ timer_action (ehci, TIMER_ASYNC_OFF);
+ }
++ qh_put(qh); /* refcount from async list */
+
+ if (next) {
+ ehci->reclaim = NULL;
diff --git a/queue-2.6.30/usb-ehci-use-the-new-clear_tt_buffer-interface.patch b/queue-2.6.30/usb-ehci-use-the-new-clear_tt_buffer-interface.patch
new file mode 100644
index 00000000000..f640d6eafb7
--- /dev/null
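Review bot: The new ownership rule for the async-list reference is not written down anywhere in the code: after this patch qh_link_async() takes the reference itself with `qh_get(qh);` and end_unlink_async() drops it unconditionally, but neither function says so. A comment at the `qh_get(qh);` line, e.g. `/* the async schedule holds one reference while the QH is linked */`, would make it clear that callers must no longer pass `qh_get(qh)` themselves, since a leftover caller doing so would leak a reference. Only submit_async() is converted in the visible hunks, so any other caller of qh_link_async() should be checked; all four functions continue outside the quoted context.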
+++ b/queue-2.6.30/usb-ehci-use-the-new-clear_tt_buffer-interface.patch 
@@ -0,0 +1,262 @@
+From 914b701280a76f96890ad63eb0fa99bf204b961c Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 29 Jun 2009 10:47:30 -0400
+Subject: USB: EHCI: use the new clear_tt_buffer interface
+
+From: Alan Stern
+
+commit 914b701280a76f96890ad63eb0fa99bf204b961c upstream.
+
+This patch (as1256) changes ehci-hcd and all the other drivers in the
+EHCI family to make use of the new clear_tt_buffer callbacks. When a
+Clear-TT-Buffer request is in progress for a QH, the QH is not allowed
+to be linked into the async schedule until the request is finished.
+At that time, if there are any URBs queued for the QH, it is linked
+into the async schedule.
+
+Signed-off-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ehci-au1xxx.c | 2
+ drivers/usb/host/ehci-fsl.c | 2
+ drivers/usb/host/ehci-hcd.c | 2
+ drivers/usb/host/ehci-ixp4xx.c | 2
+ drivers/usb/host/ehci-orion.c | 2
+ drivers/usb/host/ehci-pci.c | 2
+ drivers/usb/host/ehci-ppc-of.c | 2
+ drivers/usb/host/ehci-ps3.c | 2
+ drivers/usb/host/ehci-q.c | 91 ++++++++++++++++++++++++++++++-----------
+ drivers/usb/host/ehci.h | 2
+ 10 files changed, 86 insertions(+), 23 deletions(-)
+
+--- a/drivers/usb/host/ehci-au1xxx.c
++++ b/drivers/usb/host/ehci-au1xxx.c
+@@ -112,6 +112,8 @@ static const struct hc_driver ehci_au1xx
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ehci_hcd_au1xxx_drv_probe(struct platform_device *pdev)
+--- a/drivers/usb/host/ehci-fsl.c
++++ b/drivers/usb/host/ehci-fsl.c
+@@ -324,6 +324,8 @@ static const struct hc_driver ehci_fsl_h
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ehci_fsl_drv_probe(struct platform_device *pdev)
+--- a/drivers/usb/host/ehci.h
++++ b/drivers/usb/host/ehci.h
+@@ -353,7 +353,9 @@ struct ehci_qh {
+ unsigned short period; /* polling interval */
+ unsigned short start; /* where polling starts */
+ #define NO_FRAME ((unsigned short)~0) /* pick new start */
++
+ struct usb_device *dev; /* access to TT */
++ unsigned clearing_tt:1; /* Clear-TT-Buf in progress */
+ } __attribute__ ((aligned (32)));
+
+ /*-------------------------------------------------------------------------*/
+--- a/drivers/usb/host/ehci-hcd.c
++++ b/drivers/usb/host/ehci-hcd.c
+@@ -1003,6 +1003,8 @@ idle_timeout:
+ schedule_timeout_uninterruptible(1);
+ goto rescan;
+ case QH_STATE_IDLE: /* fully unlinked */
++ if (qh->clearing_tt)
++ goto idle_timeout;
+ if (list_empty (&qh->qtd_list)) {
+ qh_put (qh);
+ break;
+--- a/drivers/usb/host/ehci-ixp4xx.c
++++ b/drivers/usb/host/ehci-ixp4xx.c
+@@ -60,6 +60,8 @@ static const struct hc_driver ixp4xx_ehc
+ #endif
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ixp4xx_ehci_probe(struct platform_device *pdev)
+--- a/drivers/usb/host/ehci-orion.c
++++ b/drivers/usb/host/ehci-orion.c
+@@ -164,6 +164,8 @@ static const struct hc_driver ehci_orion
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static void __init
+--- a/drivers/usb/host/ehci-pci.c
++++ b/drivers/usb/host/ehci-pci.c
+@@ -408,6 +408,8 @@ static const struct hc_driver ehci_pci_h
+ .bus_resume = ehci_bus_resume,
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ /*-------------------------------------------------------------------------*/
+--- a/drivers/usb/host/ehci-ppc-of.c
++++ b/drivers/usb/host/ehci-ppc-of.c
+@@ -78,6 +78,8 @@ static const struct hc_driver ehci_ppc_o
+ #endif
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+
+--- a/drivers/usb/host/ehci-ps3.c
++++ b/drivers/usb/host/ehci-ps3.c
+@@ -74,6 +74,8 @@ static const struct hc_driver ps3_ehci_h
+ #endif
+ .relinquish_port = ehci_relinquish_port,
+ .port_handed_over = ehci_port_handed_over,
++
++ .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete,
+ };
+
+ static int ps3_ehci_probe(struct ps3_system_bus_device *dev)
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -139,6 +139,55 @@ qh_refresh (struct ehci_hcd *ehci, struc
+
+ /*-------------------------------------------------------------------------*/
+
++static void qh_link_async(struct ehci_hcd *ehci, struct ehci_qh *qh);
++
++static void ehci_clear_tt_buffer_complete(struct usb_hcd *hcd,
++ struct usb_host_endpoint *ep)
++{
++ struct ehci_hcd *ehci = hcd_to_ehci(hcd);
++ struct ehci_qh *qh = ep->hcpriv;
++ unsigned long flags;
++
++ spin_lock_irqsave(&ehci->lock, flags);
++ qh->clearing_tt = 0;
++ if (qh->qh_state == QH_STATE_IDLE && !list_empty(&qh->qtd_list)
++ && HC_IS_RUNNING(hcd->state))
++ qh_link_async(ehci, qh);
++ spin_unlock_irqrestore(&ehci->lock, flags);
++}
++
++static void ehci_clear_tt_buffer(struct ehci_hcd *ehci, struct ehci_qh *qh,
++ struct urb *urb, u32 token)
++{
++
++ /* If an async split transaction gets an error or is unlinked,
++ * the TT buffer may be left in an indeterminate state. We
++ * have to clear the TT buffer.
++ *
++ * Note: this routine is never called for Isochronous transfers.
++ */
++ if (urb->dev->tt && !usb_pipeint(urb->pipe) && !qh->clearing_tt) {
++#ifdef DEBUG
++ struct usb_device *tt = urb->dev->tt->hub;
++ dev_dbg(&tt->dev,
++ "clear tt buffer port %d, a%d ep%d t%08x\n",
++ urb->dev->ttport, urb->dev->devnum,
++ usb_pipeendpoint(urb->pipe), token);
++#endif /* DEBUG */
++ if (!ehci_is_TDI(ehci)
++ || urb->dev->tt->hub !=
++ ehci_to_hcd(ehci)->self.root_hub) {
++ if (usb_hub_clear_tt_buffer(urb) == 0)
++ qh->clearing_tt = 1;
++ } else {
++
++ /* REVISIT ARC-derived cores don't clear the root
++ * hub TT buffer in this way...
++ */
++ }
++ }
++}
++
+ static int qtd_copy_status (
+ struct ehci_hcd *ehci,
+ struct urb *urb,
+@@ -195,28 +244,6 @@ static int qtd_copy_status (
+ usb_pipeendpoint (urb->pipe),
+ usb_pipein (urb->pipe) ? "in" : "out",
+ token, status);
+-
+- /* if async CSPLIT failed, try cleaning out the TT buffer */
+- if (status != -EPIPE
+- && urb->dev->tt
+- && !usb_pipeint(urb->pipe)
+- && ((token & QTD_STS_MMF) != 0
+- || QTD_CERR(token) == 0)
+- && (!ehci_is_TDI(ehci)
+- || urb->dev->tt->hub !=
+- ehci_to_hcd(ehci)->self.root_hub)) {
+-#ifdef DEBUG
+- struct usb_device *tt = urb->dev->tt->hub;
+- dev_dbg (&tt->dev,
+- "clear tt buffer port %d, a%d ep%d t%08x\n",
+- urb->dev->ttport, urb->dev->devnum,
+- usb_pipeendpoint (urb->pipe), token);
+-#endif /* DEBUG */
+- /* REVISIT ARC-derived cores don't clear the root
+- * hub TT buffer in this way...
+- */
+- usb_hub_clear_tt_buffer(urb);
+- }
+ }
+
+ return status;
+@@ -407,9 +434,16 @@ qh_completions (struct ehci_hcd *ehci, s
+ /* qh unlinked; token in overlay may be most current */
+ if (state == QH_STATE_IDLE
+ && cpu_to_hc32(ehci, qtd->qtd_dma)
+- == qh->hw_current)
++ == qh->hw_current) {
+ token = hc32_to_cpu(ehci, qh->hw_token);
+
++ /* An unlink may leave an incomplete
++ * async transaction in the TT buffer.
++ * We have to clear it.
++ */
++ ehci_clear_tt_buffer(ehci, qh, urb, token);
++ }
++
+ /* force halt for unlinked or blocked qh, so we'll
+ * patch the qh later and so that completions can't
+ * activate it while we "know" it's stopped.
+@@ -435,6 +469,13 @@ halt:
+ && (qtd->hw_alt_next
+ & EHCI_LIST_END(ehci)))
+ last_status = -EINPROGRESS;
++
++ /* As part of low/full-speed endpoint-halt processing
++ * we must clear the TT buffer (11.17.5).
++ */
++ if (unlikely(last_status != -EINPROGRESS &&
++ last_status != -EREMOTEIO))
++ ehci_clear_tt_buffer(ehci, qh, urb, token);
+ }
+
+ /* if we're removing something not at the queue head,
+@@ -864,6 +905,10 @@ static void qh_link_async (struct ehci_h
+ __hc32 dma = QH_NEXT(ehci, qh->qh_dma);
+ struct ehci_qh *head;
+
++ /* Don't link a QH if there's a Clear-TT-Buffer pending */
++ if (unlikely(qh->clearing_tt))
++ return;
++
+ /* (re)start the async schedule? */
+ head = ehci->async;
+ timer_action_done (ehci, TIMER_ASYNC_OFF);
diff --git a/queue-2.6.30/usb-fix-the-clear_tt_buffer-interface.patch b/queue-2.6.30/usb-fix-the-clear_tt_buffer-interface.patch
new file mode 100644
index 00000000000..6eb4ff9e145
--- /dev/null
+++ b/queue-2.6.30/usb-fix-the-clear_tt_buffer-interface.patch
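Review bot: ehci_clear_tt_buffer_complete() reads `ep->hcpriv` into `qh` before taking `ehci->lock` and then writes `qh->clearing_tt` without checking that the pointer is still set. The only thing visible here that keeps the QH alive until the callback runs is the new `if (qh->clearing_tt) goto idle_timeout;` wait in the QH_STATE_IDLE case of ehci-hcd.c, which in turn spins until the callback arrives. Doing `qh = ep->hcpriv;` after `spin_lock_irqsave()` and wrapping the existing body in `if (qh) { ... }`, together with a comment stating that lifetime rule, would make the dependency explicit. The empty `else` arm in ehci_clear_tt_buffer() that holds only the REVISIT comment could be dropped in favour of a comment above the `if`.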
@@ -0,0 +1,200 @@
+From cb88a1b887bb8908f6e00ce29e893ea52b074940 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 29 Jun 2009 10:43:32 -0400
+Subject: USB: fix the clear_tt_buffer interface
+
+From: Alan Stern
+
+commit cb88a1b887bb8908f6e00ce29e893ea52b074940 upstream.
+
+This patch (as1255) updates the interface for calling
+usb_hub_clear_tt_buffer(). Even the name of the function is changed!
+
+When an async URB (i.e., Control or Bulk) going through a high-speed
+hub to a non-high-speed device is cancelled or fails, the hub's
+Transaction Translator buffer may be left busy still trying to
+complete the transaction. The buffer has to be cleared; that's what
+usb_hub_clear_tt_buffer() does.
+
+It isn't safe to send any more URBs to the same endpoint until the TT
+buffer is fully clear. Therefore the HCD needs to be told when the
+Clear-TT-Buffer request has finished. This patch adds a callback
+method to struct hc_driver for that purpose, and makes the hub driver
+invoke the callback at the proper time.
+
+The patch also changes a couple of names; "hub_tt_kevent" and
+"tt.kevent" now look rather antiquated.
+
+Signed-off-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hcd.h | 4 ++++
+ drivers/usb/core/hub.c | 40 ++++++++++++++++++++++++++--------------
+ drivers/usb/core/hub.h | 6 ++++--
+ drivers/usb/host/ehci-q.c | 2 +-
+ 4 files changed, 35 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/core/hcd.h
++++ b/drivers/usb/core/hcd.h
+@@ -224,6 +224,10 @@ struct hc_driver {
+ void (*relinquish_port)(struct usb_hcd *, int);
+ /* has a port been handed over to a companion? */
+ int (*port_handed_over)(struct usb_hcd *, int);
++
++ /* CLEAR_TT_BUFFER completion callback */
++ void (*clear_tt_buffer_complete)(struct usb_hcd *,
++ struct usb_host_endpoint *);
+ };
+
+ extern int usb_hcd_link_urb_to_ep(struct usb_hcd *hcd, struct urb *urb);
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -448,10 +448,10 @@ hub_clear_tt_buffer (struct usb_device *
+ * talking to TTs must queue control transfers (not just bulk and iso), so
+ * both can talk to the same hub concurrently.
+ */
+-static void hub_tt_kevent (struct work_struct *work)
++static void hub_tt_work(struct work_struct *work)
+ {
+ struct usb_hub *hub =
+- container_of(work, struct usb_hub, tt.kevent);
++ container_of(work, struct usb_hub, tt.clear_work);
+ unsigned long flags;
+ int limit = 100;
+
+@@ -460,6 +460,7 @@ static void hub_tt_kevent (struct work_s
+ struct list_head *temp;
+ struct usb_tt_clear *clear;
+ struct usb_device *hdev = hub->hdev;
++ const struct hc_driver *drv;
+ int status;
+
+ temp = hub->tt.clear_list.next;
+@@ -469,21 +470,25 @@ static void hub_tt_kevent (struct work_s
+ /* drop lock so HCD can concurrently report other TT errors */
+ spin_unlock_irqrestore (&hub->tt.lock, flags);
+ status = hub_clear_tt_buffer (hdev, clear->devinfo, clear->tt);
+- spin_lock_irqsave (&hub->tt.lock, flags);
+-
+ if (status)
+ dev_err (&hdev->dev,
+ "clear tt %d (%04x) error %d\n",
+ clear->tt, clear->devinfo, status);
++
++ /* Tell the HCD, even if the operation failed */
++ drv = clear->hcd->driver;
++ if (drv->clear_tt_buffer_complete)
++ (drv->clear_tt_buffer_complete)(clear->hcd, clear->ep);
++
+ kfree(clear);
++ spin_lock_irqsave(&hub->tt.lock, flags);
+ }
+ spin_unlock_irqrestore (&hub->tt.lock, flags);
+ }
+
+ /**
+- * usb_hub_tt_clear_buffer - clear control/bulk TT state in high speed hub
+- * @udev: the device whose split transaction failed
+- * @pipe: identifies the endpoint of the failed transaction
++ * usb_hub_clear_tt_buffer - clear control/bulk TT state in high speed hub
++ * @urb: an URB associated with the failed or incomplete split transaction
+ *
+ * High speed HCDs use this to tell the hub driver that some split control or
+ * bulk transaction failed in a way that requires clearing internal state of
+@@ -493,8 +498,10 @@ static void hub_tt_kevent (struct work_s
+ * It may not be possible for that hub to handle additional full (or low)
+ * speed transactions until that state is fully cleared out.
+ */
+-void usb_hub_tt_clear_buffer (struct usb_device *udev, int pipe)
++int usb_hub_clear_tt_buffer(struct urb *urb)
+ {
++ struct usb_device *udev = urb->dev;
++ int pipe = urb->pipe;
+ struct usb_tt *tt = udev->tt;
+ unsigned long flags;
+ struct usb_tt_clear *clear;
+@@ -506,7 +513,7 @@ void usb_hub_tt_clear_buffer (struct usb
+ if ((clear = kmalloc (sizeof *clear, GFP_ATOMIC)) == NULL) {
+ dev_err (&udev->dev, "can't save CLEAR_TT_BUFFER state\n");
+ /* FIXME recover somehow ... RESET_TT? */
+- return;
++ return -ENOMEM;
+ }
+
+ /* info that CLEAR_TT_BUFFER needs */
+@@ -518,14 +525,19 @@ void usb_hub_tt_clear_buffer (struct usb
+ : (USB_ENDPOINT_XFER_BULK << 11);
+ if (usb_pipein (pipe))
+ clear->devinfo |= 1 << 15;
+-
++
++ /* info for completion callback */
++ clear->hcd = bus_to_hcd(udev->bus);
++ clear->ep = urb->ep;
++
+ /* tell keventd to clear state for this TT */
+ spin_lock_irqsave (&tt->lock, flags);
+ list_add_tail (&clear->clear_list, &tt->clear_list);
+- schedule_work (&tt->kevent);
++ schedule_work(&tt->clear_work);
+ spin_unlock_irqrestore (&tt->lock, flags);
++ return 0;
+ }
+-EXPORT_SYMBOL_GPL(usb_hub_tt_clear_buffer);
++EXPORT_SYMBOL_GPL(usb_hub_clear_tt_buffer);
+
+ /* If do_delay is false, return the number of milliseconds the caller
+ * needs to delay.
+@@ -816,7 +828,7 @@ static void hub_quiesce(struct usb_hub *
+ if (hub->has_indicators)
+ cancel_delayed_work_sync(&hub->leds);
+ if (hub->tt.hub)
+- cancel_work_sync(&hub->tt.kevent);
++ cancel_work_sync(&hub->tt.clear_work);
+ }
+
+ /* caller has locked the hub device */
+@@ -933,7 +945,7 @@ static int hub_configure(struct usb_hub
+
+ spin_lock_init (&hub->tt.lock);
+ INIT_LIST_HEAD (&hub->tt.clear_list);
+- INIT_WORK (&hub->tt.kevent, hub_tt_kevent);
++ INIT_WORK(&hub->tt.clear_work, hub_tt_work);
+ switch (hdev->descriptor.bDeviceProtocol) {
+ case 0:
+ break;
+--- a/drivers/usb/core/hub.h
++++ b/drivers/usb/core/hub.h
+@@ -185,16 +185,18 @@ struct usb_tt {
+ /* for control/bulk error recovery (CLEAR_TT_BUFFER) */
+ spinlock_t lock;
+ struct list_head clear_list; /* of usb_tt_clear */
+- struct work_struct kevent;
++ struct work_struct clear_work;
+ };
+
+ struct usb_tt_clear {
+ struct list_head clear_list;
+ unsigned tt;
+ u16 devinfo;
++ struct usb_hcd *hcd;
++ struct usb_host_endpoint *ep;
+ };
+
+-extern void usb_hub_tt_clear_buffer(struct usb_device *dev, int pipe);
++extern int usb_hub_clear_tt_buffer(struct urb *urb);
+ extern void usb_ep0_reinit(struct usb_device *);
+
+ #endif /* __LINUX_HUB_H */
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -215,7 +215,7 @@ static int qtd_copy_status (
+ /* REVISIT ARC-derived cores don't clear the root
+ * hub TT buffer in this way...
+ */
+- usb_hub_tt_clear_buffer (urb->dev, urb->pipe);
++ usb_hub_clear_tt_buffer(urb);
+ }
+ }
+
diff --git a/queue-2.6.30/xenfb-connect-to-backend-before-registering-fb.patch b/queue-2.6.30/xenfb-connect-to-backend-before-registering-fb.patch
new file mode 100644
index 00000000000..f1fbf04ff57
--- /dev/null
+++ b/queue-2.6.30/xenfb-connect-to-backend-before-registering-fb.patch
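Review bot: hub_quiesce() still ends with `cancel_work_sync(&hub->tt.clear_work);`, which discards work that is queued but has not run, so entries left on `tt.clear_list` would never reach the new `clear_tt_buffer_complete` callback, nor the `kfree(clear)` in hub_tt_work(). With this series the HCD depends on that callback: the companion EHCI patch sets `qh->clearing_tt` and waits for it to be cleared before relinking or releasing the QH. Consider `flush_work(&hub->tt.clear_work);` here so that pending clears are completed, or drain the list and invoke the callback explicitly. How hub_quiesce() is reached around disconnect is outside the hunk and should be confirmed.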
@@ -0,0 +1,50 @@
+From 0a80fb10239b04c45e5e80aad8d4b2ca5ac407b2 Mon Sep 17 00:00:00 2001
+From: Jeremy Fitzhardinge
+Date: Thu, 27 Aug 2009 12:22:43 -0700
+Subject: xenfb: connect to backend before registering fb
+
+From: Jeremy Fitzhardinge
+
+commit 0a80fb10239b04c45e5e80aad8d4b2ca5ac407b2 upstream.
+
+As soon as the framebuffer is registered, our methods may be called by the
+kernel. This leads to a crash as xenfb_refresh() gets called before we have
+the irq.
+
+Connect to the backend before registering our framebuffer with the kernel.
+
+[ Fixes bug http://bugzilla.kernel.org/show_bug.cgi?id=14059 ]
+
+Signed-off-by: Michal Schmidt
+Signed-off-by: Jeremy Fitzhardinge
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/xen-fbfront.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/xen-fbfront.c
++++ b/drivers/video/xen-fbfront.c
+@@ -454,6 +454,10 @@ static int __devinit xenfb_probe(struct
+
+ xenfb_init_shared_page(info, fb_info);
+
++ ret = xenfb_connect_backend(dev, info);
++ if (ret < 0)
++ goto error;
++
+ ret = register_framebuffer(fb_info);
+ if (ret) {
+ fb_deferred_io_cleanup(fb_info);
+@@ -464,10 +468,6 @@ static int __devinit xenfb_probe(struct
+ }
+ info->fb_info = fb_info;
+
+- ret = xenfb_connect_backend(dev, info);
+- if (ret < 0)
+- goto error;
+-
+ xenfb_make_preferred_console();
+ return 0;
+
--
2.47.2
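Review bot: With xenfb_connect_backend() now called before register_framebuffer(), the backend connection exists while `info->fb_info` is still unset, because the assignment `info->fb_info = fb_info;` only happens after registration succeeds. If the event handler or anything else triggered by the backend reads `info->fb_info`, it could see NULL in that window, so either assign it before connecting or confirm that path does not use it. The `if (ret)` branch after register_framebuffer() should also be checked for a matching disconnect now that the backend is connected first; the rest of that branch and the `error` label are outside the hunk.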