From e09414b6f52b5c416a2e6059b71c70bf8bdcaaaa Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu, 4 Mar 2010 16:15:57 -0800
Subject: [PATCH] more .27 patches

---
 ...x86-emulator-limit-insns-to-15-bytes.patch | 52 ++++++++++++++
 queue-2.6.27/series                           |  2 +
 ...ounting-of-transaction-error-retries.patch | 72 +++++++++++++++++++
 3 files changed, 126 insertions(+)
 create mode 100644 queue-2.6.27/kvm-x86-emulator-limit-insns-to-15-bytes.patch
 create mode 100644 queue-2.6.27/usb-ehci-fix-counting-of-transaction-error-retries.patch

diff --git a/queue-2.6.27/kvm-x86-emulator-limit-insns-to-15-bytes.patch b/queue-2.6.27/kvm-x86-emulator-limit-insns-to-15-bytes.patch
new file mode 100644
index 00000000000..e6af575f26e
--- /dev/null
+++ b/queue-2.6.27/kvm-x86-emulator-limit-insns-to-15-bytes.patch
@@ -0,0 +1,52 @@
+From: Avi Kivity <avi@redhat.com>
+Date: Tue, 24 Nov 2009 13:20:15 +0000 (+0200)
+Subject: KVM: x86 emulator: limit instructions to 15 bytes
+
+commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb upstream
+
+[ <cebbert@redhat.com>: backport to 2.6.27 ]
+
+While we are never normally passed an instruction that exceeds 15 bytes,
+smp games can cause us to attempt to interpret one, which will cause
+large latencies in non-preempt hosts.
+
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kvm/x86_emulate.c        |    5 ++++-
+ include/asm-x86/kvm_x86_emulate.h |    2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/x86_emulate.c
++++ b/arch/x86/kvm/x86_emulate.c
+@@ -581,6 +581,9 @@ static int do_insn_fetch(struct x86_emul
+ {
+ 	int rc = 0;
+ 
++	/* x86 instructions are limited to 15 bytes. */
++	if (eip + size - ctxt->decode.eip_orig > 15)
++		return X86EMUL_UNHANDLEABLE;
+ 	eip += ctxt->cs_base;
+ 	while (size--) {
+ 		rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++);
+@@ -839,7 +842,7 @@ x86_decode_insn(struct x86_emulate_ctxt
+ 	/* Shadow copy of register state. Committed on successful emulation. */
+ 
+ 	memset(c, 0, sizeof(struct decode_cache));
+-	c->eip = ctxt->vcpu->arch.rip;
++	c->eip = c->eip_orig = ctxt->vcpu->arch.rip;
+ 	ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS);
+ 	memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs);
+ 
+--- a/include/asm-x86/kvm_x86_emulate.h
++++ b/include/asm-x86/kvm_x86_emulate.h
+@@ -128,7 +128,7 @@ struct decode_cache {
+ 	u8 seg_override;
+ 	unsigned int d;
+ 	unsigned long regs[NR_VCPU_REGS];
+-	unsigned long eip;
++	unsigned long eip, eip_orig;
+ 	/* modrm */
+ 	u8 modrm;
+ 	u8 modrm_mod;
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index aaed9b5851c..6f84bf4c677 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
@@ -22,3 +22,5 @@ i2c-do-not-use-device-name-after-device_unregister.patch
 serial-8250-add-serial-transmitter-fully-empty-test.patch
 usb-usbfs-only-copy-the-actual-data-received.patch
 usb-usbfs-properly-clean-up-the-as-structure-on-error-paths.patch
+usb-ehci-fix-counting-of-transaction-error-retries.patch
+kvm-x86-emulator-limit-insns-to-15-bytes.patch
diff --git a/queue-2.6.27/usb-ehci-fix-counting-of-transaction-error-retries.patch b/queue-2.6.27/usb-ehci-fix-counting-of-transaction-error-retries.patch
new file mode 100644
index 00000000000..a06a07cb246
--- /dev/null
+++ b/queue-2.6.27/usb-ehci-fix-counting-of-transaction-error-retries.patch
@@ -0,0 +1,72 @@
+From ef4638f955f2c4a667c8af20769d03f5ed3781ca Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Fri, 31 Jul 2009 10:41:40 -0400
+Subject: USB: EHCI: fix counting of transaction error retries
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit ef4638f955f2c4a667c8af20769d03f5ed3781ca upstream.
+
+This patch (as1274) simplifies the counting of transaction-error
+retries.  Now we will count up from 0 to QH_XACTERR_MAX instead of
+down from QH_XACTERR_MAX to 0.
+
+The patch also fixes a small bug: qh->xacterr was not getting
+initialized for interrupt endpoints.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Matthijs Kooijman <matthijs@stdin.nl>
+Cc: Reinoud Koornstra <koornstra@hp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-q.c     |   11 +++++------
+ drivers/usb/host/ehci-sched.c |    1 +
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -346,12 +346,11 @@ qh_completions (struct ehci_hcd *ehci, s
+ 				 */
+ 				if ((token & QTD_STS_XACT) &&
+ 						QTD_CERR(token) == 0 &&
+-						--qh->xacterrs > 0 &&
++						++qh->xacterrs < QH_XACTERR_MAX &&
+ 						!urb->unlinked) {
+ 					ehci_dbg(ehci,
+-	"detected XactErr len %d/%d retry %d\n",
+-	qtd->length - QTD_LENGTH(token), qtd->length,
+-	QH_XACTERR_MAX - qh->xacterrs);
++	"detected XactErr len %zu/%zu retry %d\n",
++	qtd->length - QTD_LENGTH(token), qtd->length, qh->xacterrs);
+ 
+ 					/* reset the token in the qtd and the
+ 					 * qh overlay (which still contains
+@@ -451,7 +450,7 @@ halt:
+ 		last = qtd;
+ 
+ 		/* reinit the xacterr counter for the next qtd */
+-		qh->xacterrs = QH_XACTERR_MAX;
++		qh->xacterrs = 0;
+ 	}
+ 
+ 	/* last urb's completion might still need calling */
+@@ -898,7 +897,7 @@ static void qh_link_async (struct ehci_h
+ 	head->qh_next.qh = qh;
+ 	head->hw_next = dma;
+ 
+-	qh->xacterrs = QH_XACTERR_MAX;
++	qh->xacterrs = 0;
+ 	qh->qh_state = QH_STATE_LINKED;
+ 	/* qtd completions reported later by interrupt */
+ }
+--- a/drivers/usb/host/ehci-sched.c
++++ b/drivers/usb/host/ehci-sched.c
+@@ -542,6 +542,7 @@ static int qh_link_periodic (struct ehci
+ 		}
+ 	}
+ 	qh->qh_state = QH_STATE_LINKED;
++	qh->xacterrs = 0;
+ 	qh_get (qh);
+ 
+ 	/* update per-qh bandwidth for usbfs */
-- 
2.47.3