From ec84dad0a2a90515e3bf2bd26cc61679f3f69a92 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 2 Dec 2008 15:23:40 -0800 Subject: [PATCH] start up the 2.6.27 queue --- ...y-removing-unnecessary-crc-inversion.patch | 41 ++++++ ...ups-fix-a-serious-bug-in-cgroupstats.patch | 50 +++++++ ...hen-failed-to-generate-sched-domains.patch | 97 +++++++++++++ ...-scatterlists-for-crypto-ops-on-keys.patch | 130 ++++++++++++++++++ ...gfix-full-duplex-dma-data-corruption.patch | 77 +++++++++++ queue-2.6.27/series | 10 ++ ...usb-fix-sb600-usb-subsystem-hang-bug.patch | 53 +++++++ ...usb-fix-sb700-usb-subsystem-hang-bug.patch | 66 +++++++++ .../usb-gadget-rndis-send-notifications.patch | 35 +++++ ...t-rndis-stop-windows-self-immolation.patch | 36 +++++ queue-2.6.27/usb-usbmon-fix-read.patch | 40 ++++++ 11 files changed, 635 insertions(+) create mode 100644 queue-2.6.27/atl1e-fix-broken-multicast-by-removing-unnecessary-crc-inversion.patch create mode 100644 queue-2.6.27/cgroups-fix-a-serious-bug-in-cgroupstats.patch create mode 100644 queue-2.6.27/cpuset-fix-regression-when-failed-to-generate-sched-domains.patch create mode 100644 queue-2.6.27/ecryptfs-allocate-up-to-two-scatterlists-for-crypto-ops-on-keys.patch create mode 100644 queue-2.6.27/pxa2xx_spi-bugfix-full-duplex-dma-data-corruption.patch create mode 100644 queue-2.6.27/series create mode 100644 queue-2.6.27/usb-fix-sb600-usb-subsystem-hang-bug.patch create mode 100644 queue-2.6.27/usb-fix-sb700-usb-subsystem-hang-bug.patch create mode 100644 queue-2.6.27/usb-gadget-rndis-send-notifications.patch create mode 100644 queue-2.6.27/usb-gadget-rndis-stop-windows-self-immolation.patch create mode 100644 queue-2.6.27/usb-usbmon-fix-read.patch diff --git a/queue-2.6.27/atl1e-fix-broken-multicast-by-removing-unnecessary-crc-inversion.patch b/queue-2.6.27/atl1e-fix-broken-multicast-by-removing-unnecessary-crc-inversion.patch new file mode 100644 index 00000000000..bfb30b43ec5 --- /dev/null +++ b/queue-2.6.27/atl1e-fix-broken-multicast-by-removing-unnecessary-crc-inversion.patch @@ -0,0 +1,41 @@ +From 7ee0fddfe05f105d3346aa8774695e7130697836 Mon Sep 17 00:00:00 2001 +From: J. K. Cliburn +Date: Tue, 11 Nov 2008 16:21:48 -0600 +Subject: atl1e: fix broken multicast by removing unnecessary crc inversion + +From: J. K. Cliburn + +commit 7ee0fddfe05f105d3346aa8774695e7130697836 upstream. + +Inverting the crc after calling ether_crc_le() is unnecessary and breaks +multicast. Remove it. + +Tested-by: David Madore +Signed-off-by: Jay Cliburn +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/atl1e/atl1e_hw.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/atl1e/atl1e_hw.c ++++ b/drivers/net/atl1e/atl1e_hw.c +@@ -163,9 +163,6 @@ int atl1e_read_mac_addr(struct atl1e_hw + * atl1e_hash_mc_addr + * purpose + * set hash value for a multicast address +- * hash calcu processing : +- * 1. calcu 32bit CRC for multicast address +- * 2. reverse crc with MSB to LSB + */ + u32 atl1e_hash_mc_addr(struct atl1e_hw *hw, u8 *mc_addr) + { +@@ -174,7 +171,6 @@ u32 atl1e_hash_mc_addr(struct atl1e_hw * + int i; + + crc32 = ether_crc_le(6, mc_addr); +- crc32 = ~crc32; + for (i = 0; i < 32; i++) + value |= (((crc32 >> i) & 1) << (31 - i)); + diff --git a/queue-2.6.27/cgroups-fix-a-serious-bug-in-cgroupstats.patch b/queue-2.6.27/cgroups-fix-a-serious-bug-in-cgroupstats.patch new file mode 100644 index 00000000000..5cecb13b7bc --- /dev/null +++ b/queue-2.6.27/cgroups-fix-a-serious-bug-in-cgroupstats.patch @@ -0,0 +1,50 @@ +From 33d283bef23132c48195eafc21449f8ba88fce6b Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Wed, 19 Nov 2008 15:36:48 -0800 +Subject: cgroups: fix a serious bug in cgroupstats + +From: Li Zefan + +commit 33d283bef23132c48195eafc21449f8ba88fce6b upstream. + +Try this, and you'll get oops immediately: + # cd Documentation/accounting/ + # gcc -o getdelays getdelays.c + # mount -t cgroup -o debug xxx /mnt + # ./getdelays -C /mnt/tasks + +Because a normal file's dentry->d_fsdata is a pointer to struct cftype, +not struct cgroup. + +After the patch, it returns EINVAL if we try to get cgroupstats +from a normal file. + +Cc: Balbir Singh +Signed-off-by: Li Zefan +Acked-by: Paul Menage +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -2045,10 +2045,13 @@ int cgroupstats_build(struct cgroupstats + struct cgroup *cgrp; + struct cgroup_iter it; + struct task_struct *tsk; ++ + /* +- * Validate dentry by checking the superblock operations ++ * Validate dentry by checking the superblock operations, ++ * and make sure it's a directory. + */ +- if (dentry->d_sb->s_op != &cgroup_ops) ++ if (dentry->d_sb->s_op != &cgroup_ops || ++ !S_ISDIR(dentry->d_inode->i_mode)) + goto err; + + ret = 0; diff --git a/queue-2.6.27/cpuset-fix-regression-when-failed-to-generate-sched-domains.patch b/queue-2.6.27/cpuset-fix-regression-when-failed-to-generate-sched-domains.patch new file mode 100644 index 00000000000..a20a83719f1 --- /dev/null +++ b/queue-2.6.27/cpuset-fix-regression-when-failed-to-generate-sched-domains.patch @@ -0,0 +1,97 @@ +From 700018e0a77b4113172257fcdaa1c58e27a5074f Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Tue, 18 Nov 2008 14:02:03 +0800 +Subject: cpuset: fix regression when failed to generate sched domains + +From: Li Zefan + +commit 700018e0a77b4113172257fcdaa1c58e27a5074f upstream. + +Impact: properly rebuild sched-domains on kmalloc() failure + +When cpuset failed to generate sched domains due to kmalloc() +failure, the scheduler should fallback to the single partition +'fallback_doms' and rebuild sched domains, but now it only +destroys but not rebuilds sched domains. + +The regression was introduced by: + +| commit dfb512ec4834116124da61d6c1ee10fd0aa32bd6 +| Author: Max Krasnyansky +| Date: Fri Aug 29 13:11:41 2008 -0700 +| +| sched: arch_reinit_sched_domains() must destroy domains to force rebuild + +After the above commit, partition_sched_domains(0, NULL, NULL) will +only destroy sched domains and partition_sched_domains(1, NULL, NULL) +will create the default sched domain. + +Signed-off-by: Li Zefan +Cc: Max Krasnyansky +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cpuset.c | 12 ++++++++---- + kernel/sched.c | 13 +++++++------ + 2 files changed, 15 insertions(+), 10 deletions(-) + +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -587,7 +587,6 @@ static int generate_sched_domains(cpumas + int ndoms; /* number of sched domains in result */ + int nslot; /* next empty doms[] cpumask_t slot */ + +- ndoms = 0; + doms = NULL; + dattr = NULL; + csa = NULL; +@@ -674,10 +673,8 @@ restart: + * Convert to and populate cpu masks. + */ + doms = kmalloc(ndoms * sizeof(cpumask_t), GFP_KERNEL); +- if (!doms) { +- ndoms = 0; ++ if (!doms) + goto done; +- } + + /* + * The rest of the code, including the scheduler, can deal with +@@ -732,6 +729,13 @@ restart: + done: + kfree(csa); + ++ /* ++ * Fallback to the default domain if kmalloc() failed. ++ * See comments in partition_sched_domains(). ++ */ ++ if (doms == NULL) ++ ndoms = 1; ++ + *domains = doms; + *attributes = dattr; + return ndoms; +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -7692,13 +7692,14 @@ static int dattrs_equal(struct sched_dom + * + * The passed in 'doms_new' should be kmalloc'd. This routine takes + * ownership of it and will kfree it when done with it. If the caller +- * failed the kmalloc call, then it can pass in doms_new == NULL, +- * and partition_sched_domains() will fallback to the single partition +- * 'fallback_doms', it also forces the domains to be rebuilt. ++ * failed the kmalloc call, then it can pass in doms_new == NULL && ++ * ndoms_new == 1, and partition_sched_domains() will fallback to ++ * the single partition 'fallback_doms', it also forces the domains ++ * to be rebuilt. + * +- * If doms_new==NULL it will be replaced with cpu_online_map. +- * ndoms_new==0 is a special case for destroying existing domains. +- * It will not create the default domain. ++ * If doms_new == NULL it will be replaced with cpu_online_map. ++ * ndoms_new == 0 is a special case for destroying existing domains, ++ * and it will not create the default domain. + * + * Call with hotplug lock held + */ diff --git a/queue-2.6.27/ecryptfs-allocate-up-to-two-scatterlists-for-crypto-ops-on-keys.patch b/queue-2.6.27/ecryptfs-allocate-up-to-two-scatterlists-for-crypto-ops-on-keys.patch new file mode 100644 index 00000000000..42b187a64fa --- /dev/null +++ b/queue-2.6.27/ecryptfs-allocate-up-to-two-scatterlists-for-crypto-ops-on-keys.patch @@ -0,0 +1,130 @@ +From ac97b9f9a2d0b83488e0bbcb8517b229d5c9b142 Mon Sep 17 00:00:00 2001 +From: Michael Halcrow +Date: Wed, 19 Nov 2008 15:36:28 -0800 +Subject: eCryptfs: Allocate up to two scatterlists for crypto ops on keys + +From: Michael Halcrow + +commit ac97b9f9a2d0b83488e0bbcb8517b229d5c9b142 upstream. + +I have received some reports of out-of-memory errors on some older AMD +architectures. These errors are what I would expect to see if +crypt_stat->key were split between two separate pages. eCryptfs should +not assume that any of the memory sent through virt_to_scatterlist() is +all contained in a single page, and so this patch allocates two +scatterlist structs instead of one when processing keys. I have received +confirmation from one person affected by this bug that this patch resolves +the issue for him, and so I am submitting it for inclusion in a future +stable release. + +Note that virt_to_scatterlist() runs sg_init_table() on the scatterlist +structs passed to it, so the calls to sg_init_table() in +decrypt_passphrase_encrypted_session_key() are redundant. + +Signed-off-by: Michael Halcrow +Reported-by: Paulo J. S. Silva +Cc: "Leon Woestenberg" +Cc: Tim Gardner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/keystore.c | 31 ++++++++++++++----------------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +--- a/fs/ecryptfs/keystore.c ++++ b/fs/ecryptfs/keystore.c +@@ -1037,17 +1037,14 @@ static int + decrypt_passphrase_encrypted_session_key(struct ecryptfs_auth_tok *auth_tok, + struct ecryptfs_crypt_stat *crypt_stat) + { +- struct scatterlist dst_sg; +- struct scatterlist src_sg; ++ struct scatterlist dst_sg[2]; ++ struct scatterlist src_sg[2]; + struct mutex *tfm_mutex; + struct blkcipher_desc desc = { + .flags = CRYPTO_TFM_REQ_MAY_SLEEP + }; + int rc = 0; + +- sg_init_table(&dst_sg, 1); +- sg_init_table(&src_sg, 1); +- + if (unlikely(ecryptfs_verbosity > 0)) { + ecryptfs_printk( + KERN_DEBUG, "Session key encryption key (size [%d]):\n", +@@ -1066,8 +1063,8 @@ decrypt_passphrase_encrypted_session_key + } + rc = virt_to_scatterlist(auth_tok->session_key.encrypted_key, + auth_tok->session_key.encrypted_key_size, +- &src_sg, 1); +- if (rc != 1) { ++ src_sg, 2); ++ if (rc < 1 || rc > 2) { + printk(KERN_ERR "Internal error whilst attempting to convert " + "auth_tok->session_key.encrypted_key to scatterlist; " + "expected rc = 1; got rc = [%d]. " +@@ -1079,8 +1076,8 @@ decrypt_passphrase_encrypted_session_key + auth_tok->session_key.encrypted_key_size; + rc = virt_to_scatterlist(auth_tok->session_key.decrypted_key, + auth_tok->session_key.decrypted_key_size, +- &dst_sg, 1); +- if (rc != 1) { ++ dst_sg, 2); ++ if (rc < 1 || rc > 2) { + printk(KERN_ERR "Internal error whilst attempting to convert " + "auth_tok->session_key.decrypted_key to scatterlist; " + "expected rc = 1; got rc = [%d]\n", rc); +@@ -1096,7 +1093,7 @@ decrypt_passphrase_encrypted_session_key + rc = -EINVAL; + goto out; + } +- rc = crypto_blkcipher_decrypt(&desc, &dst_sg, &src_sg, ++ rc = crypto_blkcipher_decrypt(&desc, dst_sg, src_sg, + auth_tok->session_key.encrypted_key_size); + mutex_unlock(tfm_mutex); + if (unlikely(rc)) { +@@ -1541,8 +1538,8 @@ write_tag_3_packet(char *dest, size_t *r + size_t i; + size_t encrypted_session_key_valid = 0; + char session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES]; +- struct scatterlist dst_sg; +- struct scatterlist src_sg; ++ struct scatterlist dst_sg[2]; ++ struct scatterlist src_sg[2]; + struct mutex *tfm_mutex = NULL; + u8 cipher_code; + size_t packet_size_length; +@@ -1621,8 +1618,8 @@ write_tag_3_packet(char *dest, size_t *r + ecryptfs_dump_hex(session_key_encryption_key, 16); + } + rc = virt_to_scatterlist(crypt_stat->key, key_rec->enc_key_size, +- &src_sg, 1); +- if (rc != 1) { ++ src_sg, 2); ++ if (rc < 1 || rc > 2) { + ecryptfs_printk(KERN_ERR, "Error generating scatterlist " + "for crypt_stat session key; expected rc = 1; " + "got rc = [%d]. key_rec->enc_key_size = [%d]\n", +@@ -1631,8 +1628,8 @@ write_tag_3_packet(char *dest, size_t *r + goto out; + } + rc = virt_to_scatterlist(key_rec->enc_key, key_rec->enc_key_size, +- &dst_sg, 1); +- if (rc != 1) { ++ dst_sg, 2); ++ if (rc < 1 || rc > 2) { + ecryptfs_printk(KERN_ERR, "Error generating scatterlist " + "for crypt_stat encrypted session key; " + "expected rc = 1; got rc = [%d]. " +@@ -1653,7 +1650,7 @@ write_tag_3_packet(char *dest, size_t *r + rc = 0; + ecryptfs_printk(KERN_DEBUG, "Encrypting [%d] bytes of the key\n", + crypt_stat->key_size); +- rc = crypto_blkcipher_encrypt(&desc, &dst_sg, &src_sg, ++ rc = crypto_blkcipher_encrypt(&desc, dst_sg, src_sg, + (*key_rec).enc_key_size); + mutex_unlock(tfm_mutex); + if (rc) { diff --git a/queue-2.6.27/pxa2xx_spi-bugfix-full-duplex-dma-data-corruption.patch b/queue-2.6.27/pxa2xx_spi-bugfix-full-duplex-dma-data-corruption.patch new file mode 100644 index 00000000000..a8e16ef0795 --- /dev/null +++ b/queue-2.6.27/pxa2xx_spi-bugfix-full-duplex-dma-data-corruption.patch @@ -0,0 +1,77 @@ +From 393df744e056ba24e9531d0657d09fc3c7c0dd22 Mon Sep 17 00:00:00 2001 +From: Ned Forrester +Date: Wed, 19 Nov 2008 15:36:21 -0800 +Subject: pxa2xx_spi: bugfix full duplex dma data corruption + +From: Ned Forrester + +commit 393df744e056ba24e9531d0657d09fc3c7c0dd22 upstream. + +Fixes a data corruption bug in pxa2xx_spi.c when operating in full duplex +mode with DMA and using buffers that overlap. + +SPI transmit and receive buffers are allowed to be the same or to overlap. + However, this driver fails if such overlap is attempted in DMA mode +because it maps the rx and tx buffers in the wrong order. By mapping +DMA_FROM_DEVICE (read) before DMA_TO_DEVICE (write), it invalidates the +cache before flushing it, thus discarding data which should have been +transmitted. + +The patch corrects the order of mapping. This bug exists in all versions +of pxa2xx_spi.c; similar bugs are in the drivers for two other SPI +controllers (au1500, imx). + +A version of this patch has been tested on kernel 2.6.20 using +verification of loopback data with: random transfer length, random +bits-per-word, random positive offsets (both larger and smaller than +transfer length) between the start of the rx and tx buffers, and varying +clock rates. + +Signed-off-by: Ned Forrester +Cc: Vernon Sauder +Cc: J. Scott Merritt +Signed-off-by: David Brownell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/pxa2xx_spi.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/drivers/spi/pxa2xx_spi.c ++++ b/drivers/spi/pxa2xx_spi.c +@@ -348,21 +348,21 @@ static int map_dma_buffers(struct driver + } else + drv_data->tx_map_len = drv_data->len; + +- /* Stream map the rx buffer */ +- drv_data->rx_dma = dma_map_single(dev, drv_data->rx, +- drv_data->rx_map_len, +- DMA_FROM_DEVICE); +- if (dma_mapping_error(dev, drv_data->rx_dma)) +- return 0; +- +- /* Stream map the tx buffer */ ++ /* Stream map the tx buffer. Always do DMA_TO_DEVICE first ++ * so we flush the cache *before* invalidating it, in case ++ * the tx and rx buffers overlap. ++ */ + drv_data->tx_dma = dma_map_single(dev, drv_data->tx, +- drv_data->tx_map_len, +- DMA_TO_DEVICE); ++ drv_data->tx_map_len, DMA_TO_DEVICE); ++ if (dma_mapping_error(dev, drv_data->tx_dma)) ++ return 0; + +- if (dma_mapping_error(dev, drv_data->tx_dma)) { +- dma_unmap_single(dev, drv_data->rx_dma, ++ /* Stream map the rx buffer */ ++ drv_data->rx_dma = dma_map_single(dev, drv_data->rx, + drv_data->rx_map_len, DMA_FROM_DEVICE); ++ if (dma_mapping_error(dev, drv_data->rx_dma)) { ++ dma_unmap_single(dev, drv_data->tx_dma, ++ drv_data->tx_map_len, DMA_TO_DEVICE); + return 0; + } + diff --git a/queue-2.6.27/series b/queue-2.6.27/series new file mode 100644 index 00000000000..396c8b089e4 --- /dev/null +++ b/queue-2.6.27/series @@ -0,0 +1,10 @@ +usb-gadget-rndis-send-notifications.patch +usb-gadget-rndis-stop-windows-self-immolation.patch +usb-usbmon-fix-read.patch +usb-fix-sb700-usb-subsystem-hang-bug.patch +usb-fix-sb600-usb-subsystem-hang-bug.patch +atl1e-fix-broken-multicast-by-removing-unnecessary-crc-inversion.patch +cpuset-fix-regression-when-failed-to-generate-sched-domains.patch +cgroups-fix-a-serious-bug-in-cgroupstats.patch +ecryptfs-allocate-up-to-two-scatterlists-for-crypto-ops-on-keys.patch +pxa2xx_spi-bugfix-full-duplex-dma-data-corruption.patch diff --git a/queue-2.6.27/usb-fix-sb600-usb-subsystem-hang-bug.patch b/queue-2.6.27/usb-fix-sb600-usb-subsystem-hang-bug.patch new file mode 100644 index 00000000000..279e751d943 --- /dev/null +++ b/queue-2.6.27/usb-fix-sb600-usb-subsystem-hang-bug.patch @@ -0,0 +1,53 @@ +From 0a99e8ac430a27825bd055719765fd0d65cd797f Mon Sep 17 00:00:00 2001 +From: Shane Huang +Date: Tue, 25 Nov 2008 15:12:33 +0800 +Subject: USB: fix SB600 USB subsystem hang bug + +From: Shane Huang + +commit 0a99e8ac430a27825bd055719765fd0d65cd797f upstream. + +This patch is required for all AMD SB600 revisions to avoid USB subsystem hang +symptom. The USB subsystem hang symptom is observed when the system has +multiple USB devices connected to it. In some cases a USB hub may be required +to observe this symptom. + +Reported in bugzilla as #11599, the similar patch for SB700 old revision is: +commit b09bc6cbae4dd3a2d35722668ef2c502a7b8b093 + +Reported-by: raffaele +Tested-by: Roman Mamedov +Signed-off-by: Shane Huang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-pci.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/ehci-pci.c ++++ b/drivers/usb/host/ehci-pci.c +@@ -169,18 +169,21 @@ static int ehci_pci_setup(struct usb_hcd + } + break; + case PCI_VENDOR_ID_ATI: +- /* SB700 old version has a bug in EHCI controller, ++ /* SB600 and old version of SB700 have a bug in EHCI controller, + * which causes usb devices lose response in some cases. + */ +- if (pdev->device == 0x4396) { ++ if ((pdev->device == 0x4386) || (pdev->device == 0x4396)) { + p_smbus = pci_get_device(PCI_VENDOR_ID_ATI, + PCI_DEVICE_ID_ATI_SBX00_SMBUS, + NULL); + if (!p_smbus) + break; + rev = p_smbus->revision; +- if ((rev == 0x3a) || (rev == 0x3b)) { ++ if ((pdev->device == 0x4386) || (rev == 0x3a) ++ || (rev == 0x3b)) { + u8 tmp; ++ ehci_info(ehci, "applying AMD SB600/SB700 USB " ++ "freeze workaround\n"); + pci_read_config_byte(pdev, 0x53, &tmp); + pci_write_config_byte(pdev, 0x53, tmp | (1<<3)); + } diff --git a/queue-2.6.27/usb-fix-sb700-usb-subsystem-hang-bug.patch b/queue-2.6.27/usb-fix-sb700-usb-subsystem-hang-bug.patch new file mode 100644 index 00000000000..e3972bec38a --- /dev/null +++ b/queue-2.6.27/usb-fix-sb700-usb-subsystem-hang-bug.patch @@ -0,0 +1,66 @@ +From b09bc6cbae4dd3a2d35722668ef2c502a7b8b093 Mon Sep 17 00:00:00 2001 +From: Andiry Xu +Date: Fri, 14 Nov 2008 11:42:29 +0800 +Subject: USB: fix SB700 usb subsystem hang bug + +From: Andiry Xu + +commit b09bc6cbae4dd3a2d35722668ef2c502a7b8b093 upstream. + +This patch is required for AMD SB700 south bridge revision A12 and A13 to avoid +USB subsystem hang symptom. The USB subsystem hang symptom is observed when the +system has multiple USB devices connected to it. In some cases a USB hub may be +required to observe this symptom. + +This patch works around the problem by correcting the internal register setting +that will help by changing the behavior of the internal logic to avoid the +USB subsystem hang issue. The change in the behavior of the logic does not +impact the normal operation of the USB subsystem. + +Reported-by: Volker Armin Hemmann +Tested-by: Volker Armin Hemmann +Signed-off-by: Andiry Xu +Signed-off-by: Libin Yang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-pci.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/drivers/usb/host/ehci-pci.c ++++ b/drivers/usb/host/ehci-pci.c +@@ -66,6 +66,8 @@ static int ehci_pci_setup(struct usb_hcd + { + struct ehci_hcd *ehci = hcd_to_ehci(hcd); + struct pci_dev *pdev = to_pci_dev(hcd->self.controller); ++ struct pci_dev *p_smbus; ++ u8 rev; + u32 temp; + int retval; + +@@ -166,6 +168,25 @@ static int ehci_pci_setup(struct usb_hcd + pci_write_config_byte(pdev, 0x4b, tmp | 0x20); + } + break; ++ case PCI_VENDOR_ID_ATI: ++ /* SB700 old version has a bug in EHCI controller, ++ * which causes usb devices lose response in some cases. ++ */ ++ if (pdev->device == 0x4396) { ++ p_smbus = pci_get_device(PCI_VENDOR_ID_ATI, ++ PCI_DEVICE_ID_ATI_SBX00_SMBUS, ++ NULL); ++ if (!p_smbus) ++ break; ++ rev = p_smbus->revision; ++ if ((rev == 0x3a) || (rev == 0x3b)) { ++ u8 tmp; ++ pci_read_config_byte(pdev, 0x53, &tmp); ++ pci_write_config_byte(pdev, 0x53, tmp | (1<<3)); ++ } ++ pci_dev_put(p_smbus); ++ } ++ break; + } + + ehci_reset(ehci); diff --git a/queue-2.6.27/usb-gadget-rndis-send-notifications.patch b/queue-2.6.27/usb-gadget-rndis-send-notifications.patch new file mode 100644 index 00000000000..98e0775cdfa --- /dev/null +++ b/queue-2.6.27/usb-gadget-rndis-send-notifications.patch @@ -0,0 +1,35 @@ +From ff3495052af48f7a2bf7961b131dc9e161dae19c Mon Sep 17 00:00:00 2001 +From: Richard Röjfors +Date: Sat, 15 Nov 2008 19:53:24 -0800 +Subject: USB: gadget rndis: send notifications + +From: Richard Röjfors + +commit ff3495052af48f7a2bf7961b131dc9e161dae19c upstream. + +It turns out that atomic_inc_return() returns the *new* value +not the original one, so the logic in rndis_response_available() +kept the first RNDIS response notification from getting out. +This prevented interoperation with MS-Windows (but not Linux). + +Fix this to make RNDIS behave again. + +Signed-off-by: Richard Röjfors +Signed-off-by: David Brownell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/f_rndis.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/f_rndis.c ++++ b/drivers/usb/gadget/f_rndis.c +@@ -303,7 +303,7 @@ static void rndis_response_available(voi + __le32 *data = req->buf; + int status; + +- if (atomic_inc_return(&rndis->notify_count)) ++ if (atomic_inc_return(&rndis->notify_count) != 1) + return; + + /* Send RNDIS RESPONSE_AVAILABLE notification; a diff --git a/queue-2.6.27/usb-gadget-rndis-stop-windows-self-immolation.patch b/queue-2.6.27/usb-gadget-rndis-stop-windows-self-immolation.patch new file mode 100644 index 00000000000..77fe1be67bf --- /dev/null +++ b/queue-2.6.27/usb-gadget-rndis-stop-windows-self-immolation.patch @@ -0,0 +1,36 @@ +From 9c264521a9f836541c122b00f505cfd60cc5bbb5 Mon Sep 17 00:00:00 2001 +From: David Brownell +Date: Sat, 15 Nov 2008 19:53:21 -0800 +Subject: USB: gadget rndis: stop windows self-immolation + +From: David Brownell + +commit 9c264521a9f836541c122b00f505cfd60cc5bbb5 upstream. + +Somewhere in the conversion of the RNDIS gadget code to the new +framework, the descriptor of its data interface seems to have +been copied from the CDC Ethernet driver. Unfortunately that +means it got a nonzero altsetting ... which is incorrect. Issue +uncovered by Richard Röjfors . + +This patch fixes that problem, and resolves at least some cases +of Windows XP bluescreening itself. + +Tested-by: Richard Röjfors . +Signed-off-by: David Brownell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/f_rndis.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/gadget/f_rndis.c ++++ b/drivers/usb/gadget/f_rndis.c +@@ -172,7 +172,6 @@ static struct usb_interface_descriptor r + .bDescriptorType = USB_DT_INTERFACE, + + /* .bInterfaceNumber = DYNAMIC */ +- .bAlternateSetting = 1, + .bNumEndpoints = 2, + .bInterfaceClass = USB_CLASS_CDC_DATA, + .bInterfaceSubClass = 0, diff --git a/queue-2.6.27/usb-usbmon-fix-read.patch b/queue-2.6.27/usb-usbmon-fix-read.patch new file mode 100644 index 00000000000..df8cad7855d --- /dev/null +++ b/queue-2.6.27/usb-usbmon-fix-read.patch @@ -0,0 +1,40 @@ +From f1c0a2a3aff53698f4855968d576464041d49b39 Mon Sep 17 00:00:00 2001 +From: Pete Zaitcev +Date: Fri, 14 Nov 2008 09:47:41 -0700 +Subject: USB: usbmon: fix read(2) + +From: Pete Zaitcev + +commit f1c0a2a3aff53698f4855968d576464041d49b39 upstream. + +There's a bug in the usbmon binary reader: When using read() to fetch +the packets and a packet's data is partially read, the next read call +will once again return up to len_cap bytes of data. The b_read counter +is not regarded when determining the remaining chunk size. + +So, when dumping USB data with "cat /dev/usbmon0 > usbmon.trace" while +reading from a USB storage device and analyzing the dump file +afterwards it will get out of sync after a couple of packets. + +Signed-off-by: Ingo van Lil +Signed-off-by: Pete Zaitcev +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/mon/mon_bin.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -687,7 +687,10 @@ static ssize_t mon_bin_read(struct file + } + + if (rp->b_read >= sizeof(struct mon_bin_hdr)) { +- step_len = min(nbytes, (size_t)ep->len_cap); ++ step_len = ep->len_cap; ++ step_len -= rp->b_read - sizeof(struct mon_bin_hdr); ++ if (step_len > nbytes) ++ step_len = nbytes; + offset = rp->b_out + PKT_SIZE; + offset += rp->b_read - sizeof(struct mon_bin_hdr); + if (offset >= rp->b_size) -- 2.47.3