.37 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Thu, 24 Mar 2011 19:45:39 +0000 (12:45 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 24 Mar 2011 19:45:39 +0000 (12:45 -0700)
13 files changed:
queue-2.6.37/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch [new file with mode: 0644]
queue-2.6.37/fs-assign-sb-s_bdi-to-default_backing_dev_info-if-the-bdi-is-going-away.patch [new file with mode: 0644]
queue-2.6.37/series
queue-2.6.37/sh-fix-ptrace-fpu-state-initialisation.patch [new file with mode: 0644]
queue-2.6.37/sh-fix-ptrace-hw_breakpoint-handling.patch [new file with mode: 0644]
queue-2.6.37/usb-cdc-acm-fix-memory-corruption-panic.patch [new file with mode: 0644]
queue-2.6.37/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch [new file with mode: 0644]
queue-2.6.37/usb-cdc-acm-fix-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-2.6.37/usb-do-not-pass-negative-length-to-snoop_urb.patch [new file with mode: 0644]
queue-2.6.37/usb-fix-bad-dma-problem-on-wdm-device-disconnect.patch [new file with mode: 0644]
queue-2.6.37/usb-uss720-fixup-refcount-position.patch [new file with mode: 0644]
queue-2.6.37/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch [new file with mode: 0644]
queue-2.6.37/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch [new file with mode: 0644]

diff --git a/queue-2.6.37/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch b/queue-2.6.37/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch
new file mode 100644 (file)
index 0000000..e7c054e
--- /dev/null
@@ -0,0 +1,80 @@
+From b5a3b3d985493c173925907adfebf3edab236fe7 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 16 Mar 2011 10:57:15 -0400
+Subject: ehci-hcd: Bug fix: don't set a QH's Halt bit
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit b5a3b3d985493c173925907adfebf3edab236fe7 upstream.
+
+This patch (as1453) fixes a long-standing bug in the ehci-hcd driver.
+
+There is no need to set the Halt bit in the overlay region for an
+unlinked or blocked QH.  Contrary to what the comment says, setting
+the Halt bit does not cause the QH to be patched later; that decision
+(made in qh_refresh()) depends only on whether the QH is currently
+pointing to a valid qTD.  Likewise, setting the Halt bit does not
+prevent completions from activating the QH while it is "stopped"; they
+are prevented by the fact that qh_completions() temporarily changes
+qh->qh_state to QH_STATE_COMPLETING.
+
+On the other hand, there are circumstances in which the QH will be
+reactivated _without_ being patched; this happens after an URB beyond
+the head of the queue is unlinked.  Setting the Halt bit will then
+cause the hardware to see the QH with both the Active and Halt bits
+set, an invalid combination that will prevent the queue from
+advancing and may even crash some controllers.
+
+Apparently the only reason this hasn't been reported before is that
+unlinking URBs from the middle of a running queue is quite uncommon.
+However Test 17, recently added to the usbtest driver, does exactly
+this, and it confirms the presence of the bug.
+
+In short, there is no reason to set the Halt bit for an unlinked or
+blocked QH, and there is a very good reason not to set it.  Therefore
+the code that sets it is removed.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Andiry Xu <andiry.xu@amd.com>
+CC: David Brownell <david-b@pacbell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-q.c |   12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -315,7 +315,6 @@ qh_completions (struct ehci_hcd *ehci, s
+       int                     stopped;
+       unsigned                count = 0;
+       u8                      state;
+-      const __le32            halt = HALT_BIT(ehci);
+       struct ehci_qh_hw       *hw = qh->hw;
+       if (unlikely (list_empty (&qh->qtd_list)))
+@@ -422,7 +421,6 @@ qh_completions (struct ehci_hcd *ehci, s
+                                       && !(qtd->hw_alt_next
+                                               & EHCI_LIST_END(ehci))) {
+                               stopped = 1;
+-                              goto halt;
+                       }
+               /* stop scanning when we reach qtds the hc is using */
+@@ -456,16 +454,6 @@ qh_completions (struct ehci_hcd *ehci, s
+                                */
+                               ehci_clear_tt_buffer(ehci, qh, urb, token);
+                       }
+-
+-                      /* force halt for unlinked or blocked qh, so we'll
+-                       * patch the qh later and so that completions can't
+-                       * activate it while we "know" it's stopped.
+-                       */
+-                      if ((halt & hw->hw_token) == 0) {
+-halt:
+-                              hw->hw_token |= halt;
+-                              wmb ();
+-                      }
+               }
+               /* unless we already know the urb's status, collect qtd status
diff --git a/queue-2.6.37/fs-assign-sb-s_bdi-to-default_backing_dev_info-if-the-bdi-is-going-away.patch b/queue-2.6.37/fs-assign-sb-s_bdi-to-default_backing_dev_info-if-the-bdi-is-going-away.patch
new file mode 100644 (file)
index 0000000..bd6a5e3
--- /dev/null
@@ -0,0 +1,74 @@
+From 95f28604a65b1c40b6c6cd95e58439cd7ded3add Mon Sep 17 00:00:00 2001
+From: Jens Axboe <jaxboe@fusionio.com>
+Date: Thu, 17 Mar 2011 11:13:12 +0100
+Subject: fs: assign sb->s_bdi to default_backing_dev_info if the bdi is going away
+
+From: Jens Axboe <jaxboe@fusionio.com>
+
+commit 95f28604a65b1c40b6c6cd95e58439cd7ded3add upstream.
+
+We don't have proper reference counting for this yet, so we run into
+cases where the device is pulled and we OOPS on flushing the fs data.
+This happens even though the dirty inodes have already been
+migrated to the default_backing_dev_info.
+
+Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Tested-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/super.c       |    2 ++
+ fs/sync.c        |    4 ++--
+ mm/backing-dev.c |    2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -70,6 +70,7 @@ static struct super_block *alloc_super(s
+ #else
+               INIT_LIST_HEAD(&s->s_files);
+ #endif
++              s->s_bdi = &default_backing_dev_info;
+               INIT_LIST_HEAD(&s->s_instances);
+               INIT_HLIST_HEAD(&s->s_anon);
+               INIT_LIST_HEAD(&s->s_inodes);
+@@ -996,6 +997,7 @@ vfs_kern_mount(struct file_system_type *
+       }
+       BUG_ON(!mnt->mnt_sb);
+       WARN_ON(!mnt->mnt_sb->s_bdi);
++      WARN_ON(mnt->mnt_sb->s_bdi == &default_backing_dev_info);
+       mnt->mnt_sb->s_flags |= MS_BORN;
+       error = security_sb_kern_mount(mnt->mnt_sb, flags, secdata);
+--- a/fs/sync.c
++++ b/fs/sync.c
+@@ -33,7 +33,7 @@ static int __sync_filesystem(struct supe
+        * This should be safe, as we require bdi backing to actually
+        * write out data in the first place
+        */
+-      if (!sb->s_bdi || sb->s_bdi == &noop_backing_dev_info)
++      if (sb->s_bdi == &noop_backing_dev_info)
+               return 0;
+       if (sb->s_qcop && sb->s_qcop->quota_sync)
+@@ -79,7 +79,7 @@ EXPORT_SYMBOL_GPL(sync_filesystem);
+ static void sync_one_sb(struct super_block *sb, void *arg)
+ {
+-      if (!(sb->s_flags & MS_RDONLY) && sb->s_bdi)
++      if (!(sb->s_flags & MS_RDONLY))
+               __sync_filesystem(sb, *(int *)arg);
+ }
+ /*
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -604,7 +604,7 @@ static void bdi_prune_sb(struct backing_
+       spin_lock(&sb_lock);
+       list_for_each_entry(sb, &super_blocks, s_list) {
+               if (sb->s_bdi == bdi)
+-                      sb->s_bdi = NULL;
++                      sb->s_bdi = &default_backing_dev_info;
+       }
+       spin_unlock(&sb_lock);
+ }
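Review bot: In the mm/backing-dev.c hunk, bdi_prune_sb() repoints sb->s_bdi under sb_lock, while the fs/sync.c hunks read sb->s_bdi with no lock visible, and the commit message itself says proper reference counting does not exist yet. That makes this a stop-gap, and the assignment should say so, e.g. `/* no refcount on the bdi yet: fall back to the default bdi instead of NULL so a later flush never follows a pointer to a removed device */`. With the NULL tests dropped from __sync_filesystem() and sync_one_sb(), correctness also depends on every super_block receiving a non-NULL s_bdi in alloc_super(), which is worth a comment next to the new initialisation there. All of these functions continue outside their hunks, so any locking done by callers is not visible here.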
index 4e5029a79744aa05ec0fb2a5dc749ce857c6451a..5242bda3c73f8bd1916881caebfc17fef3a7999d 100644 (file)
@@ -28,3 +28,15 @@ nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch
 nfsd4-minor-nfs4state.c-reshuffling.patch
 nfsd4-fix-struct-file-leak.patch
 nfsd-wrong-index-used-in-inner-loop.patch
+uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch
+uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch
+sh-fix-ptrace-fpu-state-initialisation.patch
+sh-fix-ptrace-hw_breakpoint-handling.patch
+usb-do-not-pass-negative-length-to-snoop_urb.patch
+ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch
+usb-uss720-fixup-refcount-position.patch
+usb-fix-bad-dma-problem-on-wdm-device-disconnect.patch
+usb-cdc-acm-fix-memory-corruption-panic.patch
+usb-cdc-acm-fix-potential-null-pointer-dereference.patch
+usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch
+fs-assign-sb-s_bdi-to-default_backing_dev_info-if-the-bdi-is-going-away.patch
diff --git a/queue-2.6.37/sh-fix-ptrace-fpu-state-initialisation.patch b/queue-2.6.37/sh-fix-ptrace-fpu-state-initialisation.patch
new file mode 100644 (file)
index 0000000..3c5ed90
--- /dev/null
@@ -0,0 +1,67 @@
+From c49b6ecf0870e78fa40497cd8b142915c1d5c7c9 Mon Sep 17 00:00:00 2001
+From: Phil Edworthy <Phil.Edworthy@renesas.com>
+Date: Fri, 18 Mar 2011 14:16:31 +0000
+Subject: sh: Fix ptrace fpu state initialisation
+
+From: Phil Edworthy <Phil.Edworthy@renesas.com>
+
+commit c49b6ecf0870e78fa40497cd8b142915c1d5c7c9 upstream.
+
+Commit 0ea820cf introduced the PTRACE_GETFPREGS/SETFPREGS cmds,
+but gdb-server still accesses the FPU state using the
+PTRACE_PEEKUSR/POKEUSR commands. In this case, xstate was not
+initialised.
+
+Signed-off-by: Phil Edworthy <phil.edworthy@renesas.com>
+Signed-off-by: Paul Mundt <lethal@linux-sh.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sh/kernel/ptrace_32.c |    6 ++++++
+ arch/sh/kernel/ptrace_64.c |    6 ++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/arch/sh/kernel/ptrace_32.c
++++ b/arch/sh/kernel/ptrace_32.c
+@@ -392,6 +392,9 @@ long arch_ptrace(struct task_struct *chi
+                                       tmp = 0;
+                       } else {
+                               unsigned long index;
++                              ret = init_fpu(child);
++                              if (ret)
++                                      break;
+                               index = addr - offsetof(struct user, fpu);
+                               tmp = ((unsigned long *)child->thread.xstate)
+                                       [index >> 2];
+@@ -423,6 +426,9 @@ long arch_ptrace(struct task_struct *chi
+               else if (addr >= offsetof(struct user, fpu) &&
+                        addr < offsetof(struct user, u_fpvalid)) {
+                       unsigned long index;
++                      ret = init_fpu(child);
++                      if (ret)
++                              break;
+                       index = addr - offsetof(struct user, fpu);
+                       set_stopped_child_used_math(child);
+                       ((unsigned long *)child->thread.xstate)
+--- a/arch/sh/kernel/ptrace_64.c
++++ b/arch/sh/kernel/ptrace_64.c
+@@ -403,6 +403,9 @@ long arch_ptrace(struct task_struct *chi
+               else if ((addr >= offsetof(struct user, fpu)) &&
+                        (addr <  offsetof(struct user, u_fpvalid))) {
+                       unsigned long index;
++                      ret = init_fpu(child);
++                      if (ret)
++                              break;
+                       index = addr - offsetof(struct user, fpu);
+                       tmp = get_fpu_long(child, index);
+               } else if (addr == offsetof(struct user, u_fpvalid)) {
+@@ -442,6 +445,9 @@ long arch_ptrace(struct task_struct *chi
+               else if ((addr >= offsetof(struct user, fpu)) &&
+                        (addr <  offsetof(struct user, u_fpvalid))) {
+                       unsigned long index;
++                      ret = init_fpu(child);
++                      if (ret)
++                              break;
+                       index = addr - offsetof(struct user, fpu);
+                       ret = put_fpu_long(child, index, data);
+               }
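Review bot: The guard `ret = init_fpu(child); if (ret) break;` is pasted into four PEEKUSR/POKEUSR branches across ptrace_32.c and ptrace_64.c with no comment saying why it must come before the FPU state is touched. In the first ptrace_32.c hunk the statement right after it indexes `child->thread.xstate` directly, so a short comment such as `/* xstate may not be set up yet; initialise it before indexing */` would stop a later cleanup from hoisting the access above the guard. That wording is inferred from the commit message, which says only that xstate was not initialised. A small static helper wrapping the guard would also remove the fourfold duplication. arch_ptrace() starts and ends outside every hunk, so the value `ret` carries to the caller after the `break` cannot be checked from here.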
diff --git a/queue-2.6.37/sh-fix-ptrace-hw_breakpoint-handling.patch b/queue-2.6.37/sh-fix-ptrace-hw_breakpoint-handling.patch
new file mode 100644 (file)
index 0000000..6dc5958
--- /dev/null
@@ -0,0 +1,35 @@
+From fb7f045ace0624f1e59a7db8497e460bd54b1cbc Mon Sep 17 00:00:00 2001
+From: David Engraf <david.engraf@sysgo.com>
+Date: Wed, 23 Mar 2011 11:35:42 +0000
+Subject: sh: Fix ptrace hw_breakpoint handling
+
+From: David Engraf <david.engraf@sysgo.com>
+
+commit fb7f045ace0624f1e59a7db8497e460bd54b1cbc upstream.
+
+Since commit 34d0b5af50a063cded842716633501b38ff815fb it is no longer
+possible to debug an application using singlestep. The old commit
+converted singlestep handling via ptrace to hw_breakpoints. The
+hw_breakpoint is disabled when an event is triggered and not re-enabled
+again. This patch re-enables the existing hw_breakpoint before the
+existing breakpoint is reused.
+
+Signed-off-by: David Engraf <david.engraf@sysgo.com>
+Signed-off-by: Paul Mundt <lethal@linux-sh.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/sh/kernel/ptrace_32.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/sh/kernel/ptrace_32.c
++++ b/arch/sh/kernel/ptrace_32.c
+@@ -101,6 +101,8 @@ static int set_single_step(struct task_s
+               attr = bp->attr;
+               attr.bp_addr = addr;
++              /* reenable breakpoint */
++              attr.disabled = false;
+               err = modify_user_hw_breakpoint(bp, &attr);
+               if (unlikely(err))
+                       return err;
diff --git a/queue-2.6.37/usb-cdc-acm-fix-memory-corruption-panic.patch b/queue-2.6.37/usb-cdc-acm-fix-memory-corruption-panic.patch
new file mode 100644 (file)
index 0000000..2e81538
--- /dev/null
@@ -0,0 +1,214 @@
+From 23b80550e2aa61d0ba3af98b831b9195be0db9ee Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:09 +0100
+Subject: USB: cdc-acm: fix memory corruption / panic
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 23b80550e2aa61d0ba3af98b831b9195be0db9ee upstream.
+
+Prevent read urbs from being resubmitted from tasklet after port close.
+
+The receive tasklet was not disabled on port close, which could lead to
+corruption of receive lists on consecutive port open. In particular,
+read urbs could be re-submitted before port open, added to free list in
+open, and then added a second time to the free list in the completion
+handler.
+
+cdc-acm.c: Entering acm_tty_open.
+cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0
+cdc-acm.c: Entering acm_rx_tasklet
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64
+cdc-acm.c: set line: 115200 0 0 8
+cdc-acm.c: acm_control_msg: rq: 0x20 val: 0x0 len: 0x7 result: 7
+cdc-acm.c: acm_tty_close
+cdc-acm.c: acm_port_down
+cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x0 len: 0x0 result: 0
+cdc-acm.c: acm_ctrl_irq - urb shutting down with status: -2
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50
+cdc-acm.c: Entering acm_read_bulk with status -2
+cdc_acm 4-1:1.1: Aborting, acm not ready
+cdc-acm.c: Entering acm_read_bulk with status -2
+cdc_acm 4-1:1.1: Aborting, acm not ready
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da400, rcv 0xf57fbbe8, buf 0xf57fbd28
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da480, rcv 0xf57fbbd4, buf 0xf57fbd14
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da900, rcv 0xf57fbbc0, buf 0xf57fbd00
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da980, rcv 0xf57fbbac, buf 0xf57fbcec
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa00, rcv 0xf57fbb98, buf 0xf57fbcd8
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa80, rcv 0xf57fbb84, buf 0xf57fbcc4
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab00, rcv 0xf57fbb70, buf 0xf57fbcb0
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab80, rcv 0xf57fbb5c, buf 0xf57fbc9c
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac00, rcv 0xf57fbb48, buf 0xf57fbc88
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac80, rcv 0xf57fbb34, buf 0xf57fbc74
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad00, rcv 0xf57fbb20, buf 0xf57fbc60
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad80, rcv 0xf57fbb0c, buf 0xf57fbc4c
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da880, rcv 0xf57fbaf8, buf 0xf57fbc38
+cdc-acm.c: Entering acm_tty_open.
+cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0
+cdc-acm.c: Entering acm_rx_tasklet
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64
+cdc-acm.c: Entering acm_tty_write to write 3 bytes,
+cdc-acm.c: Get 3 bytes...
+cdc-acm.c: acm_write_start susp_count: 0
+cdc-acm.c: Entering acm_read_bulk with status 0
+------------[ cut here ]------------
+WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120()
+Hardware name: Vostro 1520
+list_del corruption. next->prev should be f57fbc10, but was f57fbaf8
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Not tainted 2.6.37+ #39
+Call Trace:
+ [<c103c7e2>] warn_slowpath_common+0x72/0xa0
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
+ [<c11dd8ac>] list_del+0x10c/0x120
+ [<f8051dbf>] acm_rx_tasklet+0xef/0x3e0 [cdc_acm]
+ [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+---[ end trace efd9a11434f0082e ]---
+------------[ cut here ]------------
+WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120()
+Hardware name: Vostro 1520
+list_del corruption. next->prev should be f57fbd50, but was f57fbdb0
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39
+Call Trace:
+ [<c103c7e2>] warn_slowpath_common+0x72/0xa0
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
+ [<c11dd8ac>] list_del+0x10c/0x120
+ [<f8051dd6>] acm_rx_tasklet+0x106/0x3e0 [cdc_acm]
+ [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+---[ end trace efd9a11434f0082f ]---
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50
+cdc-acm.c: disconnected from network
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c
+cdc-acm.c: Entering acm_rx_tasklet
+------------[ cut here ]------------
+WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:48 list_del+0xd5/0x120()
+Hardware name: Vostro 1520
+list_del corruption, next is LIST_POISON1 (00100100)
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39
+Call Trace:
+ [<c103c7e2>] warn_slowpath_common+0x72/0xa0
+ [<c11dd875>] ? list_del+0xd5/0x120
+ [<c11dd875>] ? list_del+0xd5/0x120
+ [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
+ [<c11dd875>] list_del+0xd5/0x120
+ [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
+ [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
+ [<c1042b30>] ? tasklet_action+0x60/0x140
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+---[ end trace efd9a11434f00830 ]---
+BUG: unable to handle kernel paging request at 00200200
+IP: [<c11dd7bd>] list_del+0x1d/0x120
+*pde = 00000000
+Oops: 0000 [#1] PREEMPT SMP
+last sysfs file: /sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.0/tty/ttyACM0/uevent
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39 0T816J/Vostro 1520
+EIP: 0060:[<c11dd7bd>] EFLAGS: 00010046 CPU: 0
+EIP is at list_del+0x1d/0x120
+EAX: f57fbd3c EBX: f57fb800 ECX: ffff8000 EDX: 00200200
+ESI: f57fbe90 EDI: f57fbd3c EBP: f600bf54 ESP: f600bf3c
+ DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
+Process ksoftirqd/0 (pid: 3, ti=f600a000 task=f60791c0 task.ti=f6082000)
+Stack:
+ c1527e84 00000030 c1527e54 00100100 f57fb800 f57fbd3c f600bf98 f8051fac
+ f8053104 f8052b94 f600bf6c c106dbab f600bf80 00000286 f60791c0 c1042b30
+ f57fbda8 f57f5800 f57fbdb0 f57fbd80 f57fbe7c c1656b04 00000000 f600bfb0
+Call Trace:
+ [<f8051fac>] ? acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
+ [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
+ [<c1042b30>] ? tasklet_action+0x60/0x140
+ [<c1042bb6>] ? tasklet_action+0xe6/0x140
+ [<c104342f>] ? __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>
+ [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+Code: ff 48 14 e9 57 ff ff ff 90 90 90 90 90 90 55 89 e5 83 ec 18 81 38 00 01 10 00 0f 84 9c 00 00 00 8b 50 04 81 fa 00 02 20 00 74 33 <8b> 12 39 d0 75 5c 8b 10 8b 4a 04 39 c8 0f 85 b5 00 00 00 8b 48
+EIP: [<c11dd7bd>] list_del+0x1d/0x120 SS:ESP 0068:f600bf3c
+CR2: 0000000000200200
+---[ end trace efd9a11434f00831 ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+Pid: 3, comm: ksoftirqd/0 Tainted: G      D W   2.6.37+ #39
+Call Trace:
+ [<c13fede1>] ? printk+0x1d/0x24
+ [<c13fecce>] panic+0x66/0x15c
+ [<c10067df>] oops_end+0x8f/0x90
+ [<c1025476>] no_context+0xc6/0x160
+ [<c10255a8>] __bad_area_nosemaphore+0x98/0x140
+ [<c103cf68>] ? release_console_sem+0x1d8/0x210
+ [<c1025667>] bad_area_nosemaphore+0x17/0x20
+ [<c1025a49>] do_page_fault+0x279/0x420
+ [<c1006a8f>] ? show_trace+0x1f/0x30
+ [<c13fede1>] ? printk+0x1d/0x24
+ [<c10257d0>] ? do_page_fault+0x0/0x420
+ [<c140333b>] error_code+0x5f/0x64
+ [<c103007b>] ? select_task_rq_fair+0x37b/0x6a0
+ [<c10257d0>] ? do_page_fault+0x0/0x420
+ [<c11dd7bd>] ? list_del+0x1d/0x120
+ [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
+ [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
+ [<c1042b30>] ? tasklet_action+0x60/0x140
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+panic occurred, switching back to text console
+------------[ cut here ]------------
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -646,8 +646,10 @@ static void acm_port_down(struct acm *ac
+               usb_kill_urb(acm->ctrlurb);
+               for (i = 0; i < ACM_NW; i++)
+                       usb_kill_urb(acm->wb[i].urb);
++              tasklet_disable(&acm->urb_task);
+               for (i = 0; i < nr; i++)
+                       usb_kill_urb(acm->ru[i].urb);
++              tasklet_enable(&acm->urb_task);
+               acm->control->needs_remote_wakeup = 0;
+               usb_autopm_put_interface(acm->control);
+       }
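Review bot: The tasklet_disable()/tasklet_enable() pair added to acm_port_down() covers only the loop that kills the read urbs, so a tasklet that was scheduled during that window still runs once tasklet_enable() returns. Whether it can then resubmit a read urb depends on a readiness check inside acm_rx_tasklet(), which is not visible in this hunk. If the fix relies on that check, the dependency should be written down above tasklet_disable() in a comment naming the check, so that nobody later removes one half of the protection. acm_port_down() begins and ends outside the hunk, so the state that check would observe at this point is not shown either.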
diff --git a/queue-2.6.37/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch b/queue-2.6.37/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch
new file mode 100644 (file)
index 0000000..04fac27
--- /dev/null
@@ -0,0 +1,42 @@
+From 7e7797e7f6f7bfab73fca02c65e40eaa5bb9000c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:11 +0100
+Subject: USB: cdc-acm: fix potential null-pointer dereference on disconnect
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 7e7797e7f6f7bfab73fca02c65e40eaa5bb9000c upstream.
+
+Fix potential null-pointer exception on disconnect introduced by commit
+11ea859d64b69a747d6b060b9ed1520eab1161fe (USB: additional power savings
+for cdc-acm devices that support remote wakeup).
+
+Only access acm->dev after making sure it is non-null in control urb
+completion handler.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -297,6 +297,8 @@ static void acm_ctrl_irq(struct urb *urb
+       if (!ACM_READY(acm))
+               goto exit;
++      usb_mark_last_busy(acm->dev);
++
+       data = (unsigned char *)(dr + 1);
+       switch (dr->bNotificationType) {
+       case USB_CDC_NOTIFY_NETWORK_CONNECTION:
+@@ -336,7 +338,6 @@ static void acm_ctrl_irq(struct urb *urb
+               break;
+       }
+ exit:
+-      usb_mark_last_busy(acm->dev);
+       retval = usb_submit_urb(urb, GFP_ATOMIC);
+       if (retval)
+               dev_err(&urb->dev->dev, "%s - usb_submit_urb failed with "
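Review bot: Moving `usb_mark_last_busy(acm->dev)` below the `ACM_READY(acm)` test in acm_ctrl_irq() still leaves a check-then-use on acm->dev with no lock visible in either hunk. If the disconnect path can clear acm->dev while this completion handler is running, the pointer could change between the test and the call. The ACM_READY definition and the disconnect code are not on this page, so this is a question for the author rather than a confirmed defect. A comment beside the new call stating what serialises the handler against disconnect would settle it for future readers. The `exit:` path uses `urb->dev->dev` rather than acm->dev and is not affected.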
diff --git a/queue-2.6.37/usb-cdc-acm-fix-potential-null-pointer-dereference.patch b/queue-2.6.37/usb-cdc-acm-fix-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..3e6723c
--- /dev/null
@@ -0,0 +1,29 @@
+From 15e5bee33ffc11d0e5c6f819a65e7881c5c407be Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:10 +0100
+Subject: USB: cdc-acm: fix potential null-pointer dereference
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 15e5bee33ffc11d0e5c6f819a65e7881c5c407be upstream.
+
+Must check return value of tty_port_tty_get.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -533,6 +533,8 @@ static void acm_softint(struct work_stru
+       if (!ACM_READY(acm))
+               return;
+       tty = tty_port_tty_get(&acm->port);
++      if (!tty)
++              return;
+       tty_wakeup(tty);
+       tty_kref_put(tty);
+ }
diff --git a/queue-2.6.37/usb-do-not-pass-negative-length-to-snoop_urb.patch b/queue-2.6.37/usb-do-not-pass-negative-length-to-snoop_urb.patch
new file mode 100644 (file)
index 0000000..3442226
--- /dev/null
@@ -0,0 +1,31 @@
+From 9d02b42614149ebccf12c9c580601ed01bd83070 Mon Sep 17 00:00:00 2001
+From: Michal Sojka <sojkam1@fel.cvut.cz>
+Date: Tue, 15 Mar 2011 16:41:47 +0100
+Subject: USB: Do not pass negative length to snoop_urb()
+
+From: Michal Sojka <sojkam1@fel.cvut.cz>
+
+commit 9d02b42614149ebccf12c9c580601ed01bd83070 upstream.
+
+When `echo Y > /sys/module/usbcore/parameters/usbfs_snoop` and
+usb_control_msg() returns error, a lot of kernel memory is dumped to dmesg
+until unhandled kernel paging request occurs.
+
+Signed-off-by: Michal Sojka <sojkam1@fel.cvut.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/core/devio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -802,7 +802,7 @@ static int proc_control(struct dev_state
+                                   tbuf, ctrl.wLength, tmo);
+               usb_lock_device(dev);
+               snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
+-                      tbuf, i);
++                        tbuf, max(i, 0));
+               if ((i > 0) && ctrl.wLength) {
+                       if (copy_to_user(ctrl.data, tbuf, i)) {
+                               free_page((unsigned long)tbuf);
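Review bot: Clamping with `max(i, 0)` at this single call in proc_control() fixes the negative length here, but snoop_urb() itself still trusts whatever data length its caller passes. According to the commit message a negative value made it dump kernel memory to dmesg until a paging fault occurred, so the callee is the safer place for the guard. Rejecting or clamping a negative length at the top of snoop_urb() would protect every caller. Its definition and other call sites are not shown, so whether another caller passes a raw status there is unconfirmed. The `i` handed to copy_to_user() just below is already guarded by `(i > 0)`, and proc_control() extends beyond the hunk on both sides.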
diff --git a/queue-2.6.37/usb-fix-bad-dma-problem-on-wdm-device-disconnect.patch b/queue-2.6.37/usb-fix-bad-dma-problem-on-wdm-device-disconnect.patch
new file mode 100644 (file)
index 0000000..549baef
--- /dev/null
@@ -0,0 +1,41 @@
+From 878b753e32ca765cd346a5d3038d630178ec78ff Mon Sep 17 00:00:00 2001
+From: Robert Lukassen <Robert.Lukassen@tomtom.com>
+Date: Wed, 16 Mar 2011 12:13:34 +0100
+Subject: USB: Fix 'bad dma' problem on WDM device disconnect
+
+From: Robert Lukassen <Robert.Lukassen@tomtom.com>
+
+commit 878b753e32ca765cd346a5d3038d630178ec78ff upstream.
+
+In the WDM class driver a disconnect event leads to calls to
+usb_free_coherent to put back two USB DMA buffers allocated earlier.
+The call to usb_free_coherent uses a different size parameter
+(desc->wMaxCommand) than the corresponding call to usb_alloc_coherent
+(desc->bMaxPacketSize0).
+
+When a disconnect event occurs, this leads to 'bad dma' complaints
+from usb core because the USB DMA buffer is being pushed back to the
+'buffer-2048' pool from which it has not been allocated.
+
+This patch against the most recent linux-2.6 kernel ensures that the
+parameters used by usb_alloc_coherent & usb_free_coherent calls in
+cdc-wdm.c match.
+
+Signed-off-by: Robert Lukassen <robert.lukassen@tomtom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-wdm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -281,7 +281,7 @@ static void cleanup(struct wdm_device *d
+                         desc->sbuf,
+                         desc->validity->transfer_dma);
+       usb_free_coherent(interface_to_usbdev(desc->intf),
+-                        desc->wMaxCommand,
++                        desc->bMaxPacketSize0,
+                         desc->inbuf,
+                         desc->response->transfer_dma);
+       kfree(desc->orq);
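Review bot: The size passed to this usb_free_coherent() call in cleanup() must be kept equal by hand to the size used at the matching usb_alloc_coherent(), which lies outside the hunk. That coupling is exactly what went wrong before this fix. A comment on the call such as `/* must match the size inbuf was allocated with */` would make it visible. The size argument of the first usb_free_coherent() call, for desc->sbuf, is cut off above the hunk and deserves the same check against its allocation.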
diff --git a/queue-2.6.37/usb-uss720-fixup-refcount-position.patch b/queue-2.6.37/usb-uss720-fixup-refcount-position.patch
new file mode 100644 (file)
index 0000000..db0128d
--- /dev/null
@@ -0,0 +1,41 @@
+From adaa3c6342b249548ea830fe8e02aa5b45be8688 Mon Sep 17 00:00:00 2001
+From: Peter Holik <peter@holik.at>
+Date: Fri, 18 Mar 2011 18:47:44 +0100
+Subject: USB: uss720 fixup refcount position
+
+From: Peter Holik <peter@holik.at>
+
+commit adaa3c6342b249548ea830fe8e02aa5b45be8688 upstream.
+
+My testprog do a lot of bitbang - after hours i got following warning and my machine lockups:
+WARNING: at /build/buildd/linux-2.6.38/lib/kref.c:34
+After debugging uss720 driver i discovered that the completion callback was called before
+usb_submit_urb returns. The callback frees the request structure that is krefed on return by
+usb_submit_urb.
+
+Signed-off-by: Peter Holik <peter@holik.at>
+Acked-by: Thomas Sailer <t.sailer@alumni.ethz.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/uss720.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/uss720.c
++++ b/drivers/usb/misc/uss720.c
+@@ -177,12 +177,11 @@ static struct uss720_async_request *subm
+       spin_lock_irqsave(&priv->asynclock, flags);
+       list_add_tail(&rq->asynclist, &priv->asynclist);
+       spin_unlock_irqrestore(&priv->asynclock, flags);
++      kref_get(&rq->ref_count);
+       ret = usb_submit_urb(rq->urb, mem_flags);
+-      if (!ret) {
+-              kref_get(&rq->ref_count);
++      if (!ret)
+               return rq;
+-      }
+-      kref_put(&rq->ref_count, destroy_async);
++      destroy_async(&rq->ref_count);
+       err("submit_async_request submit_urb failed with %d", ret);
+       return NULL;
+ }
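Review bot: On the failure path, `destroy_async(&rq->ref_count)` now calls the release function directly while the count is presumably still 2, the initial reference plus the `kref_get()` moved above usb_submit_urb(). The request has already been added to priv->asynclist a few lines earlier, so any context that can take a reference through that list before this point would be left holding freed memory. Whether destroy_async() unlinks the entry and whether such a lookup exists are not visible in this hunk. Dropping both references through the kref keeps the accounting intact, i.e. calling `kref_put(&rq->ref_count, destroy_async);` twice in place of the direct call. The function starts outside the hunk, so the initial count is inferred from the removed lines rather than seen.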
diff --git a/queue-2.6.37/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch b/queue-2.6.37/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch
new file mode 100644 (file)
index 0000000..d8c04bf
--- /dev/null
@@ -0,0 +1,40 @@
+From 4093a5c4a3f59cba1a085bbf87b6ffdddc5a443d Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Wed, 23 Feb 2011 11:19:17 -0300
+Subject: [media] uvcvideo: Fix descriptor parsing for video output devices
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+commit 4093a5c4a3f59cba1a085bbf87b6ffdddc5a443d upstream.
+
+Commit 4057ac6ca9a77c4275b34b5925ab5c99557913b1
+
+    V4L/DVB (13505): uvcvideo: Refactor chain scan
+
+broke output terminals parsing. Fix it.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_driver.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/media/video/uvc/uvc_driver.c
++++ b/drivers/media/video/uvc/uvc_driver.c
+@@ -1264,6 +1264,14 @@ static int uvc_scan_chain_entity(struct
+               break;
++      case UVC_OTT_VENDOR_SPECIFIC:
++      case UVC_OTT_DISPLAY:
++      case UVC_OTT_MEDIA_TRANSPORT_OUTPUT:
++              if (uvc_trace_param & UVC_TRACE_PROBE)
++                      printk(" OT %d", entity->id);
++
++              break;
++
+       case UVC_TT_STREAMING:
+               if (UVC_ENTITY_IS_ITERM(entity)) {
+                       if (uvc_trace_param & UVC_TRACE_PROBE)
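Review bot: The added `printk(" OT %d", entity->id);` has no log level even though it emits a fragment of a trace line rather than a whole message; marking it as a continuation, `printk(KERN_CONT " OT %d", entity->id);`, makes that intent explicit. The neighbouring cases are only partly visible here and may use the same bare form, in which case the change is better made across the whole switch. A one-line comment above the three new labels, e.g. `/* Output terminals: only traced in this switch. */`, would also record why these cases carry no other handling. uvc_scan_chain_entity starts and ends outside the hunk.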
diff --git a/queue-2.6.37/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch b/queue-2.6.37/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch
new file mode 100644 (file)
index 0000000..3bea978
--- /dev/null
@@ -0,0 +1,50 @@
+From 38a66824d96de8aeeb915e6f46f0d3fe55828eb1 Mon Sep 17 00:00:00 2001
+From: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+Date: Thu, 27 Jan 2011 23:04:33 -0300
+Subject: [media] uvcvideo: Fix uvc_fixup_video_ctrl() format search
+
+From: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+
+commit 38a66824d96de8aeeb915e6f46f0d3fe55828eb1 upstream.
+
+The scheme used to index format in uvc_fixup_video_ctrl() is not robust:
+format index is based on descriptor ordering, which does not necessarily
+match bFormatIndex ordering.  Searching for first matching format will
+prevent uvc_fixup_video_ctrl() from using the wrong format/frame to make
+adjustments.
+
+Signed-off-by: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_video.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/video/uvc/uvc_video.c
++++ b/drivers/media/video/uvc/uvc_video.c
+@@ -89,15 +89,19 @@ int uvc_query_ctrl(struct uvc_device *de
+ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
+       struct uvc_streaming_control *ctrl)
+ {
+-      struct uvc_format *format;
++      struct uvc_format *format = NULL;
+       struct uvc_frame *frame = NULL;
+       unsigned int i;
+-      if (ctrl->bFormatIndex <= 0 ||
+-          ctrl->bFormatIndex > stream->nformats)
+-              return;
++      for (i = 0; i < stream->nformats; ++i) {
++              if (stream->format[i].index == ctrl->bFormatIndex) {
++                      format = &stream->format[i];
++                      break;
++              }
++      }
+-      format = &stream->format[ctrl->bFormatIndex - 1];
++      if (format == NULL)
++              return;
+       for (i = 0; i < format->nframes; ++i) {
+               if (format->frame[i].bFrameIndex == ctrl->bFrameIndex) {