rpms/kernel/FC-6 linux-2.6-futex-fix-traversal.patch, NONE, 1.1 linux-2.6-usb-allow-1-byte-replies.patch, NONE, 1.1 linux-2.6-usb-fixup-interval-lengths.patch, NONE, 1.1 linux-2.6-usb-linked-list-insertion.patch, NONE, 1.1 kernel-2.6.spec, 1.3022, 1.3023

Thu Sep 13 22:21:35 UTC 2007

Author: cebbert

Update of /cvs/dist/rpms/kernel/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv11408

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6-futex-fix-traversal.patch 
	linux-2.6-usb-allow-1-byte-replies.patch 
	linux-2.6-usb-fixup-interval-lengths.patch 
	linux-2.6-usb-linked-list-insertion.patch 
Log Message:
* Thu Sep 13 2007 Chuck Ebbert <cebbert at redhat.com>
- USB: three trivial fixes
- futex: fix compat list traversal


linux-2.6-futex-fix-traversal.patch:
 futex_compat.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE linux-2.6-futex-fix-traversal.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=179c85ea53bef807621f335767e41e23f86f01df
Commit:     179c85ea53bef807621f335767e41e23f86f01df
Parent:     a570ab6f10462b062c28188b64377b8034235761
Author:     Arnd Bergmann <arnd at arndb.de>
AuthorDate: Tue Sep 11 15:23:49 2007 -0700
Committer:  Linus Torvalds <torvalds at woody.linux-foundation.org>
CommitDate: Tue Sep 11 17:21:20 2007 -0700

    futex_compat: fix list traversal bugs
    
    The futex list traversal on the compat side appears to have
    a bug.
    
    It's loop termination condition compares:
    
            while (compat_ptr(uentry) != &head->list)
    
    But that can't be right because "uentry" has the special
    "pi" indicator bit still potentially set at bit 0.  This
    is cleared by fetch_robust_entry() into the "entry"
    return value.
    
    What this seems to mean is that the list won't terminate
    when list iteration gets back to the the head.  And we'll
    also process the list head like a normal entry, which could
    cause all kinds of problems.
    
    So we should check for equality with "entry".  That pointer
    is of the non-compat type so we have to do a little casting
    to keep the compiler and sparse happy.
    
    The same problem can in theory occur with the 'pending'
    variable, although that has not been reported from users
    so far.
    
    Based on the original patch from David Miller.
    
    Acked-by: Ingo Molnar <mingo at elte.hu>
    Cc: Thomas Gleixner <tglx at linutronix.de>
    Cc: David Miller <davem at davemloft.net>
    Signed-off-by: Arnd Bergmann <arnd at arndb.de>
    Cc: <stable at kernel.org>
    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
---
 kernel/futex_compat.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
index f792136..7e52eb0 100644
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -61,10 +61,10 @@ void compat_exit_robust_list(struct task_struct *curr)
 	if (fetch_robust_entry(&upending, &pending,
 			       &head->list_op_pending, &pip))
 		return;
-	if (upending)
+	if (pending)
 		handle_futex_death((void __user *)pending + futex_offset, curr, pip);
 
-	while (compat_ptr(uentry) != &head->list) {
+	while (entry != (struct robust_list __user *) &head->list) {
 		/*
 		 * A pending lock might already be on the list, so
 		 * dont process it twice:

linux-2.6-usb-allow-1-byte-replies.patch:
 hub.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE linux-2.6-usb-allow-1-byte-replies.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=46dede4690bbb23a2c9d60561e2e4fdc3e6bee61
Commit:     46dede4690bbb23a2c9d60561e2e4fdc3e6bee61
Parent:     f095137e799ddb6a7c2bf0e4c73cda193ab9df41
Author:     Alan Stern <stern at rowland.harvard.edu>
AuthorDate: Tue Aug 14 10:56:10 2007 -0400
Committer:  Greg Kroah-Hartman <gregkh at suse.de>
CommitDate: Wed Aug 22 14:27:49 2007 -0700

    USB: accept 1-byte Device Status replies, fixing some b0rken devices
    
    Some devices have a bug which causes them to send a 1-byte reply to
    Get-Device-Status requests instead of 2 bytes as required by the
    spec.  This doesn't play well with autosuspend, since we look for a
    valid status reply to make sure the device is still present when it
    resumes.  Without both bytes, we assume the device has been
    disconnected.
    
    Lack of the second byte shouldn't matter much, since the spec requires
    it always to be equal to 0.  Hence this patch (as959) causes
    finish_port_resume() to accept a 1-byte reply as valid.
    
    Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
    Acked-by: David Brownell <david-b at pacbell.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>

    [<cebbert at redhat.com>: reworked for 2.6.22]
    [<cebbert at redhat.com>: made test more careful]
---
 drivers/usb/core/hub.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.22.noarch.orig/drivers/usb/core/hub.c
+++ linux-2.6.22.noarch/drivers/usb/core/hub.c
@@ -1719,7 +1719,7 @@ int usb_port_suspend(struct usb_device *
 static int finish_port_resume(struct usb_device *udev)
 {
 	int	status;
-	u16	devstatus;
+	u16	devstatus = 0;
 
 	/* caller owns the udev device lock */
 	dev_dbg(&udev->dev, "finish resume\n");
@@ -1739,7 +1739,7 @@ static int finish_port_resume(struct usb
 	 */
 	status = usb_get_status(udev, USB_RECIP_DEVICE, 0, &devstatus);
 	if (status >= 0)
-		status = (status == 2 ? 0 : -ENODEV);
+		status = (status == 2 || status == 1) ? 0 : -ENODEV;
 
 	if (status)
 		dev_dbg(&udev->dev,

linux-2.6-usb-fixup-interval-lengths.patch:
 config.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

--- NEW FILE linux-2.6-usb-fixup-interval-lengths.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=300871cd963e24a68aaa9b762f4a10403697d9be
Commit:     300871cd963e24a68aaa9b762f4a10403697d9be
Parent:     87d093e25d73249ae92b28ae88db92eaea7df70f
Author:     Laurent Pinchart <laurent.pinchart at skynet.be>
AuthorDate: Tue Jun 12 21:47:17 2007 +0200
Committer:  Greg Kroah-Hartman <gregkh at suse.de>
CommitDate: Thu Jul 12 16:34:37 2007 -0700

    USB: Fix up full-speed bInterval values in high-speed interrupt descriptor
    
    Many device manufacturers are using full-speed bInterval values in high-speed
    interrupt endpoint descriptors. If the bInterval value is greater than 16,
    assume the device uses full-speed descriptors and fix the value accordingly.
    
    Signed-off-by: Laurent Pinchart <laurent.pinchart at skynet.be>
    Acked-by: Alan Stern <stern at rowland.harvard.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 drivers/usb/core/config.c |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index 9152e12..5e113db 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -85,15 +85,21 @@ static int usb_parse_endpoint(struct device *ddev, int cfgno, int inum,
 	memcpy(&endpoint->desc, d, n);
 	INIT_LIST_HEAD(&endpoint->urb_list);
 
-	/* If the bInterval value is outside the legal range,
-	 * set it to a default value: 32 ms */
+	/* Fix up bInterval values outside the legal range. Use 32 ms if no
+	 * proper value can be guessed. */
 	i = 0;		/* i = min, j = max, n = default */
 	j = 255;
 	if (usb_endpoint_xfer_int(d)) {
 		i = 1;
 		switch (to_usb_device(ddev)->speed) {
 		case USB_SPEED_HIGH:
-			n = 9;		/* 32 ms = 2^(9-1) uframes */
+			/* Many device manufacturers are using full-speed
+			 * bInterval values in high-speed interrupt endpoint
+			 * descriptors. Try to fix those and fall back to a
+			 * 32 ms default value otherwise. */
+			n = fls(d->bInterval*8);
+			if (n == 0)
+				n = 9;	/* 32 ms = 2^(9-1) uframes */
 			j = 16;
 			break;
 		default:		/* USB_SPEED_FULL or _LOW */

linux-2.6-usb-linked-list-insertion.patch:
 driver.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE linux-2.6-usb-linked-list-insertion.patch ---
Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e5dd01154c1e9ca2400f4682602d1a4fa54c25dd
Commit:     e5dd01154c1e9ca2400f4682602d1a4fa54c25dd
Parent:     ce05916f6bf9906fba88853078715f9a4d300237
Author:     Nathael Pajani <nathael.pajani at cpe.fr>
AuthorDate: Tue Sep 4 11:46:23 2007 +0200
Committer:  Greg Kroah-Hartman <gregkh at suse.de>
CommitDate: Tue Sep 11 07:48:15 2007 -0700

    USB: fix linked list insertion bugfix for usb core
    
    This patch fixes the order of list_add_tail() arguments in
    usb_store_new_id() so the list can have more than one single element.
    
    Signed-off-by: Nathael Pajani <nathael.pajani at cpe.fr>
    Cc: stable <stable at kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 drivers/usb/core/driver.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index a1ad11d..63b1243 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -60,7 +60,7 @@ ssize_t usb_store_new_id(struct usb_dynids *dynids,
 	dynid->id.match_flags = USB_DEVICE_ID_MATCH_DEVICE;
 
 	spin_lock(&dynids->lock);
-	list_add_tail(&dynids->list, &dynid->node);
+	list_add_tail(&dynid->node, &dynids->list);
 	spin_unlock(&dynids->lock);
 
 	if (get_driver(driver)) {


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-6/kernel-2.6.spec,v
retrieving revision 1.3022
retrieving revision 1.3023
diff -u -r1.3022 -r1.3023
--- kernel-2.6.spec	13 Sep 2007 21:20:07 -0000	1.3022
+++ kernel-2.6.spec	13 Sep 2007 22:21:31 -0000	1.3023
@@ -617,7 +617,13 @@
 Patch742: linux-2.6-sdhci-clear-error-interrupt.patch
 Patch760: linux-2.6-v4l-dvb-fix-airstar-hd5000-tuner.patch
 Patch770: linux-2.6-irda-smc-remove-quirk.patch
+Patch771: linux-2.6-futex-fix-traversal.patch
+
 Patch780: linux-2.6-usb-storage-initialize-huawei-e220-properly.patch
+Patch781: linux-2.6-usb-allow-1-byte-replies.patch
+Patch782: linux-2.6-usb-fixup-interval-lengths.patch
+Patch783: linux-2.6-usb-linked-list-insertion.patch
+
 Patch800: linux-2.6-wakeups-hdaps.patch
 Patch801: linux-2.6-wakeups.patch
 Patch900: linux-2.6-sched-cfs-v2.6.22.5-v20.5.patch
@@ -1322,11 +1328,17 @@
 ApplyPatch linux-2.6-v4l-dvb-fix-airstar-hd5000-tuner.patch
 # irda: remove smc quirk that breaks hp 6000 notebooks
 ApplyPatch linux-2.6-irda-smc-remove-quirk.patch
+# futex: fix compat list traveral
+ApplyPatch linux-2.6-futex-fix-traversal.patch
 
 # USB
 #
 # fix init of huawei device
 ApplyPatch linux-2.6-usb-storage-initialize-huawei-e220-properly.patch
+# trivial USB fixes
+ApplyPatch linux-2.6-usb-allow-1-byte-replies.patch
+ApplyPatch linux-2.6-usb-fixup-interval-lengths.patch
+ApplyPatch linux-2.6-usb-linked-list-insertion.patch
 
 # timers
 
@@ -2268,6 +2280,10 @@
 
 %changelog
 * Thu Sep 13 2007 Chuck Ebbert <cebbert at redhat.com>
+- USB: three trivial fixes
+- futex: fix compat list traversal
+
+* Thu Sep 13 2007 Chuck Ebbert <cebbert at redhat.com>
 - Linux 2.6.22.6 (official)
 
 * Thu Sep 13 2007 Chuck Ebbert <cebbert at redhat.com>


