.33 patches

14 files changed, 851 insertions, 0 deletions

diff --git a/queue-2.6.33/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch b/queue-2.6.33/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch
new file mode 100644
index 0000000..e7c054e
--- /dev/null
+++ b/queue-2.6.33/ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch
@@ -0,0 +1,80 @@
+From b5a3b3d985493c173925907adfebf3edab236fe7 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 16 Mar 2011 10:57:15 -0400
+Subject: ehci-hcd: Bug fix: don't set a QH's Halt bit
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit b5a3b3d985493c173925907adfebf3edab236fe7 upstream.
+
+This patch (as1453) fixes a long-standing bug in the ehci-hcd driver.
+
+There is no need to set the Halt bit in the overlay region for an
+unlinked or blocked QH.  Contrary to what the comment says, setting
+the Halt bit does not cause the QH to be patched later; that decision
+(made in qh_refresh()) depends only on whether the QH is currently
+pointing to a valid qTD.  Likewise, setting the Halt bit does not
+prevent completions from activating the QH while it is "stopped"; they
+are prevented by the fact that qh_completions() temporarily changes
+qh->qh_state to QH_STATE_COMPLETING.
+
+On the other hand, there are circumstances in which the QH will be
+reactivated _without_ being patched; this happens after an URB beyond
+the head of the queue is unlinked.  Setting the Halt bit will then
+cause the hardware to see the QH with both the Active and Halt bits
+set, an invalid combination that will prevent the queue from
+advancing and may even crash some controllers.
+
+Apparently the only reason this hasn't been reported before is that
+unlinking URBs from the middle of a running queue is quite uncommon.
+However Test 17, recently added to the usbtest driver, does exactly
+this, and it confirms the presence of the bug.
+
+In short, there is no reason to set the Halt bit for an unlinked or
+blocked QH, and there is a very good reason not to set it.  Therefore
+the code that sets it is removed.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Tested-by: Andiry Xu <andiry.xu@amd.com>
+CC: David Brownell <david-b@pacbell.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/host/ehci-q.c |   12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/drivers/usb/host/ehci-q.c
++++ b/drivers/usb/host/ehci-q.c
+@@ -315,7 +315,6 @@ qh_completions (struct ehci_hcd *ehci, s
+ 	int			stopped;
+ 	unsigned		count = 0;
+ 	u8			state;
+-	const __le32		halt = HALT_BIT(ehci);
+ 	struct ehci_qh_hw	*hw = qh->hw;
+ 
+ 	if (unlikely (list_empty (&qh->qtd_list)))
+@@ -422,7 +421,6 @@ qh_completions (struct ehci_hcd *ehci, s
+ 					&& !(qtd->hw_alt_next
+ 						& EHCI_LIST_END(ehci))) {
+ 				stopped = 1;
+-				goto halt;
+ 			}
+ 
+ 		/* stop scanning when we reach qtds the hc is using */
+@@ -456,16 +454,6 @@ qh_completions (struct ehci_hcd *ehci, s
+ 				 */
+ 				ehci_clear_tt_buffer(ehci, qh, urb, token);
+ 			}
+-
+-			/* force halt for unlinked or blocked qh, so we'll
+-			 * patch the qh later and so that completions can't
+-			 * activate it while we "know" it's stopped.
+-			 */
+-			if ((halt & hw->hw_token) == 0) {
+-halt:
+-				hw->hw_token |= halt;
+-				wmb ();
+-			}
+ 		}
+ 
+ 		/* unless we already know the urb's status, collect qtd status
diff --git a/queue-2.6.33/ext3-skip-orphan-cleanup-on-rocompat-fs.patch b/queue-2.6.33/ext3-skip-orphan-cleanup-on-rocompat-fs.patch
new file mode 100644
index 0000000..e115f5a
--- /dev/null
+++ b/queue-2.6.33/ext3-skip-orphan-cleanup-on-rocompat-fs.patch
@@ -0,0 +1,41 @@
+From ce654b37f87980d95f339080e4c3bdb2370bdf22 Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Sat, 26 Feb 2011 22:40:19 +0200
+Subject: ext3: skip orphan cleanup on rocompat fs
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit ce654b37f87980d95f339080e4c3bdb2370bdf22 upstream.
+
+Orphan cleanup is currently executed even if the file system has some
+number of unknown ROCOMPAT features, which deletes inodes and frees
+blocks, which could be very bad for some RO_COMPAT features.
+
+This patch skips the orphan cleanup if it contains readonly compatible
+features not known by this ext3 implementation, which would prevent
+the fs from being mounted (or remounted) readwrite.
+
+Signed-off-by: Amir Goldstein <amir73il@users.sf.net>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext3/super.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -1440,6 +1440,13 @@ static void ext3_orphan_cleanup (struct
+ 		return;
+ 	}
+ 
++	/* Check if feature set allows readwrite operations */
++	if (EXT3_HAS_RO_COMPAT_FEATURE(sb, ~EXT3_FEATURE_RO_COMPAT_SUPP)) {
++		ext3_msg(sb, KERN_INFO, "Skipping orphan cleanup due to "
++			 "unknown ROCOMPAT features");
++		return;
++	}
++
+ 	if (EXT3_SB(sb)->s_mount_state & EXT3_ERROR_FS) {
+ 		if (es->s_last_orphan)
+ 			jbd_debug(1, "Errors on filesystem, "
diff --git a/queue-2.6.33/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch b/queue-2.6.33/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch
new file mode 100644
index 0000000..587e42f
--- /dev/null
+++ b/queue-2.6.33/fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch
@@ -0,0 +1,37 @@
+From d6244bc0ed0c52a795e6f4dcab3886daf3e74fac Mon Sep 17 00:00:00 2001
+From: Henry Nestler <henry.nestler@gmail.com>
+Date: Sun, 20 Feb 2011 20:50:56 +0000
+Subject: fbcon: Bugfix soft cursor detection in Tile Blitting
+
+From: Henry Nestler <henry.nestler@gmail.com>
+
+commit d6244bc0ed0c52a795e6f4dcab3886daf3e74fac upstream.
+
+Use mask 0x10 for "soft cursor" detection on in function tile_cursor.
+(Tile Blitting Operation in framebuffer console).
+
+The old mask 0x01 for vc_cursor_type detects CUR_NONE, CUR_LOWER_THIRD
+and every second mode value as "software cursor". This hides the cursor
+for these modes (cursor.mode = 0). But, only CUR_NONE or "software cursor"
+should hide the cursor.
+See also 0x10 in functions add_softcursor, bit_cursor and cw_cursor.
+
+Signed-off-by: Henry Nestler <henry.nestler@gmail.com>
+Signed-off-by: Paul Mundt <lethal@linux-sh.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/video/console/tileblit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/tileblit.c
++++ b/drivers/video/console/tileblit.c
+@@ -83,7 +83,7 @@ static void tile_cursor(struct vc_data *
+ 			int softback_lines, int fg, int bg)
+ {
+ 	struct fb_tilecursor cursor;
+-	int use_sw = (vc->vc_cursor_type & 0x01);
++	int use_sw = (vc->vc_cursor_type & 0x10);
+ 
+ 	cursor.sx = vc->vc_x;
+ 	cursor.sy = vc->vc_y;
diff --git a/queue-2.6.33/nfsd-wrong-index-used-in-inner-loop.patch b/queue-2.6.33/nfsd-wrong-index-used-in-inner-loop.patch
new file mode 100644
index 0000000..a440a03
--- /dev/null
+++ b/queue-2.6.33/nfsd-wrong-index-used-in-inner-loop.patch
@@ -0,0 +1,49 @@
+From 5a02ab7c3c4580f94d13c683721039855b67cda6 Mon Sep 17 00:00:00 2001
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Date: Fri, 11 Mar 2011 12:13:55 +0800
+Subject: nfsd: wrong index used in inner loop
+
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+
+commit 5a02ab7c3c4580f94d13c683721039855b67cda6 upstream.
+
+We must not use dummy for index.
+After the first index, READ32(dummy) will change dummy!!!!
+
+Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
+[bfields@redhat.com: Trond points out READ_BUF alone is sufficient.]
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4xdr.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1106,7 +1106,7 @@ nfsd4_decode_create_session(struct nfsd4
+ 
+ 	u32 dummy;
+ 	char *machine_name;
+-	int i, j;
++	int i;
+ 	int nr_secflavs;
+ 
+ 	READ_BUF(16);
+@@ -1179,8 +1179,6 @@ nfsd4_decode_create_session(struct nfsd4
+ 			READ_BUF(4);
+ 			READ32(dummy);
+ 			READ_BUF(dummy * 4);
+-			for (j = 0; j < dummy; ++j)
+-				READ32(dummy);
+ 			break;
+ 		case RPC_AUTH_GSS:
+ 			dprintk("RPC_AUTH_GSS callback secflavor "
+@@ -1196,7 +1194,6 @@ nfsd4_decode_create_session(struct nfsd4
+ 			READ_BUF(4);
+ 			READ32(dummy);
+ 			READ_BUF(dummy);
+-			p += XDR_QUADLEN(dummy);
+ 			break;
+ 		default:
+ 			dprintk("Illegal callback secflavor\n");
diff --git a/queue-2.6.33/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch b/queue-2.6.33/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch
new file mode 100644
index 0000000..74f152c
--- /dev/null
+++ b/queue-2.6.33/nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch
@@ -0,0 +1,40 @@
+From 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 Mon Sep 17 00:00:00 2001
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Date: Fri, 18 Feb 2011 09:08:31 +0800
+Subject: nfsd41: modify the members value of nfsd4_op_flags
+
+From: Mi Jinlong <mijinlong@cn.fujitsu.com>
+
+commit 5ece3cafbd88d4da5c734e1810c4a2e6474b57b2 upstream.
+
+The members of nfsd4_op_flags, (ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS)
+equals to  ALLOWED_AS_FIRST_OP, maybe that's not what we want.
+
+OP_PUTROOTFH with op_flags = ALLOWED_WITHOUT_FH | ALLOWED_ON_ABSENT_FS,
+can't appears as the first operation with out SEQUENCE ops.
+
+This patch modify the wrong value of ALLOWED_WITHOUT_FH etc which
+was introduced by f9bb94c4.
+
+Reviewed-by: Benny Halevy <bhalevy@panasas.com>
+Signed-off-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs4proc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -953,8 +953,8 @@ typedef __be32(*nfsd4op_func)(struct svc
+ 			      void *);
+ enum nfsd4_op_flags {
+ 	ALLOWED_WITHOUT_FH = 1 << 0,	/* No current filehandle required */
+-	ALLOWED_ON_ABSENT_FS = 2 << 0,	/* ops processed on absent fs */
+-	ALLOWED_AS_FIRST_OP = 3 << 0,	/* ops reqired first in compound */
++	ALLOWED_ON_ABSENT_FS = 1 << 1,	/* ops processed on absent fs */
++	ALLOWED_AS_FIRST_OP = 1 << 2,	/* ops reqired first in compound */
+ };
+ 
+ struct nfsd4_operation {
diff --git a/queue-2.6.33/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch b/queue-2.6.33/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
new file mode 100644
index 0000000..ca77713
--- /dev/null
+++ b/queue-2.6.33/proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
@@ -0,0 +1,48 @@
+From 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees.cook@canonical.com>
+Date: Wed, 23 Mar 2011 16:42:53 -0700
+Subject: proc: protect mm start_code/end_code in /proc/pid/stat
+
+From: Kees Cook <kees.cook@canonical.com>
+
+commit 5883f57ca0008ffc93e09cbb9847a1928e50c6f3 upstream.
+
+While mm->start_stack was protected from cross-uid viewing (commit
+f83ce3e6b02d5 ("proc: avoid information leaks to non-privileged
+processes")), the start_code and end_code values were not.  This would
+allow the text location of a PIE binary to leak, defeating ASLR.
+
+Note that the value "1" is used instead of "0" for a protected value since
+"ps", "killall", and likely other readers of /proc/pid/stat, take
+start_code of "0" to mean a kernel thread and will misbehave.  Thanks to
+Brad Spengler for pointing this out.
+
+Addresses CVE-2011-0726
+
+Signed-off-by: Kees Cook <kees.cook@canonical.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/array.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -488,8 +488,8 @@ static int do_task_stat(struct seq_file
+ 		vsize,
+ 		mm ? get_mm_rss(mm) : 0,
+ 		rsslim,
+-		mm ? mm->start_code : 0,
+-		mm ? mm->end_code : 0,
++		mm ? (permitted ? mm->start_code : 1) : 0,
++		mm ? (permitted ? mm->end_code : 1) : 0,
+ 		(permitted && mm) ? mm->start_stack : 0,
+ 		esp,
+ 		eip,
diff --git a/queue-2.6.33/procfs-fix-proc-pid-maps-heap-check.patch b/queue-2.6.33/procfs-fix-proc-pid-maps-heap-check.patch
new file mode 100644
index 0000000..2cb4723
--- /dev/null
+++ b/queue-2.6.33/procfs-fix-proc-pid-maps-heap-check.patch
@@ -0,0 +1,127 @@
+From 0db0c01b53a1a421513f91573241aabafb87802a Mon Sep 17 00:00:00 2001
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+Date: Wed, 23 Mar 2011 16:42:50 -0700
+Subject: procfs: fix /proc/<pid>/maps heap check
+
+From: Aaro Koskinen <aaro.koskinen@nokia.com>
+
+commit 0db0c01b53a1a421513f91573241aabafb87802a upstream.
+
+The current code fails to print the "[heap]" marking if the heap is split
+into multiple mappings.
+
+Fix the check so that the marking is displayed in all possible cases:
+	1. vma matches exactly the heap
+	2. the heap vma is merged e.g. with bss
+	3. the heap vma is splitted e.g. due to locked pages
+
+Test cases. In all cases, the process should have mapping(s) with
+[heap] marking:
+
+	(1) vma matches exactly the heap
+
+	#include <stdio.h>
+	#include <unistd.h>
+	#include <sys/types.h>
+
+	int main (void)
+	{
+		if (sbrk(4096) != (void *)-1) {
+			printf("check /proc/%d/maps\n", (int)getpid());
+			while (1)
+				sleep(1);
+		}
+		return 0;
+	}
+
+	# ./test1
+	check /proc/553/maps
+	[1] + Stopped                    ./test1
+	# cat /proc/553/maps | head -4
+	00008000-00009000 r-xp 00000000 01:00 3113640    /test1
+	00010000-00011000 rw-p 00000000 01:00 3113640    /test1
+	00011000-00012000 rw-p 00000000 00:00 0          [heap]
+	4006f000-40070000 rw-p 00000000 00:00 0
+
+	(2) the heap vma is merged
+
+	#include <stdio.h>
+	#include <unistd.h>
+	#include <sys/types.h>
+
+	char foo[4096] = "foo";
+	char bar[4096];
+
+	int main (void)
+	{
+		if (sbrk(4096) != (void *)-1) {
+			printf("check /proc/%d/maps\n", (int)getpid());
+			while (1)
+				sleep(1);
+		}
+		return 0;
+	}
+
+	# ./test2
+	check /proc/556/maps
+	[2] + Stopped                    ./test2
+	# cat /proc/556/maps | head -4
+	00008000-00009000 r-xp 00000000 01:00 3116312    /test2
+	00010000-00012000 rw-p 00000000 01:00 3116312    /test2
+	00012000-00014000 rw-p 00000000 00:00 0          [heap]
+	4004a000-4004b000 rw-p 00000000 00:00 0
+
+	(3) the heap vma is splitted (this fails without the patch)
+
+	#include <stdio.h>
+	#include <unistd.h>
+	#include <sys/mman.h>
+	#include <sys/types.h>
+
+	int main (void)
+	{
+		if ((sbrk(4096) != (void *)-1) && !mlockall(MCL_FUTURE) &&
+		    (sbrk(4096) != (void *)-1)) {
+			printf("check /proc/%d/maps\n", (int)getpid());
+			while (1)
+				sleep(1);
+		}
+		return 0;
+	}
+
+	# ./test3
+	check /proc/559/maps
+	[1] + Stopped                    ./test3
+	# cat /proc/559/maps|head -4
+	00008000-00009000 r-xp 00000000 01:00 3119108    /test3
+	00010000-00011000 rw-p 00000000 01:00 3119108    /test3
+	00011000-00012000 rw-p 00000000 00:00 0          [heap]
+	00012000-00013000 rw-p 00000000 00:00 0          [heap]
+
+It looks like the bug has been there forever, and since it only results in
+some information missing from a procfile, it does not fulfil the -stable
+"critical issue" criteria.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@nokia.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/proc/task_mmu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -243,8 +243,8 @@ static void show_map_vma(struct seq_file
+ 		const char *name = arch_vma_name(vma);
+ 		if (!name) {
+ 			if (mm) {
+-				if (vma->vm_start <= mm->start_brk &&
+-						vma->vm_end >= mm->brk) {
++				if (vma->vm_start <= mm->brk &&
++						vma->vm_end >= mm->start_brk) {
+ 					name = "[heap]";
+ 				} else if (vma->vm_start <= mm->start_stack &&
+ 					   vma->vm_end >= mm->start_stack) {
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index e46d842..8d054e9 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -15,3 +15,16 @@ xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
 pci-return-correct-value-when-writing-to-the-reset-attribute.patch
 revert-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch
 prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
+ext3-skip-orphan-cleanup-on-rocompat-fs.patch
+procfs-fix-proc-pid-maps-heap-check.patch
+proc-protect-mm-start_code-end_code-in-proc-pid-stat.patch
+fbcon-bugfix-soft-cursor-detection-in-tile-blitting.patch
+nfsd41-modify-the-members-value-of-nfsd4_op_flags.patch
+nfsd-wrong-index-used-in-inner-loop.patch
+uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch
+uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch
+ehci-hcd-bug-fix-don-t-set-a-qh-s-halt-bit.patch
+usb-uss720-fixup-refcount-position.patch
+usb-cdc-acm-fix-memory-corruption-panic.patch
+usb-cdc-acm-fix-potential-null-pointer-dereference.patch
+usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch
diff --git a/queue-2.6.33/usb-cdc-acm-fix-memory-corruption-panic.patch b/queue-2.6.33/usb-cdc-acm-fix-memory-corruption-panic.patch
new file mode 100644
index 0000000..1ca78c0
--- /dev/null
+++ b/queue-2.6.33/usb-cdc-acm-fix-memory-corruption-panic.patch
@@ -0,0 +1,214 @@
+From 23b80550e2aa61d0ba3af98b831b9195be0db9ee Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:09 +0100
+Subject: USB: cdc-acm: fix memory corruption / panic
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 23b80550e2aa61d0ba3af98b831b9195be0db9ee upstream.
+
+Prevent read urbs from being resubmitted from tasklet after port close.
+
+The receive tasklet was not disabled on port close, which could lead to
+corruption of receive lists on consecutive port open. In particular,
+read urbs could be re-submitted before port open, added to free list in
+open, and then added a second time to the free list in the completion
+handler.
+
+cdc-acm.c: Entering acm_tty_open.
+cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0
+cdc-acm.c: Entering acm_rx_tasklet
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64
+cdc-acm.c: set line: 115200 0 0 8
+cdc-acm.c: acm_control_msg: rq: 0x20 val: 0x0 len: 0x7 result: 7
+cdc-acm.c: acm_tty_close
+cdc-acm.c: acm_port_down
+cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x0 len: 0x0 result: 0
+cdc-acm.c: acm_ctrl_irq - urb shutting down with status: -2
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50
+cdc-acm.c: Entering acm_read_bulk with status -2
+cdc_acm 4-1:1.1: Aborting, acm not ready
+cdc-acm.c: Entering acm_read_bulk with status -2
+cdc_acm 4-1:1.1: Aborting, acm not ready
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da400, rcv 0xf57fbbe8, buf 0xf57fbd28
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da480, rcv 0xf57fbbd4, buf 0xf57fbd14
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da900, rcv 0xf57fbbc0, buf 0xf57fbd00
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da980, rcv 0xf57fbbac, buf 0xf57fbcec
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa00, rcv 0xf57fbb98, buf 0xf57fbcd8
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50daa80, rcv 0xf57fbb84, buf 0xf57fbcc4
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab00, rcv 0xf57fbb70, buf 0xf57fbcb0
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dab80, rcv 0xf57fbb5c, buf 0xf57fbc9c
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac00, rcv 0xf57fbb48, buf 0xf57fbc88
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dac80, rcv 0xf57fbb34, buf 0xf57fbc74
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad00, rcv 0xf57fbb20, buf 0xf57fbc60
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50dad80, rcv 0xf57fbb0c, buf 0xf57fbc4c
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da880, rcv 0xf57fbaf8, buf 0xf57fbc38
+cdc-acm.c: Entering acm_tty_open.
+cdc-acm.c: acm_control_msg: rq: 0x22 val: 0x3 len: 0x0 result: 0
+cdc-acm.c: Entering acm_rx_tasklet
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da280, rcv 0xf57fbc24, buf 0xf57fbd64
+cdc-acm.c: Entering acm_tty_write to write 3 bytes,
+cdc-acm.c: Get 3 bytes...
+cdc-acm.c: acm_write_start susp_count: 0
+cdc-acm.c: Entering acm_read_bulk with status 0
+------------[ cut here ]------------
+WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120()
+Hardware name: Vostro 1520
+list_del corruption. next->prev should be f57fbc10, but was f57fbaf8
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Not tainted 2.6.37+ #39
+Call Trace:
+ [<c103c7e2>] warn_slowpath_common+0x72/0xa0
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
+ [<c11dd8ac>] list_del+0x10c/0x120
+ [<f8051dbf>] acm_rx_tasklet+0xef/0x3e0 [cdc_acm]
+ [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+---[ end trace efd9a11434f0082e ]---
+------------[ cut here ]------------
+WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:57 list_del+0x10c/0x120()
+Hardware name: Vostro 1520
+list_del corruption. next->prev should be f57fbd50, but was f57fbdb0
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39
+Call Trace:
+ [<c103c7e2>] warn_slowpath_common+0x72/0xa0
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c11dd8ac>] ? list_del+0x10c/0x120
+ [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
+ [<c11dd8ac>] list_del+0x10c/0x120
+ [<f8051dd6>] acm_rx_tasklet+0x106/0x3e0 [cdc_acm]
+ [<c135465d>] ? net_rps_action_and_irq_enable+0x6d/0x80
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+---[ end trace efd9a11434f0082f ]---
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da300, rcv 0xf57fbc10, buf 0xf57fbd50
+cdc-acm.c: disconnected from network
+cdc-acm.c: acm_rx_tasklet: sending urb 0xf50da380, rcv 0xf57fbbfc, buf 0xf57fbd3c
+cdc-acm.c: Entering acm_rx_tasklet
+------------[ cut here ]------------
+WARNING: at /home/johan/src/linux/linux-2.6/lib/list_debug.c:48 list_del+0xd5/0x120()
+Hardware name: Vostro 1520
+list_del corruption, next is LIST_POISON1 (00100100)
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39
+Call Trace:
+ [<c103c7e2>] warn_slowpath_common+0x72/0xa0
+ [<c11dd875>] ? list_del+0xd5/0x120
+ [<c11dd875>] ? list_del+0xd5/0x120
+ [<c103c8b3>] warn_slowpath_fmt+0x33/0x40
+ [<c11dd875>] list_del+0xd5/0x120
+ [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
+ [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
+ [<c1042b30>] ? tasklet_action+0x60/0x140
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+---[ end trace efd9a11434f00830 ]---
+BUG: unable to handle kernel paging request at 00200200
+IP: [<c11dd7bd>] list_del+0x1d/0x120
+*pde = 00000000
+Oops: 0000 [#1] PREEMPT SMP
+last sysfs file: /sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1:1.0/tty/ttyACM0/uevent
+Modules linked in: cdc_acm
+Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.37+ #39 0T816J/Vostro 1520
+EIP: 0060:[<c11dd7bd>] EFLAGS: 00010046 CPU: 0
+EIP is at list_del+0x1d/0x120
+EAX: f57fbd3c EBX: f57fb800 ECX: ffff8000 EDX: 00200200
+ESI: f57fbe90 EDI: f57fbd3c EBP: f600bf54 ESP: f600bf3c
+ DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
+Process ksoftirqd/0 (pid: 3, ti=f600a000 task=f60791c0 task.ti=f6082000)
+Stack:
+ c1527e84 00000030 c1527e54 00100100 f57fb800 f57fbd3c f600bf98 f8051fac
+ f8053104 f8052b94 f600bf6c c106dbab f600bf80 00000286 f60791c0 c1042b30
+ f57fbda8 f57f5800 f57fbdb0 f57fbd80 f57fbe7c c1656b04 00000000 f600bfb0
+Call Trace:
+ [<f8051fac>] ? acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
+ [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
+ [<c1042b30>] ? tasklet_action+0x60/0x140
+ [<c1042bb6>] ? tasklet_action+0xe6/0x140
+ [<c104342f>] ? __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>
+ [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+Code: ff 48 14 e9 57 ff ff ff 90 90 90 90 90 90 55 89 e5 83 ec 18 81 38 00 01 10 00 0f 84 9c 00 00 00 8b 50 04 81 fa 00 02 20 00 74 33 <8b> 12 39 d0 75 5c 8b 10 8b 4a 04 39 c8 0f 85 b5 00 00 00 8b 48
+EIP: [<c11dd7bd>] list_del+0x1d/0x120 SS:ESP 0068:f600bf3c
+CR2: 0000000000200200
+---[ end trace efd9a11434f00831 ]---
+Kernel panic - not syncing: Fatal exception in interrupt
+Pid: 3, comm: ksoftirqd/0 Tainted: G      D W   2.6.37+ #39
+Call Trace:
+ [<c13fede1>] ? printk+0x1d/0x24
+ [<c13fecce>] panic+0x66/0x15c
+ [<c10067df>] oops_end+0x8f/0x90
+ [<c1025476>] no_context+0xc6/0x160
+ [<c10255a8>] __bad_area_nosemaphore+0x98/0x140
+ [<c103cf68>] ? release_console_sem+0x1d8/0x210
+ [<c1025667>] bad_area_nosemaphore+0x17/0x20
+ [<c1025a49>] do_page_fault+0x279/0x420
+ [<c1006a8f>] ? show_trace+0x1f/0x30
+ [<c13fede1>] ? printk+0x1d/0x24
+ [<c10257d0>] ? do_page_fault+0x0/0x420
+ [<c140333b>] error_code+0x5f/0x64
+ [<c103007b>] ? select_task_rq_fair+0x37b/0x6a0
+ [<c10257d0>] ? do_page_fault+0x0/0x420
+ [<c11dd7bd>] ? list_del+0x1d/0x120
+ [<f8051fac>] acm_rx_tasklet+0x2dc/0x3e0 [cdc_acm]
+ [<c106dbab>] ? trace_hardirqs_on+0xb/0x10
+ [<c1042b30>] ? tasklet_action+0x60/0x140
+ [<c1042bb6>] tasklet_action+0xe6/0x140
+ [<c104342f>] __do_softirq+0xaf/0x210
+ [<c1043380>] ? __do_softirq+0x0/0x210
+ <IRQ>  [<c1042c9a>] ? run_ksoftirqd+0x8a/0x1c0
+ [<c1042c10>] ? run_ksoftirqd+0x0/0x1c0
+ [<c105ac24>] ? kthread+0x74/0x80
+ [<c105abb0>] ? kthread+0x0/0x80
+ [<c100337a>] ? kernel_thread_helper+0x6/0x10
+panic occurred, switching back to text console
+------------[ cut here ]------------
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -652,8 +652,10 @@ static void acm_port_down(struct acm *ac
+ 		usb_kill_urb(acm->ctrlurb);
+ 		for (i = 0; i < ACM_NW; i++)
+ 			usb_kill_urb(acm->wb[i].urb);
++		tasklet_disable(&acm->urb_task);
+ 		for (i = 0; i < nr; i++)
+ 			usb_kill_urb(acm->ru[i].urb);
++		tasklet_enable(&acm->urb_task);
+ 		acm->control->needs_remote_wakeup = 0;
+ 		usb_autopm_put_interface(acm->control);
+ 	}
diff --git a/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch
new file mode 100644
index 0000000..04fac27
--- /dev/null
+++ b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference-on-disconnect.patch
@@ -0,0 +1,42 @@
+From 7e7797e7f6f7bfab73fca02c65e40eaa5bb9000c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:11 +0100
+Subject: USB: cdc-acm: fix potential null-pointer dereference on disconnect
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 7e7797e7f6f7bfab73fca02c65e40eaa5bb9000c upstream.
+
+Fix potential null-pointer exception on disconnect introduced by commit
+11ea859d64b69a747d6b060b9ed1520eab1161fe (USB: additional power savings
+for cdc-acm devices that support remote wakeup).
+
+Only access acm->dev after making sure it is non-null in control urb
+completion handler.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -297,6 +297,8 @@ static void acm_ctrl_irq(struct urb *urb
+ 	if (!ACM_READY(acm))
+ 		goto exit;
+ 
++	usb_mark_last_busy(acm->dev);
++
+ 	data = (unsigned char *)(dr + 1);
+ 	switch (dr->bNotificationType) {
+ 	case USB_CDC_NOTIFY_NETWORK_CONNECTION:
+@@ -336,7 +338,6 @@ static void acm_ctrl_irq(struct urb *urb
+ 		break;
+ 	}
+ exit:
+-	usb_mark_last_busy(acm->dev);
+ 	retval = usb_submit_urb(urb, GFP_ATOMIC);
+ 	if (retval)
+ 		dev_err(&urb->dev->dev, "%s - usb_submit_urb failed with "
diff --git a/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference.patch b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 0000000..319539f
--- /dev/null
+++ b/queue-2.6.33/usb-cdc-acm-fix-potential-null-pointer-dereference.patch
@@ -0,0 +1,29 @@
+From 15e5bee33ffc11d0e5c6f819a65e7881c5c407be Mon Sep 17 00:00:00 2001
+From: Johan Hovold <jhovold@gmail.com>
+Date: Tue, 22 Mar 2011 11:12:10 +0100
+Subject: USB: cdc-acm: fix potential null-pointer dereference
+
+From: Johan Hovold <jhovold@gmail.com>
+
+commit 15e5bee33ffc11d0e5c6f819a65e7881c5c407be upstream.
+
+Must check return value of tty_port_tty_get.
+
+Signed-off-by: Johan Hovold <jhovold@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/class/cdc-acm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -534,6 +534,8 @@ static void acm_softint(struct work_stru
+ 	if (!ACM_READY(acm))
+ 		return;
+ 	tty = tty_port_tty_get(&acm->port);
++	if (!tty)
++		return;
+ 	tty_wakeup(tty);
+ 	tty_kref_put(tty);
+ }
diff --git a/queue-2.6.33/usb-uss720-fixup-refcount-position.patch b/queue-2.6.33/usb-uss720-fixup-refcount-position.patch
new file mode 100644
index 0000000..88a9deb
--- /dev/null
+++ b/queue-2.6.33/usb-uss720-fixup-refcount-position.patch
@@ -0,0 +1,41 @@
+From adaa3c6342b249548ea830fe8e02aa5b45be8688 Mon Sep 17 00:00:00 2001
+From: Peter Holik <peter@holik.at>
+Date: Fri, 18 Mar 2011 18:47:44 +0100
+Subject: USB: uss720 fixup refcount position
+
+From: Peter Holik <peter@holik.at>
+
+commit adaa3c6342b249548ea830fe8e02aa5b45be8688 upstream.
+
+My testprog do a lot of bitbang - after hours i got following warning and my machine lockups:
+WARNING: at /build/buildd/linux-2.6.38/lib/kref.c:34
+After debugging uss720 driver i discovered that the completion callback was called before
+usb_submit_urb returns. The callback frees the request structure that is krefed on return by
+usb_submit_urb.
+
+Signed-off-by: Peter Holik <peter@holik.at>
+Acked-by: Thomas Sailer <t.sailer@alumni.ethz.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/misc/uss720.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/uss720.c
++++ b/drivers/usb/misc/uss720.c
+@@ -176,12 +176,11 @@ static struct uss720_async_request *subm
+ 	spin_lock_irqsave(&priv->asynclock, flags);
+ 	list_add_tail(&rq->asynclist, &priv->asynclist);
+ 	spin_unlock_irqrestore(&priv->asynclock, flags);
++	kref_get(&rq->ref_count);
+ 	ret = usb_submit_urb(rq->urb, mem_flags);
+-	if (!ret) {
+-		kref_get(&rq->ref_count);
++	if (!ret)
+ 		return rq;
+-	}
+-	kref_put(&rq->ref_count, destroy_async);
++	destroy_async(&rq->ref_count);
+ 	err("submit_async_request submit_urb failed with %d", ret);
+ 	return NULL;
+ }
diff --git a/queue-2.6.33/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch b/queue-2.6.33/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch
new file mode 100644
index 0000000..671ce55
--- /dev/null
+++ b/queue-2.6.33/uvcvideo-fix-descriptor-parsing-for-video-output-devices.patch
@@ -0,0 +1,40 @@
+From 4093a5c4a3f59cba1a085bbf87b6ffdddc5a443d Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Wed, 23 Feb 2011 11:19:17 -0300
+Subject: [media] uvcvideo: Fix descriptor parsing for video output devices
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+commit 4093a5c4a3f59cba1a085bbf87b6ffdddc5a443d upstream.
+
+Commit 4057ac6ca9a77c4275b34b5925ab5c99557913b1
+
+    V4L/DVB (13505): uvcvideo: Refactor chain scan
+
+broke output terminals parsing. Fix it.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_driver.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/media/video/uvc/uvc_driver.c
++++ b/drivers/media/video/uvc/uvc_driver.c
+@@ -1260,6 +1260,14 @@ static int uvc_scan_chain_entity(struct
+ 
+ 		break;
+ 
++	case UVC_OTT_VENDOR_SPECIFIC:
++	case UVC_OTT_DISPLAY:
++	case UVC_OTT_MEDIA_TRANSPORT_OUTPUT:
++		if (uvc_trace_param & UVC_TRACE_PROBE)
++			printk(" OT %d", entity->id);
++
++		break;
++
+ 	case UVC_TT_STREAMING:
+ 		if (UVC_ENTITY_IS_ITERM(entity)) {
+ 			if (uvc_trace_param & UVC_TRACE_PROBE)
diff --git a/queue-2.6.33/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch b/queue-2.6.33/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch
new file mode 100644
index 0000000..acb839f
--- /dev/null
+++ b/queue-2.6.33/uvcvideo-fix-uvc_fixup_video_ctrl-format-search.patch
@@ -0,0 +1,50 @@
+From 38a66824d96de8aeeb915e6f46f0d3fe55828eb1 Mon Sep 17 00:00:00 2001
+From: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+Date: Thu, 27 Jan 2011 23:04:33 -0300
+Subject: [media] uvcvideo: Fix uvc_fixup_video_ctrl() format search
+
+From: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+
+commit 38a66824d96de8aeeb915e6f46f0d3fe55828eb1 upstream.
+
+The scheme used to index format in uvc_fixup_video_ctrl() is not robust:
+format index is based on descriptor ordering, which does not necessarily
+match bFormatIndex ordering.  Searching for first matching format will
+prevent uvc_fixup_video_ctrl() from using the wrong format/frame to make
+adjustments.
+
+Signed-off-by: Stephan Lachowsky <stephan.lachowsky@maxim-ic.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/media/video/uvc/uvc_video.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/video/uvc/uvc_video.c
++++ b/drivers/media/video/uvc/uvc_video.c
+@@ -64,15 +64,19 @@ int uvc_query_ctrl(struct uvc_device *de
+ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
+ 	struct uvc_streaming_control *ctrl)
+ {
+-	struct uvc_format *format;
++	struct uvc_format *format = NULL;
+ 	struct uvc_frame *frame = NULL;
+ 	unsigned int i;
+ 
+-	if (ctrl->bFormatIndex <= 0 ||
+-	    ctrl->bFormatIndex > stream->nformats)
+-		return;
++	for (i = 0; i < stream->nformats; ++i) {
++		if (stream->format[i].index == ctrl->bFormatIndex) {
++			format = &stream->format[i];
++			break;
++		}
++	}
+ 
+-	format = &stream->format[ctrl->bFormatIndex - 1];
++	if (format == NULL)
++		return;
+ 
+ 	for (i = 0; i < format->nframes; ++i) {
+ 		if (format->frame[i].bFrameIndex == ctrl->bFrameIndex) {