3.9-stable patches

added patches:
	spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
	spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch

diff --git a/queue-3.9/series b/queue-3.9/series
index a7dbef970e750e1f82d1651bdc730e28f32a8114..7bfba6fccf67bc6add55239d2a8ff89f8863325c 100644 (file)
--- a/queue-3.9/series
+++ b/queue-3.9/series
@@ -91,3 +91,5 @@ rbd-use-the-correct-length-for-format-2-object-names.patch
 perf-fix-perf-mmap-bugs.patch
 perf-fix-mmap-accounting-hole.patch
 drivers-uio-fix-uio-device-registration-failure.patch
+spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
+spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch

diff --git a/queue-3.9/spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch b/queue-3.9/spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
new file mode 100644 (file)
index 0000000..2596310
--- /dev/null
+++ b/queue-3.9/spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
@@ -0,0 +1,68 @@
+From cc0ee9873c6afafb387379ca1df25da78a08c603 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Thu, 20 Jun 2013 17:44:22 +0300
+Subject: spi/pxa2xx: fix memory corruption due to wrong size used in devm_kzalloc()
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit cc0ee9873c6afafb387379ca1df25da78a08c603 upstream.
+
+ACPI part of the driver accidentally used sizeof(*ssp) instead of the
+correct sizeof(*pdata). This leads to nasty memory corruptions like the one
+below:
+
+    BUG: unable to handle kernel paging request at 0000000749fd30b8
+    IP: [<ffffffff813fe8a1>] __list_del_entry+0x31/0xd0
+    PGD 0
+    Oops: 0000 [#1] PREEMPT SMP
+    Modules linked in:
+    CPU: 0 PID: 30 Comm: kworker/0:1 Not tainted 3.10.0-rc6v3.10-rc6_sdhci_modprobe+ #443
+    task: ffff8801483a0940 ti: ffff88014839e000 task.ti: ffff88014839e000
+    RIP: 0010:[<ffffffff813fe8a1>]  [<ffffffff813fe8a1>] __list_del_entry+0x31/0xd0
+    RSP: 0000:ffff88014839fde8  EFLAGS: 00010046
+    RAX: ffff880149fd30b0 RBX: ffff880149fd3040 RCX: dead000000200200
+    RDX: 0000000749fd30b0 RSI: ffff880149fd3058 RDI: ffff88014834d640
+    RBP: ffff88014839fde8 R08: ffff88014834d640 R09: 0000000000000001
+    R10: ffff8801483a0940 R11: 0000000000000001 R12: ffff880149fd3040
+    R13: ffffffff810e0b30 R14: ffff8801483a0940 R15: ffff88014834d640
+    FS:  0000000000000000(0000) GS:ffff880149e00000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000000168 CR3: 0000000001e0b000 CR4: 00000000001407f0
+    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+    Stack:
+     ffff88014839fe48 ffffffff810e0baf ffffffff81120abd ffff88014839fe20
+     ffff8801483a0940 ffff8801483a0940 ffff8801483a0940 ffff8801486b1c90
+     ffff88014834d640 ffffffff810e0b30 0000000000000000 0000000000000000
+    Call Trace:
+     [<ffffffff810e0baf>] worker_thread+0x7f/0x390
+     [<ffffffff81120abd>] ? trace_hardirqs_on+0xd/0x10
+     [<ffffffff810e0b30>] ? manage_workers.isra.22+0x2b0/0x2b0
+     [<ffffffff810e6c09>] kthread+0xd9/0xe0
+     [<ffffffff810f93df>] ? local_clock+0x3f/0x50
+     [<ffffffff810e6b30>] ? kthread_create_on_node+0x110/0x110
+     [<ffffffff818c5dec>] ret_from_fork+0x7c/0xb0
+     [<ffffffff810e6b30>] ? kthread_create_on_node+0x110/0x110
+
+Fix this by using the right structure size in devm_kzalloc().
+
+Reported-by: Jerome Blin <jerome.blin@intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pxa2xx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -1069,7 +1069,7 @@ pxa2xx_spi_acpi_get_pdata(struct platfor
+           acpi_bus_get_device(ACPI_HANDLE(&pdev->dev), &adev))
+               return NULL;
+ 
+-      pdata = devm_kzalloc(&pdev->dev, sizeof(*ssp), GFP_KERNEL);
++      pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL);
+       if (!pdata) {
+               dev_err(&pdev->dev,
+                       "failed to allocate memory for platform data\n");

diff --git a/queue-3.9/spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch b/queue-3.9/spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
new file mode 100644 (file)
index 0000000..3be4fe7
--- /dev/null
+++ b/queue-3.9/spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
@@ -0,0 +1,31 @@
+From 5548f98c46538d1da04eff179a52e50537d11465 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Tue, 18 Jun 2013 17:29:44 +0300
+Subject: spi/pxa2xx: use GFP_ATOMIC in sg table allocation
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit 5548f98c46538d1da04eff179a52e50537d11465 upstream.
+
+pxa2xx_spi_map_dma_buffer() gets called in tasklet context so we can't
+sleep when we allocate a new sg table. Use GFP_ATOMIC here instead.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-pxa2xx-dma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx-dma.c
++++ b/drivers/spi/spi-pxa2xx-dma.c
+@@ -59,7 +59,7 @@ static int pxa2xx_spi_map_dma_buffer(str
+               int ret;
+ 
+               sg_free_table(sgt);
+-              ret = sg_alloc_table(sgt, nents, GFP_KERNEL);
++              ret = sg_alloc_table(sgt, nents, GFP_ATOMIC);
+               if (ret)
+                       return ret;
+       }