+++ /dev/null
-From f12cb2893069495726c21a4b0178705dacfecfe0 Mon Sep 17 00:00:00 2001
-From: Pontus Fuchs <pontus.fuchs@gmail.com>
-Date: Thu, 16 Jan 2014 15:00:40 +0100
-Subject: nl80211: Reset split_start when netlink skb is exhausted
-
-From: Pontus Fuchs <pontus.fuchs@gmail.com>
-
-commit f12cb2893069495726c21a4b0178705dacfecfe0 upstream.
-
-When the netlink skb is exhausted split_start is left set. In the
-subsequent retry, with a larger buffer, the dump is continued from the
-failing point instead of from the beginning.
-
-This was causing my rt28xx based USB dongle to now show up when
-running "iw list" with an old iw version without split dump support.
-
-Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps")
-Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
-[avoid the entire workaround when state->split is set]
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- net/wireless/nl80211.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -1634,9 +1634,10 @@ static int nl80211_dump_wiphy(struct sk_
- * We can then retry with the larger buffer.
- */
- if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
-- !skb->len &&
-+ !skb->len && !state->split &&
- cb->min_dump_alloc < 4096) {
- cb->min_dump_alloc = 4096;
-+ state->split_start = 0;
- mutex_unlock(&cfg80211_mutex);
- return 1;
- }
ar5523-fix-usb-id-for-gigaset.patch
s390-dump-fix-dump-memory-detection.patch
s390-fix-kernel-crash-due-to-linkage-stack-instructions.patch
-nl80211-reset-split_start-when-netlink-skb-is-exhausted.patch
+spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
--- /dev/null
+From 1f802f8249a0da536877842c43c7204064c4de8b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@linux-m68k.org>
+Date: Tue, 28 Jan 2014 10:33:03 +0100
+Subject: spi: Fix crash with double message finalisation on error handling
+
+From: Geert Uytterhoeven <geert+renesas@linux-m68k.org>
+
+commit 1f802f8249a0da536877842c43c7204064c4de8b upstream.
+
+This reverts commit e120cc0dcf2880a4c5c0a6cb27b655600a1cfa1d.
+
+It causes a NULL pointer dereference with drivers using the generic
+spi_transfer_one_message(), which always calls
+spi_finalize_current_message(), which zeroes master->cur_msg.
+
+Drivers implementing transfer_one_message() theirselves must always call
+spi_finalize_current_message(), even if the transfer failed:
+
+ * @transfer_one_message: the subsystem calls the driver to transfer a single
+ * message while queuing transfers that arrive in the meantime. When the
+ * driver is finished with this message, it must call
+ * spi_finalize_current_message() so the subsystem can issue the next
+ * transfer
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@linux-m68k.org>
+Signed-off-by: Mark Brown <broonie@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -584,9 +584,7 @@ static void spi_pump_messages(struct kth
+ ret = master->transfer_one_message(master, master->cur_msg);
+ if (ret) {
+ dev_err(&master->dev,
+- "failed to transfer one message from queue: %d\n", ret);
+- master->cur_msg->status = ret;
+- spi_finalize_current_message(master);
++ "failed to transfer one message from queue\n");
+ return;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
