--- /dev/null
+From 1c8158eeae0f37d0eee9f1fbe68080df6a408df2 Mon Sep 17 00:00:00 2001
+From: Li Zefan <lizefan@huawei.com>
+Date: Tue, 18 Jun 2013 18:41:10 +0800
+Subject: cgroup: fix umount vs cgroup_event_remove() race
+
+From: Li Zefan <lizefan@huawei.com>
+
+commit 1c8158eeae0f37d0eee9f1fbe68080df6a408df2 upstream.
+
+ commit 5db9a4d99b0157a513944e9a44d29c9cec2e91dc
+ Author: Tejun Heo <tj@kernel.org>
+ Date: Sat Jul 7 16:08:18 2012 -0700
+
+ cgroup: fix cgroup hierarchy umount race
+
+This commit fixed a race caused by the dput() in css_dput_fn(), but
+the dput() in cgroup_event_remove() can also lead to the same BUG().
+
+Signed-off-by: Li Zefan <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -3773,6 +3773,23 @@ static int cgroup_write_notify_on_releas
+ }
+
+ /*
++ * When dput() is called asynchronously, if umount has been done and
++ * then deactivate_super() in cgroup_free_fn() kills the superblock,
++ * there's a small window that vfs will see the root dentry with non-zero
++ * refcnt and trigger BUG().
++ *
++ * That's why we hold a reference before dput() and drop it right after.
++ */
++static void cgroup_dput(struct cgroup *cgrp)
++{
++ struct super_block *sb = cgrp->root->sb;
++
++ atomic_inc(&sb->s_active);
++ dput(cgrp->dentry);
++ deactivate_super(sb);
++}
++
++/*
+ * Unregister event and free resources.
+ *
+ * Gets called from workqueue.
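Review bot: The bare `atomic_inc(&sb->s_active)` in cgroup_dput() is only safe if the superblock is still active when the helper runs, and the new header comment does not say what guarantees that. Presumably the dentry reference that is about to be dropped is what pins it; if so, the comment should say so, e.g. `* The dentry reference held by the caller keeps sb alive until dput().` It is also worth a one-line note on `struct super_block *sb = cgrp->root->sb;` that `sb` is cached up front because `cgrp` should not be touched after `dput(cgrp->dentry)`. Both callers, cgroup_event_remove() and css_dput_fn(), are in the later hunks and start outside them.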
+@@ -3792,7 +3809,7 @@ static void cgroup_event_remove(struct w
+
+ eventfd_ctx_put(event->eventfd);
+ kfree(event);
+- dput(cgrp->dentry);
++ cgroup_dput(cgrp);
+ }
+
+ /*
+@@ -4075,12 +4092,8 @@ static void css_dput_fn(struct work_stru
+ {
+ struct cgroup_subsys_state *css =
+ container_of(work, struct cgroup_subsys_state, dput_work);
+- struct dentry *dentry = css->cgroup->dentry;
+- struct super_block *sb = dentry->d_sb;
+
+- atomic_inc(&sb->s_active);
+- dput(dentry);
+- deactivate_super(sb);
++ cgroup_dput(css->cgroup);
+ }
+
+ static void init_cgroup_css(struct cgroup_subsys_state *css,
--- /dev/null
+From 689c3db4d57a73bee6c5ad7797fce7b54d32a87c Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilovsky@samba.org>
+Date: Thu, 11 Jul 2013 11:17:45 +0400
+Subject: CIFS: Fix a deadlock when a file is reopened
+
+From: Pavel Shilovsky <pshilovsky@samba.org>
+
+commit 689c3db4d57a73bee6c5ad7797fce7b54d32a87c upstream.
+
+If we request reading or writing on a file that needs to be
+reopened, it causes the deadlock: we are already holding rw
+semaphore for reading and then we try to acquire it for writing
+in cifs_relock_file. Fix this by acquiring the semaphore for
+reading in cifs_relock_file due to we don't make any changes in
+locks and don't need a write access.
+
+Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
+Acked-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/file.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -557,11 +557,10 @@ cifs_relock_file(struct cifsFileInfo *cf
+ struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
+ int rc = 0;
+
+- /* we are going to update can_cache_brlcks here - need a write access */
+- down_write(&cinode->lock_sem);
++ down_read(&cinode->lock_sem);
+ if (cinode->can_cache_brlcks) {
+- /* can cache locks - no need to push them */
+- up_write(&cinode->lock_sem);
++ /* can cache locks - no need to relock */
++ up_read(&cinode->lock_sem);
+ return rc;
+ }
+
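Review bot: Taking `lock_sem` with `down_read()` in cifs_relock_file() while the caller already holds it for reading, as the description states, is a nested read acquisition, and that can still block if a writer queues on the semaphore between the two acquisitions. The second hunk also leaves `push_mand_locks()` running under a read hold only, so it and the other branch (outside the hunk) must not modify the lock list or `can_cache_brlcks`. I would record the assumption above the new call, e.g. `/* read access only: nothing below changes the lock list; callers may already hold lock_sem for reading */`. The function starts outside this hunk.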
+@@ -572,7 +571,7 @@ cifs_relock_file(struct cifsFileInfo *cf
+ else
+ rc = tcon->ses->server->ops->push_mand_locks(cfile);
+
+- up_write(&cinode->lock_sem);
++ up_read(&cinode->lock_sem);
+ return rc;
+ }
+
--- /dev/null
+From 35848f68b07df3f917cb13fc3c134718669f569b Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 18 Jun 2013 13:04:23 +0800
+Subject: drivers: hv: switch to use mb() instead of smp_mb()
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 35848f68b07df3f917cb13fc3c134718669f569b upstream.
+
+Even if guest were compiled without SMP support, it could not assume that host
+wasn't. So switch to use mb() instead of smp_mb() to force memory barriers for
+UP guest.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hv/ring_buffer.c | 10 +++++-----
+ drivers/hv/vmbus_drv.c | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/hv/ring_buffer.c
++++ b/drivers/hv/ring_buffer.c
+@@ -32,7 +32,7 @@
+ void hv_begin_read(struct hv_ring_buffer_info *rbi)
+ {
+ rbi->ring_buffer->interrupt_mask = 1;
+- smp_mb();
++ mb();
+ }
+
+ u32 hv_end_read(struct hv_ring_buffer_info *rbi)
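Review bot: The `mb()` calls in hv_begin_read(), hv_end_read() and hv_need_to_signal() (this hunk and the next two) carry no comment saying what they order, unlike the barriers in hv_ringbuffer_write() and hv_ringbuffer_read(). Since the reason for the change is that the other party is the host rather than another guest CPU, a short comment would stop a later cleanup from turning them back into `smp_mb()`, e.g. `mb(); /* orders interrupt_mask against the host; must stay a full barrier on UP guests */`. The same wording applies to the `mb()` in vmbus_on_msg_dpc().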
+@@ -41,7 +41,7 @@ u32 hv_end_read(struct hv_ring_buffer_in
+ u32 write;
+
+ rbi->ring_buffer->interrupt_mask = 0;
+- smp_mb();
++ mb();
+
+ /*
+ * Now check to see if the ring buffer is still empty.
+@@ -71,7 +71,7 @@ u32 hv_end_read(struct hv_ring_buffer_in
+
+ static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi)
+ {
+- smp_mb();
++ mb();
+ if (rbi->ring_buffer->interrupt_mask)
+ return false;
+
+@@ -442,7 +442,7 @@ int hv_ringbuffer_write(struct hv_ring_b
+ sizeof(u64));
+
+ /* Issue a full memory barrier before updating the write index */
+- smp_mb();
++ mb();
+
+ /* Now, update the write location */
+ hv_set_next_write_location(outring_info, next_write_location);
+@@ -549,7 +549,7 @@ int hv_ringbuffer_read(struct hv_ring_bu
+ /* Make sure all reads are done before we update the read index since */
+ /* the writer may start writing to the read area once the read index */
+ /*is updated */
+- smp_mb();
++ mb();
+
+ /* Update the read index */
+ hv_set_next_read_location(inring_info, next_read_location);
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -434,7 +434,7 @@ static void vmbus_on_msg_dpc(unsigned lo
+ * will not deliver any more messages since there is
+ * no empty slot
+ */
+- smp_mb();
++ mb();
+
+ if (msg->header.message_flags.msg_pending) {
+ /*
--- /dev/null
+From 64cb927371cd2ec43758d8a094a003d27bc3d0dc Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Mon, 1 Jul 2013 08:12:38 -0400
+Subject: ext3,ext4: don't mess with dir_file->f_pos in htree_dirblock_to_tree()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 64cb927371cd2ec43758d8a094a003d27bc3d0dc upstream.
+
+Both ext3 and ext4 htree_dirblock_to_tree() is just filling the
+in-core rbtree for use by call_filldir(). All updates of ->f_pos are
+done by the latter; bumping it here (on error) is obviously wrong - we
+might very well have it nowhere near the block we'd found an error in.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext3/namei.c | 7 ++-----
+ fs/ext4/namei.c | 7 ++-----
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+--- a/fs/ext3/namei.c
++++ b/fs/ext3/namei.c
+@@ -576,11 +576,8 @@ static int htree_dirblock_to_tree(struct
+ if (!ext3_check_dir_entry("htree_dirblock_to_tree", dir, de, bh,
+ (block<<EXT3_BLOCK_SIZE_BITS(dir->i_sb))
+ +((char *)de - bh->b_data))) {
+- /* On error, skip the f_pos to the next block. */
+- dir_file->f_pos = (dir_file->f_pos |
+- (dir->i_sb->s_blocksize - 1)) + 1;
+- brelse (bh);
+- return count;
++ /* silently ignore the rest of the block */
++ break;
+ }
+ ext3fs_dirhash(de->name, de->name_len, hinfo);
+ if ((hinfo->hash < start_hash) ||
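Review bot: The new `break` drops the explicit `brelse (bh); return count;` and now relies on the code after the loop, which is outside the hunk, to release `bh` and return `count`; that should be confirmed for this tree. The comment `/* silently ignore the rest of the block */` would be more useful if it said so, e.g. `/* stop at the first bad entry; bh is released after the loop */`. Callers still receive an ordinary count, so a listing cut short by a corrupt entry is indistinguishable from a complete one unless the check routine itself reports it. The identical hunk in fs/ext4/namei.c has the same points.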
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -917,11 +917,8 @@ static int htree_dirblock_to_tree(struct
+ bh->b_data, bh->b_size,
+ (block<<EXT4_BLOCK_SIZE_BITS(dir->i_sb))
+ + ((char *)de - bh->b_data))) {
+- /* On error, skip the f_pos to the next block. */
+- dir_file->f_pos = (dir_file->f_pos |
+- (dir->i_sb->s_blocksize - 1)) + 1;
+- brelse(bh);
+- return count;
++ /* silently ignore the rest of the block */
++ break;
+ }
+ ext4fs_dirhash(de->name, de->name_len, hinfo);
+ if ((hinfo->hash < start_hash) ||
--- /dev/null
+From 42c832debbbf819f6c4ad8601baa559c44105ba4 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 1 Jul 2013 08:12:39 -0400
+Subject: ext4: check error return from ext4_write_inline_data_end()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 42c832debbbf819f6c4ad8601baa559c44105ba4 upstream.
+
+The function ext4_write_inline_data_end() can return an error. So we
+need to assign it to a signed integer variable to check for an error
+return (since copied is an unsigned int).
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Cc: Zheng Liu <wenqing.lz@taobao.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inode.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1095,10 +1095,13 @@ static int ext4_generic_write_end(struct
+ struct inode *inode = mapping->host;
+ handle_t *handle = ext4_journal_current_handle();
+
+- if (ext4_has_inline_data(inode))
+- copied = ext4_write_inline_data_end(inode, pos, len,
+- copied, page);
+- else
++ if (ext4_has_inline_data(inode)) {
++ ret = ext4_write_inline_data_end(inode, pos, len,
++ copied, page);
++ if (ret < 0)
++ goto errout;
++ copied = ret;
++ } else
+ copied = block_write_end(file, mapping, pos,
+ len, copied, page, fsdata);
+
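Review bot: The new branch assigns to `ret` and jumps to `errout`, but neither the declaration of `ret` nor the `errout` label is visible in this hunk of ext4_generic_write_end(). As this is a backport, both need to be confirmed to exist in this tree's version of the function, and the `errout` path needs to unlock and release `page`, because the jump skips everything that follows `block_write_end()`. The function body continues outside the hunk.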
--- /dev/null
+From 6ca792edc13c409e8d4eb9001e048264c6a2eb64 Mon Sep 17 00:00:00 2001
+From: Maarten ter Huurne <maarten@treewalker.org>
+Date: Mon, 1 Jul 2013 08:12:08 -0400
+Subject: ext4: fix corruption when online resizing a fs with 1K block size
+
+From: Maarten ter Huurne <maarten@treewalker.org>
+
+commit 6ca792edc13c409e8d4eb9001e048264c6a2eb64 upstream.
+
+Subtracting the number of the first data block places the superblock
+backups one block too early, corrupting the file system. When the block
+size is larger than 1K, the first data block is 0, so the subtraction
+has no effect and no corruption occurs.
+
+Signed-off-by: Maarten ter Huurne <maarten@treewalker.org>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1656,12 +1656,10 @@ errout:
+ err = err2;
+
+ if (!err) {
+- ext4_fsblk_t first_block;
+- first_block = ext4_group_first_block_no(sb, 0);
+ if (test_opt(sb, DEBUG))
+ printk(KERN_DEBUG "EXT4-fs: extended group to %llu "
+ "blocks\n", ext4_blocks_count(es));
+- update_backups(sb, EXT4_SB(sb)->s_sbh->b_blocknr - first_block,
++ update_backups(sb, EXT4_SB(sb)->s_sbh->b_blocknr,
+ (char *)es, sizeof(struct ext4_super_block), 0);
+ }
+ return err;
--- /dev/null
+From 39c04153fda8c32e85b51c96eb5511a326ad7609 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 1 Jul 2013 08:12:40 -0400
+Subject: jbd2: fix theoretical race in jbd2__journal_restart
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 39c04153fda8c32e85b51c96eb5511a326ad7609 upstream.
+
+Once we decrement transaction->t_updates, if this is the last handle
+holding the transaction from closing, and once we release the
+t_handle_lock spinlock, it's possible for the transaction to commit
+and be released. In practice with normal kernels, this probably won't
+happen, since the commit happens in a separate kernel thread and it's
+unlikely this could all happen within the space of a few CPU cycles.
+
+On the other hand, with a real-time kernel, this could potentially
+happen, so save the tid found in transaction->t_tid before we release
+t_handle_lock. It would require an insane configuration, such as one
+where the jbd2 thread was set to a very high real-time priority,
+perhaps because a high priority real-time thread is trying to read or
+write to a file system. But some people who use real-time kernels
+have been known to do insane things, including controlling
+laser-wielding industrial robots. :-)
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/transaction.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -518,10 +518,10 @@ int jbd2__journal_restart(handle_t *hand
+ &transaction->t_outstanding_credits);
+ if (atomic_dec_and_test(&transaction->t_updates))
+ wake_up(&journal->j_wait_updates);
++ tid = transaction->t_tid;
+ spin_unlock(&transaction->t_handle_lock);
+
+ jbd_debug(2, "restarting handle %p\n", handle);
+- tid = transaction->t_tid;
+ need_to_start = !tid_geq(journal->j_commit_request, tid);
+ read_unlock(&journal->j_state_lock);
+ if (need_to_start)
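Review bot: The moved assignment `tid = transaction->t_tid;` has no comment explaining why it must come before `spin_unlock(&transaction->t_handle_lock)`, so a later tidy-up could move it back. I would add `/* sample t_tid while t_handle_lock is held; the transaction may commit and be freed once it is dropped */`. Any other use of `transaction` after the unlock in the rest of jbd2__journal_restart(), which continues outside the hunk, needs the same check.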
--- /dev/null
+From fe52d17cdd343ac43c85cf72940a58865b9d3bfb Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Mon, 1 Jul 2013 08:12:38 -0400
+Subject: jbd2: move superblock checksum calculation to jbd2_write_superblock()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit fe52d17cdd343ac43c85cf72940a58865b9d3bfb upstream.
+
+Some of the functions which modify the jbd2 superblock were not
+updating the checksum before calling jbd2_write_superblock(). Move
+the call to jbd2_superblock_csum_set() to jbd2_write_superblock(), so
+that the checksum is calculated consistently.
+
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Cc: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/jbd2/journal.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1320,6 +1320,7 @@ static int journal_reset(journal_t *jour
+ static void jbd2_write_superblock(journal_t *journal, int write_op)
+ {
+ struct buffer_head *bh = journal->j_sb_buffer;
++ journal_superblock_t *sb = journal->j_superblock;
+ int ret;
+
+ trace_jbd2_write_superblock(journal, write_op);
+@@ -1341,6 +1342,7 @@ static void jbd2_write_superblock(journa
+ clear_buffer_write_io_error(bh);
+ set_buffer_uptodate(bh);
+ }
++ jbd2_superblock_csum_set(journal, sb);
+ get_bh(bh);
+ bh->b_end_io = end_buffer_write_sync;
+ ret = submit_bh(write_op, bh);
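Review bot: `jbd2_superblock_csum_set(journal, sb)` now runs in jbd2_write_superblock() without `j_state_lock`, whereas the call removed from jbd2_journal_update_sb_errno() ran before `read_unlock(&journal->j_state_lock)`. Whether the buffer is locked at this point is not visible in the hunk; if superblock fields can change between the checksum and `submit_bh()`, the block written out could carry a stale checksum. A comment on the new call stating what serialises it would help, e.g. `/* checksum last, right before submit, so every caller's update is covered */`. The function starts and ends outside the hunks shown.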
+@@ -1437,7 +1439,6 @@ void jbd2_journal_update_sb_errno(journa
+ jbd_debug(1, "JBD2: updating superblock error (errno %d)\n",
+ journal->j_errno);
+ sb->s_errno = cpu_to_be32(journal->j_errno);
+- jbd2_superblock_csum_set(journal, sb);
+ read_unlock(&journal->j_state_lock);
+
+ jbd2_write_superblock(journal, WRITE_SYNC);
--- /dev/null
+From e39506b466edcda2a7e9d0174d7987ae654137b7 Mon Sep 17 00:00:00 2001
+From: Joachim Eastwood <manabian@gmail.com>
+Date: Thu, 6 Jun 2013 10:24:14 +0200
+Subject: pcmcia: at91_cf: fix gpio_get_value in at91_cf_get_status
+
+From: Joachim Eastwood <manabian@gmail.com>
+
+commit e39506b466edcda2a7e9d0174d7987ae654137b7 upstream.
+
+Commit 80af9e6d (pcmcia at91_cf: fix raw gpio number usage) forgot
+to change the parameter in gpio_get_value after adding gpio
+validation.
+
+Signed-off-by: Joachim Eastwood <manabian@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
+Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pcmcia/at91_cf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pcmcia/at91_cf.c
++++ b/drivers/pcmcia/at91_cf.c
+@@ -100,9 +100,9 @@ static int at91_cf_get_status(struct pcm
+ int vcc = gpio_is_valid(cf->board->vcc_pin);
+
+ *sp = SS_DETECT | SS_3VCARD;
+- if (!rdy || gpio_get_value(rdy))
++ if (!rdy || gpio_get_value(cf->board->irq_pin))
+ *sp |= SS_READY;
+- if (!vcc || gpio_get_value(vcc))
++ if (!vcc || gpio_get_value(cf->board->vcc_pin))
+ *sp |= SS_POWERON;
+ } else
+ *sp = 0;
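Review bot: The locals `rdy` and `vcc` hold validity flags, not GPIO numbers (`int vcc = gpio_is_valid(cf->board->vcc_pin);` is visible; `rdy` is declared just outside the hunk and presumably follows the same pattern), and that naming is what let them be passed to `gpio_get_value()` in the first place. Renaming them, e.g. `vcc_valid` and `rdy_valid`, would make the condition read `if (!vcc_valid || gpio_get_value(cf->board->vcc_pin))` and prevent the same slip from recurring.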
--- /dev/null
+From 10d0b9030a3f86e1e26c710c7580524d7787d688 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Tue, 18 Jun 2013 13:25:05 -0500
+Subject: rtlwifi: rtl8192cu: Fix duplicate if test
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 10d0b9030a3f86e1e26c710c7580524d7787d688 upstream.
+
+A typo causes routine rtl92cu_phy_rf6052_set_cck_txpower() to test the
+same condition twice. The problem was found using cppcheck-1.49, and the
+proper fix was verified against the pre-mac80211 version of the code.
+
+This patch was originally included as commit 1288aa4, but was accidentally
+reverted in a later patch.
+
+Reported-by: David Binderman <dcb314@hotmail.com> [original report]
+Reported-by: Andrea Morello <andrea.merello@gmail.com> [report of accidental reversion]
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/rf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/rf.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/rf.c
+@@ -104,7 +104,7 @@ void rtl92cu_phy_rf6052_set_cck_txpower(
+ tx_agc[RF90_PATH_A] = 0x10101010;
+ tx_agc[RF90_PATH_B] = 0x10101010;
+ } else if (rtlpriv->dm.dynamic_txhighpower_lvl ==
+- TXHIGHPWRLEVEL_LEVEL1) {
++ TXHIGHPWRLEVEL_LEVEL2) {
+ tx_agc[RF90_PATH_A] = 0x00000000;
+ tx_agc[RF90_PATH_B] = 0x00000000;
+ } else{
--- /dev/null
+From 73e088ed17c2880a963cc760a78af8a06d4a4d9d Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Sun, 23 Jun 2013 18:14:43 -0500
+Subject: rtlwifi: rtl8723ae: Fix typo in firmware names
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 73e088ed17c2880a963cc760a78af8a06d4a4d9d upstream.
+
+The driver loads its firmware from files rtlwifi/rtl8723fw*.bin, but the
+MODULE_FIRMWARE macros refer to rtlwifi/RTL8723aefw*.bin.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Reported-by: Axel Köllhofer <AxelKoellhofer@web.de>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/rtl8723ae/sw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8723ae/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8723ae/sw.c
+@@ -251,7 +251,7 @@ static struct rtl_hal_cfg rtl8723ae_hal_
+ .bar_id = 2,
+ .write_readback = true,
+ .name = "rtl8723ae_pci",
+- .fw_name = "rtlwifi/rtl8723aefw.bin",
++ .fw_name = "rtlwifi/rtl8723fw.bin",
+ .ops = &rtl8723ae_hal_ops,
+ .mod_params = &rtl8723ae_mod_params,
+ .maps[SYS_ISO_CTRL] = REG_SYS_ISO_CTRL,
+@@ -353,8 +353,8 @@ MODULE_AUTHOR("Realtek WlanFAE <wlanfae@
+ MODULE_AUTHOR("Larry Finger <Larry.Finger@lwfinger.net>");
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Realtek 8723E 802.11n PCI wireless");
+-MODULE_FIRMWARE("rtlwifi/rtl8723aefw.bin");
+-MODULE_FIRMWARE("rtlwifi/rtl8723aefw_B.bin");
++MODULE_FIRMWARE("rtlwifi/rtl8723fw.bin");
++MODULE_FIRMWARE("rtlwifi/rtl8723fw_B.bin");
+
+ module_param_named(swenc, rtl8723ae_mod_params.sw_crypto, bool, 0444);
+ module_param_named(debug, rtl8723ae_mod_params.debug, int, 0444);
cifs-use-sensible-file-nlink-values-if-unprovided.patch
+cifs-fix-a-deadlock-when-a-file-is-reopened.patch
+rtlwifi-rtl8723ae-fix-typo-in-firmware-names.patch
+rtlwifi-rtl8192cu-fix-duplicate-if-test.patch
+jbd2-move-superblock-checksum-calculation-to-jbd2_write_superblock.patch
+jbd2-fix-theoretical-race-in-jbd2__journal_restart.patch
+ext4-fix-corruption-when-online-resizing-a-fs-with-1k-block-size.patch
+ext3-ext4-don-t-mess-with-dir_file-f_pos-in-htree_dirblock_to_tree.patch
+ext4-check-error-return-from-ext4_write_inline_data_end.patch
+usb-gadget-f_mass_storage-add-missing-memory-barrier-for-thread_wakeup_needed.patch
+xhci-check-for-failed-dma-pool-allocation.patch
+usb-host-xhci-plat-release-mem-region-while-removing-module.patch
+drivers-hv-switch-to-use-mb-instead-of-smp_mb.patch
+pcmcia-at91_cf-fix-gpio_get_value-in-at91_cf_get_status.patch
+cgroup-fix-umount-vs-cgroup_event_remove-race.patch
--- /dev/null
+From d68c277b501889b3a50c179d1c3d704db7947b83 Mon Sep 17 00:00:00 2001
+From: UCHINO Satoshi <satoshi.uchino@toshiba.co.jp>
+Date: Thu, 23 May 2013 11:10:11 +0900
+Subject: usb: gadget: f_mass_storage: add missing memory barrier for thread_wakeup_needed
+
+From: UCHINO Satoshi <satoshi.uchino@toshiba.co.jp>
+
+commit d68c277b501889b3a50c179d1c3d704db7947b83 upstream.
+
+Without this memory barrier, the file-storage thread may fail to
+escape from the following while loop, because it may observe new
+common->thread_wakeup_needed and old bh->state which are updated by
+the callback functions.
+
+ /* Wait for the CBW to arrive */
+ while (bh->state != BUF_STATE_FULL) {
+ rc = sleep_thread(common);
+ if (rc)
+ return rc;
+ }
+
+Signed-off-by: UCHINO Satoshi <satoshi.uchino@toshiba.co.jp>
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/f_mass_storage.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/f_mass_storage.c
++++ b/drivers/usb/gadget/f_mass_storage.c
+@@ -413,6 +413,7 @@ static int fsg_set_halt(struct fsg_dev *
+ /* Caller must hold fsg->lock */
+ static void wakeup_thread(struct fsg_common *common)
+ {
++ smp_wmb(); /* ensure the write of bh->state is complete */
+ /* Tell the main thread that something has happened */
+ common->thread_wakeup_needed = 1;
+ if (common->thread_task)
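Review bot: The two barrier comments describe each side on its own but do not say that they pair: `smp_wmb()` in wakeup_thread() (this hunk) with `smp_rmb()` in sleep_thread() (next hunk). I would write `smp_wmb(); /* pairs with smp_rmb() in sleep_thread(): publish bh->state before the wakeup flag */` and the mirror image on the read side. Note also that the `smp_rmb()` is placed after the store that clears `thread_wakeup_needed`, not directly after the load that observed it; the wait loop is outside the hunk, so it should be confirmed that no read of `bh->state` can be hoisted above that load.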
+@@ -632,6 +633,7 @@ static int sleep_thread(struct fsg_commo
+ }
+ __set_current_state(TASK_RUNNING);
+ common->thread_wakeup_needed = 0;
++ smp_rmb(); /* ensure the latest bh->state is visible */
+ return rc;
+ }
+
--- /dev/null
+From 5388a3a5faba8dfa69e5f06c3a415d373c1a4316 Mon Sep 17 00:00:00 2001
+From: George Cherian <george.cherian@ti.com>
+Date: Fri, 21 Jun 2013 13:59:08 +0530
+Subject: usb: host: xhci-plat: release mem region while removing module
+
+From: George Cherian <george.cherian@ti.com>
+
+commit 5388a3a5faba8dfa69e5f06c3a415d373c1a4316 upstream.
+
+Do a release_mem_region of the hcd resource. Without this the
+subsequent insertion of module fails in request_mem_region.
+
+Signed-off-by: George Cherian <george.cherian@ti.com>
+Acked-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-plat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -179,6 +179,7 @@ static int xhci_plat_remove(struct platf
+
+ usb_remove_hcd(hcd);
+ iounmap(hcd->regs);
++ release_mem_region(hcd->rsrc_start, hcd->rsrc_len);
+ usb_put_hcd(hcd);
+ kfree(xhci);
+
--- /dev/null
+From 025f880cb2e4d7218d0422d4b07bea1a68959c38 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Mon, 17 Jun 2013 09:56:33 -0700
+Subject: xhci: check for failed dma pool allocation
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 025f880cb2e4d7218d0422d4b07bea1a68959c38 upstream.
+
+Fail and free the container context in case dma_pool_alloc() can't allocate
+the raw context data part of it
+
+This patch should be backported to kernels as old as 2.6.31, that
+contain the commit d115b04818e57bdbc7ccde4d0660b15e33013dc8 "USB: xhci:
+Support for 64-byte contexts".
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
+Cc: John Youn <johnyoun@synopsys.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -369,6 +369,10 @@ static struct xhci_container_ctx *xhci_a
+ ctx->size += CTX_SIZE(xhci->hcc_params);
+
+ ctx->bytes = dma_pool_alloc(xhci->device_pool, flags, &ctx->dma);
++ if (!ctx->bytes) {
++ kfree(ctx);
++ return NULL;
++ }
+ memset(ctx->bytes, 0, ctx->size);
+ return ctx;
+ }