From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 7 Jul 2015 17:33:56 +0000 (-0700)
Subject: 4.1-stable patches
X-Git-Tag: v4.0.8~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d9a1fc28aa8097906d723107e50a95487f5d70a;p=thirdparty%2Fkernel%2Fstable-queue.git

4.1-stable patches

added patches:
	usb-gadget-f_fs-add-extra-check-before-unregister_gadget_item.patch
---

diff --git a/queue-4.1/series b/queue-4.1/series
index 160a95b4ab0..2c09a0d32d4 100644
--- a/queue-4.1/series
+++ b/queue-4.1/series
@@ -23,3 +23,4 @@ amd-xgbe-add-the-__gfp_nowarn-flag-to-rx-buffer-allocation.patch
 net-mvneta-introduce-compatible-string-marvell-armada-xp-neta.patch
 arm-mvebu-update-ethernet-compatible-string-for-armada-xp.patch
 net-mvneta-disable-ip-checksum-with-jumbo-frames-for-armada-370.patch
+usb-gadget-f_fs-add-extra-check-before-unregister_gadget_item.patch
diff --git a/queue-4.1/usb-gadget-f_fs-add-extra-check-before-unregister_gadget_item.patch b/queue-4.1/usb-gadget-f_fs-add-extra-check-before-unregister_gadget_item.patch
new file mode 100644
index 00000000000..2dbfaa68251
--- /dev/null
+++ b/queue-4.1/usb-gadget-f_fs-add-extra-check-before-unregister_gadget_item.patch
@@ -0,0 +1,47 @@
+From f14e9ad17f46051b02bffffac2036486097de19e Mon Sep 17 00:00:00 2001
+From: Rui Miguel Silva <rui.silva@linaro.org>
+Date: Wed, 20 May 2015 14:52:40 +0100
+Subject: usb: gadget: f_fs: add extra check before unregister_gadget_item
+
+From: Rui Miguel Silva <rui.silva@linaro.org>
+
+commit f14e9ad17f46051b02bffffac2036486097de19e upstream.
+
+ffs_closed can race with configfs_rmdir which will call config_item_release, so
+add an extra check to avoid calling the unregister_gadget_item with an null
+gadget item.
+
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3435,6 +3435,7 @@ done:
+ static void ffs_closed(struct ffs_data *ffs)
+ {
+ 	struct ffs_dev *ffs_obj;
++	struct f_fs_opts *opts;
+ 
+ 	ENTER();
+ 	ffs_dev_lock();
+@@ -3449,8 +3450,13 @@ static void ffs_closed(struct ffs_data *
+ 	    ffs_obj->ffs_closed_callback)
+ 		ffs_obj->ffs_closed_callback(ffs);
+ 
+-	if (!ffs_obj->opts || ffs_obj->opts->no_configfs
+-	    || !ffs_obj->opts->func_inst.group.cg_item.ci_parent)
++	if (ffs_obj->opts)
++		opts = ffs_obj->opts;
++	else
++		goto done;
++
++	if (opts->no_configfs || !opts->func_inst.group.cg_item.ci_parent
++	    || !atomic_read(&opts->func_inst.group.cg_item.ci_kref.refcount))
+ 		goto done;
+ 
+ 	unregister_gadget_item(ffs_obj->opts->