From: Greg Kroah-Hartman
Date: Thu, 20 Feb 2014 21:52:50 +0000 (-0800)
Subject: 3.10-stable patches
X-Git-Tag: v3.4.82~30
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4ae591c6ef065a9d84b7326b89b42d6f5338f2ea;p=thirdparty%2Fkernel%2Fstable-queue.git
3.10-stable patches added patches: spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
---
diff --git a/queue-3.10/nl80211-reset-split_start-when-netlink-skb-is-exhausted.patch b/queue-3.10/nl80211-reset-split_start-when-netlink-skb-is-exhausted.patch
deleted file mode 100644
index d57292e1ed6..00000000000
--- a/queue-3.10/nl80211-reset-split_start-when-netlink-skb-is-exhausted.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f12cb2893069495726c21a4b0178705dacfecfe0 Mon Sep 17 00:00:00 2001
-From: Pontus Fuchs
-Date: Thu, 16 Jan 2014 15:00:40 +0100
-Subject: nl80211: Reset split_start when netlink skb is exhausted
-
-From: Pontus Fuchs
-
-commit f12cb2893069495726c21a4b0178705dacfecfe0 upstream.
-
-When the netlink skb is exhausted split_start is left set. In the
-subsequent retry, with a larger buffer, the dump is continued from the
-failing point instead of from the beginning.
-
-This was causing my rt28xx based USB dongle to now show up when
-running "iw list" with an old iw version without split dump support.
-
-Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps")
-Signed-off-by: Pontus Fuchs
-[avoid the entire workaround when state->split is set]
-Signed-off-by: Johannes Berg
-Signed-off-by: Greg Kroah-Hartman
-
----
- net/wireless/nl80211.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -1634,9 +1634,10 @@ static int nl80211_dump_wiphy(struct sk_
- * We can then retry with the larger buffer.
- */
- if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
-- !skb->len &&
-+ !skb->len && !state->split &&
- cb->min_dump_alloc < 4096) {
- cb->min_dump_alloc = 4096;
-+ state->split_start = 0;
- mutex_unlock(&cfg80211_mutex);
- return 1;
- }
diff --git a/queue-3.10/series b/queue-3.10/series
index b1079bd4644..a0dce473d88 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -13,4 +13,4 @@ ath9k_htc-make-sta_rc_update-atomic-for-most-calls.patch
 ar5523-fix-usb-id-for-gigaset.patch
 s390-dump-fix-dump-memory-detection.patch
 s390-fix-kernel-crash-due-to-linkage-stack-instructions.patch
-nl80211-reset-split_start-when-netlink-skb-is-exhausted.patch
+spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
diff --git a/queue-3.10/spi-fix-crash-with-double-message-finalisation-on-error-handling.patch b/queue-3.10/spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
new file mode 100644
index 00000000000..6fc893d9ac5
--- /dev/null
+++ b/queue-3.10/spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
@@ -0,0 +1,45 @@
+From 1f802f8249a0da536877842c43c7204064c4de8b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Tue, 28 Jan 2014 10:33:03 +0100
+Subject: spi: Fix crash with double message finalisation on error handling
+
+From: Geert Uytterhoeven
+
+commit 1f802f8249a0da536877842c43c7204064c4de8b upstream.
+
+This reverts commit e120cc0dcf2880a4c5c0a6cb27b655600a1cfa1d.
+
+It causes a NULL pointer dereference with drivers using the generic
+spi_transfer_one_message(), which always calls
+spi_finalize_current_message(), which zeroes master->cur_msg.
+
+Drivers implementing transfer_one_message() theirselves must always call
+spi_finalize_current_message(), even if the transfer failed:
+
+ * @transfer_one_message: the subsystem calls the driver to transfer a single
+ * message while queuing transfers that arrive in the meantime. When the
+ * driver is finished with this message, it must call
+ * spi_finalize_current_message() so the subsystem can issue the next
+ * transfer
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -584,9 +584,7 @@ static void spi_pump_messages(struct kth
+ ret = master->transfer_one_message(master, master->cur_msg);
+ if (ret) {
+ dev_err(&master->dev,
+- "failed to transfer one message from queue: %d\n", ret);
+- master->cur_msg->status = ret;
+- spi_finalize_current_message(master);
++ "failed to transfer one message from queue\n");
+ return;
+ }
+ }
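Review bot: The `if (ret)` branch of spi_pump_messages() in the queued spi.c change now only logs and returns, so it relies on every driver's transfer_one_message() having already called spi_finalize_current_message() on failure, and nothing at this call site records that contract. A driver that returns an error without finalising would presumably leave master->cur_msg set and stall the queue; this is inferred, since the rest of the function lies outside the hunk. I would add a comment above the branch such as `/* transfer_one_message() must finalise the message itself, even on error; master->cur_msg may already be NULL here */`. The revert also drops the error code from the log line, although `ret` is a local and printing it does not touch cur_msg, so `"failed to transfer one message from queue: %d\n", ret);` could be kept to make failures diagnosable. As this is a stable backport, both changes would need to land upstream first so the queued patch still matches the upstream commit.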