From: Greg Kroah-Hartman
Date: Thu, 20 Feb 2014 21:53:04 +0000 (-0800)
Subject: 3.4-stable patches
X-Git-Tag: v3.4.82~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc025151e6660d97dfffbe10ec61dc9df4bf0dcd;p=thirdparty%2Fkernel%2Fstable-queue.git
3.4-stable patches added patches: spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
---
diff --git a/queue-3.4/series b/queue-3.4/series
index d16a60f77f1..51df4d47cba 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -3,3 +3,4 @@ fs-file.c-fdtable-avoid-triggering-ooms-from-alloc_fdmem.patch
 mac80211-fix-fragmentation-code-particularly-for-encryption.patch
 s390-dump-fix-dump-memory-detection.patch
 s390-fix-kernel-crash-due-to-linkage-stack-instructions.patch
+spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
diff --git a/queue-3.4/spi-fix-crash-with-double-message-finalisation-on-error-handling.patch b/queue-3.4/spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
new file mode 100644
index 00000000000..06a34e2eb91
--- /dev/null
+++ b/queue-3.4/spi-fix-crash-with-double-message-finalisation-on-error-handling.patch
@@ -0,0 +1,45 @@
+From 1f802f8249a0da536877842c43c7204064c4de8b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Tue, 28 Jan 2014 10:33:03 +0100
+Subject: spi: Fix crash with double message finalisation on error handling
+
+From: Geert Uytterhoeven
+
+commit 1f802f8249a0da536877842c43c7204064c4de8b upstream.
+
+This reverts commit e120cc0dcf2880a4c5c0a6cb27b655600a1cfa1d.
+
+It causes a NULL pointer dereference with drivers using the generic
+spi_transfer_one_message(), which always calls
+spi_finalize_current_message(), which zeroes master->cur_msg.
+
+Drivers implementing transfer_one_message() theirselves must always call
+spi_finalize_current_message(), even if the transfer failed:
+
+ * @transfer_one_message: the subsystem calls the driver to transfer a single
+ * message while queuing transfers that arrive in the meantime. When the
+ * driver is finished with this message, it must call
+ * spi_finalize_current_message() so the subsystem can issue the next
+ * transfer
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -572,9 +572,7 @@ static void spi_pump_messages(struct kth
+ ret = master->transfer_one_message(master, master->cur_msg);
+ if (ret) {
+ dev_err(&master->dev,
+- "failed to transfer one message from queue: %d\n", ret);
+- master->cur_msg->status = ret;
+- spi_finalize_current_message(master);
++ "failed to transfer one message from queue\n");
+ return;
+ }
+ }
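Review bot: The queued revert also drops the error code from the `dev_err()` call in spi_pump_messages(), although per the commit message only the `master->cur_msg->status = ret;` and `spi_finalize_current_message(master);` lines lead to the NULL pointer dereference. Keeping `"failed to transfer one message from queue: %d\n", ret);` would preserve the errno in the log without touching `master->cur_msg`. With the core no longer finalizing on failure, a driver whose transfer_one_message() returns an error without calling spi_finalize_current_message() would presumably leave the message unfinalized and the queue stalled, so that contract is worth checking in the drivers that implement the hook. The body of spi_pump_messages() starts and ends outside the hunk.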