From b2dc38267505ea5a70a2d1c9b7a5972a723e09ce Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 17 Jul 2013 13:17:40 -0700 Subject: [PATCH] 3.9-stable patches added patches: cgroup-fix-umount-vs-cgroup_event_remove-race.patch cifs-fix-a-deadlock-when-a-file-is-reopened.patch drivers-hv-switch-to-use-mb-instead-of-smp_mb.patch ext3-ext4-don-t-mess-with-dir_file-f_pos-in-htree_dirblock_to_tree.patch ext4-check-error-return-from-ext4_write_inline_data_end.patch ext4-fix-corruption-when-online-resizing-a-fs-with-1k-block-size.patch jbd2-fix-theoretical-race-in-jbd2__journal_restart.patch jbd2-move-superblock-checksum-calculation-to-jbd2_write_superblock.patch pcmcia-at91_cf-fix-gpio_get_value-in-at91_cf_get_status.patch rtlwifi-rtl8192cu-fix-duplicate-if-test.patch rtlwifi-rtl8723ae-fix-typo-in-firmware-names.patch usb-gadget-f_mass_storage-add-missing-memory-barrier-for-thread_wakeup_needed.patch usb-host-xhci-plat-release-mem-region-while-removing-module.patch xhci-check-for-failed-dma-pool-allocation.patch --- ...x-umount-vs-cgroup_event_remove-race.patch | 75 +++++++++++++++++ ...x-a-deadlock-when-a-file-is-reopened.patch | 51 ++++++++++++ ...v-switch-to-use-mb-instead-of-smp_mb.patch | 81 +++++++++++++++++++ ...file-f_pos-in-htree_dirblock_to_tree.patch | 55 +++++++++++++ ...turn-from-ext4_write_inline_data_end.patch | 41 ++++++++++ ...ine-resizing-a-fs-with-1k-block-size.patch | 39 +++++++++ ...etical-race-in-jbd2__journal_restart.patch | 46 +++++++++++ ...calculation-to-jbd2_write_superblock.patch | 48 +++++++++++ ...gpio_get_value-in-at91_cf_get_status.patch | 36 +++++++++ ...wifi-rtl8192cu-fix-duplicate-if-test.patch | 37 +++++++++ ...rtl8723ae-fix-typo-in-firmware-names.patch | 43 ++++++++++ queue-3.9/series | 14 ++++ ...ory-barrier-for-thread_wakeup_needed.patch | 48 +++++++++++ ...ase-mem-region-while-removing-module.patch | 30 +++++++ ...check-for-failed-dma-pool-allocation.patch | 38 +++++++++ 15 files changed, 682 insertions(+) create mode 100644 queue-3.9/cgroup-fix-umount-vs-cgroup_event_remove-race.patch create mode 100644 queue-3.9/cifs-fix-a-deadlock-when-a-file-is-reopened.patch create mode 100644 queue-3.9/drivers-hv-switch-to-use-mb-instead-of-smp_mb.patch create mode 100644 queue-3.9/ext3-ext4-don-t-mess-with-dir_file-f_pos-in-htree_dirblock_to_tree.patch create mode 100644 queue-3.9/ext4-check-error-return-from-ext4_write_inline_data_end.patch create mode 100644 queue-3.9/ext4-fix-corruption-when-online-resizing-a-fs-with-1k-block-size.patch create mode 100644 queue-3.9/jbd2-fix-theoretical-race-in-jbd2__journal_restart.patch create mode 100644 queue-3.9/jbd2-move-superblock-checksum-calculation-to-jbd2_write_superblock.patch create mode 100644 queue-3.9/pcmcia-at91_cf-fix-gpio_get_value-in-at91_cf_get_status.patch create mode 100644 queue-3.9/rtlwifi-rtl8192cu-fix-duplicate-if-test.patch create mode 100644 queue-3.9/rtlwifi-rtl8723ae-fix-typo-in-firmware-names.patch create mode 100644 queue-3.9/usb-gadget-f_mass_storage-add-missing-memory-barrier-for-thread_wakeup_needed.patch create mode 100644 queue-3.9/usb-host-xhci-plat-release-mem-region-while-removing-module.patch create mode 100644 queue-3.9/xhci-check-for-failed-dma-pool-allocation.patch diff --git a/queue-3.9/cgroup-fix-umount-vs-cgroup_event_remove-race.patch b/queue-3.9/cgroup-fix-umount-vs-cgroup_event_remove-race.patch new file mode 100644 index 00000000000..117569ebef6 --- /dev/null +++ b/queue-3.9/cgroup-fix-umount-vs-cgroup_event_remove-race.patch @@ -0,0 +1,75 @@ +From 1c8158eeae0f37d0eee9f1fbe68080df6a408df2 Mon Sep 17 00:00:00 2001 +From: Li Zefan +Date: Tue, 18 Jun 2013 18:41:10 +0800 +Subject: cgroup: fix umount vs cgroup_event_remove() race + +From: Li Zefan + +commit 1c8158eeae0f37d0eee9f1fbe68080df6a408df2 upstream. + + commit 5db9a4d99b0157a513944e9a44d29c9cec2e91dc + Author: Tejun Heo + Date: Sat Jul 7 16:08:18 2012 -0700 + + cgroup: fix cgroup hierarchy umount race + +This commit fixed a race caused by the dput() in css_dput_fn(), but +the dput() in cgroup_event_remove() can also lead to the same BUG(). + +Signed-off-by: Li Zefan +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -3773,6 +3773,23 @@ static int cgroup_write_notify_on_releas + } + + /* ++ * When dput() is called asynchronously, if umount has been done and ++ * then deactivate_super() in cgroup_free_fn() kills the superblock, ++ * there's a small window that vfs will see the root dentry with non-zero ++ * refcnt and trigger BUG(). ++ * ++ * That's why we hold a reference before dput() and drop it right after. ++ */ ++static void cgroup_dput(struct cgroup *cgrp) ++{ ++ struct super_block *sb = cgrp->root->sb; ++ ++ atomic_inc(&sb->s_active); ++ dput(cgrp->dentry); ++ deactivate_super(sb); ++} ++ ++/* + * Unregister event and free resources. + * + * Gets called from workqueue. +@@ -3792,7 +3809,7 @@ static void cgroup_event_remove(struct w + + eventfd_ctx_put(event->eventfd); + kfree(event); +- dput(cgrp->dentry); ++ cgroup_dput(cgrp); + } + + /* +@@ -4075,12 +4092,8 @@ static void css_dput_fn(struct work_stru + { + struct cgroup_subsys_state *css = + container_of(work, struct cgroup_subsys_state, dput_work); +- struct dentry *dentry = css->cgroup->dentry; +- struct super_block *sb = dentry->d_sb; + +- atomic_inc(&sb->s_active); +- dput(dentry); +- deactivate_super(sb); ++ cgroup_dput(css->cgroup); + } + + static void init_cgroup_css(struct cgroup_subsys_state *css, diff --git a/queue-3.9/cifs-fix-a-deadlock-when-a-file-is-reopened.patch b/queue-3.9/cifs-fix-a-deadlock-when-a-file-is-reopened.patch new file mode 100644 index 00000000000..3433931a145 --- /dev/null +++ b/queue-3.9/cifs-fix-a-deadlock-when-a-file-is-reopened.patch @@ -0,0 +1,51 @@ +From 689c3db4d57a73bee6c5ad7797fce7b54d32a87c Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Thu, 11 Jul 2013 11:17:45 +0400 +Subject: CIFS: Fix a deadlock when a file is reopened + +From: Pavel Shilovsky + +commit 689c3db4d57a73bee6c5ad7797fce7b54d32a87c upstream. + +If we request reading or writing on a file that needs to be +reopened, it causes the deadlock: we are already holding rw +semaphore for reading and then we try to acquire it for writing +in cifs_relock_file. Fix this by acquiring the semaphore for +reading in cifs_relock_file due to we don't make any changes in +locks and don't need a write access. + +Signed-off-by: Pavel Shilovsky +Acked-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/file.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -557,11 +557,10 @@ cifs_relock_file(struct cifsFileInfo *cf + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + int rc = 0; + +- /* we are going to update can_cache_brlcks here - need a write access */ +- down_write(&cinode->lock_sem); ++ down_read(&cinode->lock_sem); + if (cinode->can_cache_brlcks) { +- /* can cache locks - no need to push them */ +- up_write(&cinode->lock_sem); ++ /* can cache locks - no need to relock */ ++ up_read(&cinode->lock_sem); + return rc; + } + +@@ -572,7 +571,7 @@ cifs_relock_file(struct cifsFileInfo *cf + else + rc = tcon->ses->server->ops->push_mand_locks(cfile); + +- up_write(&cinode->lock_sem); ++ up_read(&cinode->lock_sem); + return rc; + } + diff --git a/queue-3.9/drivers-hv-switch-to-use-mb-instead-of-smp_mb.patch b/queue-3.9/drivers-hv-switch-to-use-mb-instead-of-smp_mb.patch new file mode 100644 index 00000000000..6f1944d8c45 --- /dev/null +++ b/queue-3.9/drivers-hv-switch-to-use-mb-instead-of-smp_mb.patch @@ -0,0 +1,81 @@ +From 35848f68b07df3f917cb13fc3c134718669f569b Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 18 Jun 2013 13:04:23 +0800 +Subject: drivers: hv: switch to use mb() instead of smp_mb() + +From: Jason Wang + +commit 35848f68b07df3f917cb13fc3c134718669f569b upstream. + +Even if guest were compiled without SMP support, it could not assume that host +wasn't. So switch to use mb() instead of smp_mb() to force memory barriers for +UP guest. + +Signed-off-by: Jason Wang +Cc: Haiyang Zhang +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/ring_buffer.c | 10 +++++----- + drivers/hv/vmbus_drv.c | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/hv/ring_buffer.c ++++ b/drivers/hv/ring_buffer.c +@@ -32,7 +32,7 @@ + void hv_begin_read(struct hv_ring_buffer_info *rbi) + { + rbi->ring_buffer->interrupt_mask = 1; +- smp_mb(); ++ mb(); + } + + u32 hv_end_read(struct hv_ring_buffer_info *rbi) +@@ -41,7 +41,7 @@ u32 hv_end_read(struct hv_ring_buffer_in + u32 write; + + rbi->ring_buffer->interrupt_mask = 0; +- smp_mb(); ++ mb(); + + /* + * Now check to see if the ring buffer is still empty. +@@ -71,7 +71,7 @@ u32 hv_end_read(struct hv_ring_buffer_in + + static bool hv_need_to_signal(u32 old_write, struct hv_ring_buffer_info *rbi) + { +- smp_mb(); ++ mb(); + if (rbi->ring_buffer->interrupt_mask) + return false; + +@@ -442,7 +442,7 @@ int hv_ringbuffer_write(struct hv_ring_b + sizeof(u64)); + + /* Issue a full memory barrier before updating the write index */ +- smp_mb(); ++ mb(); + + /* Now, update the write location */ + hv_set_next_write_location(outring_info, next_write_location); +@@ -549,7 +549,7 @@ int hv_ringbuffer_read(struct hv_ring_bu + /* Make sure all reads are done before we update the read index since */ + /* the writer may start writing to the read area once the read index */ + /*is updated */ +- smp_mb(); ++ mb(); + + /* Update the read index */ + hv_set_next_read_location(inring_info, next_read_location); +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -434,7 +434,7 @@ static void vmbus_on_msg_dpc(unsigned lo + * will not deliver any more messages since there is + * no empty slot + */ +- smp_mb(); ++ mb(); + + if (msg->header.message_flags.msg_pending) { + /* diff --git a/queue-3.9/ext3-ext4-don-t-mess-with-dir_file-f_pos-in-htree_dirblock_to_tree.patch b/queue-3.9/ext3-ext4-don-t-mess-with-dir_file-f_pos-in-htree_dirblock_to_tree.patch new file mode 100644 index 00000000000..181c2b636e5 --- /dev/null +++ b/queue-3.9/ext3-ext4-don-t-mess-with-dir_file-f_pos-in-htree_dirblock_to_tree.patch @@ -0,0 +1,55 @@ +From 64cb927371cd2ec43758d8a094a003d27bc3d0dc Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Mon, 1 Jul 2013 08:12:38 -0400 +Subject: ext3,ext4: don't mess with dir_file->f_pos in htree_dirblock_to_tree() + +From: Al Viro + +commit 64cb927371cd2ec43758d8a094a003d27bc3d0dc upstream. + +Both ext3 and ext4 htree_dirblock_to_tree() is just filling the +in-core rbtree for use by call_filldir(). All updates of ->f_pos are +done by the latter; bumping it here (on error) is obviously wrong - we +might very well have it nowhere near the block we'd found an error in. + +Signed-off-by: Al Viro +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext3/namei.c | 7 ++----- + fs/ext4/namei.c | 7 ++----- + 2 files changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/ext3/namei.c ++++ b/fs/ext3/namei.c +@@ -576,11 +576,8 @@ static int htree_dirblock_to_tree(struct + if (!ext3_check_dir_entry("htree_dirblock_to_tree", dir, de, bh, + (block<i_sb)) + +((char *)de - bh->b_data))) { +- /* On error, skip the f_pos to the next block. */ +- dir_file->f_pos = (dir_file->f_pos | +- (dir->i_sb->s_blocksize - 1)) + 1; +- brelse (bh); +- return count; ++ /* silently ignore the rest of the block */ ++ break; + } + ext3fs_dirhash(de->name, de->name_len, hinfo); + if ((hinfo->hash < start_hash) || +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -917,11 +917,8 @@ static int htree_dirblock_to_tree(struct + bh->b_data, bh->b_size, + (block<i_sb)) + + ((char *)de - bh->b_data))) { +- /* On error, skip the f_pos to the next block. */ +- dir_file->f_pos = (dir_file->f_pos | +- (dir->i_sb->s_blocksize - 1)) + 1; +- brelse(bh); +- return count; ++ /* silently ignore the rest of the block */ ++ break; + } + ext4fs_dirhash(de->name, de->name_len, hinfo); + if ((hinfo->hash < start_hash) || diff --git a/queue-3.9/ext4-check-error-return-from-ext4_write_inline_data_end.patch b/queue-3.9/ext4-check-error-return-from-ext4_write_inline_data_end.patch new file mode 100644 index 00000000000..86229632833 --- /dev/null +++ b/queue-3.9/ext4-check-error-return-from-ext4_write_inline_data_end.patch @@ -0,0 +1,41 @@ +From 42c832debbbf819f6c4ad8601baa559c44105ba4 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 1 Jul 2013 08:12:39 -0400 +Subject: ext4: check error return from ext4_write_inline_data_end() + +From: Theodore Ts'o + +commit 42c832debbbf819f6c4ad8601baa559c44105ba4 upstream. + +The function ext4_write_inline_data_end() can return an error. So we +need to assign it to a signed integer variable to check for an error +return (since copied is an unsigned int). + +Signed-off-by: "Theodore Ts'o" +Cc: Zheng Liu +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -1095,10 +1095,13 @@ static int ext4_generic_write_end(struct + struct inode *inode = mapping->host; + handle_t *handle = ext4_journal_current_handle(); + +- if (ext4_has_inline_data(inode)) +- copied = ext4_write_inline_data_end(inode, pos, len, +- copied, page); +- else ++ if (ext4_has_inline_data(inode)) { ++ ret = ext4_write_inline_data_end(inode, pos, len, ++ copied, page); ++ if (ret < 0) ++ goto errout; ++ copied = ret; ++ } else + copied = block_write_end(file, mapping, pos, + len, copied, page, fsdata); + diff --git a/queue-3.9/ext4-fix-corruption-when-online-resizing-a-fs-with-1k-block-size.patch b/queue-3.9/ext4-fix-corruption-when-online-resizing-a-fs-with-1k-block-size.patch new file mode 100644 index 00000000000..b89b141f883 --- /dev/null +++ b/queue-3.9/ext4-fix-corruption-when-online-resizing-a-fs-with-1k-block-size.patch @@ -0,0 +1,39 @@ +From 6ca792edc13c409e8d4eb9001e048264c6a2eb64 Mon Sep 17 00:00:00 2001 +From: Maarten ter Huurne +Date: Mon, 1 Jul 2013 08:12:08 -0400 +Subject: ext4: fix corruption when online resizing a fs with 1K block size + +From: Maarten ter Huurne + +commit 6ca792edc13c409e8d4eb9001e048264c6a2eb64 upstream. + +Subtracting the number of the first data block places the superblock +backups one block too early, corrupting the file system. When the block +size is larger than 1K, the first data block is 0, so the subtraction +has no effect and no corruption occurs. + +Signed-off-by: Maarten ter Huurne +Signed-off-by: "Theodore Ts'o" +Reviewed-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1656,12 +1656,10 @@ errout: + err = err2; + + if (!err) { +- ext4_fsblk_t first_block; +- first_block = ext4_group_first_block_no(sb, 0); + if (test_opt(sb, DEBUG)) + printk(KERN_DEBUG "EXT4-fs: extended group to %llu " + "blocks\n", ext4_blocks_count(es)); +- update_backups(sb, EXT4_SB(sb)->s_sbh->b_blocknr - first_block, ++ update_backups(sb, EXT4_SB(sb)->s_sbh->b_blocknr, + (char *)es, sizeof(struct ext4_super_block), 0); + } + return err; diff --git a/queue-3.9/jbd2-fix-theoretical-race-in-jbd2__journal_restart.patch b/queue-3.9/jbd2-fix-theoretical-race-in-jbd2__journal_restart.patch new file mode 100644 index 00000000000..7c3e47f162d --- /dev/null +++ b/queue-3.9/jbd2-fix-theoretical-race-in-jbd2__journal_restart.patch @@ -0,0 +1,46 @@ +From 39c04153fda8c32e85b51c96eb5511a326ad7609 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 1 Jul 2013 08:12:40 -0400 +Subject: jbd2: fix theoretical race in jbd2__journal_restart + +From: Theodore Ts'o + +commit 39c04153fda8c32e85b51c96eb5511a326ad7609 upstream. + +Once we decrement transaction->t_updates, if this is the last handle +holding the transaction from closing, and once we release the +t_handle_lock spinlock, it's possible for the transaction to commit +and be released. In practice with normal kernels, this probably won't +happen, since the commit happens in a separate kernel thread and it's +unlikely this could all happen within the space of a few CPU cycles. + +On the other hand, with a real-time kernel, this could potentially +happen, so save the tid found in transaction->t_tid before we release +t_handle_lock. It would require an insane configuration, such as one +where the jbd2 thread was set to a very high real-time priority, +perhaps because a high priority real-time thread is trying to read or +write to a file system. But some people who use real-time kernels +have been known to do insane things, including controlling +laser-wielding industrial robots. :-) + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -518,10 +518,10 @@ int jbd2__journal_restart(handle_t *hand + &transaction->t_outstanding_credits); + if (atomic_dec_and_test(&transaction->t_updates)) + wake_up(&journal->j_wait_updates); ++ tid = transaction->t_tid; + spin_unlock(&transaction->t_handle_lock); + + jbd_debug(2, "restarting handle %p\n", handle); +- tid = transaction->t_tid; + need_to_start = !tid_geq(journal->j_commit_request, tid); + read_unlock(&journal->j_state_lock); + if (need_to_start) diff --git a/queue-3.9/jbd2-move-superblock-checksum-calculation-to-jbd2_write_superblock.patch b/queue-3.9/jbd2-move-superblock-checksum-calculation-to-jbd2_write_superblock.patch new file mode 100644 index 00000000000..2d1fb9e4c04 --- /dev/null +++ b/queue-3.9/jbd2-move-superblock-checksum-calculation-to-jbd2_write_superblock.patch @@ -0,0 +1,48 @@ +From fe52d17cdd343ac43c85cf72940a58865b9d3bfb Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 1 Jul 2013 08:12:38 -0400 +Subject: jbd2: move superblock checksum calculation to jbd2_write_superblock() + +From: Theodore Ts'o + +commit fe52d17cdd343ac43c85cf72940a58865b9d3bfb upstream. + +Some of the functions which modify the jbd2 superblock were not +updating the checksum before calling jbd2_write_superblock(). Move +the call to jbd2_superblock_csum_set() to jbd2_write_superblock(), so +that the checksum is calculated consistently. + +Signed-off-by: "Theodore Ts'o" +Cc: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/journal.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1320,6 +1320,7 @@ static int journal_reset(journal_t *jour + static void jbd2_write_superblock(journal_t *journal, int write_op) + { + struct buffer_head *bh = journal->j_sb_buffer; ++ journal_superblock_t *sb = journal->j_superblock; + int ret; + + trace_jbd2_write_superblock(journal, write_op); +@@ -1341,6 +1342,7 @@ static void jbd2_write_superblock(journa + clear_buffer_write_io_error(bh); + set_buffer_uptodate(bh); + } ++ jbd2_superblock_csum_set(journal, sb); + get_bh(bh); + bh->b_end_io = end_buffer_write_sync; + ret = submit_bh(write_op, bh); +@@ -1437,7 +1439,6 @@ void jbd2_journal_update_sb_errno(journa + jbd_debug(1, "JBD2: updating superblock error (errno %d)\n", + journal->j_errno); + sb->s_errno = cpu_to_be32(journal->j_errno); +- jbd2_superblock_csum_set(journal, sb); + read_unlock(&journal->j_state_lock); + + jbd2_write_superblock(journal, WRITE_SYNC); diff --git a/queue-3.9/pcmcia-at91_cf-fix-gpio_get_value-in-at91_cf_get_status.patch b/queue-3.9/pcmcia-at91_cf-fix-gpio_get_value-in-at91_cf_get_status.patch new file mode 100644 index 00000000000..3fb40a3fe86 --- /dev/null +++ b/queue-3.9/pcmcia-at91_cf-fix-gpio_get_value-in-at91_cf_get_status.patch @@ -0,0 +1,36 @@ +From e39506b466edcda2a7e9d0174d7987ae654137b7 Mon Sep 17 00:00:00 2001 +From: Joachim Eastwood +Date: Thu, 6 Jun 2013 10:24:14 +0200 +Subject: pcmcia: at91_cf: fix gpio_get_value in at91_cf_get_status + +From: Joachim Eastwood + +commit e39506b466edcda2a7e9d0174d7987ae654137b7 upstream. + +Commit 80af9e6d (pcmcia at91_cf: fix raw gpio number usage) forgot +to change the parameter in gpio_get_value after adding gpio +validation. + +Signed-off-by: Joachim Eastwood +Signed-off-by: Nicolas Ferre +Acked-by: Jean-Christophe PLAGNIOL-VILLARD +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pcmcia/at91_cf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pcmcia/at91_cf.c ++++ b/drivers/pcmcia/at91_cf.c +@@ -100,9 +100,9 @@ static int at91_cf_get_status(struct pcm + int vcc = gpio_is_valid(cf->board->vcc_pin); + + *sp = SS_DETECT | SS_3VCARD; +- if (!rdy || gpio_get_value(rdy)) ++ if (!rdy || gpio_get_value(cf->board->irq_pin)) + *sp |= SS_READY; +- if (!vcc || gpio_get_value(vcc)) ++ if (!vcc || gpio_get_value(cf->board->vcc_pin)) + *sp |= SS_POWERON; + } else + *sp = 0; diff --git a/queue-3.9/rtlwifi-rtl8192cu-fix-duplicate-if-test.patch b/queue-3.9/rtlwifi-rtl8192cu-fix-duplicate-if-test.patch new file mode 100644 index 00000000000..339a2e7debf --- /dev/null +++ b/queue-3.9/rtlwifi-rtl8192cu-fix-duplicate-if-test.patch @@ -0,0 +1,37 @@ +From 10d0b9030a3f86e1e26c710c7580524d7787d688 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Tue, 18 Jun 2013 13:25:05 -0500 +Subject: rtlwifi: rtl8192cu: Fix duplicate if test + +From: Larry Finger + +commit 10d0b9030a3f86e1e26c710c7580524d7787d688 upstream. + +A typo causes routine rtl92cu_phy_rf6052_set_cck_txpower() to test the +same condition twice. The problem was found using cppcheck-1.49, and the +proper fix was verified against the pre-mac80211 version of the code. + +This patch was originally included as commit 1288aa4, but was accidentally +reverted in a later patch. + +Reported-by: David Binderman [original report] +Reported-by: Andrea Morello [report of accidental reversion] +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/rf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/rf.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/rf.c +@@ -104,7 +104,7 @@ void rtl92cu_phy_rf6052_set_cck_txpower( + tx_agc[RF90_PATH_A] = 0x10101010; + tx_agc[RF90_PATH_B] = 0x10101010; + } else if (rtlpriv->dm.dynamic_txhighpower_lvl == +- TXHIGHPWRLEVEL_LEVEL1) { ++ TXHIGHPWRLEVEL_LEVEL2) { + tx_agc[RF90_PATH_A] = 0x00000000; + tx_agc[RF90_PATH_B] = 0x00000000; + } else{ diff --git a/queue-3.9/rtlwifi-rtl8723ae-fix-typo-in-firmware-names.patch b/queue-3.9/rtlwifi-rtl8723ae-fix-typo-in-firmware-names.patch new file mode 100644 index 00000000000..d6234ea19a3 --- /dev/null +++ b/queue-3.9/rtlwifi-rtl8723ae-fix-typo-in-firmware-names.patch @@ -0,0 +1,43 @@ +From 73e088ed17c2880a963cc760a78af8a06d4a4d9d Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 23 Jun 2013 18:14:43 -0500 +Subject: rtlwifi: rtl8723ae: Fix typo in firmware names + +From: Larry Finger + +commit 73e088ed17c2880a963cc760a78af8a06d4a4d9d upstream. + +The driver loads its firmware from files rtlwifi/rtl8723fw*.bin, but the +MODULE_FIRMWARE macros refer to rtlwifi/RTL8723aefw*.bin. + +Signed-off-by: Larry Finger +Reported-by: Axel Köllhofer +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8723ae/sw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8723ae/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8723ae/sw.c +@@ -251,7 +251,7 @@ static struct rtl_hal_cfg rtl8723ae_hal_ + .bar_id = 2, + .write_readback = true, + .name = "rtl8723ae_pci", +- .fw_name = "rtlwifi/rtl8723aefw.bin", ++ .fw_name = "rtlwifi/rtl8723fw.bin", + .ops = &rtl8723ae_hal_ops, + .mod_params = &rtl8723ae_mod_params, + .maps[SYS_ISO_CTRL] = REG_SYS_ISO_CTRL, +@@ -353,8 +353,8 @@ MODULE_AUTHOR("Realtek WlanFAE "); + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Realtek 8723E 802.11n PCI wireless"); +-MODULE_FIRMWARE("rtlwifi/rtl8723aefw.bin"); +-MODULE_FIRMWARE("rtlwifi/rtl8723aefw_B.bin"); ++MODULE_FIRMWARE("rtlwifi/rtl8723fw.bin"); ++MODULE_FIRMWARE("rtlwifi/rtl8723fw_B.bin"); + + module_param_named(swenc, rtl8723ae_mod_params.sw_crypto, bool, 0444); + module_param_named(debug, rtl8723ae_mod_params.debug, int, 0444); diff --git a/queue-3.9/series b/queue-3.9/series index f1c5d1dfa7b..5f40419a78c 100644 --- a/queue-3.9/series +++ b/queue-3.9/series @@ -1 +1,15 @@ cifs-use-sensible-file-nlink-values-if-unprovided.patch +cifs-fix-a-deadlock-when-a-file-is-reopened.patch +rtlwifi-rtl8723ae-fix-typo-in-firmware-names.patch +rtlwifi-rtl8192cu-fix-duplicate-if-test.patch +jbd2-move-superblock-checksum-calculation-to-jbd2_write_superblock.patch +jbd2-fix-theoretical-race-in-jbd2__journal_restart.patch +ext4-fix-corruption-when-online-resizing-a-fs-with-1k-block-size.patch +ext3-ext4-don-t-mess-with-dir_file-f_pos-in-htree_dirblock_to_tree.patch +ext4-check-error-return-from-ext4_write_inline_data_end.patch +usb-gadget-f_mass_storage-add-missing-memory-barrier-for-thread_wakeup_needed.patch +xhci-check-for-failed-dma-pool-allocation.patch +usb-host-xhci-plat-release-mem-region-while-removing-module.patch +drivers-hv-switch-to-use-mb-instead-of-smp_mb.patch +pcmcia-at91_cf-fix-gpio_get_value-in-at91_cf_get_status.patch +cgroup-fix-umount-vs-cgroup_event_remove-race.patch diff --git a/queue-3.9/usb-gadget-f_mass_storage-add-missing-memory-barrier-for-thread_wakeup_needed.patch b/queue-3.9/usb-gadget-f_mass_storage-add-missing-memory-barrier-for-thread_wakeup_needed.patch new file mode 100644 index 00000000000..335d2d3ca85 --- /dev/null +++ b/queue-3.9/usb-gadget-f_mass_storage-add-missing-memory-barrier-for-thread_wakeup_needed.patch @@ -0,0 +1,48 @@ +From d68c277b501889b3a50c179d1c3d704db7947b83 Mon Sep 17 00:00:00 2001 +From: UCHINO Satoshi +Date: Thu, 23 May 2013 11:10:11 +0900 +Subject: usb: gadget: f_mass_storage: add missing memory barrier for thread_wakeup_needed + +From: UCHINO Satoshi + +commit d68c277b501889b3a50c179d1c3d704db7947b83 upstream. + +Without this memory barrier, the file-storage thread may fail to +escape from the following while loop, because it may observe new +common->thread_wakeup_needed and old bh->state which are updated by +the callback functions. + + /* Wait for the CBW to arrive */ + while (bh->state != BUF_STATE_FULL) { + rc = sleep_thread(common); + if (rc) + return rc; + } + +Signed-off-by: UCHINO Satoshi +Acked-by: Michal Nazarewicz +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/f_mass_storage.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/gadget/f_mass_storage.c ++++ b/drivers/usb/gadget/f_mass_storage.c +@@ -413,6 +413,7 @@ static int fsg_set_halt(struct fsg_dev * + /* Caller must hold fsg->lock */ + static void wakeup_thread(struct fsg_common *common) + { ++ smp_wmb(); /* ensure the write of bh->state is complete */ + /* Tell the main thread that something has happened */ + common->thread_wakeup_needed = 1; + if (common->thread_task) +@@ -632,6 +633,7 @@ static int sleep_thread(struct fsg_commo + } + __set_current_state(TASK_RUNNING); + common->thread_wakeup_needed = 0; ++ smp_rmb(); /* ensure the latest bh->state is visible */ + return rc; + } + diff --git a/queue-3.9/usb-host-xhci-plat-release-mem-region-while-removing-module.patch b/queue-3.9/usb-host-xhci-plat-release-mem-region-while-removing-module.patch new file mode 100644 index 00000000000..1a0cebcca0e --- /dev/null +++ b/queue-3.9/usb-host-xhci-plat-release-mem-region-while-removing-module.patch @@ -0,0 +1,30 @@ +From 5388a3a5faba8dfa69e5f06c3a415d373c1a4316 Mon Sep 17 00:00:00 2001 +From: George Cherian +Date: Fri, 21 Jun 2013 13:59:08 +0530 +Subject: usb: host: xhci-plat: release mem region while removing module + +From: George Cherian + +commit 5388a3a5faba8dfa69e5f06c3a415d373c1a4316 upstream. + +Do a release_mem_region of the hcd resource. Without this the +subsequent insertion of module fails in request_mem_region. + +Signed-off-by: George Cherian +Acked-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-plat.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -179,6 +179,7 @@ static int xhci_plat_remove(struct platf + + usb_remove_hcd(hcd); + iounmap(hcd->regs); ++ release_mem_region(hcd->rsrc_start, hcd->rsrc_len); + usb_put_hcd(hcd); + kfree(xhci); + diff --git a/queue-3.9/xhci-check-for-failed-dma-pool-allocation.patch b/queue-3.9/xhci-check-for-failed-dma-pool-allocation.patch new file mode 100644 index 00000000000..0111b5715b7 --- /dev/null +++ b/queue-3.9/xhci-check-for-failed-dma-pool-allocation.patch @@ -0,0 +1,38 @@ +From 025f880cb2e4d7218d0422d4b07bea1a68959c38 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 17 Jun 2013 09:56:33 -0700 +Subject: xhci: check for failed dma pool allocation + +From: Mathias Nyman + +commit 025f880cb2e4d7218d0422d4b07bea1a68959c38 upstream. + +Fail and free the container context in case dma_pool_alloc() can't allocate +the raw context data part of it + +This patch should be backported to kernels as old as 2.6.31, that +contain the commit d115b04818e57bdbc7ccde4d0660b15e33013dc8 "USB: xhci: +Support for 64-byte contexts". + +Signed-off-by: Mathias Nyman +Signed-off-by: Sarah Sharp +Cc: John Youn +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-mem.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -369,6 +369,10 @@ static struct xhci_container_ctx *xhci_a + ctx->size += CTX_SIZE(xhci->hcc_params); + + ctx->bytes = dma_pool_alloc(xhci->device_pool, flags, &ctx->dma); ++ if (!ctx->bytes) { ++ kfree(ctx); ++ return NULL; ++ } + memset(ctx->bytes, 0, ctx->size); + return ctx; + } -- 2.47.3