The original code set "str_info->decode_ibuf" to NULL so the kfree() is
no-op.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Harsha Priya <priya.harsha@intel.com>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
PollingCnt is 20 and that means we loop 20 times and then run the
timeout code. After the end of the loop PollingCnt should be -1 but
because it's an unsigned char, it's actually 255 and the timeout
code never runs.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This driver issues a kernel panic over conditions that do not
justify such drastic action. Change these to log entries with
a stack dump.
This patch fixes the system crash reported in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
Cc: Stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
input_unregister_device() releases "quickstart_input" so the
input_free_device() is a double free. Also I noticed that there is a
memory leak if the call to input_register_device() fails.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
input_unregister_device() frees the device so the call to
input_free_device() is a double free.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Markus Grabner <grabner@icg.tugraz.at>
Cc: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Nitin Gupta <ngupta@vflare.org>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bernie Thompson <bernie@plugable.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jonathan Cameron <jic23@cam.ac.uk>
Cc: Barry Song <Barry.Song@analog.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Taht <d@teklibre.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jakub Schmidtke <sjakub@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Drivers don't need to include <linux/i2c-id.h>, especially not when
they don't use anything that header file provides.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Michael Hunold <michael@mihu.de>
Acked-by: Mauro Carvalho Chehab <mchehab@redhat.com>
A few new i2c-drivers came into the kernel which clear the clientdata-pointer
on exit. This is obsolete meanwhile, so fix it and hope the word will spread.
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Acked-by: Alan Cox <alan@linux.intel.com>
Acked-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
This is a big revert of a lot of -rc1 tidspbridge patches in order to
get the driver back into a working state. It also includes a OMAP patch
that was approved by the OMAP maintainer.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
On 2.6.37-rc1, omap platform internals for SCM have changed,
so the build is broken again.
drivers/staging/tidspbridge/core/tiomap3430.c:26:
fatal error: plat/control.h: No such file or directory
This is a totally ugly layer violation, but needed until
omap_ctrl_set_dsp_boot*() are provided.
Signed-off-by: Felipe Contreras <felipe.contreras@gmail.com>
Signed-off-by: Omar Ramirez Luna <omar.ramirez@ti.com>
There was commented out transfer_flags initialization.
And i think memset should fill entire structure, not only length of
pointer to it.
This makes the driver work properly now on my hardware.
Signed-off-by: Konstantin Katuev <kkatuev@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch fixes bug #13820 from bugzilla.kernel.org.
Quote: "If ETHTOOL_GLINK is not defined, the end for switch case is not
to be found."
Signed-off-by: Maximiliano David Bustos <md.bustos90@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commit e31b82136d ("cfg80211/mac80211:
allow per-station GTKs") changed the signatures of these operations
but did not update the staging drivers.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Remove unnecessary cast of firmware base address to integer before
adding an offset.
Fix direct use of sk_buff::network_header which is an offset rather
than a pointer on 64-bit architectures.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Whenever the mac address of an batman interface is changed
check_known_mac_addr() is called to print a warning if the newly added
mac address exists an another batman interface. While looping through
the batman interface list check_known_mac_addr() only compares mac
addresses and does not make sure they belong to different interfaces,
thus always printing a warning.
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
55d1666b521cbed95924c8d4775fe272c103f08c incidentally disabled bonding
of packets first entering the mesh along with also disabling interface
alternating regardless of where the packet came from. This re-enables
these options.
Signed-off-by: Chris Lang <clang@gateworks.com>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Unmap the rx buffer before mapping the new one in rtl8192_rx.
Failing to do so quickly exhausts the IOMMU memory during downloads:
[...] DMA: Out of SW-IOMMU space for 9100 bytes at device ...
Using "iommu=off mem=4g" also fixes the problem because
then pci_map_single does not allocate memory.
Tested on my personal laptop with a RTL8192E device. Without this
patch the kernel quickly runs out of IOMMU memory (downloading 5 MB
of data is sufficient to trigger it), with this patch applied
I haven't experienced any issues so far.
Signed-off-by: Daniel Lichtenberger <daniel.lichtenberger@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Identation says that copy_to_user() should be called only iff
wrq->u.essid.pointer is not zero. Also it is useless to call copy_to_user(0, ...).
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Add new USB ID for FT2870 for Belkin F6D4050 v1
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported- and Tested-by: James Long <crogonint@yahoo.com>
Cc: Stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Delete successive assignments to the same location. dhd_ops_virt contains
a subset of the definitions of dhd_ops_pri.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@@
expression i;
@@
*i = ...;
i = ...;
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Delete successive assignments to the same location. In three of the cases,
the two assignments are identical. In the case of the file
rt2860/common/cmm_aes.c, the assigned variable i is never used, so both
assignments are dropped.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@@
expression i;
@@
*i = ...;
i = ...;
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This fixes some places that dereference user pointers directly instead
of using get_user().
Please especially check my changes to IOCTL_BCM_GET_CURRENT_STATUS. The
original code modified the struct which "arg" was pointing to. I think
this was a bug in the original code and that we only wanted to write to
the OutputBuffer. Also with the original code you could read as much
memory as you wanted so I had to put a cap on OutputLength. The only
value of OutputLength that makes sense is sizeof(LINK_STATE) so now if
OutputLength is not sizeof(LINK_STATE) it returns -EINVAL.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This silences all the sparse warnings in intel_sst_app_interface.c.
It was just a matter of adding __user annotations, I didn't find any
real bugs here. Quite a few of these were needed for stuff I added
earlier, sorry about that.
I removed a couple casts to (void *) that caused a warning like:
drivers/staging/intel_sst/intel_sst_app_interface.c:606:27:
warning: cast removes address space of expression
For example sst_drv_ctx->mailbox is already declared as
"void __iomem *mailbox" so casting it to void pointer isn't necessary
and it makes sparse complain because it removes the __user attribute.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
There were some places in intel_sst_mmap_play_capture() that
dereferenced user pointers instead of copying the data to the kernel.
I removed the BUG_ON(!mmap_buf) and BUG_ON(!buf_entry) since those are
never possible in the current code.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Vinod Koul <vinod.koul@intel.com>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This is another patch about copying data to the kernel before using it.
SNDRV_SST_STREAM_DECODE is sort of tricky because we need to do a
copy_from_user() that gives us another two pointers and we have copy
those. Those again give us some more pointers that we have to copy.
Besides those problems, the code had a stack overflow:
- struct snd_sst_buff_entry ibuf_temp[param->ibufs->entries],
- obuf_temp[param->obufs->entries];
param->ibufs->entries comes from the user.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This is another patch about making a copy of the data into kernel space
before using it. It is easy to trigger a kernel oops in the original
code. If you passed a NULL to SNDRV_SST_SET_TARGET_DEVICE then it
called BUG_ON(). And SNDRV_SST_DRIVER_INFO would let you write the
information to arbitrary memory locations which is a security violation.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>