Commit Graph

21837 Commits

Author SHA1 Message Date
Al Viro
b2f42cfeeb lustre: don't open-code kernel_recvmsg()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-04-01 23:19:33 -04:00
Al Viro
480f40de91 lustre: switch to kernel_sendmsg()
(casts are due to misannotations in lustre; it uses iovec where kvec would be
correct type; too much noise to properly annotate right now).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-04-01 23:19:31 -04:00
Al Viro
4efcc9ffcd lustre: generic_readlink() is just fine there, TYVM...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-04-01 23:19:15 -04:00
Al Viro
964ea96eba usbip: don't open-code sockfd_lookup/sockfd_put
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-04-01 23:19:09 -04:00
Salva Peiró
084b6e7765 staging/cxt1e1/linux.c: Correct arbitrary memory write in c4_ioctl()
The function c4_ioctl() writes data from user in ifr->ifr_data
to the kernel struct data arg, without any iolen bounds checking.
This can lead to a arbitrary write outside of the struct data arg.
Corrected by adding bounds-checking of iolen before the copy_from_user().

Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-04 16:20:01 -08:00
Greg Kroah-Hartman
d3dae4ad18 Fourth set of IIO fixes for the 3.14 kernel.
A single line patch fixing a regression that was introduced in 3.13 in the
 reworking of the mxs touch screen and ADC drivers to be interrupt rather
 than polling driven.  It resulted in a stray double reporting of the release
 coordinate in the touch screen driver.  The bug lay in the adc side
 of the driver which left the statemachine in the wrong state.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTDOB3AAoJEFSFNJnE9BaIv18P/2qrsuN54bvZSMm5MreGgpPV
 71iDVmlgHohUAawv5mb8/vOYY8+pBcouplp50K3P2ghqOXBoVhTLykPSlkB1obuX
 BsV9I1R7P85yJujy5Xo7e85VznhRUkZwlZsGF4gjR31PTH59PCIvp9QOEynm85gx
 MNNrg3PXXLKgQNfn/X5y/mw/kJPayLnABOgP7PirHBB3SdUV93y0tSl0Kq95Xgsx
 D5Ov5oSPoomXJjtQgINDikTnpsudRsENj37Qr6EykqFz9SmYsSsmO6O/s2l/QiUZ
 HgJqoYpXz023Ir5p2dzLipE3pA2/j27JEvWYz5+uchihnWb6j8CovZy1LHWMoI+I
 YL5T1Kq5fE0xrgDg8I/g2EJxbzRv7It/Yuiiz2jejgUoBgT4kHjA8WlbO6RX4A+t
 Cy1bF686gvpPop35PIiACw41hIE4cOfAMLpSJuP51lyasSWDFI4qvOs8p5MjDXvF
 I+BJ70yalCrZTbYmGuiip9PWUpGDFDhnwIuZ6vJ72cSNQ4VBmS8Ns9YWvj5vXunO
 z9HTFp57CHePcXYj2Y1gw9BdM+saBTTMeRYrjXJXHil5kusovebVsnihICyFaq0g
 i9noEPMVwLuDYRELTsmODwvtaaA+HqFvg8Q+37LCCRxat15s2H34n7BBx41gKmMd
 3ggMpeW3y+X2TVUqM3Fj
 =NZzD
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-3.14d' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

Jonathan writes:

Fourth set of IIO fixes for the 3.14 kernel.

A single line patch fixing a regression that was introduced in 3.13 in the
reworking of the mxs touch screen and ADC drivers to be interrupt rather
than polling driven.  It resulted in a stray double reporting of the release
coordinate in the touch screen driver.  The bug lay in the adc side
of the driver which left the statemachine in the wrong state.
2014-02-28 17:08:03 -08:00
Manu Gupta
260ea9c2e2 staging: r8188eu: Add new device ID
The D-Link DWA-123 REV D1 with USB ID 2001:3310 uses this driver.

Signed-off-by: Manu Gupta <manugupt1@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-24 17:02:31 -08:00
Juergen Beisert
760dbe1dcb staging:iio:adc:MXS:LRADC: fix touchscreen statemachine
Releasing the touchscreen lets the internal statemachine left in a wrong state.
Due to this the release coordinate will be reported again by accident when the next
touchscreen event happens. This change sets up the correct state when waiting
for the next touchscreen event.

This has led to reported issues with calibrating the touchscreen.
Bug was introduced somewhere in the series that began with
18da755de5
Staging/iio/adc/touchscreen/MXS: add proper clock handling
in which the way this driver worked was substantially changed
to be interrupt driven rather than relying on a busy loop.
This was a regression in the 3.13 kernel.

Signed-off-by: Juergen Beisert <jbe@pengutronix.de>
Tested-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-24 21:55:50 +00:00
Linus Torvalds
b9c2b05022 Staging tree fix for 3.14-rc4
Here is a single android driver fix for 3.14-rc4 that fixes a reported
 problem in the binder driver.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlMJLckACgkQMUfUDdst+ynaDwCfVtgwCfLL//Ck5rsI+dPcNoH4
 A4IAnjukxtAABpGDXAezROVpPSvnchRZ
 =zWji
 -----END PGP SIGNATURE-----

Merge tag 'staging-3.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging tree fix from Greg KH:
 "Here is a single android driver fix for 3.14-rc4 that fixes a reported
  problem in the binder driver"

* tag 'staging-3.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: binder: Fix death notifications
2014-02-23 10:39:21 -08:00
Arve Hjønnevåg
e194fd8a5d staging: binder: Fix death notifications
The change (008fa749e0) that moved the
node release code to a separate function broke death notifications in
some cases. When it encountered a reference without a death
notification request, it would skip looking at the remaining
references, and therefore fail to send death notifications for them.

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Cc: stable <stable@vger.kernel.org> # 3.10
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-21 12:30:54 -08:00
Linus Torvalds
b0d3f6d47e Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) kvaser CAN driver has fixed limits of some of it's table, validate
    that we won't exceed those limits at probe time.  Fix from Olivier
    Sobrie.

 2) Fix rtl8192ce disabling interrupts for too long, from Olivier
    Langlois.

 3) Fix botched shift in ath5k driver, from Dan Carpenter.

 4) Fix corruption of deferred packets in TIPC, from Erik Hugne.

 5) Fix newlink error path in macvlan driver, from Cong Wang.

 6) Fix netpoll deadlock in bonding, from Ding Tianhong.

 7) Handle GSO packets properly in forwarding path when fragmentation is
    necessary on egress, from Florian Westphal.

 8) Fix axienet build errors, from Michal Simek.

 9) Fix refcounting of ubufs on tx in vhost net driver, from Michael S
    Tsirkin.

10) Carrier status isn't set properly in hyperv driver, from Haiyang
    Zhang.

11) Missing pci_disable_device() in tulip_remove_one), from Ingo Molnar.

12) AF_PACKET qdisc bypass mode doesn't adhere to driver provided TX
    queue selection method.  Add a fallback method mechanism to fix this
    bug, from Daniel Borkmann.

13) Fix regression in link local route handling on GRE tunnels, from
    Nicolas Dichtel.

14) Bonding can assign dup aggregator IDs in some sequences of
    configuration, fix by making the allocation counter per-bond instead
    of global.  From Jiri Bohac.

15) sctp_connectx() needs compat translations, from Daniel Borkmann.

16) Fix of_mdio PHY interrupt parsing, from Ben Dooks

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (62 commits)
  MAINTAINERS: add entry for the PHY library
  of_mdio: fix phy interrupt passing
  net: ethernet: update dependency and help text of mvneta
  NET: fec: only enable napi if we are successful
  af_packet: remove a stray tab in packet_set_ring()
  net: sctp: fix sctp_connectx abi for ia32 emulation/compat mode
  ipv4: fix counter in_slow_tot
  irtty-sir.c: Do not set_termios() on irtty_close()
  bonding: 802.3ad: make aggregator_identifier bond-private
  usbnet: remove generic hard_header_len check
  gre: add link local route when local addr is any
  batman-adv: fix potential kernel paging error for unicast transmissions
  batman-adv: avoid double free when orig_node initialization fails
  batman-adv: free skb on TVLV parsing success
  batman-adv: fix TT CRC computation by ensuring byte order
  batman-adv: fix potential orig_node reference leak
  batman-adv: avoid potential race condition when adding a new neighbour
  batman-adv: properly check pskb_may_pull return value
  batman-adv: release vlan object after checking the CRC
  batman-adv: fix TT-TVLV parsing on OGM reception
  ...
2014-02-18 15:52:43 -08:00
Daniel Borkmann
99932d4fc0 netdevice: add queue selection fallback handler for ndo_select_queue
Add a new argument for ndo_select_queue() callback that passes a
fallback handler. This gets invoked through netdev_pick_tx();
fallback handler is currently __netdev_pick_tx() as most drivers
invoke this function within their customized implementation in
case for skbs that don't need any special handling. This fallback
handler can then be replaced on other call-sites with different
queue selection methods (e.g. in packet sockets, pktgen etc).

This also has the nice side-effect that __netdev_pick_tx() is
then only invoked from netdev_pick_tx() and export of that
function to modules can be undone.

Suggested-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-02-17 00:36:34 -05:00
Linus Torvalds
e2e481d66c Staging driver fixes for 3.14-rc3
Here are a number (lots, I know) of fixes for staging drivers to resolve
 a bunch of reported issues.
 
 The largest patches here is one revert of a patch that is in 3.14-rc1 to
 fix reported problems, and a sync of a usb host driver that required
 some ARM patches to go in before it could be accepted (which is why it
 missed -rc1).
 
 All of these have been in linux-next for a while with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlL+h+MACgkQMUfUDdst+ymAigCeNfR2pmw6lcNLokbdUJDOBHhX
 tXwAoL4rzSeaRCu1hbTe0q7lXiZDM+yN
 =aMFY
 -----END PGP SIGNATURE-----

Merge tag 'staging-3.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
 "Here are a number (lots, I know) of fixes for staging drivers to
  resolve a bunch of reported issues.

  The largest patches here is one revert of a patch that is in 3.14-rc1
  to fix reported problems, and a sync of a usb host driver that
  required some ARM patches to go in before it could be accepted (which
  is why it missed -rc1)

  All of these have been in linux-next for a while with no reported
  issues"

* tag 'staging-3.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (56 commits)
  staging/rtl8821ae: fix build, depends on MAC80211
  iio: max1363: Use devm_regulator_get_optional for optional regulator
  iio:accel:bma180: Use modifier instead of index in channel specification
  iio: adis16400: Set timestamp as the last element in chan_spec
  iio: ak8975: Fix calculation formula for convert micro tesla to gauss unit
  staging:iio:ad799x fix typo in ad799x_events[]
  iio: mxs-lradc: remove useless scale_available files
  iio: mxs-lradc: fix buffer overflow
  iio:magnetometer:mag3110: Fix output of decimal digits in show_int_plus_micros()
  iio:magnetometer:mag3110: Report busy in _read_raw() / write_raw() when buffer is enabled
  wlags49_h2: Fix overflow in wireless_set_essid()
  xlr_net: Fix missing trivial allocation check
  staging: r8188eu: overflow in rtw_p2p_get_go_device_address()
  staging: r8188eu: array overflow in rtw_mp_ioctl_hdl()
  staging: r8188eu: Fix typo in USB_DEVICE list
  usbip/userspace/libsrc/names.c: memory leak
  gpu: ion: dereferencing an ERR_PTR
  staging: comedi: usbduxsigma: fix unaligned dereferences
  staging: comedi: fix too early cleanup in comedi_auto_config()
  staging: android: ion: dummy: fix an error code
  ...
2014-02-14 16:14:11 -08:00
Randy Dunlap
ddf5eb564d staging/rtl8821ae: fix build, depends on MAC80211
rtl8821ae uses ieee80211 interfaces so it should depend on
MAC80211.  Fixes these build errors:

ERROR: "ieee80211_rx_irqsafe" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_beacon_get_tim" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_unregister_hw" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "rate_control_send_low" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_stop_queue" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_rate_control_register" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "wiphy_to_ieee80211_hw" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_stop_tx_ba_cb_irqsafe" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_tx_status_irqsafe" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_find_sta" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_wake_queue" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_rate_control_unregister" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_register_hw" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_start_tx_ba_session" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_alloc_hw" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_free_hw" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_connection_loss" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!
ERROR: "ieee80211_start_tx_ba_cb_irqsafe" [drivers/staging/rtl8821ae/rtl8821ae.ko] undefined!

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-11 15:57:40 -08:00
Hartmut Knaack
d180371d41 staging:iio:ad799x fix typo in ad799x_events[]
This patch fixes a typo in ad799x_events[], which caused the error "Failed to register event set".

Signed-off-by: Hartmut Knaack <knaack.h@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08 10:12:28 +00:00
Alexandre Belloni
5af473c17a iio: mxs-lradc: remove useless scale_available files
in_voltage8_scale_available and in_voltage9_scale_available are exposed to
userspace but useless as in_voltage8_raw and in_voltage9_raw are not available.

Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08 10:06:33 +00:00
Alexandre Belloni
d4bf105bb6 iio: mxs-lradc: fix buffer overflow
Fixes:
drivers/staging/iio/adc/mxs-lradc.c:1556 mxs_lradc_probe() error: buffer
overflow 'iio->channels' 15 <= 15

The reported available scales for in_voltage15 were also wrong.

The realbits lookup is not necessary as all the channels of the LRADC have the
same resolution, use LRADC_RESOLUTION instead.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08 10:06:30 +00:00
Maurizio Lombardi
6b89db36b3 wlags49_h2: Fix overflow in wireless_set_essid()
This patch prevents the wireless_set_essid() function from overwriting
the last byte of the NetworkName buffer which must be NULL.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:10:08 -08:00
Alan Cox
ad3815a595 xlr_net: Fix missing trivial allocation check
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:10:08 -08:00
Dan Carpenter
e6ff3f4e6d staging: r8188eu: overflow in rtw_p2p_get_go_device_address()
The go_devadd_str[] array is two characters too small to hold the
address so we corrupt memory.

I've changed the user space API slightly and I don't have a way to test
if this breaks anything.  In the original code we truncated away the
last digit of the address and the NUL terminator so it was already a bit
broken.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:10:08 -08:00
Dan Carpenter
893134b084 staging: r8188eu: array overflow in rtw_mp_ioctl_hdl()
MAX_MP_IOCTL_SUBCODE (35) and mp_ioctl_hdl (32 elements) are no longer
in sync.  It leads to a bogus pointer dereference.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:10:08 -08:00
Larry Finger
08951f10ae staging: r8188eu: Fix typo in USB_DEVICE list
There is a typo in the device list that interchanges the vendor and
product codes for one of the entries. This exchange was determined
by noticing that the vendor code is 0x07b8 for Abocom at
http://www.linux-usb.org/usb.ids.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:10:08 -08:00
Heinrich Schuchardt
2a7470d9ff usbip/userspace/libsrc/names.c: memory leak
revised patch

p is freed if NULL.
p is leaked if second calloc fails.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:08:46 -08:00
Dan Carpenter
54de9af9f0 gpu: ion: dereferencing an ERR_PTR
We dereference "heap->task" before checking if it's an ERR_PTR.

Fixes: ea313b5f88 ('gpu: ion: Also shrink memory cached in the deferred free list')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:08:46 -08:00
Ian Abbott
791771e4e0 staging: comedi: usbduxsigma: fix unaligned dereferences
There are a couple of dereferences such as `*(uint32_t
*)(devpriv->insn_buf + 1)` that are unaligned as `devpriv->insn_buf` is
of type `uint8_t *`.  This works on x86 architecture but may not be
supported on other architectures.  Call `get_unalign()` to perform the
unaligned dereferences.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: Bernd Porr <mail@berndporr.me.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:08:46 -08:00
Ian Abbott
f1ffdfcc52 staging: comedi: fix too early cleanup in comedi_auto_config()
`comedi_auto_config()` is usually called from the probe routine of a
low-level comedi driver to allocate and auto-configure a comedi device.
Part of this involves calling the low-level driver's `auto_attach()`
handler, and if that is successful, `comedi_device_postconfig()` tries
to complete the configuration of the comedi device.  If either of those
fail, `comedi_device_detach()` is called to clean up, and
`comedi_release_hardware_device()` is called to remove the dynamically
allocated comedi device.

Unfortunately, `comedi_device_detach()` clears the `hw_dev` member of
the `struct comedi_device` (indirectly via `comedi_clear_hw_dev()`), and
that stops `comedi_release_hardware_device()` finding the comedi device
associated with the hardware device, so the comedi device won't be
removed properly.

Since `comedi_release_hardware_device()` also calls
`comedi_device_detach()` (assuming it finds the comedi device associated
with the hardware device), the fix is to remove the direct call to
`comedi_device_detach()` from `comedi_auto_config()` and let the call to
`comedi_release_hardware_device()` take care of it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:08:46 -08:00
Dan Carpenter
630127f367 staging: android: ion: dummy: fix an error code
We should be returning -ENOMEM here instead of zero.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 11:08:46 -08:00
Cédric Dufour - Idiap Research Institute
8b9e418c01 staging: lustre: fix quotactl permission denied (LU-4530)
The changes introduced in commit 4b1a25f06b ("fix build when
CONFIG_UIDGID_STRICT_TYPE_CHECKS is on") got the UID check the wrong way
around, leading to "Permission denied" when a regular user attempts to
retrieve his quota (lfs quota -u ...) but allowing him to retrieve other
users quota.

Full details at: https://jira.hpdd.intel.com/browse/LU-4530

Cc: Peng Tao <tao.peng@emc.com>
Cc: <stable@vger.kernel.org> # 3.12.x
Cc: <stable@vger.kernel.org> # 3.13.x
Signed-off-by: Cédric Dufour <cedric.dufour@idiap.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:53:12 -08:00
Prakash Kamliya
ac5b705b22 staging: android: sync: Signal pt before sync_timeline object gets destroyed
There is a race condition

Assume we have *one* sync_fence object, with *one* sync_pt
which belongs to *one* sync_timeline, given this condition,
sync_timeline->kref will have two counts, one for sync_timeline
(implicit) and another for sync_pt.

Assume following is the situation on CPU

Theead-1 : (Thread which calls sync_timeline_destroy())
  -> (some function calls)
   -> sync_timeline_destory()
    -> sync_timeline_signal() (CPU is inside this
function after putting reference to sync_timeline)

At this time Thread-2 comes and does following

Thread-2 : (fclose on fence fd)
> sync_fence_release() -> because of fclose() on fence object
 -> sync_fence_free()
  -> sync_pt_free()
   -> kref_put(&pt->parent->kref, sync_timeline_free);
    -> sync_timeline_free() (CPU is inside this because
this time kref will be zero after _put)

Thread-2 will free sync_timeline object before Thread-1
has finished its work inside sync_timeline_signal.

With this change we signals all sync_pt before putting
reference to sync_timeline object.

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Prakash Kamliya <pkamliya@codeaurora.org>
[jstultz: minor commit subject tweak]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:36:27 -08:00
H Hartley Sweeten
1e85c1ea1f staging: comedi: adv_pci1710: fix analog output readback value
The last value written to a analog output channel is cached in the
private data of this driver for readback.

Currently, the wrong value is cached in the (*insn_write) functions.
The current code stores the data[n] value for readback afer the loop
has written all the values. At this time 'n' points past the end of
the data array.

Fix the functions by using a local variable to hold the data being
written to the analog output channel. This variable is then used
after the loop is complete to store the readback value. The current
value is retrieved before the loop in case no values are actually
written..

Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:19:30 -08:00
Dan Carpenter
7a081ea20e staging: r8188eu: memory corruption handling long ssids
We should cap the SSID length at NDIS_802_11_LENGTH_SSID (32) characters
to avoid memory corruption.  If the SSID is too long then I have opted
to ignore it instead of truncating it.

We don't need to clear bssid->Ssid.Ssid[0] because this struct is
allocated with rtw_zmalloc()

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:19:30 -08:00
Alexey Khoroshilov
d3a874e899 staging: gdm72xx: fix leaks at failure path in gdm_usb_probe()
Error handling code in gdm_usb_probe() misses to deallocate
tx_ and rx_structs and to do usb_put_dev().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:19:30 -08:00
Greg Kroah-Hartman
ead00ddca0 Revert "Staging: dgrp: Refactor the function dgrp_receive() in drrp_net_ops.c"
This reverts commit b73db54750.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reported-by: Chen Gang <gang.chen.5i5j@gmail.com>
Cc: Rashika Kheria <rashika.kheria@gmail.com>
Cc: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:16:38 -08:00
Salym Senyonga
0010b79d56 Staging: ozwpan: Fix null dereference
If net_dev is NULL memcpy() will Oops.

Signed-off-by: Salym Senyonga <salymsash@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:15:35 -08:00
Shuah Khan
8360fb0d9c staging/usbip: Fix vhci_hcd attach failure error message to be informative
When attach fails due to unsupported and/or invalid bus speed, the message
vhci_hcd prints out doesn't include any useful information as to what caused
the failure. Change the message to be informative and use usb_speed_string()
to get the right speed string from usb common.

Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:15:35 -08:00
Surendra Patil
fdf2f40c6c staging: rtl8821ae: Fixed the size of array to macro as discussed by Linus
Linus Torvalds writes:

It causes an interesting warning for me:

drivers/staging/rtl8821ae/rtl8821ae/dm.c: In function
‘rtl8821ae_dm_clear_txpower_tracking_state’:
drivers/staging/rtl8821ae/rtl8821ae/dm.c:487:31: warning: iteration 2u
invokes undefined behavior [-Waggressive-loop-optimizations]
   rtldm->bb_swing_idx_ofdm[p] = rtldm->default_ofdm_index;
                               ^
drivers/staging/rtl8821ae/rtl8821ae/dm.c:485:2: note: containing loop
  for (p = RF90_PATH_A; p < MAX_RF_PATH; ++p) {
  ^

and gcc is entirely correct: that loop iterates from 0 to 3, and does this:

                rtldm->bb_swing_idx_ofdm[p] = rtldm->default_ofdm_index;

but the bb_swing_idx_ofdm[] array only has two members. So the last
two iterations will overwrite bb_swing_idx_ofdm_current and the first
entry in bb_swing_idx_ofdm_base[].

Now, the bug does seem to be benign: bb_swing_idx_ofdm_current isn't
actually ever *used* as far as I can tell, and the first entry of
bb_swing_idx_ofdm_base[] will have been written with that same
"rtldm->default_ofdm_index" value.

But gcc is absolutely correct, and that driver needs fixing.

I've pulled it and will let it be because it doesn't seem to be an
issue in practice, but please fix it. The obvious fix would seem to
change the size of "2" to be "MAX_RF_PATH", but I'll abstain from
doing those kinds of changes in the merge when it doesn't seem to
affect the build or functionality).

Reported-By: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Surendra Patil <surendra.tux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:15:35 -08:00
David Daney
b91619c284 staging: octeon-usb: Probe via device tree populated platform device.
Extract clocking parameters from the device tree, and remove now dead
code and types.

Signed-off-by: David Daney <david.daney@cavium.com>
Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:11:28 -08:00
Oleg Drokin
1ea98e4c44 lustre: add myself to list of people to CC on lustre patches
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:09:38 -08:00
Oleg Drokin
18e042f0c9 lustre: Correct KUC code max changelog msg size
The kernel to userspace communication routines (KUC) allocate
and limit the maximum cs_buf size to CR_MAXSIZE.  However this
fails to account for the fact that the buffer is assumed to begin
with a struct kuc_hdr.  To allocate and account for that space,
we introduce a new define, KUC_CHANGELOG_MSG_MAXSIZE.

Signed-off-by: Christopher J. Morrone <morrone2@llnl.gov>
Reviewed-on: http://review.whamcloud.com/7406
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3587
Reviewed-by: Andreas Dilger <andreas.dilger@intel.com>
Reviewed-by: jacques-Charles Lafoucriere <jacques-charles.lafoucriere@cea.fr>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:09:38 -08:00
Oleg Drokin
910827f174 lustre: Account for changelog_ext_rec in CR_MAXSIZE
CR_MAXSIZE needs to account for an llog_changelog_rec that actually
contains a changelog_ext_rec structure rather than a changelog_rec.
With out doing so, a file size approaching the Linux kernel NAME_MAX
length that is renamed to a size also close to, or at, NAME_MAX will
exceed CR_MAXSIZE and trip an assertion.

Signed-off-by: Christopher J. Morrone <morrone2@llnl.gov>
Reviewed-on: http://review.whamcloud.com/6993
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3587
Reviewed-by: Niu Yawei <yawei.niu@intel.com>
Reviewed-by: Lai Siyao <lai.siyao@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:09:38 -08:00
Oleg Drokin
aadbacc7f2 staging/lustre/lnet: Fix use after free in ksocknal_send
Call to ksocknal_launch_packet might schedule a callback that
might free the just sent message, and so subsequent access to it
via lntmsg->msg_vmflush goes to freed memory.

Instead we'll just remember if we are in the vmflush thread and
only restore if we happened to set mempressure flag.

Signed-off-by: Oleg Drokin <oleg.drokin@intel.com>
Reviewed-on: http://review.whamcloud.com/8667
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-4360
Reviewed-by: Liang Zhen <liang.zhen@intel.com>
Reviewed-by: Amir Shehata <amir.shehata@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:09:38 -08:00
Oleg Drokin
52481e4b00 staging/lustre: fix compile warning with is_vmalloc_addr
Recent commit 175f5475fb
introduced this compile warning (because vaddr is unsigned long),
so add a cast:
drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c: In function ‘kiblnd_kvaddr_to_page’:
drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:532:2: warning: passing argument 1 of ‘is_vmalloc_addr’ makes pointer from integer without a cast [enabled by default]
  if (is_vmalloc_addr(vaddr)) {
  ^
In file included from drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.h:43:0,
                 from drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:41:
include/linux/mm.h:336:59: note: expected ‘const void *’ but argument is of type ‘long unsigned int’
 static inline int is_vmalloc_addr(const void *x)

Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
CC: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:05:00 -08:00
Marek Szyprowski
1ebf5b72dc staging: lustre: fix GFP_ATOMIC macro usage
GFP_ATOMIC is not a single gfp flag, but a macro which expands to the other
flags and LACK of __GFP_WAIT flag. To check if caller wanted to perform an
atomic allocation, the code must test __GFP_WAIT flag presence.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:05:00 -08:00
John Stultz
a33b2fc5a9 staging: ion: Fix build warning
Add #include <linux/device.h> to fix the following warning seen
with gcc 4.7.3:

In file included from drivers/staging/android/ion/ion_heap.c:26:0:
drivers/staging/android/ion/ion_priv.h:358:21: warning: ‘struct device’ declared inside parameter list [enabled by default]
drivers/staging/android/ion/ion_priv.h:358:21: warning: its scope is only this definition or declaration, which is probably not what you want [enabled by default]

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:03:16 -08:00
Laura Abbott
8666a87611 staging: ion: Fix ION_IOC_FREE compat ioctl
The compat ioctl for ION_IOC_FREE currently passes allocation data
instead of the free data. Correct this.

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
[jstultz: Folded in a small build fix]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:03:16 -08:00
Colin Cross
c9e8440eca staging: ion: Fix overflow and list bugs in system heap
Fix a few bugs in ion_system_heap:

Initialize the list node in the info block.

Don't store size_remaining in a signed long, allocating >2GB
could overflow, resulting in a call to sg_alloc_table with
nents=0 which panics.  alloc_largest_available will never
return a block larger than size_remanining, so it can never
go negative.

Limit a single allocation to half of all memory.  Prevents a
large allocation from taking down the whole system.

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Colin Cross <ccross@android.com>
[jstultz: Minor commit subject tweak]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:03:16 -08:00
Todd Poynor
077f6db973 staging: ashmem: Avoid deadlock between read and mmap calls
Avoid holding ashmem_mutex across code that can page fault.  Page faults
grab the mmap_sem for the process, which are also held by mmap calls
prior to calling ashmem_mmap, which locks ashmem_mutex.  The reversed
order of locking between the two can deadlock.

The calls that can page fault are read() and the ASHMEM_SET_NAME and
ASHMEM_GET_NAME ioctls.  Move the code that accesses userspace pages
outside the ashmem_mutex.

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Todd Poynor <toddpoynor@google.com>
[jstultz: minor commit message tweaks]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:03:16 -08:00
Alistair Strachan
5cf045f54d staging: sync: Fix a race condition between release_obj and print_obj
Before this change, a timeline would only be removed from the timeline
list *after* the sync driver had its release_obj() called. However, the
driver's release_obj() may free resources needed by print_obj().

Although the timeline list is locked when print_obj() is called, it is
not locked when release_obj() is called. If one CPU was in print_obj()
when another was in release_obj(), the print_obj() may make unsafe
accesses.

It is not actually necessary to hold the timeline list lock when calling
release_obj() if the call is made after the timeline is unlinked from
the list, since there is no possibility another thread could be in --
or enter -- print_obj() for that timeline.

This change moves the release_obj() call to after the timeline is
unlinked, preventing the above race from occurring.

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com>
[jstultz: minor commit subject tweak]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:03:16 -08:00
Greg Hackmann
bbd9ae8a05 staging: sw_sync: Add stubs for kernels without CONFIG_SW_SYNC
Add stubs for kernels without CONFIG_SW_SYNC

Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
[jstultz: resolved minor conflict, tweaked commit message]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:03:16 -08:00
Paul Gortmaker
102f1a2a49 staging: don't use module_init in non-modular ion_dummy_driver.c
The ION_DUMMY option is bool, and hence this code is either
present or absent.  It will never be modular, so using
module_init as an alias for __initcall is rather misleading.

Fix this up now, so that we can relocate module_init from
init.h into module.h in the future.  If we don't do this, we'd
have to add module.h to obviously non-modular code, and that
would be a worse thing.

Note that direct use of __initcall is discouraged, vs. one
of the priority categorized subgroups.  As __initcall gets
mapped onto device_initcall, our use of device_initcall
directly in this change means that the runtime impact is
zero -- it will remain at level 6 in initcall ordering.

Cc: Colin Cross <ccross@android.com>
Cc: Jesse Barker <jesse.barker@arm.com>
Cc: Android Kernel Team <kernel-team@android.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07 09:01:09 -08:00