summaryrefslogtreecommitdiffstats
path: root/drivers/staging
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'v4l_for_linus' of ↵Linus Torvalds2014-05-212-4/+11
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: "Most of the changes are drivers fixes (rtl28xuu, fc2580, ov7670, davinci, gspca, s5p-fimc and s5c73m3). There is also a compat32 fix and one infoleak fixup at the media controller" * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: [media] V4L2: fix VIDIOC_CREATE_BUFS in 64- / 32-bit compatibility mode [media] V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel from user-space [media] media-device: fix infoleak in ioctl media_enum_entities() [media] fc2580: fix tuning failure on 32-bit arch [media] Prefer gspca_sonixb over sn9c102 for all devices [media] media: davinci: vpfe: make sure all the buffers unmapped and released [media] staging: media: davinci: vpfe: make sure all the buffers are released [media] media: davinci: vpbe_display: fix releasing of active buffers [media] media: davinci: vpif_display: fix releasing of active buffers [media] media: davinci: vpif_capture: fix releasing of active buffers [media] s5p-fimc: Fix YUV422P depth [media] s5c73m3: Add missing rename of v4l2_of_get_next_endpoint() function [media] rtl28xxu: silence error log about disabled rtl2832_sdr module [media] rtl28xxu: do not hard depend on staging SDR module
| * [media] Prefer gspca_sonixb over sn9c102 for all devicesJean Delvare2014-04-151-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sn9c102 driver is deprecated. It was moved to staging in anticipation of its removal in a future kernel version. However, USB devices 0C45:6024 and 0C45:6025 are still handled by sn9c102 when both sn9c102 and gspca_sonixb are enabled. We must migrate all the users of these devices to the gspca_sonixb driver now, so that it gets sufficient testing before the sn9c102 driver is finally phased out. Signed-off-by: Jean Delvare <jdelvare@suse.de> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
| * [media] staging: media: davinci: vpfe: make sure all the buffers are releasedLad, Prabhakar2014-04-151-2/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | from commit-id: b3379c6201bb3555298cdbf0aa004af260f2a6a4 "vb2: only call start_streaming if sufficient buffers are queued" the vb2 framework warns on (WARN_ON()) if all the active buffers are not released when streaming is stopped, initially the vb2 silently released the buffer internally if the buffer was not released by the driver. This patch fixes following issue: WARNING: CPU: 0 PID: 2049 at drivers/media/v4l2-core/videobuf2-core.c:2011 __vb2_queue_cancel+0x1a0/0x218() Modules linked in: CPU: 0 PID: 2049 Comm: vpfe_video Tainted: G W 3.14.0-rc5-00414-ged97a6f #89 [<c000e3f0>] (unwind_backtrace) from [<c000c618>] (show_stack+0x10/0x14) [<c000c618>] (show_stack) from [<c001adb0>] (warn_slowpath_common+0x68/0x88) [<c001adb0>] (warn_slowpath_common) from [<c001adec>] (warn_slowpath_null+0x1c/0x24) [<c001adec>] (warn_slowpath_null) from [<c0252e0c>] (__vb2_queue_cancel+0x1a0/0x218) [<c0252e0c>] (__vb2_queue_cancel) from [<c02533a4>] (vb2_queue_release+0x14/0x24) [<c02533a4>] (vb2_queue_release) from [<c025a65c>] (vpfe_release+0x60/0x230) [<c025a65c>] (vpfe_release) from [<c023fe5c>] (v4l2_release+0x34/0x74) [<c023fe5c>] (v4l2_release) from [<c00b4a00>] (__fput+0x80/0x224) [<c00b4a00>] (__fput) from [<c00341e8>] (task_work_run+0xa0/0xd0) [<c00341e8>] (task_work_run) from [<c001cc28>] (do_exit+0x244/0x918) [<c001cc28>] (do_exit) from [<c001d344>] (do_group_exit+0x48/0xdc) [<c001d344>] (do_group_exit) from [<c0029894>] (get_signal_to_deliver+0x2a0/0x5bc) [<c0029894>] (get_signal_to_deliver) from [<c000b888>] (do_signal+0x78/0x3a0) [<c000b888>] (do_signal) from [<c000bc54>] (do_work_pending+0xa4/0xb4) [<c000bc54>] (do_work_pending) from [<c00096dc>] (work_pending+0xc/0x20) ---[ end trace 5faa75e8c2f8a6a1 ]--- ------------[ cut here ]------------ WARNING: CPU: 0 PID: 2049 at drivers/media/v4l2-core/videobuf2-core.c:1095 vb2_buffer_done+0x1e0/0x224() Modules linked in: CPU: 0 PID: 2049 Comm: vpfe_video Tainted: G W 3.14.0-rc5-00414-ged97a6f #89 [<c000e3f0>] (unwind_backtrace) from [<c000c618>] (show_stack+0x10/0x14) [<c000c618>] (show_stack) from [<c001adb0>] (warn_slowpath_common+0x68/0x88) [<c001adb0>] (warn_slowpath_common) from [<c001adec>] (warn_slowpath_null+0x1c/0x24) [<c001adec>] (warn_slowpath_null) from [<c0252c28>] (vb2_buffer_done+0x1e0/0x224) [<c0252c28>] (vb2_buffer_done) from [<c0252e3c>] (__vb2_queue_cancel+0x1d0/0x218) [<c0252e3c>] (__vb2_queue_cancel) from [<c02533a4>] (vb2_queue_release+0x14/0x24) [<c02533a4>] (vb2_queue_release) from [<c025a65c>] (vpfe_release+0x60/0x230) [<c025a65c>] (vpfe_release) from [<c023fe5c>] (v4l2_release+0x34/0x74) [<c023fe5c>] (v4l2_release) from [<c00b4a00>] (__fput+0x80/0x224) [<c00b4a00>] (__fput) from [<c00341e8>] (task_work_run+0xa0/0xd0) [<c00341e8>] (task_work_run) from [<c001cc28>] (do_exit+0x244/0x918) [<c001cc28>] (do_exit) from [<c001d344>] (do_group_exit+0x48/0xdc) [<c001d344>] (do_group_exit) from [<c0029894>] (get_signal_to_deliver+0x2a0/0x5bc) [<c0029894>] (get_signal_to_deliver) from [<c000b888>] (do_signal+0x78/0x3a0) [<c000b888>] (do_signal) from [<c000bc54>] (do_work_pending+0xa4/0xb4) [<c000bc54>] (do_work_pending) from [<c00096dc>] (work_pending+0xc/0x20) ---[ end trace 5faa75e8c2f8a6a2 ]--- Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
* | staging: rtl8723au: Do not reset wdev->iftype in netdev_close()Jes Sorensen2014-05-161-2/+0
| | | | | | | | | | | | | | | | wdev->ifdev should be set by .change_virtual_intf(). This solves the problem of WARN() messages on module unload. Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | staging: rtl8723au: Use correct pipe type for USB interruptsJes Sorensen2014-05-161-1/+1
| | | | | | | | | | | | | | | | | | Use a correct pipe type when filling un interrupt urbs. This should finally take care of the WARN() messages on the console when USB urbs are submitted. Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge branch 'imx-drm-fixes-urgent' of ↵Greg Kroah-Hartman2014-05-062-2/+7
|\ \ | | | | | | | | | | | | | | | git://ftp.arm.linux.org.uk/~rmk/linux-arm into staging-linus imx drm fixes from Russell
| * | imx-drm: imx-tve: correct DDC property name to 'ddc-i2c-bus'Shawn Guo2014-04-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 62e3879 (imx-drm: imx-tve: Fix DDC I2C bus property) was trying to use 'ddc-i2c-bus' as the DDC property name (we can see that from the commit log), but unfortunately 'i2c-ddc-bus' which is a typo was actually used in the code. This results in some unnecessary inconsistency and confusions, because all the documented DDC property in device tree bindings use 'ddc-i2c-bus'. Documentation/devicetree/bindings/staging/imx-drm/hdmi.txt Documentation/devicetree/bindings/panel/simple-panel.txt Documentation/devicetree/bindings/video/dvi-connector.txt Let's fix it before the error spreads. Signed-off-by: Shawn Guo <shawn.guo@freescale.com> Acked-by: Philipp Zabel <p.zabel@pengutronix.de> Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
| * | imx-drm: imx-drm-core: skip components whose parent device is disabledShawn Guo2014-04-191-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In a board setup which disables LDB device node completely by changing status to 'disabled', and only enables HDMI device, we're running into the problem that imx-drm master never succeeds in binding, and hence HDMI does not come up either. &ldb { status = "disabled"; lvds-channel@1 { ... status = "okay"; }; }; The imx-drm-core should really skip the LVDS channels no matter what lvds-channel's status is, if LDB device is disabled. Let's consider such setup a misconfiguration, give a warning in there and not add the component. Signed-off-by: Shawn Guo <shawn.guo@freescale.com> Acked-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
| * | imx-drm: imx-drm-core: fix imx_drm_encoder_get_mux_idPhilipp Zabel2014-04-191-1/+1
| |/ | | | | | | | | | | | | | | | | | | The decoder mux id is equal to the port id of the encoder's input port that is connected to the given crtc, not to the endpoint id (which is arbitrary and usually zero). Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Tested-by: Shawn Guo <shawn.guo@freescale.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* | Merge tag 'iio-fixes-for-3.15b' of ↵Greg Kroah-Hartman2014-04-301-1/+2
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus Jonathan writes: Second set of fixes for IIO in the 3.15 cycle. * ad2s1200 - Fix some missing parenthesis in a for statement that could have led to an error being missed when getting gpios. * Fix a null derefference issue in the mpu6050 when platform data is not provided (or is provided via the device tree for example). * exynos_adc bug on remove due to child devices having been added to the parent of the IIO device rather than the IIO device itself. This caused an issue with the IIO device removing itself in it's remove function. * Make all ADC drivers buildable as modules to avoid dependency issues if the IIO core is itself built as a module. The exynos adc bug became apparently whilst this fix was being tested.
| * | staging:iio:ad2s1200 fix missing parenthesis in a for statment.Jimmy Li2014-04-261-1/+2
| | | | | | | | | | | | | | | Signed-off-by: Jimmy Li <coder.liss@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
* | | staging: comedi: usbdux: bug fix for accessing 'ao_chanlist' in private dataH Hartley Sweeten2014-04-231-6/+3
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In usbdux_ao_cmd(), the channels for the command are transfered from the cmd->chanlist and stored in the private data 'ao_chanlist'. The channel numbers are bit-shifted when stored so that they become the "command" that is transfered to the device. The channel to command conversion results in the 'ao_chanlist' having these values for the channels: channel 0 -> ao_chanlist = 0x00 channel 1 -> ao_chanlist = 0x40 channel 2 -> ao_chanlist = 0x80 channel 3 -> ao_chanlist = 0xc0 The problem is, the usbduxsub_ao_isoc_irq() function uses the 'chan' value from 'ao_chanlist' to access the 'ao_readback' array in the private data. So instead of accessing the array as 0, 1, 2, 3, it accesses it as 0x00, 0x40, 0x80, 0xc0. Fix this by storing the raw channel number in 'ao_chanlist' and doing the bit-shift when creating the command. Fixes: a998a3db530bff80 "staging: comedi: usbdux: cleanup the private data 'outBuffer'" Cc: stable <stable@vger.kernel.org> # 3.12 Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Acked-by: Bernd Porr <mail@berndporr.me.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge tag 'iio-fixes-for-3.15a' of ↵Greg Kroah-Hartman2014-04-222-1/+2
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus Jonathan writes: First found of IIO fixes for the 3.15 cycle. * Fix the platform data support for the at91 adc driver. * A couple of related follow up patches get the support working again for at91sam9260 and at91sam9g45 as the earlier patch results in a device name change. * A default timer value in the at91 adc driver was bonkers. Make it sane. * Fix incorrect reporting of the integration time for the cm32181 light sensor * Fix a missing break in the ad2s1200 driver which would have give a false error return. * Make sure buffer scan mask queries from userspace return 0/1 rather than a fairly random value depending on their implementation of test_bit * Fix leak of the i2c client and a null pointer dereference in the cm36651 driver. * Fix a build warning on avr32 for the mxs-lradc (not exactly a critical combination - but the issue was real).
| * | iio: adc: mxs-lradc: fix warning when buidling on avr32Alexandre Belloni2014-03-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes: drivers/staging/iio/adc/mxs-lradc.c: In function 'mxs_lradc_probe': drivers/staging/iio/adc/mxs-lradc.c:1558: warning: comparison of distinct pointer types lacks a cast drivers/staging/iio/adc/mxs-lradc.c:1558: warning: right shift count >= width of type drivers/staging/iio/adc/mxs-lradc.c:1558: warning: passing argument 1 of '__div64_32' from incompatible pointer type When building on avr32. Reported-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
| * | staging:iio:ad2s1200 fix a missing breakJimmy Li2014-03-221-0/+1
| | | | | | | | | | | | | | | Signed-off-by: Jimmy Li <coder.liss@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
* | | Merge tag 'staging-3.15-rc2' of ↵Linus Torvalds2014-04-1852-19978/+154
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are a few staging driver fixes for issues that have been reported for 3.15-rc2. Also dominating the diffstat for the pull request is the removal of the rtl8187se driver. It's no longer needed in staging as a "real" driver for this hardware is now merged in the tree in the "correct" location in drivers/net/ All of these patches have been tested in linux-next" * tag 'staging-3.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: r8188eu: Fix case where ethtype was never obtained and always be checked against 0 staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0 staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return NULL staging: comedi: fix circular locking dependency in comedi_mmap() staging: r8723au: Add missing initialization of change_inx in sort algorithm Staging: unisys: use after free in list_for_each() staging: unisys: use after free in error messages staging: speakup: fix misuse of kstrtol() in handle_goto() staging: goldfish: Call free_irq in error path staging: delete rtl8187se wireless driver staging: rtl8723au: Fix buffer overflow in rtw_get_wfd_ie() staging: gs_fpgaboot: remove __TIMESTAMP__ macro staging: vme: fix memory leak in vme_user_probe() staging: fpgaboot: clean up Makefile staging/usbip: fix store_attach() sscanf return value check staging/usbip: userspace - fix usbipd SIGSEGV from refresh_exported_devices() staging: rtl8188eu: remove spaces, correct counts to unbreak P2P ioctls staging/rtl8821ae: Fix OOM handling in _rtl_init_deferred_work()
| * | | staging: r8188eu: Fix case where ethtype was never obtained and always be ↵Larry Finger2014-04-161-9/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | checked against 0 Zero-initializing ether_type masked that the ether type would never be obtained for 8021x packets and the comparison against eapol_type would always fail. Reported-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: r8712u: Fix case where ethtype was never obtained and always be ↵Larry Finger2014-04-161-7/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | checked against 0 Zero-initializing ether_type masked that the ether type would never be obtained for 8021x packets and the comparison against eapol_type would always fail. Reported-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return ↵Larry Finger2014-04-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | NULL This makes the follow-on check for psta != NULL pointless and makes the whole exercise rather pointless. This is another case of why blindly zero-initializing variables when they are declared is bad. Reported-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: comedi: fix circular locking dependency in comedi_mmap()Ian Abbott2014-04-163-6/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mmapping a comedi data buffer with lockdep checking enabled produced the following kernel debug messages: ====================================================== [ INFO: possible circular locking dependency detected ] 3.5.0-rc3-ija1+ #9 Tainted: G C ------------------------------------------------------- comedi_test/4160 is trying to acquire lock: (&dev->mutex#2){+.+.+.}, at: [<ffffffffa00313f4>] comedi_mmap+0x57/0x1d9 [comedi] but task is already holding lock: (&mm->mmap_sem){++++++}, at: [<ffffffff810c96fe>] vm_mmap_pgoff+0x41/0x76 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&mm->mmap_sem){++++++}: [<ffffffff8106d0e8>] lock_acquire+0x97/0x105 [<ffffffff810ce3bc>] might_fault+0x6d/0x90 [<ffffffffa0031ffb>] do_devinfo_ioctl.isra.7+0x11e/0x14c [comedi] [<ffffffffa003227f>] comedi_unlocked_ioctl+0x256/0xe48 [comedi] [<ffffffff810f7fcd>] vfs_ioctl+0x18/0x34 [<ffffffff810f87fd>] do_vfs_ioctl+0x382/0x43c [<ffffffff810f88f9>] sys_ioctl+0x42/0x65 [<ffffffff81415c62>] system_call_fastpath+0x16/0x1b -> #0 (&dev->mutex#2){+.+.+.}: [<ffffffff8106c528>] __lock_acquire+0x101d/0x1591 [<ffffffff8106d0e8>] lock_acquire+0x97/0x105 [<ffffffff8140c894>] mutex_lock_nested+0x46/0x2a4 [<ffffffffa00313f4>] comedi_mmap+0x57/0x1d9 [comedi] [<ffffffff810d5816>] mmap_region+0x281/0x492 [<ffffffff810d5c92>] do_mmap_pgoff+0x26b/0x2a7 [<ffffffff810c971a>] vm_mmap_pgoff+0x5d/0x76 [<ffffffff810d493f>] sys_mmap_pgoff+0xc7/0x10d [<ffffffff81004d36>] sys_mmap+0x16/0x20 [<ffffffff81415c62>] system_call_fastpath+0x16/0x1b other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&mm->mmap_sem); lock(&dev->mutex#2); lock(&mm->mmap_sem); lock(&dev->mutex#2); *** DEADLOCK *** To avoid the circular dependency, just try to get the lock in `comedi_mmap()` instead of blocking. Since the comedi device's main mutex is heavily used, do a down-read of its `attach_lock` rwsemaphore instead. Trying to down-read `attach_lock` should only fail if some task has down-write locked it, and that is only done while the comedi device is being attached to or detached from a low-level hardware device. Unfortunately, acquiring the `attach_lock` doesn't prevent another task replacing the comedi data buffer we are trying to mmap. The details of the buffer are held in a `struct comedi_buf_map` and pointed to by `s->async->buf_map` where `s` is the comedi subdevice whose buffer we are trying to map. The `struct comedi_buf_map` is already reference counted with a `struct kref`, so we can stop it being freed prematurely. Modify `comedi_mmap()` to call new function `comedi_buf_map_from_subdev_get()` to read the subdevice's current buffer map pointer and increment its reference instead of accessing `async->buf_map` directly. Call `comedi_buf_map_put()` to decrement the reference once the buffer map structure has been dealt with. (Note that `comedi_buf_map_put()` does nothing if passed a NULL pointer.) `comedi_buf_map_from_subdev_get()` checks the subdevice's buffer map pointer has been set and the buffer map has been initialized enough for `comedi_mmap()` to deal with it (specifically, check the `n_pages` member has been set to a non-zero value). If all is well, the buffer map's reference is incremented and a pointer to it is returned. The comedi subdevice's spin-lock is used to protect the checks. Also use the spin-lock in `__comedi_buf_alloc()` and `__comedi_buf_free()` to protect changes to the subdevice's buffer map structure pointer and the buffer map structure's `n_pages` member. (This checking of `n_pages` is a bit clunky and I [Ian Abbott] plan to deal with it in the future.) Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Cc: <stable@vger.kernel.org> # 3.14.x, 3.15.x Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: r8723au: Add missing initialization of change_inx in sort algorithmGeert Uytterhoeven2014-04-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | drivers/staging/rtl8723au/core/rtw_wlan_util.c: In function ‘WMMOnAssocRsp23a’: drivers/staging/rtl8723au/core/rtw_wlan_util.c:684: warning: ‘change_inx’ may be used uninitialized in this function Depending on the uninitialized data on the stack, the array may not be sorted correctly. Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | Staging: unisys: use after free in list_for_each()Dan Carpenter2014-04-162-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These should be using the _safe version of list_for_each() because we free the current element and it leads to a use after free bug. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: unisys: use after free in error messagesDan Carpenter2014-04-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We dereference "bus" when we report the error so we have to move the kfree() down a couple lines. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: speakup: fix misuse of kstrtol() in handle_goto()Daeseok Youn2014-04-161-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A string of goto_buf has a number followed by x or y. e.g. "3x" means move 3 lines down. The kstrtol() returns an error(-EINVAL) with this string so go_pos has unsigned a value of that error. And also "*cp" has not expected value. And fix sparse warnings: drivers/staging/speakup/main.c:1901 handle_goto() warn: unsigned '(speakup_console[vc->vc_num]->go_pos)' is never less than zero. drivers/staging/speakup/main.c:1911 handle_goto() warn: unsigned '(speakup_console[vc->vc_num]->go_pos)' is never less than zero. Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: goldfish: Call free_irq in error pathTuomas Tynkkynen2014-04-161-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If misc_register failed in goldfish_audio_probe, the already requested IRQ wouldn't get freed. Add a call to free_irq() like there is in goldfish_audio_remove(). Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> Acked-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: delete rtl8187se wireless driverGreg Kroah-Hartman2014-04-1631-19847/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is a "real" driver for this hardware now in drivers/net/ so remove the staging version as it's not needed anymore. Reported-by: Xose Vazquez Perez <xose.vazquez@gmail.com> Cc: Larry Finger <Larry.Finger@lwfinger.net> Cc: John W. Linville" <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: rtl8723au: Fix buffer overflow in rtw_get_wfd_ie()Jes Sorensen2014-04-154-38/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add bounds checking to not allow WFD Information Elements larger than 128, and make sure we use the correct buffer size MAX_WFD_IE_LEN instea of hardcoding the size. This also simplifies rtw_get_wfd_ie() by using the cfg80211 infrastructure. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: gs_fpgaboot: remove __TIMESTAMP__ macroArnd Bergmann2014-04-151-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We specifically build the kernel with -Werror=date-time to detect such macros, which gives us this error: gs_fpgaboot/gs_fpgaboot.c:376:44: error: macro "__TIMESTAMP__" might prevent reproducible builds [-Werror=date-time] pr_info("built at %s UTC\n", __TIMESTAMP__); The obvious fix is to remove the printk output line. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Insop Song <insop.song@gainspeed.com> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: vme: fix memory leak in vme_user_probe()Daeseok Youn2014-04-151-6/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If vme_master_request() returns NULL when it failed, it need to free buffers for master. And also removes unreachable code in vme_user_probe(). Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: fpgaboot: clean up MakefilePaul Bolle2014-04-151-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This Makefile tries to set the DEBUG macro but it uses an unknown Kconfig macro to do so. Since no code appears to even care about the DEBUG macro this line can safely be removed. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Reviewed-by: Insop Song <insop.song@gainspeed.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging/usbip: fix store_attach() sscanf return value checkShuah Khan2014-04-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | sscanf() parses the input buffer for four input items. However, the return value check is incorrect, as it checks for one input item instead of four which is what it is expecting in the input buffer. As a result, sscanf() will always fail even when the input buffer is correct. Signed-off-by: Shuah Khan <shuah.kh@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging/usbip: userspace - fix usbipd SIGSEGV from refresh_exported_devices()Shuah Khan2014-04-151-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | refresh_exported_devices() doesn't check udev_device_new_from_syspath() return value and passed in null dev to udev_device_get_driver() resulting in a segmentation fault. Change it to check for null return value from both udev_device_new_from_syspath() and udev_device_get_driver(). Signed-off-by: Shuah Khan <shuah.kh@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging: rtl8188eu: remove spaces, correct counts to unbreak P2P ioctlsWilfried Klaebe2014-04-151-37/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | staging: rtl8188eu: remove spaces, correct counts to unbreak P2P ioctls It looks like someone did a search-and-replace on that driver, putting spaces before "=" characters, without checking this is OK everywhere. Also, in some places, there's memcpm()s/strncmp()s checking for some different length than the fixed string argument. These things result in code not working as intended. Fix that. Signed-off-by: Wilfried Klaebe <w-lkml@lebenslange-mailadresse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | staging/rtl8821ae: Fix OOM handling in _rtl_init_deferred_work()Richard Weinberger2014-04-151-2/+8
| | |/ | |/| | | | | | | | | | | | | | | | alloc_workqueue() can fail, handle this case. Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* / | video: move fbdev to drivers/video/fbdevTomi Valkeinen2014-04-173-4/+4
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The drivers/video directory is a mess. It contains generic video related files, directories for backlight, console, linux logo, lots of fbdev device drivers, fbdev framework files. Make some order into the chaos by creating drivers/video/fbdev directory, and move all fbdev related files there. No functionality is changed, although I guess it is possible that some subtle Makefile build order related issue could be created by this patch. Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Rob Clark <robdclark@gmail.com> Acked-by: Jingoo Han <jg1.han@samsung.com> Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds2014-04-121-2/+2
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull yet more networking updates from David Miller: 1) Various fixes to the new Redpine Signals wireless driver, from Fariya Fatima. 2) L2TP PPP connect code takes PMTU from the wrong socket, fix from Dmitry Petukhov. 3) UFO and TSO packets differ in whether they include the protocol header in gso_size, account for that in skb_gso_transport_seglen(). From Florian Westphal. 4) If VLAN untagging fails, we double free the SKB in the bridging output path. From Toshiaki Makita. 5) Several call sites of sk->sk_data_ready() were referencing an SKB just added to the socket receive queue in order to calculate the second argument via skb->len. This is dangerous because the moment the skb is added to the receive queue it can be consumed in another context and freed up. It turns out also that none of the sk->sk_data_ready() implementations even care about this second argument. So just kill it off and thus fix all these use-after-free bugs as a side effect. 6) Fix inverted test in tcp_v6_send_response(), from Lorenzo Colitti. 7) pktgen needs to do locking properly for LLTX devices, from Daniel Borkmann. 8) xen-netfront driver initializes TX array entries in RX loop :-) From Vincenzo Maffione. 9) After refactoring, some tunnel drivers allow a tunnel to be configured on top itself. Fix from Nicolas Dichtel. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (46 commits) vti: don't allow to add the same tunnel twice gre: don't allow to add the same tunnel twice drivers: net: xen-netfront: fix array initialization bug pktgen: be friendly to LLTX devices r8152: check RTL8152_UNPLUG net: sun4i-emac: add promiscuous support net/apne: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO net: ipv6: Fix oif in TCP SYN+ACK route lookup. drivers: net: cpsw: enable interrupts after napi enable and clearing previous interrupts drivers: net: cpsw: discard all packets received when interface is down net: Fix use after free by removing length arg from sk_data_ready callbacks. Drivers: net: hyperv: Address UDP checksum issues Drivers: net: hyperv: Negotiate suitable ndis version for offload support Drivers: net: hyperv: Allocate memory for all possible per-pecket information bridge: Fix double free and memory leak around br_allowed_ingress bonding: Remove debug_fs files when module init fails i40evf: program RSS LUT correctly i40evf: remove open-coded skb_cow_head ixgb: remove open-coded skb_cow_head igbvf: remove open-coded skb_cow_head ...
| * | net: Fix use after free by removing length arg from sk_data_ready callbacks.David S. Miller2014-04-111-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Several spots in the kernel perform a sequence like: skb_queue_tail(&sk->s_receive_queue, skb); sk->sk_data_ready(sk, skb->len); But at the moment we place the SKB onto the socket receive queue it can be consumed and freed up. So this skb->len access is potentially to freed up memory. Furthermore, the skb->len can be modified by the consumer so it is possible that the value isn't accurate. And finally, no actual implementation of this callback actually uses the length argument. And since nobody actually cared about it's value, lots of call sites pass arbitrary values in such as '0' and even '1'. So just remove the length argument from the callback, that way there is no confusion whatsoever and all of these use-after-free cases get fixed as a side effect. Based upon a patch by Eric Dumazet and his suggestion to audit this issue tree-wide. Signed-off-by: David S. Miller <davem@davemloft.net>
* | | Merge branch 'v4l_for_linus' of ↵Linus Torvalds2014-04-122-6/+11
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: "A series of bug fix patches for v3.15-rc1. Most are just driver fixes. There are some changes at remote controller core level, fixing some definitions on a new API added for Kernel v3.15. It also adds the missing include at include/uapi/linux/v4l2-common.h, to allow its compilation on userspace, as pointed by you" * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (24 commits) [media] gpsca: remove the risk of a division by zero [media] stk1160: warrant a NUL terminated string [media] v4l: ti-vpe: retain v4l2_buffer flags for captured buffers [media] v4l: ti-vpe: Set correct field parameter for output and capture buffers [media] v4l: ti-vpe: zero out reserved fields in try_fmt [media] v4l: ti-vpe: Fix initial configuration queue data [media] v4l: ti-vpe: Use correct bus_info name for the device in querycap [media] v4l: ti-vpe: report correct capabilities in querycap [media] v4l: ti-vpe: Allow usage of smaller images [media] v4l: ti-vpe: Use video_device_release_empty [media] v4l: ti-vpe: Make sure in job_ready that we have the needed number of dst_bufs [media] lgdt3305: include sleep functionality in lgdt3304_ops [media] drx-j: use customise option correctly [media] m88rs2000: fix sparse static warnings [media] r820t: fix size and init values [media] rc-core: remove generic scancode filter [media] rc-core: split dev->s_filter [media] rc-core: do not change 32bit NEC scancode format for now [media] rtl28xxu: remove duplicate ID 0458:707f Genius TVGo DVB-T03 [media] xc2028: add missing break to switch ...
| * | | [media] msi3101: check I/O return values on stop streamingAntti Palosaari2014-04-061-4/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Coverity CID 1196496: Unchecked return value (CHECKED_RETURN) Calling "msi3101_ctrl_msg" without checking return value (as is done elsewhere 8 out of 10 times). Reported-by: <scan-admin@coverity.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
| * | | [media] msi3101: remove unused variable assignmentAntti Palosaari2014-04-061-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Coverity CID 1196508: Unused pointer value (UNUSED_VALUE) Pointer "bandwidth" returned by "v4l2_ctrl_find(&s->hdl, 10619148U)" is overwritten. Reported-by: <scan-admin@coverity.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
| * | | [media] msi001: fix possible integer overflowAntti Palosaari2014-04-061-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Coverity CID 1196502: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "(f_rf + f_if + f_if1) * lo_div" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic before being used in a context which expects an expression of type "u64" (64 bits, unsigned). To avoid overflow, cast either operand to "u64" before performing the multiplication. Reported-by: <scan-admin@coverity.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
* | | | Merge branch 'for-linus' of ↵Linus Torvalds2014-04-128-126/+25
|\ \ \ \ | |_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs updates from Al Viro: "The first vfs pile, with deep apologies for being very late in this window. Assorted cleanups and fixes, plus a large preparatory part of iov_iter work. There's a lot more of that, but it'll probably go into the next merge window - it *does* shape up nicely, removes a lot of boilerplate, gets rid of locking inconsistencie between aio_write and splice_write and I hope to get Kent's direct-io rewrite merged into the same queue, but some of the stuff after this point is having (mostly trivial) conflicts with the things already merged into mainline and with some I want more testing. This one passes LTP and xfstests without regressions, in addition to usual beating. BTW, readahead02 in ltp syscalls testsuite has started giving failures since "mm/readahead.c: fix readahead failure for memoryless NUMA nodes and limit readahead pages" - might be a false positive, might be a real regression..." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits) missing bits of "splice: fix racy pipe->buffers uses" cifs: fix the race in cifs_writev() ceph_sync_{,direct_}write: fix an oops on ceph_osdc_new_request() failure kill generic_file_buffered_write() ocfs2_file_aio_write(): switch to generic_perform_write() ceph_aio_write(): switch to generic_perform_write() xfs_file_buffered_aio_write(): switch to generic_perform_write() export generic_perform_write(), start getting rid of generic_file_buffer_write() generic_file_direct_write(): get rid of ppos argument btrfs_file_aio_write(): get rid of ppos kill the 5th argument of generic_file_buffered_write() kill the 4th argument of __generic_file_aio_write() lustre: don't open-code kernel_recvmsg() ocfs2: don't open-code kernel_recvmsg() drbd: don't open-code kernel_recvmsg() constify blk_rq_map_user_iov() and friends lustre: switch to kernel_sendmsg() ocfs2: don't open-code kernel_sendmsg() take iov_iter stuff to mm/iov_iter.c process_vm_access: tidy up a bit ...
| * | | lustre: don't open-code kernel_recvmsg()Al Viro2014-04-012-33/+9
| | | | | | | | | | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * | | lustre: switch to kernel_sendmsg()Al Viro2014-04-012-36/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | (casts are due to misannotations in lustre; it uses iovec where kvec would be correct type; too much noise to properly annotate right now). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * | | lustre: generic_readlink() is just fine there, TYVM...Al Viro2014-04-011-22/+1
| | | | | | | | | | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * | | usbip: don't open-code sockfd_lookup/sockfd_putAl Viro2014-04-015-35/+9
| | |/ | |/| | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | | Merge tag 'staging-3.15-rc1' of ↵Linus Torvalds2014-04-08136-2/+89854
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull more staging patches from Greg KH: "Here are some more staging patches for 3.15-rc1. They include a late-submission of a wireless driver that a bunch of people seem to have the hardware for now. As it's stand-alone, it should be fine (now passes the 0-day random build bot tests). There are also some fixes for the unisys drivers, as they were causing havoc on a number of different machines. To resolve all of those issues, we just mark the driver as BROKEN now, and we can fix it up "properly" over time" * tag 'staging-3.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: rtl8723au: The 8723 only has two paths Staging: unisys: mark drivers as BROKEN Staging: unisys: verify that a control channel exists staging: unisys: Add missing close parentheses in filexfer.c staging: r8723au: Fix build problem when RFKILL is not selected staging: r8723au: Fix randconfig build errors staging: r8723au: Turn on build of new driver staging: r8723au: Additional source patches staging: r8723au: Add source files for new driver - part 4 staging: r8723au: Add source files for new driver - part 3 staging: r8723au: Add source files for new driver - part 2 staging: r8723au: Add source files for new driver - part 1
| * | | staging: rtl8723au: The 8723 only has two pathsJes Sorensen2014-04-073-45/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Converting the driver from the original RTL provided version, by error converted the code to use four, which caused all sorts of issues. The confusion was caused by the RTL driver having support for both two and four paths, and in some places had RF_PATH_MAX = 3. At the same time it kept the data structures hard coded for two paths, in particular the ones matching the efuse data. Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | Staging: unisys: mark drivers as BROKENGreg Kroah-Hartman2014-04-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Turns out these drivers like to mess around with the system even if the hardware they control isn't present. That's not good, and people are starting to report lots of issues with this in their build/boot testing. So for now, let's just mark them as BROKEN, until the code gets converted to use the proper driver model interaction (i.e. don't do anything until the hardware is actually found in the system.) Reported-by: Fengguang Wu <fengguang.wu@intel.com> Reported-by: Sasha Levin <sasha.levin@oracle.com> Cc: Benjamin Romer <benjamin.romer@unisys.com> Cc: David Kershner <david.kershner@unisys.com> Cc: someone <sparmaintainer@unisys.com> Cc: Ken Cox <jkc@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * | | Staging: unisys: verify that a control channel existsSasha Levin2014-04-071-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code didn't verify that a control channel exists before trying to use it. It caused NULL ptr derefs which were easy to trigger by an unpriviliged user simply by reading the proc file, causing: [ 68.161404] BUG: unable to handle kernel NULL pointer dereference at (null) [ 68.162442] IP: visorchannel_read (drivers/staging/unisys/visorchannel/visorchannel_funcs.c:225) [ 68.163165] PGD 5ca21067 PUD 5ca20067 PMD 0 [ 68.163712] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 68.164390] Dumping ftrace buffer: [ 68.164793] (ftrace buffer empty) [ 68.165220] Modules linked in: [ 68.165601] CPU: 0 PID: 7915 Comm: cat Tainted: G W 3.14.0-next-20140403-sasha-00012-gef5fa7d-dirty #373 [ 68.166821] task: ffff88006e8c3000 ti: ffff88005ca30000 task.ti: ffff88005ca30000 [ 68.167689] RIP: visorchannel_read (drivers/staging/unisys/visorchannel/visorchannel_funcs.c:225) [ 68.168683] RSP: 0018:ffff88005ca31e58 EFLAGS: 00010282 [ 68.169302] RAX: ffff88005ca10000 RBX: ffff88005ca31e97 RCX: 0000000000000001 [ 68.170019] RDX: ffff88005ca31e97 RSI: 0000000000000bd6 RDI: 0000000000000000 [ 68.170019] RBP: ffff88005ca31e78 R08: 0000000000000000 R09: 0000000000000000 [ 68.170019] R10: ffff880000000000 R11: 0000000000000001 R12: 0000000000000001 [ 68.170019] R13: 0000000000000bd6 R14: 0000000000000000 R15: 0000000000008000 [ 68.170019] FS: 00007f0e8c041700(0000) GS:ffff88007be00000(0000) knlGS:0000000000000000 [ 68.170019] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 68.170019] CR2: 0000000000000000 CR3: 000000006efe9000 CR4: 00000000000006b0 [ 68.170019] Stack: [ 68.170019] ffff88005ca31f50 ffff88005ca10000 000000000060e000 ffff88005ca31f50 [ 68.170019] ffff88005ca31ec8 ffffffff83e6f983 ffff8800780db810 0000000000008000 [ 68.170019] ffff88005ca31ec8 ffff88006da5f908 ffff8800780db800 000000000060e000 [ 68.170019] Call Trace: [ 68.170019] proc_read_toolaction (drivers/staging/unisys/visorchipset/visorchipset_main.c:2541) [ 68.170019] proc_reg_read (fs/proc/inode.c:211) [ 68.170019] vfs_read (fs/read_write.c:408) [ 68.170019] SyS_read (fs/read_write.c:519 fs/read_write.c:511) [ 68.170019] tracesys (arch/x86/kernel/entry_64.S:749) [ 68.170019] Code: 00 00 66 66 66 66 90 55 48 89 e5 48 83 ec 20 48 89 5d e0 48 89 d3 4c 89 65 e8 49 89 cc 4c 89 6d f0 49 89 f5 4c 89 75 f8 49 89 fe <48> 8b 3f e8 4f f9 ff ff 85 c0 0f 88 97 00 00 00 4d 85 ed 0f 85 [ 68.170019] RIP visorchannel_read (drivers/staging/unisys/visorchannel/visorchannel_funcs.c:225) [ 68.170019] RSP <ffff88005ca31e58> [ 68.170019] CR2: 0000000000000000 Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>