Kevin McKinney [Wed, 23 Nov 2011 01:25:57 +0000 (20:25 -0500)]
Staging: bcm: Fix semaphore locking error when downloading firmware.
This patch releases semaphore locks when
an error occurrs while attempting to
download firmware for the bcm driver.
When downloading firmware for this driver,
a process is expected to call
the following ioctl's in this order:
(1)IOCTL_BCM_BUFFER_DOWNLOAD_START,
(2)IOCTL_BCM_BUFFER_DOWNLOAD, and (3)
IOCTL_BCM_BUFFER_DOWNLOAD_STOP.
Semaphore, “Adapter->fw_download_sema” is
expected to be acquired in the first ioctl,
IOCTL_BCM_BUFFER_DOWNLOAD_START, and it should
block until IOCTL_BCM_BUFFER_DOWNLOAD_STOP
is called. In this case, if an error
occurred before STOP finished, the semaphore
"Adapter->fw_download_sema" was not being released.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kevin McKinney [Wed, 23 Nov 2011 01:25:56 +0000 (20:25 -0500)]
Staging: bcm: Fix semaphore locking bug in, IOCTL_BCM_BUFFER_DOWNLOAD
In this ioctl, we are testing to see if the lock is held.
If it is not held, that means this ioctl used incorrectly.
Therefore, we do not want to take the lock ourselves here.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kevin McKinney [Wed, 9 Nov 2011 03:33:35 +0000 (22:33 -0500)]
Staging: bcm: Clean up code in ioctl: IOCTL_BCM_EEPROM_REGISTER_READ
This patch verifies two conditions before executing
a kmalloc call. First, it checks to see that
IoBuffer.OutputLength is not greater than an
unsigned short. If so, an invalid value may be
returned. The second change is a check to make
sure IoBuffer.OutputLength is not equal to
zero. Which simply keeps this code inline with
the other ioctl, IOCTL_BCM_REGISTER_READ_PRIVATE.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kevin McKinney [Sun, 6 Nov 2011 14:40:11 +0000 (09:40 -0500)]
Staging: bcm: Fix information leak in ioctl: IOCTL_BCM_REGISTER_READ_PRIVATE, IOCTL_BCM_EEPROM_REGISTER_READ
This patch fixes an information leak in ioctl
IOCTL_BCM_REGISTER_READ_PRIVATE and
IOCTL_BCM_EEPROM_REGISTER_READ when determining
the number of bytes to copy to user space. Function,
usb_control_msg, returns the correct number of
bytes from the hardware. Instead of using
this value, we were using a value derived from
user space. In this case, this value could be more
than the hardware allocated. Therefore, this
patch copies the proper number of bytes from
the hardware, and uses this value as the maximum
number of bytes for user space.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diego F. Marfil [Thu, 3 Nov 2011 15:25:37 +0000 (12:25 -0300)]
Staging: bcm: hostmibs: Added temporary variable to shorten lines
Signed-off-by: Diego F. Marfil <diegomarfil@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diego F. Marfil [Thu, 3 Nov 2011 15:25:36 +0000 (12:25 -0300)]
Staging: bcm: hostmibs: White spaces and indentation fixes.
Signed-off-by: Diego F. Marfil <diegomarfil@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diego F. Marfil [Thu, 3 Nov 2011 15:25:35 +0000 (12:25 -0300)]
Staging: bcm: hostmibs: C99 comments replaced
Signed-off-by: Diego F. Marfil <diegomarfil@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Fix error handling storvsc_host_reset(). I would like to thank
Long Li <longli@microsoft.com> for reporting this.
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com> Reported-by: Long Li <longli@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
K. Y. Srinivasan [Wed, 26 Oct 2011 00:19:49 +0000 (17:19 -0700)]
Staging: hv: mousevsc: Inline the code for reportdesc_callback()
Inline the code for reportdesc_callback() as this function is called from
mousevsc_probe(). As part of this, cleanup the code in reportdesc_callback().
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Sasha Levin [Tue, 22 Nov 2011 06:02:21 +0000 (08:02 +0200)]
iio: Don't OOPS if dummy evgen failed init
If the dummy evgen failed init, the irq allocation functions which assume
init succeeded may still be called - causing an OOPS due to wrong assumption.
staging:iio: Add missing MODULE_DEVICE_TABLE and MODULE_ALIAS
Quite a few iio drivers provide no MODULE_DEVICE_TABLE or MODULE_ALIAS or only
provide a MODULE_ALIAS while they have support for multiple device ids. This
prevents auto module loading from working correctly.
This patch fixes it by adding the missing MODULE_DEVICE_TABLEs and
MODULE_ALIAS'.
Paul Bolle [Sun, 13 Nov 2011 13:05:45 +0000 (14:05 +0100)]
staging: iio: drop "select IIO_SIMPLE_DUMMY_EVGEN"
Commit e6477000fc ("staging:iio:dummy Add event support + fake event
generator") added "select IIO_SIMPLE_DUMMY_EVGEN if [...]". But there
is no Kconfig symbol named IIO_SIMPLE_DUMMY_EVGEN. The select statement
for that symbol is a nop. Drop it.
Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Acked-by: Jonathan Cameron <jic23@camd.ac.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
staging:iio: Make write_event_value callback optional
Some devices have fixed thresholds which can not be modified so make the
write_event_value callback optional, so the drivers for these devices do not
have to implement a boilerplate no-op callback.
Jonathan Cameron [Wed, 26 Oct 2011 16:41:36 +0000 (17:41 +0100)]
staging:iio:treewide only use shared to decide on interfaces
Internally the fact that say scale is shared across channels is
actually of remarkably little interest. Hence lets not store it.
Numerous devices have weird combinations of channels sharing
scale anyway so it is not as though this was really telling
us much. Note however that we do still use the shared sysfs
attrs thus massively reducing the number of attrs in complex
drivers.
Side effect is that certain drivers that were abusing this
(mostly my work) needed to do a few more checks on what the
channel they are being queried on actually is.
This is also helpful for in kernel interfaces where we
just want to query the scale and don't care whether it
is shared with other channels or not.
staging:iio: Do not use bitmasks for channel info addresses
Currently the iio framework uses bitmasks for the address field of channel info
attributes. This is for historical reasons and no longer required since it will
only ever query a single info attribute at once. This patch changes the code to
use the non-shifted iio_chan_info_enum values for the info attribute address.
Jonathan Cameron [Wed, 26 Oct 2011 16:41:32 +0000 (17:41 +0100)]
staging:iio: header reorganization
Issue brought up by Lars-Peter Clausen. This is a varient of what
he suggested.
io/iio.h for driver stuff (has to include types.h)
Sub files for the bits drivers may or may not use
iio/sysfs.h
iio/buffer.h (contents of current buffer_generic.h)
(obviously anything offering events will need events.h as well)
iio/types.h for the enums that matter to both
iio_chan_type, iio_modifier
iio/events.h for the event code stuff
IIO_EVENT_CODE and friends. + everything in chrdev.h So this
is the stuff that userspace cares about.
Also include iio_event_type, iio_event_direction
Thus iio drivers include iio.h + as required
events.h
sysfs.h
buffer.h
in kernel users (once that interface is merged) will need inkern.h
which will pull in types.h
Userspace will need just events.h (which pulls in types.h) to get
everything they need to know about. Buffer userspace access doesn't
currently need any core defines. All information about the data
format is passed through sysfs.
Signed-off-by: Jonathan Cameron <jic23@cam.ac.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jonathan Cameron [Wed, 26 Oct 2011 16:27:45 +0000 (17:27 +0100)]
staging:iio: core. Allow for event chrdev obtaining ioctl if no buffer present.
Logic bug meant the chrdev would fail to open if there was no buffer support
in a driver or in the core. This meant the ioctl to get the event chrdev
would fail and hence events were not available.
V2: change error to -EINVAL to mark as unsuitable for reading rather than
not there. Both are true depending on how you look at it.
Signed-off-by: Jonathan Cameron <jic23@cam.ac.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jonathan Cameron [Wed, 26 Oct 2011 16:27:40 +0000 (17:27 +0100)]
staging:iio:kfifo remove entirely pointless code.
I really don't want to think about how this bit got
in there. It allocates some storage - copies something
into it then frees it without making use of it.
Oops.
Signed-off-by: Jonathan Cameron <jic23@cam.ac.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Maxin B. John [Wed, 26 Oct 2011 16:27:37 +0000 (17:27 +0100)]
staging:iio:light:tsl2563 missing setting of id in get id function.
Signed-off-by: Maxin B. John <maxin.john@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jonathan Cameron <jic23@cam.ac.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mark Einon [Sun, 13 Nov 2011 19:43:39 +0000 (19:43 +0000)]
staging: et131x: Remove section comments
Following the move to put the driver into one file, comments were added to identify which source file each set of functions originated from.
These no longer made sense after functions were moved around to remove some forward declarations, so remove them.
A function comment was previously not moved along with its function, now they are reunited.
Signed-off-by: Mark Einon <mark.einon@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Hajnoczi [Wed, 23 Nov 2011 08:20:45 +0000 (08:20 +0000)]
staging: line6: alloc/free buffers in hw_params/hw_free
It is unsafe to free buffers in line6_pcm_stop(), which is not allowed
to sleep, since urbs cannot be killed completely there and only
unlinked. This means I/O may still be in progress and the URB
completion function still gets invoked. This may result in memory
corruption when buffer_in is freed but I/O is still pending.
Additionally, line6_pcm_start() is not supposed to sleep so it should
not use kmalloc(GFP_KERNEL).
These issues can be resolved by performing buffer allocation/freeing in
the .hw_params/.hw_free callbacks instead. The ALSA documentation also
recommends doing buffer allocation/freeing in these callbacks.
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Hajnoczi [Wed, 23 Nov 2011 08:20:44 +0000 (08:20 +0000)]
staging: line6: use smallest iso ep packet size
The POD HD300 isochronous endpoints have different max packet sizes for
read and write. Using the read endpoint max packet size may be too
large for the write endpoint. Instead we should use the minimum of both
endpoints to be sure the size is acceptable.
In theory we could decouple read and write packet sizes but the driver
currently uses a single size which I chose not to mess with since other
features like software monitoring may depend on a single packet size for
both endpoints.
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Hajnoczi [Wed, 23 Nov 2011 08:20:43 +0000 (08:20 +0000)]
staging: line6: add missing MIDI postprocessing case for POD HD300
The driver leaves MIDI processing up to userspace for the POD HD300
device. Add a missing case statement to skip MIDI postprocessing in the
driver. This change has no effect other than silencing a printk:
line6usb driver bug: missing case in linux/drivers/staging/line6/midi.c:179
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Hajnoczi [Wed, 23 Nov 2011 08:20:42 +0000 (08:20 +0000)]
staging: line6: add Pod HD300 support
The Pod HD device family uses new MIDI SysEx messages and therefore
cannot reuse the existing Pod code. Instead of hardcoding Pod HD MIDI
messages into the driver, leave MIDI up to userspace. This driver
simply presents MIDI and pcm ALSA devices.
This device is similar to the Pod except that it has 48 kHz audio and
does not respond to Pod SysEx messages.
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jesper Juhl [Mon, 24 Oct 2011 21:41:37 +0000 (23:41 +0200)]
line6: fix memory leaks in line6_init_midi()
If the first call to line6_midibuf_init() fails we'll leak a little
bit of memory. If the second call fails we'll leak a bit more. This
happens when we return from the function and the local variable
'line6midi' goes out of scope.
Tomas Winkler [Sun, 13 Nov 2011 07:41:15 +0000 (09:41 +0200)]
staging/mei: fix check for allocating host client id
MEI_CLIENTS_MAX is 255 and host_client_id is u8 therefore
for check to work we need to first assign the return value
of find_first_zero_bit to unsigned long variable
Fix warning
drivers/staging/mei/main.c: In function mei_open
drivers/staging/mei/main.c:260:2: warning: comparison is always false due to limited range of data type
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Cox [Fri, 25 Nov 2011 11:13:58 +0000 (11:13 +0000)]
gma500: mark staging broken
It now clashes with upstream DRM which we don't want to block.
We don't want to delete this code just yet as we want to keep it for
comparison and reference when debugging, but soon it will be a removal
candidate as well
Signed-off-by: Alan Cox <alan@linux.intel.com> Cc: linux-next@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Linus Torvalds [Thu, 24 Nov 2011 04:19:31 +0000 (20:19 -0800)]
Merge git://github.com/rustyrussell/linux
* git://github.com/rustyrussell/linux:
virtio-pci: make reset operation safer
virtio-mmio: Correct the name of the guest features selector
virtio: add HAS_IOMEM dependency to MMIO platform bus driver
virtio pci device reset actually just does an I/O
write, which in PCI is really posted, that is it
can complete on CPU before the device has received it.
Further, interrupts might have been pending on
another CPU, so device callback might get invoked after reset.
This conflicts with how drivers use reset, which is typically:
reset
unregister
a callback running after reset completed can race with
unregister, potentially leading to use after free bugs.
Fix by flushing out the write, and flushing pending interrupts.
This assumes that device is never reset from
its vq/config callbacks, or in parallel with being
added/removed, document this assumption.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Heiko Carstens [Tue, 15 Nov 2011 09:13:24 +0000 (10:13 +0100)]
virtio: add HAS_IOMEM dependency to MMIO platform bus driver
Fix this compile error on s390:
CC [M] drivers/virtio/virtio_mmio.o
drivers/virtio/virtio_mmio.c: In function 'vm_get_features':
drivers/virtio/virtio_mmio.c:107:2: error: implicit declaration of function 'writel'
Cc: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Acked-by: Pawel Moll <pawel.moll@arm.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Linus Torvalds [Wed, 23 Nov 2011 22:58:46 +0000 (14:58 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci:
PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs
PCI: pciehp: wait 100 ms after Link Training check
PCI: pciehp: wait 1000 ms before Link Training check
PCI: pciehp: Retrieve link speed after link is trained
PCI: Let PCI_PRI depend on PCI
PCI: Fix compile errors with PCI_ATS and !PCI_IOV
PCI / ACPI: Make acpiphp ignore root bridges using PCIe native hotplug
Linus Torvalds [Wed, 23 Nov 2011 22:28:13 +0000 (14:28 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs:
eCryptfs: Extend array bounds for all filename chars
eCryptfs: Flush file in vma close
eCryptfs: Prevent file create race condition
Tyler Hicks [Wed, 23 Nov 2011 17:31:24 +0000 (11:31 -0600)]
eCryptfs: Extend array bounds for all filename chars
From mhalcrow's original commit message:
Characters with ASCII values greater than the size of
filename_rev_map[] are valid filename characters.
ecryptfs_decode_from_filename() will access kernel memory beyond
that array, and ecryptfs_parse_tag_70_packet() will then decrypt
those characters. The attacker, using the FNEK of the crafted file,
can then re-encrypt the characters to reveal the kernel memory past
the end of the filename_rev_map[] array. I expect low security
impact since this array is statically allocated in the text area,
and the amount of memory past the array that is accessible is
limited by the largest possible ASCII filename character.
This patch solves the issue reported by mhalcrow but with an
implementation suggested by Linus to simply extend the length of
filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
0x00, which is how invalid characters less than 0x7A were previously
being handled.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Reported-by: Michael Halcrow <mhalcrow@google.com> Cc: stable@kernel.org
Tyler Hicks [Mon, 21 Nov 2011 23:31:29 +0000 (17:31 -0600)]
eCryptfs: Flush file in vma close
Dirty pages weren't being written back when an mmap'ed eCryptfs file was
closed before the mapping was unmapped. Since f_ops->flush() is not
called by the munmap() path, the lower file was simply being released.
This patch flushes the eCryptfs file in the vm_ops->close() path.
Tyler Hicks [Mon, 21 Nov 2011 23:31:02 +0000 (17:31 -0600)]
eCryptfs: Prevent file create race condition
The file creation path prematurely called d_instantiate() and
unlock_new_inode() before the eCryptfs inode info was fully
allocated and initialized and before the eCryptfs metadata was written
to the lower file.
This could result in race conditions in subsequent file and inode
operations leading to unexpected error conditions or a null pointer
dereference while attempting to use the unallocated memory.
Linus Torvalds [Wed, 23 Nov 2011 17:47:25 +0000 (09:47 -0800)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (31 commits)
drm: integer overflow in drm_mode_dirtyfb_ioctl()
drivers/gpu/vga/vgaarb.c: add missing kfree
drm/radeon/kms/atom: unify i2c gpio table handling
drm/radeon/kms: fix up gpio i2c mask bits for r4xx for real
ttm: Don't return the bo reserved on error path
drm/radeon/kms: add a CS ioctl flag not to rewrite tiling flags in the CS
drm/i915: Fix inconsistent backlight level during disabled
drm, i915: Fix memory leak in i915_gem_busy_ioctl().
drm/i915: Use DPCD value for max DP lanes.
drm/i915: Initiate DP link training only on the lanes we'll be using
drm/i915: Remove trailing white space
drm/i915: Try harder during dp pattern 1 link training
drm/i915: Make DP prepare/commit consistent with DP dpms
drm/i915: Let panel power sequencing hardware do its job
drm/i915: Treat PCH eDP like DP in most places
drm/i915: Remove link_status field from intel_dp structure
drm/i915: Move common PCH_PP_CONTROL setup to ironlake_get_pp_control
drm/i915: Module parameters using '-1' as default must be signed type
drm/i915: Turn on another required clock gating bit on gen6.
drm/i915: Turn on a required 3D clock gating bit on Sandybridge.
...
Afzal Mohammed [Tue, 8 Nov 2011 13:24:10 +0000 (18:54 +0530)]
regulator: TPS65910: Fix VDD1/2 voltage selector count
Count of selector voltage is required for regulator_set_voltage
to work via set_voltage_sel. VDD1/2 currently have it as zero,
so regulator_set_voltage won't work for VDD1/2.
Update count (n_voltages) for VDD1/2.
Output Voltage = (step value * 12.5 mV + 562.5 mV) * gain
With above expr, number of voltages that can be selected is
step value count * gain count
constant for gain count will be called VDD1_2_NUM_VOLT_COARSE
existing constant for step value count is VDD1_2_NUM_VOLTS,
use VDD1_2_NUM_VOLT_FINE instead to make clear that step value
is not the only component in deciding selectable voltage count
Signed-off-by: Afzal Mohammed <afzal@ti.com> Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Jean Delvare [Wed, 23 Nov 2011 10:33:07 +0000 (11:33 +0100)]
i2c: Fix device name for 10-bit slave address
10-bit addresses overlap with traditional 7-bit addresses, leading in
device name collisions. Add an arbitrary offset to 10-bit addresses to
prevent this collision. The offset was chosen so that the address is
still easily recognizable.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Acked-by: Wolfram Sang <w.sang@pengutronix.de>
Xi Wang [Wed, 23 Nov 2011 06:12:01 +0000 (01:12 -0500)]
drm: integer overflow in drm_mode_dirtyfb_ioctl()
There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips. The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.
Reported-by: Haogang Chen <haogangchen@gmail.com> Signed-off-by: Xi Wang <xi.wang@gmail.com> Cc: stable@kernel.org Signed-off-by: Dave Airlie <airlied@redhat.com>