summaryrefslogtreecommitdiffstats
path: root/drivers
AgeCommit message (Collapse)Author
2014-02-08iio: ak8975: Fix calculation formula for convert micro tesla to gauss unitBeomho Seo
This effects the reported scale of the raw values, and thus userspace applications that use this value. One micro tesla equal 0.01 gauss. So I have fixed calculation formula And add RAW_TO_GAUSS macro. ASA is in the range of 0 to 255. If multiply 0.003, calculation result(in_magn_[*]_scale) is always 0. So multiply 3000 and return and IIO_VAL_INT_PLUS_MICRO. As a result, read_raw call back function return accurate scale value. Signed-off-by: Beomho Seo <beomho.seo@samsung.com> Cc: stable@vger.kernel.org Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08staging:iio:ad799x fix typo in ad799x_events[]Hartmut Knaack
This patch fixes a typo in ad799x_events[], which caused the error "Failed to register event set". Signed-off-by: Hartmut Knaack <knaack.h@gmx.de> Cc: stable@vger.kernel.org Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08iio: mxs-lradc: remove useless scale_available filesAlexandre Belloni
in_voltage8_scale_available and in_voltage9_scale_available are exposed to userspace but useless as in_voltage8_raw and in_voltage9_raw are not available. Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08iio: mxs-lradc: fix buffer overflowAlexandre Belloni
Fixes: drivers/staging/iio/adc/mxs-lradc.c:1556 mxs_lradc_probe() error: buffer overflow 'iio->channels' 15 <= 15 The reported available scales for in_voltage15 were also wrong. The realbits lookup is not necessary as all the channels of the LRADC have the same resolution, use LRADC_RESOLUTION instead. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08iio:magnetometer:mag3110: Fix output of decimal digits in show_int_plus_micros()Peter Meerwald
need to print leading zeros, hence "%d.%06d" Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08iio:magnetometer:mag3110: Report busy in _read_raw() / write_raw() when ↵Peter Meerwald
buffer is enabled individual reads are not permitted concurrently with buffered reads Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-02-08watchdog: dw_wdt: Add dependency on HAS_IOMEMRichard Weinberger
On archs like S390 or um this driver cannot build nor work. Make it depend on HAS_IOMEM to bypass build failures. drivers/built-in.o: In function `dw_wdt_drv_probe': drivers/watchdog/dw_wdt.c:302: undefined reference to `devm_ioremap_resource' Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
2014-02-07drivers/base: fix devres handling for master deviceRussell King
We weren't handling the devres issues for the master device failing a bind, or being unbound properly. Add a devres group to contain these, and release the resources at the appropriate points. Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07misc: mic: fix possible signed underflow (undefined behavior) in userspace APISudeep Dutt
iovcnt is declared as a signed integer in both the userspace API and as a local variable in mic_virtio.c. The while() loop in mic_virtio.c iterates until the local variable iovcnt reaches the value 0. If userspace passes e.g. INT_MIN as iovcnt field, this loop then appears to depend on an undefined behavior (signed underflow) to complete. The fix is to use unsigned integers in both the userspace API and the local variable. This issue was reported @ https://lkml.org/lkml/2014/1/10/10 Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Signed-off-by: Sudeep Dutt <sudeep.dutt@intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07misc: eeprom: sunxi: Add new compatiblesMaxime Ripard
The Allwinner A10 compatibles were following a slightly different compatible patterns than the rest of the SoCs for historical reasons. Add compatibles matching the other pattern to the SID driver for consistency, and keep the older one for backward compatibility. Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07misc: genwqe: Fix potential memory leak when pinning memoryChristian Engelmayer
Fix a memory leak in the genwqe_pin_mem() error path as called by ioctl GENWQE_PIN_MEM. In case there is an error encountered when mapping memory, the already allocated dma_mapping struct needs to be freed correctly. Detected by Coverity: CID 1162606. Signed-off-by: Christian Engelmayer <cengelma@gmx.at> Acked-by: Frank Haverkamp <haver@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07Revert "usb: xhci: Link TRB must not occur within a USB payload burst"Sarah Sharp
This reverts commit 35773dac5f862cb1c82ea151eba3e2f6de51ec3e. It's a hack that caused regressions in the usb-storage and userspace USB drivers that use usbfs and libusb. Commit 70cabb7d992f "xhci 1.0: Limit arbitrarily-aligned scatter gather." should fix the issues seen with the ax88179_178a driver on xHCI 1.0 hosts, without causing regressions. Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Cc: stable@vger.kernel.org # 3.12
2014-02-07Revert "xhci: Avoid infinite loop when sg urb requires too many trbs"Sarah Sharp
This reverts commit d6c9ea9069af684358efedcaf2f2f687f51c58ee. We are ripping out commit 35773dac5f862cb1c82ea151eba3e2f6de51ec3e "usb: xhci: Link TRB must not occur within a USB payload burst" because it's a hack that caused regressions in the usb-storage and userspace USB drivers that use usbfs and libusb. This commit attempted to fix the issues with that patch. Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Cc: stable@vger.kernel.org # 3.12
2014-02-07Revert "xhci: Set scatter-gather limit to avoid failed block writes."Sarah Sharp
This reverts commit f2d9b991c549f159dc9ae81f77d8206c790cbfee. We are ripping out commit 35773dac5f862cb1c82ea151eba3e2f6de51ec3e "usb: xhci: Link TRB must not occur within a USB payload burst" because it's a hack that caused regressions in the usb-storage and userspace USB drivers that use usbfs and libusb. This commit attempted to fix the issues with that patch. Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Cc: stable@vger.kernel.org #3.12
2014-02-07xhci 1.0: Limit arbitrarily-aligned scatter gather.Sarah Sharp
xHCI 1.0 hosts have a set of requirements on how to align transfer buffers on the endpoint rings called "TD fragment" rules. When the ax88179_178a driver added support for scatter gather in 3.12, with commit 804fad45411b48233b48003e33a78f290d227c8 "USBNET: ax88179_178a: enable tso if usb host supports sg dma", it broke the device under xHCI 1.0 hosts. Under certain network loads, the device would see an unexpected short packet from the host, which would cause the device to stop sending ethernet packets, even through USB packets would still be sent. Commit 35773dac5f86 "usb: xhci: Link TRB must not occur within a USB payload burst" attempted to fix this. It was a quick hack to partially implement the TD fragment rules. However, it caused regressions in the usb-storage layer and userspace USB drivers using libusb. The patches to attempt to fix this are too far reaching into the USB core, and we really need to implement the TD fragment rules correctly in the xHCI driver, instead of continuing to wallpaper over the issues. Disable arbitrarily-aligned scatter-gather in the xHCI driver for 1.0 hosts. Only the ax88179_178a driver checks the no_sg_constraint flag, so don't set it for 1.0 hosts. This should not impact usb-storage or usbfs behavior, since they pass down max packet sized aligned sg-list entries (512 for USB 2.0 and 1024 for USB 3.0). Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Tested-by: Mark Lord <mlord@pobox.com> Cc: David Laight <David.Laight@ACULAB.COM> Cc: Bjørn Mork <bjorn@mork.no> Cc: Freddy Xin <freddy@asix.com.tw> Cc: Ming Lei <ming.lei@canonical.com> Cc: stable@vger.kernel.org # 3.12
2014-02-07block/null_blk: Fix completion processing from LIFO to FIFOShlomo Pongratz
The completion queue is implemented using lockless list. The llist_add is adds the events to the list head which is a push operation. The processing of the completion elements is done by disconnecting all the pushed elements and iterating over the disconnected list. The problem is that the processing is done in reverse order w.r.t order of the insertion i.e. LIFO processing. By reversing the disconnected list which is done in linear time the desired FIFO processing is achieved. Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com> Signed-off-by: Jens Axboe <axboe@fb.com>
2014-02-07Merge branch 'v4l_for_linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: "A series of small fixes. Mostly driver ones. There is one core regression fix on a patch that was meant to fix some race issues on vb2, but that actually caused more harm than good. So, we're just reverting it for now" * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: [media] adv7842: Composite free-run platfrom-data fix [media] v4l2-dv-timings: fix GTF calculation [media] hdpvr: Fix memory leak in debug [media] af9035: add ID [2040:f900] Hauppauge WinTV-MiniStick 2 [media] mxl111sf: Fix compile when CONFIG_DVB_USB_MXL111SF is unset [media] mxl111sf: Fix unintentional garbage stack read [media] cx24117: use a valid dev pointer for dev_err printout [media] cx24117: remove dead code in always 'false' if statement [media] update Michael Krufky's email address [media] vb2: Check if there are buffers before streamon [media] Revert "[media] videobuf_vm_{open,close} race fixes" [media] go7007-loader: fix usb_dev leak [media] media: bt8xx: add missing put_device call [media] exynos4-is: Compile in fimc-lite runtime PM callbacks conditionally [media] exynos4-is: Compile in fimc runtime PM callbacks conditionally [media] exynos4-is: Fix error paths in probe() for !pm_runtime_enabled() [media] s5p-jpeg: Fix wrong NV12 format parameters [media] s5k5baf: allow to handle arbitrary long i2c sequences
2014-02-07Merge tag 'hwmon-for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: "Fix PMBus driver problem with some multi-page voltage sensors and fix da9055 interrupt initialization" * tag 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (da9055) Remove use of regmap_irq_get_virq() hwmon: (pmbus) Support per-page exponent in linear mode
2014-02-07Merge tag 'pm+acpi-3.14-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI and power management fixes from Rafael Wysocki: "These include a fix for a recent ACPI hotplug regression, four concurrency related fixes and one PCI device removal fix for ACPI-based PCI hotplug (ACPIPHP), intel_pstate fix that should go into stable, three simple ACPI cleanups and a new entry for the ACPI video blacklist. Specifics: - Fix for a recent ACPI hotplug regression causing a NULL pointer dereference to occur while handling ACPI eject notifications for already ejected devices. From Toshi Kani. - Four concurrency-related fixes for ACPIPHP. Two of them add missing locking and the other two fix race conditions related to reference counting. - ACPIPHP fix to avoid NULL pointer dereferences during device removal involving Virtual Funcions. - intel_pstate fix to make it compute the percentage of time the CPU is busy properly. From Dirk Brandewie. - Removal of two unnecessary NULL pointer checks in ACPI code and a fix for sscanf() format string from Dan Carpenter and Luis G.F. - New ACPI video blacklist entry for HP EliteBook Revolve 810 from Mika Westerberg" * tag 'pm+acpi-3.14-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI / hotplug: Fix panic on eject to ejected device ACPI / battery: Fix incorrect sscanf() string in acpi_battery_init_alarm() ACPI / proc: remove unneeded NULL check ACPI / utils: remove a pointless NULL check ACPI / video: Add HP EliteBook Revolve 810 to the blacklist intel_pstate: Take core C0 time into account for core busy calculation ACPI / hotplug / PCI: Fix bridge removal race vs dock events ACPI / hotplug / PCI: Fix bridge removal race in handle_hotplug_event() ACPI / hotplug / PCI: Scan root bus under the PCI rescan-remove lock ACPI / hotplug / PCI: Move PCI rescan-remove locking to hotplug_event() ACPI / hotplug / PCI: Remove entries from bus->devices in reverse order
2014-02-07wlags49_h2: Fix overflow in wireless_set_essid()Maurizio Lombardi
This patch prevents the wireless_set_essid() function from overwriting the last byte of the NetworkName buffer which must be NULL. Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07xlr_net: Fix missing trivial allocation checkAlan Cox
Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: r8188eu: overflow in rtw_p2p_get_go_device_address()Dan Carpenter
The go_devadd_str[] array is two characters too small to hold the address so we corrupt memory. I've changed the user space API slightly and I don't have a way to test if this breaks anything. In the original code we truncated away the last digit of the address and the NUL terminator so it was already a bit broken. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: r8188eu: array overflow in rtw_mp_ioctl_hdl()Dan Carpenter
MAX_MP_IOCTL_SUBCODE (35) and mp_ioctl_hdl (32 elements) are no longer in sync. It leads to a bogus pointer dereference. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: r8188eu: Fix typo in USB_DEVICE listLarry Finger
There is a typo in the device list that interchanges the vendor and product codes for one of the entries. This exchange was determined by noticing that the vendor code is 0x07b8 for Abocom at http://www.linux-usb.org/usb.ids. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07usbip/userspace/libsrc/names.c: memory leakHeinrich Schuchardt
revised patch p is freed if NULL. p is leaked if second calloc fails. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07gpu: ion: dereferencing an ERR_PTRDan Carpenter
We dereference "heap->task" before checking if it's an ERR_PTR. Fixes: ea313b5f88ed ('gpu: ion: Also shrink memory cached in the deferred free list') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: comedi: usbduxsigma: fix unaligned dereferencesIan Abbott
There are a couple of dereferences such as `*(uint32_t *)(devpriv->insn_buf + 1)` that are unaligned as `devpriv->insn_buf` is of type `uint8_t *`. This works on x86 architecture but may not be supported on other architectures. Call `get_unalign()` to perform the unaligned dereferences. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Cc: Bernd Porr <mail@berndporr.me.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: comedi: fix too early cleanup in comedi_auto_config()Ian Abbott
`comedi_auto_config()` is usually called from the probe routine of a low-level comedi driver to allocate and auto-configure a comedi device. Part of this involves calling the low-level driver's `auto_attach()` handler, and if that is successful, `comedi_device_postconfig()` tries to complete the configuration of the comedi device. If either of those fail, `comedi_device_detach()` is called to clean up, and `comedi_release_hardware_device()` is called to remove the dynamically allocated comedi device. Unfortunately, `comedi_device_detach()` clears the `hw_dev` member of the `struct comedi_device` (indirectly via `comedi_clear_hw_dev()`), and that stops `comedi_release_hardware_device()` finding the comedi device associated with the hardware device, so the comedi device won't be removed properly. Since `comedi_release_hardware_device()` also calls `comedi_device_detach()` (assuming it finds the comedi device associated with the hardware device), the fix is to remove the direct call to `comedi_device_detach()` from `comedi_auto_config()` and let the call to `comedi_release_hardware_device()` take care of it. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: android: ion: dummy: fix an error codeDan Carpenter
We should be returning -ENOMEM here instead of zero. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07Merge branch 'master' of ↵John W. Linville
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem
2014-02-07xen-blkfront: handle backend CLOSED without CLOSINGDavid Vrabel
Backend drivers shouldn't transistion to CLOSED unless the frontend is CLOSED. If a backend does transition to CLOSED too soon then the frontend may not see the CLOSING state and will not properly shutdown. So, treat an unexpected backend CLOSED state the same as CLOSING. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2014-02-07xen-blkif: drop struct blkif_request_segment_alignedRoger Pau Monne
This was wrongly introduced in commit 402b27f9, the only difference between blkif_request_segment_aligned and blkif_request_segment is that the former has a named padding, while both share the same memory layout. Also correct a few minor glitches in the description, including for it to no longer assume PAGE_SIZE == 4096. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> [Description fix by Jan Beulich] Signed-off-by: Jan Beulich <jbeulich@suse.com> Reported-by: Jan Beulich <jbeulich@suse.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: David Vrabel <david.vrabel@citrix.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Tested-by: Matt Rushton <mrushton@amazon.com> Cc: Matt Wilson <msw@amazon.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2014-02-07xen-blkback: fix shutdown raceRoger Pau Monne
Introduce a new variable to keep track of the number of in-flight requests. We need to make sure that when xen_blkif_put is called the request has already been freed and we can safely free xen_blkif, which was not the case before. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com> Tested-by: Matt Rushton <mrushton@amazon.com> Reviewed-by: Matt Rushton <mrushton@amazon.com> Cc: Matt Wilson <msw@amazon.com> Cc: Ian Campbell <Ian.Campbell@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2014-02-07xen-blkback: fix memory leaksRoger Pau Monne
I've at least identified two possible memory leaks in blkback, both related to the shutdown path of a VBD: - blkback doesn't wait for any pending purge work to finish before cleaning the list of free_pages. The purge work will call put_free_pages and thus we might end up with pages being added to the free_pages list after we have emptied it. Fix this by making sure there's no pending purge work before exiting xen_blkif_schedule, and moving the free_page cleanup code to xen_blkif_free. - blkback doesn't wait for pending requests to end before cleaning persistent grants and the list of free_pages. Again this can add pages to the free_pages list or persistent grants to the persistent_gnts red-black tree. Fixed by moving the persistent grants and free_pages cleanup code to xen_blkif_free. Also, add some checks in xen_blkif_free to make sure we are cleaning everything. Signed-off-by: Roger Pau Monné <roger.pau@citrix.com> Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: David Vrabel <david.vrabel@citrix.com> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Tested-by: Matt Rushton <mrushton@amazon.com> Reviewed-by: Matt Rushton <mrushton@amazon.com> Cc: Matt Wilson <msw@amazon.com> Cc: Ian Campbell <Ian.Campbell@citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2014-02-07xen-blkback: fix memory leak when persistent grants are usedMatt Rushton
Currently shrink_free_pagepool() is called before the pages used for persistent grants are released via free_persistent_gnts(). This results in a memory leak when a VBD that uses persistent grants is torn down. Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Cc: "Roger Pau Monné" <roger.pau@citrix.com> Cc: Ian Campbell <Ian.Campbell@citrix.com> Reviewed-by: David Vrabel <david.vrabel@citrix.com> Cc: linux-kernel@vger.kernel.org Cc: xen-devel@lists.xen.org Cc: Anthony Liguori <aliguori@amazon.com> Signed-off-by: Matt Rushton <mrushton@amazon.com> Signed-off-by: Matt Wilson <msw@amazon.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
2014-02-07staging: lustre: fix quotactl permission denied (LU-4530)Cédric Dufour - Idiap Research Institute
The changes introduced in commit 4b1a25f06b30b203 ("fix build when CONFIG_UIDGID_STRICT_TYPE_CHECKS is on") got the UID check the wrong way around, leading to "Permission denied" when a regular user attempts to retrieve his quota (lfs quota -u ...) but allowing him to retrieve other users quota. Full details at: https://jira.hpdd.intel.com/browse/LU-4530 Cc: Peng Tao <tao.peng@emc.com> Cc: <stable@vger.kernel.org> # 3.12.x Cc: <stable@vger.kernel.org> # 3.13.x Signed-off-by: Cédric Dufour <cedric.dufour@idiap.ch> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: android: sync: Signal pt before sync_timeline object gets destroyedPrakash Kamliya
There is a race condition Assume we have *one* sync_fence object, with *one* sync_pt which belongs to *one* sync_timeline, given this condition, sync_timeline->kref will have two counts, one for sync_timeline (implicit) and another for sync_pt. Assume following is the situation on CPU Theead-1 : (Thread which calls sync_timeline_destroy()) -> (some function calls) -> sync_timeline_destory() -> sync_timeline_signal() (CPU is inside this function after putting reference to sync_timeline) At this time Thread-2 comes and does following Thread-2 : (fclose on fence fd) > sync_fence_release() -> because of fclose() on fence object -> sync_fence_free() -> sync_pt_free() -> kref_put(&pt->parent->kref, sync_timeline_free); -> sync_timeline_free() (CPU is inside this because this time kref will be zero after _put) Thread-2 will free sync_timeline object before Thread-1 has finished its work inside sync_timeline_signal. With this change we signals all sync_pt before putting reference to sync_timeline object. Cc: Colin Cross <ccross@android.com> Cc: Android Kernel Team <kernel-team@android.com> Signed-off-by: Prakash Kamliya <pkamliya@codeaurora.org> [jstultz: minor commit subject tweak] Signed-off-by: John Stultz <john.stultz@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: comedi: adv_pci1710: fix analog output readback valueH Hartley Sweeten
The last value written to a analog output channel is cached in the private data of this driver for readback. Currently, the wrong value is cached in the (*insn_write) functions. The current code stores the data[n] value for readback afer the loop has written all the values. At this time 'n' points past the end of the data array. Fix the functions by using a local variable to hold the data being written to the analog output channel. This variable is then used after the loop is complete to store the readback value. The current value is retrieved before the loop in case no values are actually written.. Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: r8188eu: memory corruption handling long ssidsDan Carpenter
We should cap the SSID length at NDIS_802_11_LENGTH_SSID (32) characters to avoid memory corruption. If the SSID is too long then I have opted to ignore it instead of truncating it. We don't need to clear bssid->Ssid.Ssid[0] because this struct is allocated with rtw_zmalloc() Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: gdm72xx: fix leaks at failure path in gdm_usb_probe()Alexey Khoroshilov
Error handling code in gdm_usb_probe() misses to deallocate tx_ and rx_structs and to do usb_put_dev(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07Revert "Staging: dgrp: Refactor the function dgrp_receive() in drrp_net_ops.c"Greg Kroah-Hartman
This reverts commit b73db54750482cf3910046c82a84ce8c1684dfbe. Reported-by: Geert Uytterhoeven <geert@linux-m68k.org> Reported-by: Chen Gang <gang.chen.5i5j@gmail.com> Cc: Rashika Kheria <rashika.kheria@gmail.com> Cc: James Hogan <james.hogan@imgtec.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07Staging: ozwpan: Fix null dereferenceSalym Senyonga
If net_dev is NULL memcpy() will Oops. Signed-off-by: Salym Senyonga <salymsash@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging/usbip: Fix vhci_hcd attach failure error message to be informativeShuah Khan
When attach fails due to unsupported and/or invalid bus speed, the message vhci_hcd prints out doesn't include any useful information as to what caused the failure. Change the message to be informative and use usb_speed_string() to get the right speed string from usb common. Signed-off-by: Shuah Khan <shuah.kh@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: rtl8821ae: Fixed the size of array to macro as discussed by LinusSurendra Patil
Linus Torvalds writes: It causes an interesting warning for me: drivers/staging/rtl8821ae/rtl8821ae/dm.c: In function ‘rtl8821ae_dm_clear_txpower_tracking_state’: drivers/staging/rtl8821ae/rtl8821ae/dm.c:487:31: warning: iteration 2u invokes undefined behavior [-Waggressive-loop-optimizations] rtldm->bb_swing_idx_ofdm[p] = rtldm->default_ofdm_index; ^ drivers/staging/rtl8821ae/rtl8821ae/dm.c:485:2: note: containing loop for (p = RF90_PATH_A; p < MAX_RF_PATH; ++p) { ^ and gcc is entirely correct: that loop iterates from 0 to 3, and does this: rtldm->bb_swing_idx_ofdm[p] = rtldm->default_ofdm_index; but the bb_swing_idx_ofdm[] array only has two members. So the last two iterations will overwrite bb_swing_idx_ofdm_current and the first entry in bb_swing_idx_ofdm_base[]. Now, the bug does seem to be benign: bb_swing_idx_ofdm_current isn't actually ever *used* as far as I can tell, and the first entry of bb_swing_idx_ofdm_base[] will have been written with that same "rtldm->default_ofdm_index" value. But gcc is absolutely correct, and that driver needs fixing. I've pulled it and will let it be because it doesn't seem to be an issue in practice, but please fix it. The obvious fix would seem to change the size of "2" to be "MAX_RF_PATH", but I'll abstain from doing those kinds of changes in the merge when it doesn't seem to affect the build or functionality). Reported-By: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Surendra Patil <surendra.tux@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging: octeon-usb: Probe via device tree populated platform device.David Daney
Extract clocking parameters from the device tree, and remove now dead code and types. Signed-off-by: David Daney <david.daney@cavium.com> Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07lustre: add myself to list of people to CC on lustre patchesOleg Drokin
Signed-off-by: Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07lustre: Correct KUC code max changelog msg sizeOleg Drokin
The kernel to userspace communication routines (KUC) allocate and limit the maximum cs_buf size to CR_MAXSIZE. However this fails to account for the fact that the buffer is assumed to begin with a struct kuc_hdr. To allocate and account for that space, we introduce a new define, KUC_CHANGELOG_MSG_MAXSIZE. Signed-off-by: Christopher J. Morrone <morrone2@llnl.gov> Reviewed-on: http://review.whamcloud.com/7406 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3587 Reviewed-by: Andreas Dilger <andreas.dilger@intel.com> Reviewed-by: jacques-Charles Lafoucriere <jacques-charles.lafoucriere@cea.fr> Reviewed-by: Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07lustre: Account for changelog_ext_rec in CR_MAXSIZEOleg Drokin
CR_MAXSIZE needs to account for an llog_changelog_rec that actually contains a changelog_ext_rec structure rather than a changelog_rec. With out doing so, a file size approaching the Linux kernel NAME_MAX length that is renamed to a size also close to, or at, NAME_MAX will exceed CR_MAXSIZE and trip an assertion. Signed-off-by: Christopher J. Morrone <morrone2@llnl.gov> Reviewed-on: http://review.whamcloud.com/6993 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3587 Reviewed-by: Niu Yawei <yawei.niu@intel.com> Reviewed-by: Lai Siyao <lai.siyao@intel.com> Reviewed-by: Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: Oleg Drokin <oleg.drokin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging/lustre/lnet: Fix use after free in ksocknal_sendOleg Drokin
Call to ksocknal_launch_packet might schedule a callback that might free the just sent message, and so subsequent access to it via lntmsg->msg_vmflush goes to freed memory. Instead we'll just remember if we are in the vmflush thread and only restore if we happened to set mempressure flag. Signed-off-by: Oleg Drokin <oleg.drokin@intel.com> Reviewed-on: http://review.whamcloud.com/8667 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-4360 Reviewed-by: Liang Zhen <liang.zhen@intel.com> Reviewed-by: Amir Shehata <amir.shehata@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-07staging/lustre: fix compile warning with is_vmalloc_addrOleg Drokin
Recent commit 175f5475fb9c5800319da4e3c4204413d7280f5c introduced this compile warning (because vaddr is unsigned long), so add a cast: drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c: In function ‘kiblnd_kvaddr_to_page’: drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:532:2: warning: passing argument 1 of ‘is_vmalloc_addr’ makes pointer from integer without a cast [enabled by default] if (is_vmalloc_addr(vaddr)) { ^ In file included from drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.h:43:0, from drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c:41: include/linux/mm.h:336:59: note: expected ‘const void *’ but argument is of type ‘long unsigned int’ static inline int is_vmalloc_addr(const void *x) Signed-off-by: Oleg Drokin <green@linuxhacker.ru> CC: Laura Abbott <lauraa@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>