<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/misc, branch v3.16.52</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>misc: ad525x_dpot: Fix the enabling of the "otpXen" attributes</title>
<updated>2017-10-12T14:28:17+00:00</updated>
<author>
<name>Dan Bogdan Nechita</name>
<email>dan.bogdan.nechita@gmail.com</email>
</author>
<published>2016-02-23T09:48:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=982ff37658a22a7ebe715a197a912b3c3225fab8'/>
<id>982ff37658a22a7ebe715a197a912b3c3225fab8</id>
<content type='text'>
commit 1bb850a1b7f68b66361e658e334f9fdf8231f17d upstream.

Currently writing the attributes with "echo" will result in comparing:
"enabled\n" with "enabled\0" and attribute is always set to false.

Use the sysfs_streq() instead because it treats both NUL and
new-line-then-NUL as equivalent string terminations.

Signed-off-by: Dan Bogdan Nechita &lt;dan.bogdan.nechita@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1bb850a1b7f68b66361e658e334f9fdf8231f17d upstream.

Currently writing the attributes with "echo" will result in comparing:
"enabled\n" with "enabled\0" and attribute is always set to false.

Use the sysfs_streq() instead because it treats both NUL and
new-line-then-NUL as equivalent string terminations.

Signed-off-by: Dan Bogdan Nechita &lt;dan.bogdan.nechita@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails.</title>
<updated>2017-10-12T14:27:58+00:00</updated>
<author>
<name>Maurizio Lombardi</name>
<email>mlombard@redhat.com</email>
</author>
<published>2017-06-27T09:53:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dbe514c87fbeda1cbe6fe0325d8588e610b9dbdc'/>
<id>dbe514c87fbeda1cbe6fe0325d8588e610b9dbdc</id>
<content type='text'>
commit 62e62ffd95539b9220894a7900a619e0f3ef4756 upstream.

The enclosure_add_device() function should fail if it can't create the
relevant sysfs links.

Signed-off-by: Maurizio Lombardi &lt;mlombard@redhat.com&gt;
Tested-by: Douglas Miller &lt;dougmill@linux.vnet.ibm.com&gt;
Acked-by: James Bottomley &lt;jejb@linux.vnet.ibm.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 62e62ffd95539b9220894a7900a619e0f3ef4756 upstream.

The enclosure_add_device() function should fail if it can't create the
relevant sysfs links.

Signed-off-by: Maurizio Lombardi &lt;mlombard@redhat.com&gt;
Tested-by: Douglas Miller &lt;dougmill@linux.vnet.ibm.com&gt;
Acked-by: James Bottomley &lt;jejb@linux.vnet.ibm.com&gt;
Signed-off-by: Martin K. Petersen &lt;martin.petersen@oracle.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mei: move write cb to completion on credentials failures</title>
<updated>2017-03-16T02:26:49+00:00</updated>
<author>
<name>Alexander Usyskin</name>
<email>alexander.usyskin@intel.com</email>
</author>
<published>2016-12-14T15:56:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=abf35ecb24ad917de55f75c715c0e5ed5e6a6069'/>
<id>abf35ecb24ad917de55f75c715c0e5ed5e6a6069</id>
<content type='text'>
commit e09ee853c92011860a4bd2fbdf6126f60fc16bd3 upstream.

The credentials handling was pushed to the write handlers
but error handling wasn't done properly.
Move write callbacks to completion queue to destroy them
and to notify a blocked writer about the failure

Fixes: 136698e535cd1 (mei: push credentials inside the irq write handler)
Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e09ee853c92011860a4bd2fbdf6126f60fc16bd3 upstream.

The credentials handling was pushed to the write handlers
but error handling wasn't done properly.
Move write callbacks to completion queue to destroy them
and to notify a blocked writer about the failure

Fixes: 136698e535cd1 (mei: push credentials inside the irq write handler)
Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mei: bus: fix received data size check in NFC fixup</title>
<updated>2017-02-23T03:54:26+00:00</updated>
<author>
<name>Alexander Usyskin</name>
<email>alexander.usyskin@intel.com</email>
</author>
<published>2016-10-31T17:02:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ad6dcc78333f0e2e2add0f1b350ce8d049e98ffc'/>
<id>ad6dcc78333f0e2e2add0f1b350ce8d049e98ffc</id>
<content type='text'>
commit 582ab27a063a506ccb55fc48afcc325342a2deba upstream.

NFC version reply size checked against only header size, not against
full message size. That may lead potentially to uninitialized memory access
in version data.

That leads to warnings when version data is accessed:
drivers/misc/mei/bus-fixup.c: warning: '*((void *)&amp;ver+11)' may be used uninitialized in this function [-Wuninitialized]:  =&gt; 212:2

Reported in
Build regressions/improvements in v4.9-rc3
https://lkml.org/lkml/2016/10/30/57

Fixes: 59fcd7c63abf (mei: nfc: Initial nfc implementation)
Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Drop change in mei_phy.c
 - Adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 582ab27a063a506ccb55fc48afcc325342a2deba upstream.

NFC version reply size checked against only header size, not against
full message size. That may lead potentially to uninitialized memory access
in version data.

That leads to warnings when version data is accessed:
drivers/misc/mei/bus-fixup.c: warning: '*((void *)&amp;ver+11)' may be used uninitialized in this function [-Wuninitialized]:  =&gt; 212:2

Reported in
Build regressions/improvements in v4.9-rc3
https://lkml.org/lkml/2016/10/30/57

Fixes: 59fcd7c63abf (mei: nfc: Initial nfc implementation)
Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Drop change in mei_phy.c
 - Adjust filename]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Fix bad page access during abort of resource allocation</title>
<updated>2017-02-23T03:54:24+00:00</updated>
<author>
<name>Gerald Schaefer</name>
<email>gerald.schaefer@de.ibm.com</email>
</author>
<published>2016-10-19T10:29:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=192d5e7c1ccfe5c6391bfc7090d28204a95984bd'/>
<id>192d5e7c1ccfe5c6391bfc7090d28204a95984bd</id>
<content type='text'>
commit a7a7aeefbca2982586ba2c9fd7739b96416a6d1d upstream.

When interrupting an application which was allocating DMAable
memory, it was possible, that the DMA memory was deallocated
twice, leading to the error symptoms below.

Thanks to Gerald, who analyzed the problem and provided this
patch.

I agree with his analysis of the problem: ddcb_cmd_fixups() -&gt;
genwqe_alloc_sync_sgl() (fails in f/lpage, but sgl-&gt;sgl != NULL
and f/lpage maybe also != NULL) -&gt; ddcb_cmd_cleanup() -&gt;
genwqe_free_sync_sgl() (double free, because sgl-&gt;sgl != NULL and
f/lpage maybe also != NULL)

In this scenario we would have exactly the kind of double free that
would explain the WARNING / Bad page state, and as expected it is
caused by broken error handling (cleanup).

Using the Ubuntu git source, tag Ubuntu-4.4.0-33.52, he was able to reproduce
the "Bad page state" issue, and with the patch on top he could not reproduce
it any more.

------------[ cut here ]------------
WARNING: at /build/linux-o03cxz/linux-4.4.0/arch/s390/include/asm/pci_dma.h:141
Modules linked in: qeth_l2 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common genwqe_card qeth crc_itu_t qdio ccwgroup vmur dm_multipath dasd_eckd_mod dasd_mod
CPU: 2 PID: 3293 Comm: genwqe_gunzip Not tainted 4.4.0-33-generic #52-Ubuntu
task: 0000000032c7e270 ti: 00000000324e4000 task.ti: 00000000324e4000
Krnl PSW : 0404c00180000000 0000000000156346 (dma_update_cpu_trans+0x9e/0xa8)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
Krnl GPRS: 00000000324e7bcd 0000000000c3c34a 0000000027628298 000000003215b400
           0000000000000400 0000000000001fff 0000000000000400 0000000116853000
           07000000324e7b1e 0000000000000001 0000000000000001 0000000000000001
           0000000000001000 0000000116854000 0000000000156402 00000000324e7a38
Krnl Code: 000000000015633a: 95001000           cli     0(%r1),0
           000000000015633e: a774ffc3           brc     7,1562c4
          #0000000000156342: a7f40001           brc     15,156344
          &gt;0000000000156346: 92011000           mvi     0(%r1),1
           000000000015634a: a7f4ffbd           brc     15,1562c4
           000000000015634e: 0707               bcr     0,%r7
           0000000000156350: c00400000000       brcl    0,156350
           0000000000156356: eb7ff0500024       stmg    %r7,%r15,80(%r15)
Call Trace:
([&lt;00000000001563e0&gt;] dma_update_trans+0x90/0x228)
 [&lt;00000000001565dc&gt;] s390_dma_unmap_pages+0x64/0x160
 [&lt;00000000001567c2&gt;] s390_dma_free+0x62/0x98
 [&lt;000003ff801310ce&gt;] __genwqe_free_consistent+0x56/0x70 [genwqe_card]
 [&lt;000003ff801316d0&gt;] genwqe_free_sync_sgl+0xf8/0x160 [genwqe_card]
 [&lt;000003ff8012bd6e&gt;] ddcb_cmd_cleanup+0x86/0xa8 [genwqe_card]
 [&lt;000003ff8012c1c0&gt;] do_execute_ddcb+0x110/0x348 [genwqe_card]
 [&lt;000003ff8012c914&gt;] genwqe_ioctl+0x51c/0xc20 [genwqe_card]
 [&lt;000000000032513a&gt;] do_vfs_ioctl+0x3b2/0x518
 [&lt;0000000000325344&gt;] SyS_ioctl+0xa4/0xb8
 [&lt;00000000007b86c6&gt;] system_call+0xd6/0x264
 [&lt;000003ff9e8e520a&gt;] 0x3ff9e8e520a
Last Breaking-Event-Address:
 [&lt;0000000000156342&gt;] dma_update_cpu_trans+0x9a/0xa8
---[ end trace 35996336235145c8 ]---
BUG: Bad page state in process jbd2/dasdb1-8  pfn:3215b
page:000003d100c856c0 count:-1 mapcount:0 mapping:          (null) index:0x0
flags: 0x3fffc0000000000()
page dumped because: nonzero _count

Signed-off-by: Gerald Schaefer &lt;gerald.schaefer@de.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a7a7aeefbca2982586ba2c9fd7739b96416a6d1d upstream.

When interrupting an application which was allocating DMAable
memory, it was possible, that the DMA memory was deallocated
twice, leading to the error symptoms below.

Thanks to Gerald, who analyzed the problem and provided this
patch.

I agree with his analysis of the problem: ddcb_cmd_fixups() -&gt;
genwqe_alloc_sync_sgl() (fails in f/lpage, but sgl-&gt;sgl != NULL
and f/lpage maybe also != NULL) -&gt; ddcb_cmd_cleanup() -&gt;
genwqe_free_sync_sgl() (double free, because sgl-&gt;sgl != NULL and
f/lpage maybe also != NULL)

In this scenario we would have exactly the kind of double free that
would explain the WARNING / Bad page state, and as expected it is
caused by broken error handling (cleanup).

Using the Ubuntu git source, tag Ubuntu-4.4.0-33.52, he was able to reproduce
the "Bad page state" issue, and with the patch on top he could not reproduce
it any more.

------------[ cut here ]------------
WARNING: at /build/linux-o03cxz/linux-4.4.0/arch/s390/include/asm/pci_dma.h:141
Modules linked in: qeth_l2 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common genwqe_card qeth crc_itu_t qdio ccwgroup vmur dm_multipath dasd_eckd_mod dasd_mod
CPU: 2 PID: 3293 Comm: genwqe_gunzip Not tainted 4.4.0-33-generic #52-Ubuntu
task: 0000000032c7e270 ti: 00000000324e4000 task.ti: 00000000324e4000
Krnl PSW : 0404c00180000000 0000000000156346 (dma_update_cpu_trans+0x9e/0xa8)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
Krnl GPRS: 00000000324e7bcd 0000000000c3c34a 0000000027628298 000000003215b400
           0000000000000400 0000000000001fff 0000000000000400 0000000116853000
           07000000324e7b1e 0000000000000001 0000000000000001 0000000000000001
           0000000000001000 0000000116854000 0000000000156402 00000000324e7a38
Krnl Code: 000000000015633a: 95001000           cli     0(%r1),0
           000000000015633e: a774ffc3           brc     7,1562c4
          #0000000000156342: a7f40001           brc     15,156344
          &gt;0000000000156346: 92011000           mvi     0(%r1),1
           000000000015634a: a7f4ffbd           brc     15,1562c4
           000000000015634e: 0707               bcr     0,%r7
           0000000000156350: c00400000000       brcl    0,156350
           0000000000156356: eb7ff0500024       stmg    %r7,%r15,80(%r15)
Call Trace:
([&lt;00000000001563e0&gt;] dma_update_trans+0x90/0x228)
 [&lt;00000000001565dc&gt;] s390_dma_unmap_pages+0x64/0x160
 [&lt;00000000001567c2&gt;] s390_dma_free+0x62/0x98
 [&lt;000003ff801310ce&gt;] __genwqe_free_consistent+0x56/0x70 [genwqe_card]
 [&lt;000003ff801316d0&gt;] genwqe_free_sync_sgl+0xf8/0x160 [genwqe_card]
 [&lt;000003ff8012bd6e&gt;] ddcb_cmd_cleanup+0x86/0xa8 [genwqe_card]
 [&lt;000003ff8012c1c0&gt;] do_execute_ddcb+0x110/0x348 [genwqe_card]
 [&lt;000003ff8012c914&gt;] genwqe_ioctl+0x51c/0xc20 [genwqe_card]
 [&lt;000000000032513a&gt;] do_vfs_ioctl+0x3b2/0x518
 [&lt;0000000000325344&gt;] SyS_ioctl+0xa4/0xb8
 [&lt;00000000007b86c6&gt;] system_call+0xd6/0x264
 [&lt;000003ff9e8e520a&gt;] 0x3ff9e8e520a
Last Breaking-Event-Address:
 [&lt;0000000000156342&gt;] dma_update_cpu_trans+0x9a/0xa8
---[ end trace 35996336235145c8 ]---
BUG: Bad page state in process jbd2/dasdb1-8  pfn:3215b
page:000003d100c856c0 count:-1 mapcount:0 mapping:          (null) index:0x0
flags: 0x3fffc0000000000()
page dumped because: nonzero _count

Signed-off-by: Gerald Schaefer &lt;gerald.schaefer@de.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mei: txe: don't clean an unprocessed interrupt cause.</title>
<updated>2017-02-23T03:54:20+00:00</updated>
<author>
<name>Alexander Usyskin</name>
<email>alexander.usyskin@intel.com</email>
</author>
<published>2016-10-18T22:34:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=47e1befd550ccacf735afb640d17cf55e4d4b8ec'/>
<id>47e1befd550ccacf735afb640d17cf55e4d4b8ec</id>
<content type='text'>
commit 43605e293eb13c07acb546c14f407a271837af17 upstream.

SEC registers are not accessible when the TXE device is in low power
state, hence the SEC interrupt cannot be processed if device is not
awake.

In some rare cases entrance to low power state (aliveness off) and input
ready bits can be signaled at the same time, resulting in communication
stall as input ready won't be signaled again after waking up. To resolve
this IPC_HHIER_SEC bit in HHISR_REG should not be cleaned if the
interrupt is not processed.

Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 43605e293eb13c07acb546c14f407a271837af17 upstream.

SEC registers are not accessible when the TXE device is in low power
state, hence the SEC interrupt cannot be processed if device is not
awake.

In some rare cases entrance to low power state (aliveness off) and input
ready bits can be signaled at the same time, resulting in communication
stall as input ready won't be signaled again after waking up. To resolve
this IPC_HHIER_SEC bit in HHISR_REG should not be cleaned if the
interrupt is not processed.

Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>misc: mic: Fix for double fetch security bug in VOP driver</title>
<updated>2016-08-22T21:38:29+00:00</updated>
<author>
<name>Ashutosh Dixit</name>
<email>ashutosh.dixit@intel.com</email>
</author>
<published>2016-04-27T21:36:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=72aaf646fb6b6f8f7befb44cbd5b1acd3bb5b483'/>
<id>72aaf646fb6b6f8f7befb44cbd5b1acd3bb5b483</id>
<content type='text'>
commit 9bf292bfca94694a721449e3fd752493856710f6 upstream.

The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang &lt;wpengfeinudt@gmail.com&gt;
Reviewed-by: Sudeep Dutt &lt;sudeep.dutt@intel.com&gt;
Signed-off-by: Ashutosh Dixit &lt;ashutosh.dixit@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Adjust filename, context
 - goto exit on failure]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9bf292bfca94694a721449e3fd752493856710f6 upstream.

The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang &lt;wpengfeinudt@gmail.com&gt;
Reviewed-by: Sudeep Dutt &lt;sudeep.dutt@intel.com&gt;
Signed-off-by: Ashutosh Dixit &lt;ashutosh.dixit@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Adjust filename, context
 - goto exit on failure]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors</title>
<updated>2016-04-30T22:05:52+00:00</updated>
<author>
<name>Michael Hennerich</name>
<email>michael.hennerich@analog.com</email>
</author>
<published>2016-02-22T09:20:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1355472bf466c15303667b4ff7b5324efe1037b7'/>
<id>1355472bf466c15303667b4ff7b5324efe1037b7</id>
<content type='text'>
commit f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577 upstream.

Fix RDAC read back errors caused by a typo. Value must shift by 2.

Fixes: a4bd394956f2 ("drivers/misc/ad525x_dpot.c: new features")
Signed-off-by: Michael Hennerich &lt;michael.hennerich@analog.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577 upstream.

Fix RDAC read back errors caused by a typo. Value must shift by 2.

Fixes: a4bd394956f2 ("drivers/misc/ad525x_dpot.c: new features")
Signed-off-by: Michael Hennerich &lt;michael.hennerich@analog.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mei: fix format string in debug prints</title>
<updated>2016-04-30T22:05:49+00:00</updated>
<author>
<name>Alexander Usyskin</name>
<email>alexander.usyskin@intel.com</email>
</author>
<published>2016-02-17T16:27:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6efef4d65461d7b21284a96bb7d2b365a08de6c7'/>
<id>6efef4d65461d7b21284a96bb7d2b365a08de6c7</id>
<content type='text'>
commit 35bf7692e765c2275bf93fe573f7ca868ab73453 upstream.

buf_idx type was changed to size_t, and few places
missed out to change the print format from %ld to %zu.
Use also uz for buf.size which is also of size_t

Fixes:
commit 56988f22e097 ("mei: fix possible integer overflow issue")'

Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 35bf7692e765c2275bf93fe573f7ca868ab73453 upstream.

buf_idx type was changed to size_t, and few places
missed out to change the print format from %ld to %zu.
Use also uz for buf.size which is also of size_t

Fixes:
commit 56988f22e097 ("mei: fix possible integer overflow issue")'

Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mei: fix possible integer overflow issue</title>
<updated>2016-04-30T22:05:49+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2016-02-07T21:35:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2e7adcd5a04c9147c441ef156ad94178bee862c1'/>
<id>2e7adcd5a04c9147c441ef156ad94178bee862c1</id>
<content type='text'>
commit f862b6b24f0ffd954633a55f39251a6873b664ca upstream.

There is a possible integer overflow following by a buffer overflow
when accumulating messages coming from the FW to compose a full payload.
Occurrence of wrap around has to be prevented for next message size
calculation.
For unsigned integer the addition overflow has occurred when the
result is smaller than one of the arguments.
To simplify the fix, the types of buf.size and buf_idx are set to the
same width, namely size_t also to be aligned with the type of length
parameter in file read/write ops.

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Adjust context, indentation
 - Return error directly, rather than through cb-&gt;status and the completion list
 - Fix up additional format string in mei_cl_write()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f862b6b24f0ffd954633a55f39251a6873b664ca upstream.

There is a possible integer overflow following by a buffer overflow
when accumulating messages coming from the FW to compose a full payload.
Occurrence of wrap around has to be prevented for next message size
calculation.
For unsigned integer the addition overflow has occurred when the
result is smaller than one of the arguments.
To simplify the fix, the types of buf.size and buf_idx are set to the
same width, namely size_t also to be aligned with the type of length
parameter in file read/write ops.

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
[bwh: Backported to 3.16:
 - Adjust context, indentation
 - Return error directly, rather than through cb-&gt;status and the completion list
 - Fix up additional format string in mei_cl_write()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
