linux-stable.git/drivers/staging, branch v3.12.2 Linux kernel stable tree staging: comedi: avoid memleak for subdevice private 2013-11-29T19:27:56+00:00 Ian Abbott abbotti@mev.co.uk 2013-10-07T14:51:58+00:00 adf0c46683b2c5b3ba261b21b68ad6e6b7592b89 commit 67aa4acbc97f6a55b328e4e2305ef19cbe949d85 upstream. `comedi_alloc_spriv()` allocates private storage for a comedi subdevice and sets the `SRF_FREE_SPRIV` flag in the `runflags` member of the subdevice to allow the private storage to be automatically freed when the comedi device is being cleaned up. Unfortunately, the flag gets clobbered by `do_cmd_ioctl()` which calls `comedi_set_subdevice_runflags()` with a mask value `~0` and only the `SRF_USER` and `SRF_RUNNING` flags set, all the other SRF flags being cleared. Change the calls to `comedi_set_subdevice_runflags()` that currently use a mask value of `~0` to use a more relevant mask value. For `do_cmd_ioctl()`, the relevant SRF flags are `SRF_USER`, `SRF_ERROR` and `SRF_RUNNING`. (At one time, `SRF_RT` would be included in that set of flags, but it is no longer used.) For `comedi_alloc_spriv()` replace the call to `comedi_set_subdevice_runflags()` with a simple OR-assignment to avoid unnecessary use of a spin-lock. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 67aa4acbc97f6a55b328e4e2305ef19cbe949d85 upstream.

`comedi_alloc_spriv()` allocates private storage for a comedi subdevice
and sets the `SRF_FREE_SPRIV` flag in the `runflags` member of the
subdevice to allow the private storage to be automatically freed when
the comedi device is being cleaned up.  Unfortunately, the flag gets
clobbered by `do_cmd_ioctl()` which calls
`comedi_set_subdevice_runflags()` with a mask value `~0` and only the
`SRF_USER` and `SRF_RUNNING` flags set, all the other SRF flags being
cleared.

Change the calls to `comedi_set_subdevice_runflags()` that currently use
a mask value of `~0` to use a more relevant mask value.  For
`do_cmd_ioctl()`, the relevant SRF flags are `SRF_USER`, `SRF_ERROR` and
`SRF_RUNNING`.  (At one time, `SRF_RT` would be included in that set of
flags, but it is no longer used.)  For `comedi_alloc_spriv()` replace
the call to `comedi_set_subdevice_runflags()` with a simple
OR-assignment to avoid unnecessary use of a spin-lock.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: r8188eu: Set device type to wlan 2013-11-29T19:27:56+00:00 Larry Finger Larry.Finger@lwfinger.net 2013-10-22T03:15:05+00:00 32f33da06f1b769fc7f9088bee344880cb70536a commit 0d1206be229697f897f00822bc142e66da731417 upstream. The latest version of NetworkManager does not recognize the device as wireless without this change. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 0d1206be229697f897f00822bc142e66da731417 upstream.

The latest version of NetworkManager does not recognize the device as wireless
without this change.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging: zram: Fix access of NULL pointer 2013-11-29T19:27:56+00:00 Rashika Kheria rashika.kheria@gmail.com 2013-10-30T13:06:32+00:00 5cf7798500bbdf71d6587d108c48364d69331c79 commit 46a51c80216cb891f271ad021f59009f34677499 upstream. This patch fixes the bug in reset_store caused by accessing NULL pointer. The bdev gets its value from bdget_disk() which could fail when memory pressure is severe and hence can return NULL because allocation of inode in bdget could fail. Hence, this patch introduces a check for bdev to prevent reference to a NULL pointer in the later part of the code. It also removes unnecessary check of bdev for fsync_bdev(). Acked-by: Jerome Marchand <jmarchan@redhat.com> Signed-off-by: Rashika Kheria <rashika.kheria@gmail.com> Acked-by: Minchan Kim <minchan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 46a51c80216cb891f271ad021f59009f34677499 upstream.

This patch fixes the bug in reset_store caused by accessing NULL pointer.

The bdev gets its value from bdget_disk() which could fail when memory
pressure is severe and hence can return NULL because allocation of
inode in bdget could fail.

Hence, this patch introduces a check for bdev to prevent reference to a
NULL pointer in the later part of the code. It also removes unnecessary
check of bdev for fsync_bdev().

Acked-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Rashika Kheria <rashika.kheria@gmail.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: ashmem: Fix ASHMEM_PURGE_ALL_CACHES return value 2013-11-29T19:27:54+00:00 John Stultz john.stultz@linaro.org 2013-10-21T16:58:07+00:00 9d7e7af2818ec88bc6973837c67ef8cf59df7e48 commit 5957324045ba2c127c9401fa3ac61ac52e043ca8 upstream. Hopefully this isn't too late for 3.12. In commit 7dc19d5aff (convert shrinkers to new count/scan API) the return value to PURGE_ALL_CACHES was dropped, causing -EPERM to always be returned. This patch re-adds the ret assignment, setting it to the the ashmem_shrink_count(), which is the lru_count. (Sorry this was missed in the review!) Fixes: 7dc19d5affd7 ("convert shrinkers to new count/scan API") Cc: Colin Cross <ccross@android.com> Cc: Android Kernel Team <kernel-team@android.com> Cc: Glauber Costa <glommer@openvz.org> Reported-by: YongQin Liu <yongqin.liu@linaro.org> Signed-off-by: John Stultz <john.stultz@linaro.org> Acked-by: Dave Chinner <dchinner@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 5957324045ba2c127c9401fa3ac61ac52e043ca8 upstream.

Hopefully this isn't too late for 3.12.

In commit 7dc19d5aff (convert shrinkers to new count/scan API)
the return value to PURGE_ALL_CACHES was dropped, causing -EPERM
to always be returned.

This patch re-adds the ret assignment, setting it to the the
ashmem_shrink_count(), which is the lru_count.

(Sorry this was missed in the review!)

Fixes: 7dc19d5affd7 ("convert shrinkers to new count/scan API")
Cc: Colin Cross <ccross@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Cc: Glauber Costa <glommer@openvz.org>
Reported-by: YongQin Liu <yongqin.liu@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Acked-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging: sb105x: info leak in mp_get_count() 2013-10-30T19:24:50+00:00 Dan Carpenter dan.carpenter@oracle.com 2013-10-29T20:01:43+00:00 a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
The icount.reserved[] array isn't initialized so it leaks stack
information to userspace.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Staging: bcm: info leak in ioctl 2013-10-30T19:24:49+00:00 Dan Carpenter dan.carpenter@oracle.com 2013-10-29T20:01:11+00:00 8d1e72250c847fa96498ec029891de4dc638a5ba The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
information to user space.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
staging: wlags49_h2: buffer overflow setting station name 2013-10-30T19:24:49+00:00 Dan Carpenter dan.carpenter@oracle.com 2013-10-29T20:00:15+00:00 b5e2f339865fb443107e5b10603e53bbc92dc054 We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
We need to check the length parameter before doing the memcpy().  I've
actually changed it to strlcpy() as well so that it's NUL terminated.

You need CAP_NET_ADMIN to trigger these so it's not the end of the
world.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
staging: ozwpan: prevent overflow in oz_cdev_write() 2013-10-30T19:24:49+00:00 Dan Carpenter dan.carpenter@oracle.com 2013-10-29T19:07:47+00:00 c2c65cd2e14ada6de44cb527e7f1990bede24e15 We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
We need to check "count" so we don't overflow the ei->data buffer.

Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2013-10-23T06:52:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2013-10-23T06:52:36+00:00 f4e5e14f53691871c25ec3925010ab4edbf73391 Pull media fixes from Mauro Carvalho Chehab: - Compilation fixes for GCC < 4.4.6 - one Kbuild dependency select fix (selecting videobuf on msi3101) - driver fixes on tda10071, e4000, msi3101, soc_camera, s5p-jpeg, saa7134 and adv7511 - some device quirks needed to make them work properly - some videobuf2 core regression fixes for some features used only on embedded drivers * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: [media] saa7134: Fix crash when device is closed before streamoff [media] adv7511: fix error return code in adv7511_probe() [media] ths8200: fix compilation with GCC < 4.4.6 [media] ad9389b: fix compilation with GCC < 4.4.6 [media] adv7511: fix compilation with GCC < 4.4.6 [media] adv7842: fix compilation with GCC < 4.4.6 [media] s5p-jpeg: Initialize vfd_decoder->vfl_dir field [media] videobuf2-dc: Fix support for mappings without struct page in userptr mode [media] vb2: Allow queuing OUTPUT buffers with zeroed 'bytesused' [media] mx3-camera: locking cleanup in mx3_videobuf_queue() [media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out() [media] tda10071: change firmware download condition [media] msi3101: correct max videobuf2 alloc [media] Add HCL T12Rg-H to STK webcam upside-down table [media] msi3101: Kconfig select VIDEOBUF2_VMALLOC [media] msi3101: msi3101_ioctl_ops can be static [media] e4000: fix PLL calc bug on 32-bit arch [media] uvcvideo: quirk PROBE_DEF for Microsoft Lifecam NX-3000 [media] uvcvideo: quirk PROBE_DEF for Dell SP2008WFP monitor 
Pull media fixes from Mauro Carvalho Chehab:
 - Compilation fixes for GCC < 4.4.6
 - one Kbuild dependency select fix (selecting videobuf on msi3101)
 - driver fixes on tda10071, e4000, msi3101, soc_camera, s5p-jpeg,
   saa7134 and adv7511
 - some device quirks needed to make them work properly
 - some videobuf2 core regression fixes for some features used only on
   embedded drivers

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] saa7134: Fix crash when device is closed before streamoff
  [media] adv7511: fix error return code in adv7511_probe()
  [media] ths8200: fix compilation with GCC < 4.4.6
  [media] ad9389b: fix compilation with GCC < 4.4.6
  [media] adv7511: fix compilation with GCC < 4.4.6
  [media] adv7842: fix compilation with GCC < 4.4.6
  [media] s5p-jpeg: Initialize vfd_decoder->vfl_dir field
  [media] videobuf2-dc: Fix support for mappings without struct page in userptr mode
  [media] vb2: Allow queuing OUTPUT buffers with zeroed 'bytesused'
  [media] mx3-camera: locking cleanup in mx3_videobuf_queue()
  [media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out()
  [media] tda10071: change firmware download condition
  [media] msi3101: correct max videobuf2 alloc
  [media] Add HCL T12Rg-H to STK webcam upside-down table
  [media] msi3101: Kconfig select VIDEOBUF2_VMALLOC
  [media] msi3101: msi3101_ioctl_ops can be static
  [media] e4000: fix PLL calc bug on 32-bit arch
  [media] uvcvideo: quirk PROBE_DEF for Microsoft Lifecam NX-3000
  [media] uvcvideo: quirk PROBE_DEF for Dell SP2008WFP monitor
staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice 2013-10-03T21:27:32+00:00 Ian Abbott abbotti@mev.co.uk 2013-10-02T13:57:51+00:00 677a31565692d596ef42ea589b53ba289abf4713 The `insn_bits` handler `ni_65xx_dio_insn_bits()` has a `for` loop that currently writes (optionally) and reads back up to 5 "ports" consisting of 8 channels each. It reads up to 32 1-bit channels but can only read and write a whole port at once - it needs to handle up to 5 ports as the first channel it reads might not be aligned on a port boundary. It breaks out of the loop early if the next port it handles is beyond the final port on the card. It also breaks out early on the 5th port in the loop if the first channel was aligned. Unfortunately, it doesn't check that the current port it is dealing with belongs to the comedi subdevice the `insn_bits` handler is acting on. That's a bug. Redo the `for` loop to terminate after the final port belonging to the subdevice, changing the loop variable in the process to simplify things a bit. The `for` loop could now try and handle more than 5 ports if the subdevice has more than 40 channels, but the test `if (bitshift >= 32)` ensures it will break out early after 4 or 5 ports (depending on whether the first channel is aligned on a port boundary). (`bitshift` will be between -7 and 7 inclusive on the first iteration, increasing by 8 for each subsequent operation.) Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Cc: <stable@vger.kernel.org> # 3.10.y 3.11.y 3.12.y Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The `insn_bits` handler `ni_65xx_dio_insn_bits()` has a `for` loop that
currently writes (optionally) and reads back up to 5 "ports" consisting
of 8 channels each.  It reads up to 32 1-bit channels but can only read
and write a whole port at once - it needs to handle up to 5 ports as the
first channel it reads might not be aligned on a port boundary.  It
breaks out of the loop early if the next port it handles is beyond the
final port on the card.  It also breaks out early on the 5th port in the
loop if the first channel was aligned.  Unfortunately, it doesn't check
that the current port it is dealing with belongs to the comedi subdevice
the `insn_bits` handler is acting on.  That's a bug.

Redo the `for` loop to terminate after the final port belonging to the
subdevice, changing the loop variable in the process to simplify things
a bit.  The `for` loop could now try and handle more than 5 ports if the
subdevice has more than 40 channels, but the test `if (bitshift >= 32)`
ensures it will break out early after 4 or 5 ports (depending on whether
the first channel is aligned on a port boundary).  (`bitshift` will be
between -7 and 7 inclusive on the first iteration, increasing by 8 for
each subsequent operation.)

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: <stable@vger.kernel.org> # 3.10.y 3.11.y 3.12.y
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>