linux-stable.git/drivers/staging, branch v3.6.7 Linux kernel stable tree staging: comedi: amplc_pc236: fix possible NULL deref during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:18+00:00 6c04efd97dd25596a1bf80cc1c518fe7e451cc1e commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream. `pc236_detach()` is called by the comedi core to clean up if either `pc236_attach()` or `pc236_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `pc236_attach()` fails, but not if `pc236_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `pc236_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream.

`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: amplc_pc236: fix invalid register access during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:17+00:00 ec7fe3d6e91ff29ee3000e35f13f5eb3df2eca30 commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream. `pc236_detach()` is called by the comedi core if it attempted to attach a device and failed. `pc236_detach()` calls `pc236_intr_disable()` if the comedi device private data pointer (`devpriv`) is non-null. This test is insufficient as `pc236_intr_disable()` accesses hardware registers and the attach routine may have failed before it has saved their I/O base addresses. Fix it by checking `dev->iobase` is non-zero before calling `pc236_intr_disable()` as that means the I/O base addresses have been saved and the hardware registers can be accessed. It also implies the comedi device private data pointer is valid, so there is no need to check it. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream.

`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed.  `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null.  This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.

Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed.  It also implies the
comedi device private data pointer is valid, so there is no need to
check it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: amplc_pc263: fix possible NULL deref during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:19+00:00 3792dd12ee4419bc276cd321c8f74506a37aa93d commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream. `pc263_detach()` is called by the comedi core to clean up if either `pc263_attach()` or `pc263_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `pc263_attach()` fails, but not if `pc263_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `pc263_detach()` and return early if it is `NULL`. This is okay because no other resources need cleaning up in this case. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream.

`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`.  This is okay because no other resources need cleaning up in
this case.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: amplc_dio200: fix possible NULL deref during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:16+00:00 6f9445326d4a262a863cc634fd377c5ca562e17d commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream. `dio200_detach()` is called by the comedi core to clean up if either `dio200_attach()` or `dio200_attach_pci()` return an error. It assigns `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. In the case of a previous call to `dio200_attach()` it won't be `NULL` because the comedi core will have pointed it to one of the elements of `dio200_boards[]`, but in the case of a previous call to `dio200_attach_pci()` it could be `NULL`, leading to a null pointer dereference. Check that `thisboard` is valid at the top of `dio200_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream.

`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error.  It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.

Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`.  This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: ni_labpc: fix possible NULL deref during detach 2012-10-31T17:09:59+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:21+00:00 9f275003e609824e738b22caef0020d5c4a4def5 commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream. `labpc_common_detach()` is called by the comedi core to clean up if either `labpc_attach()` (including the one in the "ni_labpc_cs" module) or `labpc_attach_pci()` returns an error. It assumes the `thisboard` macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is non-null. This is a valid assumption if `labpc_attach()` fails, but not if `labpc_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `labpc_common_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream.

`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error.  It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null.  This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`.  This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: ni_daq_700: fix dio subdevice regression 2012-10-31T17:09:59+00:00 Fred Brooks nsaspook@nsaspook.com 2012-10-02T10:10:26+00:00 8098a2e23e88e979566c78e68aec11fa21808df0 commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream. Here is a small patch to fix a problem caused by a previous patch that removed the callback function. The callback remove patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a I finally booted my dev machine on the latest kernel (running Debian here so it's still on 3.2 normally) to test the ni_daq_700 driver with my test program and noticed this bug. Shift the DIO_R read result to bits 8..15 Digital direction configuration: channels 0-7 output, 8-15 input (8225 device emu as port A output, port B input, port C N/A). Signed-off-by: Fred Brooks <nsaspook@nsaspook.com> Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream.

Here is a small patch to fix a problem caused by a previous patch that
removed the  callback function.  The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a

I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.

Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).

Signed-off-by: Fred Brooks <nsaspook@nsaspook.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: das08: fix possible NULL deref during detach 2012-10-31T17:09:59+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:20+00:00 d136f0fd47d9953139381c8af74976de86eeb224 commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream. `das08_detach()` is called by the comedi core to clean up if either `das08_attach()` or `das08_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `das08_attach()` fails, but not if `das08_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `das08_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream.

`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: zram: Fix handling of incompressible pages 2012-10-31T17:09:59+00:00 Nitin Gupta ngupta@vflare.org 2012-10-11T00:42:18+00:00 88d5e653e2282bda43459dd577f3841f6ef140bf commit c8f2f0db1d0294aaf37e8a85bea9bbc4aaf5c0fe upstream. Change 130f315a (staging: zram: remove special handle of uncompressed page) introduced a bug in the handling of incompressible pages which resulted in memory allocation failure for such pages. When a page expands on compression, say from 4K to 4K+30, we were trying to do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can allocate is PAGE_SIZE (for obvious reasons), so such allocation requests always return failure (0). For a page that has compressed size larger than the original size (this may happen with already compressed or random data), there is no point storing the compressed version as that would take more space and would also require time for decompression when needed again. So, the fix is to store any page, whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e. without compression. Memory required for storing this uncompressed page can then be requested from zsmalloc which supports PAGE_SIZE sized allocations. Lastly, the fix checks that we do not attempt to "decompress" the page which we stored in the uncompressed form -- we just memcpy() out such pages. Signed-off-by: Nitin Gupta <ngupta@vflare.org> Reported-by: viechweg@gmail.com Reported-by: paerley@gmail.com Reported-by: wu.tommy@gmail.com Acked-by: Minchan Kim <minchan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit c8f2f0db1d0294aaf37e8a85bea9bbc4aaf5c0fe upstream.

Change 130f315a (staging: zram: remove special handle of uncompressed page)
introduced a bug in the handling of incompressible pages which resulted in
memory allocation failure for such pages.

When a page expands on compression, say from 4K to 4K+30, we were trying to
do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can
allocate is PAGE_SIZE (for obvious reasons), so such allocation requests
always return failure (0).

For a page that has compressed size larger than the original size (this may
happen with already compressed or random data), there is no point storing
the compressed version as that would take more space and would also require
time for decompression when needed again. So, the fix is to store any page,
whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e.
without compression.  Memory required for storing this uncompressed page can
then be requested from zsmalloc which supports PAGE_SIZE sized allocations.

Lastly, the fix checks that we do not attempt to "decompress" the page which
we stored in the uncompressed form -- we just memcpy() out such pages.

Signed-off-by: Nitin Gupta <ngupta@vflare.org>
Reported-by: viechweg@gmail.com
Reported-by: paerley@gmail.com
Reported-by: wu.tommy@gmail.com
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging: android: binder: Allow using highmem for binder buffers 2012-10-31T17:09:59+00:00 Arve Hjønnevåg arve@android.com 2012-10-16T22:29:55+00:00 e4c52c43352370daf54ba0cbe9476f593d89b0de commit 585650dcec88e704a19bb226a34b6a7166111623 upstream. The default kernel mapping for the pages allocated for the binder buffers is never used. Set the __GFP_HIGHMEM flag when allocating these pages so we don't needlessly use low memory pages that may be required elsewhere. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 585650dcec88e704a19bb226a34b6a7166111623 upstream.

The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Staging: android: binder: Fix memory leak on thread/process exit 2012-10-31T17:09:58+00:00 Arve Hjønnevåg arve@android.com 2012-10-16T22:29:54+00:00 ab261cc53424005d6d079320c4f73344c0a1750d commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream. If a thread or process exited while a reply, one-way transaction or death notification was pending, the struct holding the pending work was leaked. Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream.

If a thread or process exited while a reply, one-way transaction or
death notification was pending, the struct holding the pending work
was leaked.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>