From fcff311c938c95c90573c060d37648df00e45017 Mon Sep 17 00:00:00 2001 From: Alan Cox Date: Wed, 21 Mar 2012 12:32:32 +0000 Subject: [PATCH 01/19] staging: sep: Fix sign of error One of our errors wasn't negative as intended. Fix this. (Found by Hillf Danton) While we are at it turn user causable messages down to dev_dbg level in the ioctl paths. Signed-off-by: Alan Cox Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/staging/sep/sep_main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/staging/sep/sep_main.c b/drivers/staging/sep/sep_main.c index ad54c2e5c932..f1701bc6e312 100644 --- a/drivers/staging/sep/sep_main.c +++ b/drivers/staging/sep/sep_main.c @@ -3114,7 +3114,7 @@ static long sep_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) current->pid); if (1 == test_bit(SEP_LEGACY_SENDMSG_DONE_OFFSET, &call_status->status)) { - dev_warn(&sep->pdev->dev, + dev_dbg(&sep->pdev->dev, "[PID%d] dcb prep needed before send msg\n", current->pid); error = -EPROTO; @@ -3122,9 +3122,9 @@ static long sep_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) } if (!arg) { - dev_warn(&sep->pdev->dev, + dev_dbg(&sep->pdev->dev, "[PID%d] dcb null arg\n", current->pid); - error = EINVAL; + error = -EINVAL; goto end_function; } From eaa004a4ba3264d17d7e6882948a7980e14e9d20 Mon Sep 17 00:00:00 2001 From: Gerard Snitselaar Date: Fri, 23 Mar 2012 03:21:05 -0700 Subject: [PATCH 02/19] staging/vme: Fix module parameters loopback should be declared bool, and variant probably shouldn't be const. Signed-off-by: Gerard Snitselaar Acked-by: Martyn Welch Signed-off-by: Greg Kroah-Hartman --- drivers/staging/vme/devices/vme_pio2_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/vme/devices/vme_pio2_core.c b/drivers/staging/vme/devices/vme_pio2_core.c index 9fedc442a779..573c80003f0c 100644 --- a/drivers/staging/vme/devices/vme_pio2_core.c +++ b/drivers/staging/vme/devices/vme_pio2_core.c @@ -35,10 +35,10 @@ static int vector[PIO2_CARDS_MAX]; static int vector_num; static int level[PIO2_CARDS_MAX]; static int level_num; -static const char *variant[PIO2_CARDS_MAX]; +static char *variant[PIO2_CARDS_MAX]; static int variant_num; -static int loopback; +static bool loopback; static int pio2_match(struct vme_dev *); static int __devinit pio2_probe(struct vme_dev *); From 50637f050e88fb175135de62a53be33c374a5349 Mon Sep 17 00:00:00 2001 From: Dan Magenheimer Date: Fri, 23 Mar 2012 09:40:15 -0700 Subject: [PATCH 03/19] staging: ramster: unbreak my heart The just-merged ramster staging driver was dependent on a cleanup patch in cleancache, so was marked CONFIG_BROKEN until that patch could be merged. That cleancache patch is now merged (and the correct SHA of the cleancache patch is 3167760f83899ccda312b9ad9306ec9e5dda06d4 rather than the one shown in the comment removed in the patch below). So remove the CONFIG_BROKEN now and the comment that is no longer true... Signed-off-by: Dan Magenheimer Signed-off-by: Greg Kroah-Hartman --- drivers/staging/ramster/Kconfig | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/staging/ramster/Kconfig b/drivers/staging/ramster/Kconfig index 8b57b87edda4..4af1f8d4b953 100644 --- a/drivers/staging/ramster/Kconfig +++ b/drivers/staging/ramster/Kconfig @@ -1,10 +1,6 @@ -# Dependency on CONFIG_BROKEN is because there is a commit dependency -# on a cleancache naming change to be submitted by Konrad Wilk -# a39c00ded70339603ffe1b0ffdf3ade85bcf009a "Merge branch 'stable/cleancache.v13' -# into linux-next. Once this commit is present, BROKEN can be removed config RAMSTER bool "Cross-machine RAM capacity sharing, aka peer-to-peer tmem" - depends on (CLEANCACHE || FRONTSWAP) && CONFIGFS_FS=y && !ZCACHE && !XVMALLOC && !HIGHMEM && BROKEN + depends on (CLEANCACHE || FRONTSWAP) && CONFIGFS_FS=y && !ZCACHE && !XVMALLOC && !HIGHMEM select LZO_COMPRESS select LZO_DECOMPRESS default n From 218f4d437d69b4621f36affd52dcd6343597149a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lothar=20Wa=C3=9Fmann?= Date: Sat, 24 Mar 2012 07:19:25 +0100 Subject: [PATCH 04/19] staging:iio:core add missing increment of loop index in iio_map_array_unregister() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit staging:iio:core add missing increment of loop index in iio_map_array_unregister() Signed-off-by: Lothar Waßmann Acked-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- drivers/staging/iio/inkern.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/iio/inkern.c b/drivers/staging/iio/inkern.c index de2c8ea64965..ef07a02bf542 100644 --- a/drivers/staging/iio/inkern.c +++ b/drivers/staging/iio/inkern.c @@ -82,6 +82,7 @@ int iio_map_array_unregister(struct iio_dev *indio_dev, ret = -ENODEV; goto error_ret; } + i++; } error_ret: mutex_unlock(&iio_map_list_lock); From 401c90e56c48b1c642507a8bec91b7ae21f1156e Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Sat, 24 Mar 2012 23:39:18 +0100 Subject: [PATCH 05/19] staging/media/as102: Don't call release_firmware() on uninitialized variable If, in drivers/staging/media/as102/as102_fw.c::as102_fw_upload(), the call cmd_buf = kzalloc(MAX_FW_PKT_SIZE, GFP_KERNEL); should fail and return NULL so that we jump to the 'error:' label, then we'll end up calling 'release_firmware(firmware);' with 'firmware' still uninitialized - not good. The easy fix is to just initialize 'firmware' to NULL when we declare it, since release_firmware() deals gracefully with being passed NULL pointers. Signed-off-by: Jesper Juhl Signed-off-by: Greg Kroah-Hartman --- drivers/staging/media/as102/as102_fw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/media/as102/as102_fw.c b/drivers/staging/media/as102/as102_fw.c index 43ebc43e6b9a..1075fb1df0d9 100644 --- a/drivers/staging/media/as102/as102_fw.c +++ b/drivers/staging/media/as102/as102_fw.c @@ -165,7 +165,7 @@ static int as102_firmware_upload(struct as10x_bus_adapter_t *bus_adap, int as102_fw_upload(struct as10x_bus_adapter_t *bus_adap) { int errno = -EFAULT; - const struct firmware *firmware; + const struct firmware *firmware = NULL; unsigned char *cmd_buf = NULL; char *fw1, *fw2; struct usb_device *dev = bus_adap->usb_dev; From 4ca5218e3939685c2325fc0a0a1ac8150272c93f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 29 Mar 2012 09:43:54 +0300 Subject: [PATCH 06/19] Staging: vt6655-6: check keysize before memcpy() We need to check the we don't copy too much memory. This comes from a copy_from_user() in the ioctl. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/vt6655/key.c | 3 +++ drivers/staging/vt6656/key.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/drivers/staging/vt6655/key.c b/drivers/staging/vt6655/key.c index 0ff8d7bbf2a7..774b0d4a7e06 100644 --- a/drivers/staging/vt6655/key.c +++ b/drivers/staging/vt6655/key.c @@ -655,6 +655,9 @@ bool KeybSetDefaultKey ( return (false); } + if (uKeyLength > MAX_KEY_LEN) + return false; + pTable->KeyTable[MAX_KEY_TABLE-1].bInUse = true; for(ii=0;iiKeyTable[MAX_KEY_TABLE-1].abyBSSID[ii] = 0xFF; diff --git a/drivers/staging/vt6656/key.c b/drivers/staging/vt6656/key.c index 27bb523c8a97..ee62a06a75f4 100644 --- a/drivers/staging/vt6656/key.c +++ b/drivers/staging/vt6656/key.c @@ -684,6 +684,9 @@ BOOL KeybSetDefaultKey( return (FALSE); } + if (uKeyLength > MAX_KEY_LEN) + return false; + pTable->KeyTable[MAX_KEY_TABLE-1].bInUse = TRUE; for (ii = 0; ii < ETH_ALEN; ii++) pTable->KeyTable[MAX_KEY_TABLE-1].abyBSSID[ii] = 0xFF; From 0d05568ac79bfc595f1eadc3e0fd7a20a45f7b69 Mon Sep 17 00:00:00 2001 From: wwang Date: Tue, 27 Mar 2012 16:43:11 +0800 Subject: [PATCH 07/19] staging:rts_pstor:Fix possible panic by NULL pointer dereference rtsx_transport.c (rtsx_transfer_sglist_adma_partial): pointer struct scatterlist *sg, which is mapped in dma_map_sg, is used as an iterator in later transfer operation. It is corrupted and passed to dma_unmap_sg, thus causing fatal unmap of some erroneous address. Fix it by duplicating *sg_ptr for iterating. Signed-off-by: wwang Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rts_pstor/rtsx_transport.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/staging/rts_pstor/rtsx_transport.c b/drivers/staging/rts_pstor/rtsx_transport.c index 4e3d2c106af0..9b2e5c99870f 100644 --- a/drivers/staging/rts_pstor/rtsx_transport.c +++ b/drivers/staging/rts_pstor/rtsx_transport.c @@ -335,6 +335,7 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card, int sg_cnt, i, resid; int err = 0; long timeleft; + struct scatterlist *sg_ptr; u32 val = TRIG_DMA; if ((sg == NULL) || (num_sg <= 0) || !offset || !index) @@ -371,7 +372,7 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card, sg_cnt = dma_map_sg(&(rtsx->pci->dev), sg, num_sg, dma_dir); resid = size; - + sg_ptr = sg; chip->sgi = 0; /* Usually the next entry will be @sg@ + 1, but if this sg element * is part of a chained scatterlist, it could jump to the start of @@ -379,14 +380,14 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card, * the proper sg */ for (i = 0; i < *index; i++) - sg = sg_next(sg); + sg_ptr = sg_next(sg_ptr); for (i = *index; i < sg_cnt; i++) { dma_addr_t addr; unsigned int len; u8 option; - addr = sg_dma_address(sg); - len = sg_dma_len(sg); + addr = sg_dma_address(sg_ptr); + len = sg_dma_len(sg_ptr); RTSX_DEBUGP("DMA addr: 0x%x, Len: 0x%x\n", (unsigned int)addr, len); @@ -415,7 +416,7 @@ static int rtsx_transfer_sglist_adma_partial(struct rtsx_chip *chip, u8 card, if (!resid) break; - sg = sg_next(sg); + sg_ptr = sg_next(sg_ptr); } RTSX_DEBUGP("SG table count = %d\n", chip->sgi); From b5bd70a162492a76ee49065605ca15d484bb623a Mon Sep 17 00:00:00 2001 From: wwang Date: Tue, 27 Mar 2012 16:43:20 +0800 Subject: [PATCH 08/19] staging:rts_pstor:Avoid "Bad target number" message when probing driver Avoid "Bad LUN" and "Bad target number" message by setting the supported max_lun and max_id for the scsi host Signed-off-by: wwang Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rts_pstor/rtsx.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/staging/rts_pstor/rtsx.c b/drivers/staging/rts_pstor/rtsx.c index a7feb3e328a0..1dccd933a7e4 100644 --- a/drivers/staging/rts_pstor/rtsx.c +++ b/drivers/staging/rts_pstor/rtsx.c @@ -1000,6 +1000,11 @@ static int __devinit rtsx_probe(struct pci_dev *pci, rtsx_init_chip(dev->chip); + /* set the supported max_lun and max_id for the scsi host + * NOTE: the minimal value of max_id is 1 */ + host->max_id = 1; + host->max_lun = dev->chip->max_lun; + /* Start up our control thread */ th = kthread_run(rtsx_control_thread, dev, CR_DRIVER_NAME); if (IS_ERR(th)) { From 678b7c17073a9e383f204c3e8e0000821afb6103 Mon Sep 17 00:00:00 2001 From: Chris Kelly Date: Thu, 29 Mar 2012 12:09:45 +0000 Subject: [PATCH 09/19] staging: ozwpan: Added new maintainer for ozwpan Added Rupesh Gujare to MAINTAINERS file and contact in TODO file for ozwpan driver. Signed-off-by: Chris Kelly Signed-off-by: Greg Kroah-Hartman --- MAINTAINERS | 1 + drivers/staging/ozwpan/TODO | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 2dcfca850639..d87ad1844b4f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -6466,6 +6466,7 @@ S: Odd Fixes F: drivers/staging/olpc_dcon/ STAGING - OZMO DEVICES USB OVER WIFI DRIVER +M: Rupesh Gujare M: Chris Kelly S: Maintained F: drivers/staging/ozwpan/ diff --git a/drivers/staging/ozwpan/TODO b/drivers/staging/ozwpan/TODO index f7a9c122f596..c2d30a7112f3 100644 --- a/drivers/staging/ozwpan/TODO +++ b/drivers/staging/ozwpan/TODO @@ -8,5 +8,7 @@ TODO: - code review by USB developer community. - testing with as many devices as possible. -Please send any patches for this driver to Chris Kelly +Please send any patches for this driver to +Rupesh Gujare +Chris Kelly and Greg Kroah-Hartman . From 3fd654c22c7b002e8681accaed50a6d46656d815 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 29 Mar 2012 21:52:57 +0300 Subject: [PATCH 10/19] Staging: rts_pstor: off by one in for loop I already fixed the other similar for loop in this file. I'm not sure how I missed this one. We use seg_no+1 inside the loop so we can't go right up to the end of the loop. Also if we don't break out of the loop then we end up past the end of the array, but with this fix we end up on the last element. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rts_pstor/ms.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rts_pstor/ms.c b/drivers/staging/rts_pstor/ms.c index 66341dff8c99..f9a4498984cc 100644 --- a/drivers/staging/rts_pstor/ms.c +++ b/drivers/staging/rts_pstor/ms.c @@ -3498,7 +3498,8 @@ static int ms_rw_multi_sector(struct scsi_cmnd *srb, struct rtsx_chip *chip, u32 log_blk++; - for (seg_no = 0; seg_no < sizeof(ms_start_idx)/2; seg_no++) { + for (seg_no = 0; seg_no < ARRAY_SIZE(ms_start_idx) - 1; + seg_no++) { if (log_blk < ms_start_idx[seg_no+1]) break; } From f4477e90b3ea4c40466e8f418cf41a17aef09192 Mon Sep 17 00:00:00 2001 From: Nitin Gupta Date: Mon, 2 Apr 2012 09:13:56 -0500 Subject: [PATCH 11/19] staging: zsmalloc: fix memory leak This patch fixes a memory leak in zsmalloc where the first subpage of each zspage is leaked when the zspage is freed. Signed-off-by: Nitin Gupta Acked-by: Seth Jennings Acked-by: Dan Magenheimer Signed-off-by: Greg Kroah-Hartman --- drivers/staging/zsmalloc/zsmalloc-main.c | 30 ++++++++++++++---------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/drivers/staging/zsmalloc/zsmalloc-main.c b/drivers/staging/zsmalloc/zsmalloc-main.c index 09caa4f2687e..917461c66014 100644 --- a/drivers/staging/zsmalloc/zsmalloc-main.c +++ b/drivers/staging/zsmalloc/zsmalloc-main.c @@ -267,33 +267,39 @@ static unsigned long obj_idx_to_offset(struct page *page, return off + obj_idx * class_size; } +static void reset_page(struct page *page) +{ + clear_bit(PG_private, &page->flags); + clear_bit(PG_private_2, &page->flags); + set_page_private(page, 0); + page->mapping = NULL; + page->freelist = NULL; + reset_page_mapcount(page); +} + static void free_zspage(struct page *first_page) { - struct page *nextp, *tmp; + struct page *nextp, *tmp, *head_extra; BUG_ON(!is_first_page(first_page)); BUG_ON(first_page->inuse); - nextp = (struct page *)page_private(first_page); + head_extra = (struct page *)page_private(first_page); - clear_bit(PG_private, &first_page->flags); - clear_bit(PG_private_2, &first_page->flags); - set_page_private(first_page, 0); - first_page->mapping = NULL; - first_page->freelist = NULL; - reset_page_mapcount(first_page); + reset_page(first_page); __free_page(first_page); /* zspage with only 1 system page */ - if (!nextp) + if (!head_extra) return; - list_for_each_entry_safe(nextp, tmp, &nextp->lru, lru) { + list_for_each_entry_safe(nextp, tmp, &head_extra->lru, lru) { list_del(&nextp->lru); - clear_bit(PG_private_2, &nextp->flags); - nextp->index = 0; + reset_page(nextp); __free_page(nextp); } + reset_page(head_extra); + __free_page(head_extra); } /* Initialize a newly allocated zspage */ From be0775ac140dd80a1d60fb7e71ec60e649c14ff8 Mon Sep 17 00:00:00 2001 From: Rob Clark Date: Thu, 5 Apr 2012 10:34:56 -0500 Subject: [PATCH 12/19] staging: drm/omap: move where DMM driver is registered Not sure what triggered the change in behavior, but seems to result in recursively acquiring a mutex and hanging on boot. But omap_drm_init() seems a much more sane place to register the driver for the DMM sub-device. Signed-off-by: Greg Kroah-Hartman --- drivers/staging/omapdrm/omap_drv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/staging/omapdrm/omap_drv.c b/drivers/staging/omapdrm/omap_drv.c index 3df5b4c58ecd..620b8d54223d 100644 --- a/drivers/staging/omapdrm/omap_drv.c +++ b/drivers/staging/omapdrm/omap_drv.c @@ -803,9 +803,6 @@ static void pdev_shutdown(struct platform_device *device) static int pdev_probe(struct platform_device *device) { DBG("%s", device->name); - if (platform_driver_register(&omap_dmm_driver)) - dev_err(&device->dev, "DMM registration failed\n"); - return drm_platform_init(&omap_drm_driver, device); } @@ -833,6 +830,10 @@ struct platform_driver pdev = { static int __init omap_drm_init(void) { DBG("init"); + if (platform_driver_register(&omap_dmm_driver)) { + /* we can continue on without DMM.. so not fatal */ + dev_err(NULL, "DMM registration failed\n"); + } return platform_driver_register(&pdev); } From 40f32d9345bee0b24d3317b498e79b02e4be27f4 Mon Sep 17 00:00:00 2001 From: Preetham Chandru Date: Mon, 9 Apr 2012 18:05:01 +0530 Subject: [PATCH 13/19] staging: iio: ak8975: Remove i2c client data corruption i2c client data set is of type struct indio_dev pointer and hence the pointer returned from i2c_get_clientdata() should be assigned to an object of type struct indio_dev and not to an object of type struct ak8975_data. Also in ak8975_probe() client data should be set first before calling ak8975_setup() as it references the client data. Signed-off-by: Preetham Chandru R CC: Laxman Dewangan Signed-off-by: Greg Kroah-Hartman --- drivers/staging/iio/magnetometer/ak8975.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/staging/iio/magnetometer/ak8975.c b/drivers/staging/iio/magnetometer/ak8975.c index d5ddac3d8831..ebc2d0840caf 100644 --- a/drivers/staging/iio/magnetometer/ak8975.c +++ b/drivers/staging/iio/magnetometer/ak8975.c @@ -108,7 +108,8 @@ static const int ak8975_index_to_reg[] = { static int ak8975_write_data(struct i2c_client *client, u8 reg, u8 val, u8 mask, u8 shift) { - struct ak8975_data *data = i2c_get_clientdata(client); + struct iio_dev *indio_dev = i2c_get_clientdata(client); + struct ak8975_data *data = iio_priv(indio_dev); u8 regval; int ret; @@ -159,7 +160,8 @@ static int ak8975_read_data(struct i2c_client *client, */ static int ak8975_setup(struct i2c_client *client) { - struct ak8975_data *data = i2c_get_clientdata(client); + struct iio_dev *indio_dev = i2c_get_clientdata(client); + struct ak8975_data *data = iio_priv(indio_dev); u8 device_id; int ret; @@ -509,6 +511,7 @@ static int ak8975_probe(struct i2c_client *client, goto exit_gpio; } data = iio_priv(indio_dev); + i2c_set_clientdata(client, indio_dev); /* Perform some basic start-of-day setup of the device. */ err = ak8975_setup(client); if (err < 0) { @@ -516,7 +519,6 @@ static int ak8975_probe(struct i2c_client *client, goto exit_free_iio; } - i2c_set_clientdata(client, indio_dev); data->client = client; mutex_init(&data->lock); data->eoc_irq = client->irq; From 099f5d01a6f73712e17552679aa724e021809a6e Mon Sep 17 00:00:00 2001 From: Colin Cross Date: Wed, 21 Mar 2012 10:18:33 -0700 Subject: [PATCH 14/19] android: make persistent_ram based drivers depend on HAVE_MEMBLOCK m68k doesn't have memblock_reserve, which causes a build failure with allmodconfig. Make PERSISTENT_RAM and RAM_CONSOLE depend on HAVE_MEMBLOCK. Reported-by: Geert Uytterhoeven Reported-by: Paul Gortmaker Signed-off-by: Colin Cross Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/Kconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/android/Kconfig b/drivers/staging/android/Kconfig index 08a3b1133d29..eb1dee26bda3 100644 --- a/drivers/staging/android/Kconfig +++ b/drivers/staging/android/Kconfig @@ -27,13 +27,14 @@ config ANDROID_LOGGER config ANDROID_PERSISTENT_RAM bool + depends on HAVE_MEMBLOCK select REED_SOLOMON select REED_SOLOMON_ENC8 select REED_SOLOMON_DEC8 config ANDROID_RAM_CONSOLE bool "Android RAM buffer console" - depends on !S390 && !UML + depends on !S390 && !UML && HAVE_MEMBLOCK select ANDROID_PERSISTENT_RAM default n From 5d92f71e687e4e1a0bed489707d1ec58fe1100de Mon Sep 17 00:00:00 2001 From: Axel Lin Date: Wed, 21 Mar 2012 09:24:57 +0800 Subject: [PATCH 15/19] Staging: android: timed_gpio: Fix resource leak in timed_gpio_probe error paths If gpio_request fails, we need to free all allocated resources. Current code uses wrong array index to access gpio_data array. So current code actually frees gpio_data[i].gpio by j times. This patch moves the error handling code to err_out and thus improves readability. Signed-off-by: Axel Lin Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/timed_gpio.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/drivers/staging/android/timed_gpio.c b/drivers/staging/android/timed_gpio.c index bc723eff11af..45c522cbe784 100644 --- a/drivers/staging/android/timed_gpio.c +++ b/drivers/staging/android/timed_gpio.c @@ -85,7 +85,7 @@ static int timed_gpio_probe(struct platform_device *pdev) struct timed_gpio_platform_data *pdata = pdev->dev.platform_data; struct timed_gpio *cur_gpio; struct timed_gpio_data *gpio_data, *gpio_dat; - int i, j, ret = 0; + int i, ret; if (!pdata) return -EBUSY; @@ -108,18 +108,12 @@ static int timed_gpio_probe(struct platform_device *pdev) gpio_dat->dev.get_time = gpio_get_time; gpio_dat->dev.enable = gpio_enable; ret = gpio_request(cur_gpio->gpio, cur_gpio->name); - if (ret >= 0) { - ret = timed_output_dev_register(&gpio_dat->dev); - if (ret < 0) - gpio_free(cur_gpio->gpio); - } + if (ret < 0) + goto err_out; + ret = timed_output_dev_register(&gpio_dat->dev); if (ret < 0) { - for (j = 0; j < i; j++) { - timed_output_dev_unregister(&gpio_data[i].dev); - gpio_free(gpio_data[i].gpio); - } - kfree(gpio_data); - return ret; + gpio_free(cur_gpio->gpio); + goto err_out; } gpio_dat->gpio = cur_gpio->gpio; @@ -131,6 +125,15 @@ static int timed_gpio_probe(struct platform_device *pdev) platform_set_drvdata(pdev, gpio_data); return 0; + +err_out: + while (--i >= 0) { + timed_output_dev_unregister(&gpio_data[i].dev); + gpio_free(gpio_data[i].gpio); + } + kfree(gpio_data); + + return ret; } static int timed_gpio_remove(struct platform_device *pdev) From 6490311f423b0d77969d6fa2ab6354b87e373bf9 Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Mon, 19 Mar 2012 21:50:09 +0400 Subject: [PATCH 16/19] staging/xgifb: fix display on XGI Volari Z11m cards Image on Z11m cards was totally garbled due to wrong memory being selected. Add a special handling for Z11m cards. Tested on PCIe Z11 and Z11m cards. Signed-off-by: Dmitry Eremin-Solenikov Signed-off-by: Greg Kroah-Hartman --- drivers/staging/xgifb/vb_init.c | 2 +- drivers/staging/xgifb/vb_setmode.c | 7 +++++++ drivers/staging/xgifb/vb_table.h | 11 ++++++++++- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/drivers/staging/xgifb/vb_init.c b/drivers/staging/xgifb/vb_init.c index 94d5c35e22fb..3650bbff7686 100644 --- a/drivers/staging/xgifb/vb_init.c +++ b/drivers/staging/xgifb/vb_init.c @@ -61,7 +61,7 @@ XGINew_GetXG20DRAMType(struct xgi_hw_device_info *HwDeviceExtension, } temp = xgifb_reg_get(pVBInfo->P3c4, 0x3B); /* SR3B[7][3]MAA15 MAA11 (Power on Trapping) */ - if ((temp & 0x88) == 0x80) + if (((temp & 0x88) == 0x80) || ((temp & 0x88) == 0x08)) data = 0; /* DDR */ else data = 1; /* DDRII */ diff --git a/drivers/staging/xgifb/vb_setmode.c b/drivers/staging/xgifb/vb_setmode.c index 2919924213c4..60d4adf99923 100644 --- a/drivers/staging/xgifb/vb_setmode.c +++ b/drivers/staging/xgifb/vb_setmode.c @@ -152,6 +152,7 @@ void InitTo330Pointer(unsigned char ChipType, struct vb_device_info *pVBInfo) pVBInfo->pXGINew_CR97 = &XG20_CR97; if (ChipType == XG27) { + unsigned char temp; pVBInfo->MCLKData = (struct SiS_MCLKData *) XGI27New_MCLKData; pVBInfo->CR40 = XGI27_cr41; @@ -162,7 +163,13 @@ void InitTo330Pointer(unsigned char ChipType, struct vb_device_info *pVBInfo) pVBInfo->pCRDE = XG27_CRDE; pVBInfo->pSR40 = &XG27_SR40; pVBInfo->pSR41 = &XG27_SR41; + pVBInfo->SR15 = XG27_SR13; + /*Z11m DDR*/ + temp = xgifb_reg_get(pVBInfo->P3c4, 0x3B); + /* SR3B[7][3]MAA15 MAA11 (Power on Trapping) */ + if (((temp & 0x88) == 0x80) || ((temp & 0x88) == 0x08)) + pVBInfo->pXGINew_CR97 = &Z11m_CR97; } if (ChipType >= XG20) { diff --git a/drivers/staging/xgifb/vb_table.h b/drivers/staging/xgifb/vb_table.h index dddf261ed53d..e8d6f674b274 100644 --- a/drivers/staging/xgifb/vb_table.h +++ b/drivers/staging/xgifb/vb_table.h @@ -33,6 +33,13 @@ static struct XGI_ECLKDataStruct XGI340_ECLKData[] = { {0x5c, 0x23, 0x01, 166} }; +static unsigned char XG27_SR13[4][8] = { + {0x35, 0x45, 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00}, /* SR13 */ + {0x41, 0x51, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00}, /* SR14 */ + {0x32, 0x32, 0x42, 0x00, 0x00, 0x00, 0x00, 0x00}, /* SR18 */ + {0x03, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00} /* SR1B */ +}; + static unsigned char XGI340_SR13[4][8] = { {0x35, 0x45, 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00}, /* SR13 */ {0x41, 0x51, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00}, /* SR14 */ @@ -71,7 +78,7 @@ static unsigned char XGI27_cr41[24][8] = { {0x20, 0x40, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00}, /* 0 CR41 */ {0xC4, 0x40, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00}, /* 1 CR8A */ {0xC4, 0x40, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00}, /* 2 CR8B */ - {0xB5, 0x13, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x00}, /* 3 CR40[7], + {0xB3, 0x13, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x00}, /* 3 CR40[7], CR99[2:0], CR45[3:0]*/ {0xf0, 0xf5, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x00}, /* 4 CR59 */ @@ -2803,6 +2810,8 @@ static unsigned char XG27_CRDE[2]; static unsigned char XG27_SR40 = 0x04 ; static unsigned char XG27_SR41 = 0x00 ; +static unsigned char Z11m_CR97 = 0x80 ; + static struct XGI330_VCLKDataStruct XGI_VCLKData[] = { /* SR2B,SR2C,SR2D */ {0x1B, 0xE1, 25}, /* 00 (25.175MHz) */ From 62d2feb9803f18c4e3c8a1a2c7e30a54df8a1d72 Mon Sep 17 00:00:00 2001 From: Marek Belisko Date: Thu, 12 Apr 2012 21:48:03 +0200 Subject: [PATCH 17/19] staging: iio: hmc5843: Fix crash in probe function. Fix crash after issuing: echo hmc5843 0x1e > /sys/class/i2c-dev/i2c-2/device/new_device [ 37.180999] device: '2-001e': device_add [ 37.188293] bus: 'i2c': add device 2-001e [ 37.194549] PM: Adding info for i2c:2-001e [ 37.200958] bus: 'i2c': driver_probe_device: matched device 2-001e with driver hmc5843 [ 37.210815] bus: 'i2c': really_probe: probing driver hmc5843 with device 2-001e [ 37.224884] HMC5843 initialized [ 37.228759] ------------[ cut here ]------------ [ 37.233612] kernel BUG at mm/slab.c:505! [ 37.237701] Internal error: Oops - BUG: 0 [#1] PREEMPT [ 37.243103] Modules linked in: [ 37.246337] CPU: 0 Not tainted (3.3.1-gta04+ #28) [ 37.251647] PC is at kfree+0x84/0x144 [ 37.255493] LR is at kfree+0x20/0x144 [ 37.259338] pc : [] lr : [] psr: 40000093 [ 37.259368] sp : de249cd8 ip : 0000000c fp : 00000090 [ 37.271362] r10: 0000000a r9 : de229eac r8 : c0236274 [ 37.276855] r7 : c09d6490 r6 : a0000013 r5 : de229c00 r4 : de229c10 [ 37.283691] r3 : c0f00218 r2 : 00000400 r1 : c0eea000 r0 : c00b4028 [ 37.290527] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user [ 37.298095] Control: 10c5387d Table: 9e1d0019 DAC: 00000015 [ 37.304107] Process sh (pid: 91, stack limit = 0xde2482f0) [ 37.309844] Stack: (0xde249cd8 to 0xde24a000) [ 37.314422] 9cc0: de229c10 de229c00 [ 37.322998] 9ce0: de229c10 ffffffea 00000005 c0236274 de140a80 c00b4798 dec00080 de140a80 [ 37.331573] 9d00: c032f37c dec00080 000080d0 00000001 de229c00 de229c10 c048d578 00000005 [ 37.340148] 9d20: de229eac 0000000a 00000090 c032fa40 00000001 00000000 00000001 de229c10 [ 37.348724] 9d40: de229eac 00000029 c075b558 00000001 00000003 00000004 de229c10 c048d594 [ 37.357299] 9d60: 00000000 60000013 00000018 205b0007 37332020 3432322e 5d343838 c0060020 [ 37.365905] 9d80: de251600 00000001 00000000 de251600 00000001 c0065a84 de229c00 de229c48 [ 37.374481] 9da0: 00000006 0048d62c de229c38 de229c00 de229c00 de1f6c00 de1f6c20 00000001 [ 37.383056] 9dc0: 00000000 c048d62c 00000000 de229c00 de229c00 de1f6c00 de1f6c20 00000001 [ 37.391632] 9de0: 00000000 c048d62c 00000000 c0330164 00000000 de1f6c20 c048d62c de1f6c00 [ 37.400207] 9e00: c0330078 de1f6c04 c078d714 de189b58 00000000 c02ccfd8 de1f6c20 c0795f40 [ 37.408782] 9e20: c0238330 00000000 00000000 c02381a8 de1b9fc0 de1f6c20 de1f6c20 de249e48 [ 37.417358] 9e40: c0238330 c0236bb0 decdbed8 de7d0f14 de1f6c20 de1f6c20 de1f6c54 de1f6c20 [ 37.425933] 9e60: 00000000 c0238030 de1f6c20 c078d7bc de1f6c20 c02377ec de1f6c20 de1f6c28 [ 37.434509] 9e80: dee64cb0 c0236138 c047c554 de189b58 00000000 c004b45c de1f6c20 de1f6cd8 [ 37.443084] 9ea0: c0edfa6c de1f6c00 dee64c68 de1f6c04 de1f6c20 dee64cb8 c047c554 de189b58 [ 37.451690] 9ec0: 00000000 c02cd634 dee64c68 de249ef4 de23b008 dee64cb0 0000000d de23b000 [ 37.460266] 9ee0: de23b007 c02cd78c 00000002 00000000 00000000 35636d68 00333438 00000000 [ 37.468841] 9f00: 00000000 00000000 001e0000 00000000 00000000 00000000 00000000 0a10cec0 [ 37.477416] 9f20: 00000002 de249f80 0000000d dee62990 de189b40 c0234d88 0000000d c010c354 [ 37.485992] 9f40: 0000000d de210f28 000acc88 de249f80 0000000d de248000 00000000 c00b7bf8 [ 37.494567] 9f60: de210f28 000acc88 de210f28 000acc88 00000000 00000000 0000000d c00b7ed8 [ 37.503143] 9f80: 00000000 00000000 0000000d 00000000 0007fa28 0000000d 000acc88 00000004 [ 37.511718] 9fa0: c000e544 c000e380 0007fa28 0000000d 00000001 000acc88 0000000d 00000000 [ 37.520294] 9fc0: 0007fa28 0000000d 000acc88 00000004 00000001 00000020 00000002 00000000 [ 37.528869] 9fe0: 00000000 beab8624 0000ea05 b6eaebac 600d0010 00000001 00000000 00000000 [ 37.537475] [] (kfree+0x84/0x144) from [] (device_add+0x530/0x57c) [ 37.545806] [] (device_add+0x530/0x57c) from [] (iio_device_register+0x8c8/0x990) [ 37.555480] [] (iio_device_register+0x8c8/0x990) from [] (hmc5843_probe+0xec/0x114) [ 37.565338] [] (hmc5843_probe+0xec/0x114) from [] (i2c_device_probe+0xc4/0xf8) [ 37.574737] [] (i2c_device_probe+0xc4/0xf8) from [] (driver_probe_device+0x118/0x218) [ 37.584777] [] (driver_probe_device+0x118/0x218) from [] (bus_for_each_drv+0x4c/0x84) [ 37.594818] [] (bus_for_each_drv+0x4c/0x84) from [] (device_attach+0x78/0xa4) [ 37.604125] [] (device_attach+0x78/0xa4) from [] (bus_probe_device+0x28/0x9c) [ 37.613433] [] (bus_probe_device+0x28/0x9c) from [] (device_add+0x3f4/0x57c) [ 37.622650] [] (device_add+0x3f4/0x57c) from [] (i2c_new_device+0xf8/0x19c) [ 37.631805] [] (i2c_new_device+0xf8/0x19c) from [] (i2c_sysfs_new_device+0xb4/0x130) [ 37.641754] [] (i2c_sysfs_new_device+0xb4/0x130) from [] (dev_attr_store+0x18/0x24) [ 37.651611] [] (dev_attr_store+0x18/0x24) from [] (sysfs_write_file+0x10c/0x140) [ 37.661193] [] (sysfs_write_file+0x10c/0x140) from [] (vfs_write+0xb0/0x178) [ 37.670410] [] (vfs_write+0xb0/0x178) from [] (sys_write+0x3c/0x68) [ 37.678833] [] (sys_write+0x3c/0x68) from [] (ret_fast_syscall+0x0/0x3c) [ 37.687683] Code: 1593301c e5932000 e3120080 1a000000 (e7f001f2) [ 37.700775] ---[ end trace aaf805debdb69390 ]--- Client data was assigned to iio_dev structure in probe but in hmc5843_init_client function casted to private driver data structure which is wrong. Possibly calling mutex_init(&data->lock); corrupt data which the lead to above crash. Signed-off-by: Marek Belisko Cc: stable Acked-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- drivers/staging/iio/magnetometer/hmc5843.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/iio/magnetometer/hmc5843.c b/drivers/staging/iio/magnetometer/hmc5843.c index 91dd3da70cb4..e00b416c4d33 100644 --- a/drivers/staging/iio/magnetometer/hmc5843.c +++ b/drivers/staging/iio/magnetometer/hmc5843.c @@ -521,7 +521,9 @@ static int hmc5843_detect(struct i2c_client *client, /* Called when we have found a new HMC5843. */ static void hmc5843_init_client(struct i2c_client *client) { - struct hmc5843_data *data = i2c_get_clientdata(client); + struct iio_dev *indio_dev = i2c_get_clientdata(client); + struct hmc5843_data *data = iio_priv(indio_dev); + hmc5843_set_meas_conf(client, data->meas_conf); hmc5843_set_rate(client, data->rate); hmc5843_configure(client, data->operating_mode); From 17b7e1ba1e2ecc9a09f5e154e555accd2a2eaedf Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Thu, 12 Apr 2012 00:35:46 +0200 Subject: [PATCH 18/19] staging: vt6656: Don't leak memory in drivers/staging/vt6656/ioctl.c::private_ioctl() If copy_to_user() fails in the WLAN_CMD_GET_NODE_LIST case of the switch in drivers/staging/vt6656/ioctl.c::private_ioctl() we'll leak the memory allocated to 'pNodeList'. Fix that by kfree'ing the memory in the failure case. Also remove a pointless cast (to type 'PSNodeList') of a kmalloc() return value - kmalloc() returns a void pointer that is implicitly converted, so there is no need for an explicit cast. Signed-off-by: Jesper Juhl Signed-off-by: Greg Kroah-Hartman --- drivers/staging/vt6656/ioctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/vt6656/ioctl.c b/drivers/staging/vt6656/ioctl.c index 1463d76895f0..d59456c29df1 100644 --- a/drivers/staging/vt6656/ioctl.c +++ b/drivers/staging/vt6656/ioctl.c @@ -565,7 +565,7 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq) result = -ENOMEM; break; } - pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC); + pNodeList = kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC); if (pNodeList == NULL) { result = -ENOMEM; break; @@ -601,6 +601,7 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq) } } if (copy_to_user(pReq->data, pNodeList, sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)))) { + kfree(pNodeList); result = -EFAULT; break; } From 474a89885f77953b12bce9f23660c31ef5c2630e Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Wed, 11 Apr 2012 22:10:20 +0200 Subject: [PATCH 19/19] staging: android: fix mem leaks in __persistent_ram_init() If, in __persistent_ram_init(), the call to persistent_ram_buffer_init() fails or the call to persistent_ram_init_ecc() fails then we fail to free the memory we allocated to 'prz' with kzalloc() - thus leaking it. To prevent the leaks I consolidated all error exits from the function at a 'err:' label at the end and made all error cases jump to that label where we can then make sure we always free 'prz'. This is safe since all the situations where the code bails out happen before 'prz' has been stored anywhere and although we'll do a redundant kfree(NULL) call in the case of kzalloc() itself failing that's OK since kfree() deals gracefully with NULL pointers and I felt it was more important to keep all error exits at a single location than to avoid that one harmless/redundant kfree() on a error path. Signed-off-by: Jesper Juhl Acked-by: Colin Cross Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/persistent_ram.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/staging/android/persistent_ram.c b/drivers/staging/android/persistent_ram.c index e08f2574e30a..8d8c1e33e0ff 100644 --- a/drivers/staging/android/persistent_ram.c +++ b/drivers/staging/android/persistent_ram.c @@ -399,12 +399,12 @@ static __init struct persistent_ram_zone *__persistent_ram_init(struct device *dev, bool ecc) { struct persistent_ram_zone *prz; - int ret; + int ret = -ENOMEM; prz = kzalloc(sizeof(struct persistent_ram_zone), GFP_KERNEL); if (!prz) { pr_err("persistent_ram: failed to allocate persistent ram zone\n"); - return ERR_PTR(-ENOMEM); + goto err; } INIT_LIST_HEAD(&prz->node); @@ -412,13 +412,13 @@ struct persistent_ram_zone *__persistent_ram_init(struct device *dev, bool ecc) ret = persistent_ram_buffer_init(dev_name(dev), prz); if (ret) { pr_err("persistent_ram: failed to initialize buffer\n"); - return ERR_PTR(ret); + goto err; } prz->ecc = ecc; ret = persistent_ram_init_ecc(prz, prz->buffer_size); if (ret) - return ERR_PTR(ret); + goto err; if (prz->buffer->sig == PERSISTENT_RAM_SIG) { if (buffer_size(prz) > prz->buffer_size || @@ -442,6 +442,9 @@ struct persistent_ram_zone *__persistent_ram_init(struct device *dev, bool ecc) atomic_set(&prz->buffer->size, 0); return prz; +err: + kfree(prz); + return ERR_PTR(ret); } struct persistent_ram_zone * __init