<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/drivers/staging, branch v3.11</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/drivers/staging?h=v3.11</id>
<link rel='self' href='https://git.amat.us/linux/atom/drivers/staging?h=v3.11'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2013-08-23T17:31:47Z</updated>
<entry>
<title>staging: comedi: bug-fix NULL pointer dereference on failed attach</title>
<updated>2013-08-23T17:31:47Z</updated>
<author>
<name>Ian Abbott</name>
<email>abbotti@mev.co.uk</email>
</author>
<published>2013-08-23T11:37:17Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=3955dfa8216f712bc204a5ad2f4e51efff252fde'/>
<id>urn:sha1:3955dfa8216f712bc204a5ad2f4e51efff252fde</id>
<content type='text'>
Commit dcd7b8bd63cb81c5b973bf86510ca3c80bbbd162 ("staging: comedi: put
module _after_ detach" by myself) reversed a couple of calls in
`comedi_device_attach()` when recovering from an error returned by the
low-level driver's 'attach' handler.  Unfortunately, that introduced a
NULL pointer dereference bug as `dev-&gt;driver` is NULL after the call to
`comedi_device_detach()`.   We still have a pointer to the low-level
comedi driver structure in the `driv` variable, so use that instead.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Cc: &lt;stable@vger.kernel.org&gt; # 3.10+
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: zcache: fix "zcache=" kernel parameter</title>
<updated>2013-07-29T18:45:09Z</updated>
<author>
<name>Piotr Sarna</name>
<email>p.sarna@partner.samsung.com</email>
</author>
<published>2013-07-29T10:25:20Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=02073798a6b081bf74e6c10d6f7e7a693c067ecd'/>
<id>urn:sha1:02073798a6b081bf74e6c10d6f7e7a693c067ecd</id>
<content type='text'>
Commit 835f2f5 ("staging: zcache: enable zcache to be built/loaded as
a module") introduced an incorrect handling of "zcache=" parameter.

Inside zcache_comp_init() function, zcache_comp_name variable is
checked for being empty. If not empty, the above variable is tested
for being compatible with Crypto API. Unfortunately, after that
function ends unconditionally (by the "goto out" directive) and returns:
- non-zero value if verification succeeded, wrongly indicating an error
- zero value if verification failed, falsely informing that function
  zcache_comp_init() ended properly.

A solution to this problem is as follows:
1. Move the "goto out" directive inside the "if (!ret)" statement
2. In case that crypto_has_comp() returned 0, change the value of ret
   to non-zero before "goto out" to indicate an error.

This patch replaces an earlier one from Michal Hocko (based on report
from Cristian Rodriguez):

	http://permalink.gmane.org/gmane.linux.kernel.mm/102484

It also addressed the same issue but didn't fix the zcache_comp_init()
for case when the compressor data passed to "zcache=" option was invalid
or unsupported.

Signed-off-by: Piotr Sarna &lt;p.sarna@partner.samsung.com&gt;
[bzolnier: updated patch description]
Acked-by: Bartlomiej Zolnierkiewicz &lt;b.zolnierkie@samsung.com&gt;
Signed-off-by: Kyungmin Park &lt;kyungmin.park@samsung.com&gt;
Acked-by: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Acked-by: Michal Hocko &lt;mhocko@suse.cz&gt;
Cc: stable &lt;stable@vger.kernel.org&gt; # 3.10
Cc: Cristian Rodriguez &lt;crrodriguez@opensuse.org&gt;
Cc: Bob Liu &lt;bob.liu@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>MAINTAINERS: Update the list of maintainers for staging/comedi driver.</title>
<updated>2013-07-24T16:51:18Z</updated>
<author>
<name>Lidza Louina</name>
<email>lidza.louina@gmail.com</email>
</author>
<published>2013-07-24T15:29:33Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=81b884c9dfe6753a78df0cbf4e96f095d718bd95'/>
<id>urn:sha1:81b884c9dfe6753a78df0cbf4e96f095d718bd95</id>
<content type='text'>
This patch updates the list of maintainers for the staging/comedi
driver.

Signed-off-by: Lidza Louina &lt;lidza.louina@gmail.com&gt;
Acked-by: H Hartley Sweeten &lt;hsweeten@visionengravers.com&gt;
Acked-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: tidspbridge: replace strict_strtol() with kstrtos32()</title>
<updated>2013-07-24T16:51:18Z</updated>
<author>
<name>Jingoo Han</name>
<email>jg1.han@samsung.com</email>
</author>
<published>2013-07-24T05:34:08Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=932ef3685f287799fa844862d607a6b596ba5b9e'/>
<id>urn:sha1:932ef3685f287799fa844862d607a6b596ba5b9e</id>
<content type='text'>
The usage of strict_strtol() is not preferred, because
strict_strtol() is obsolete. Thus, kstrtos32() should be
used in order to convert a string to s32. Also, error handling
is added to get rid of a __must_check warning.

This fixes a memory corruption bug as well.

Signed-off-by: Jingoo Han &lt;jg1.han@samsung.com&gt;
Reviewed-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: android: logger: Correct write offset reset on error</title>
<updated>2013-07-23T22:08:50Z</updated>
<author>
<name>Karlis Ogsts</name>
<email>karlis.ogsts@sonymobile.com</email>
</author>
<published>2013-07-22T20:51:42Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2'/>
<id>urn:sha1:72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2</id>
<content type='text'>
In the situation that a writer fails to copy data from userspace it will reset
the write offset to the value it had before it went to sleep. This discards
any messages written while acquiring the mutex.

Therefore the reset offset needs to be retrieved after acquiring the mutex.

Cc: Android Kernel Team &lt;kernel-team@android.com&gt;
Signed-off-by: Bjorn Andersson &lt;bjorn.andersson@sonymobile.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: zram: protect zram_reset_device() call</title>
<updated>2013-07-23T22:08:50Z</updated>
<author>
<name>Sergey Senozhatsky</name>
<email>sergey.senozhatsky@gmail.com</email>
</author>
<published>2013-06-26T12:28:39Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=644d478793c6594277f8ae76954da4ace7ac6f96'/>
<id>urn:sha1:644d478793c6594277f8ae76954da4ace7ac6f96</id>
<content type='text'>
Commit 9b3bb7abcdf2df0f1b2657e6cbc9d06bc2b3b36f (remove
zram_sysfs file (v2)) accidentally made zram_reset_device()
racy. Protect zram_reset_device() call with zram-&gt;lock.

Signed-off-by: Sergey Senozhatsky &lt;sergey.senozhatsky@gmail.com&gt;
Acked-by: Jerome Marchand &lt;jmarchand@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: gdm72xx: potential use after free in send_qos_list()</title>
<updated>2013-07-23T22:08:50Z</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2013-07-22T08:00:53Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=f2a6fed1ceaecf6054627f0ddbd4becf43c997fc'/>
<id>urn:sha1:f2a6fed1ceaecf6054627f0ddbd4becf43c997fc</id>
<content type='text'>
Sometimes free_qos_entry() frees its argument.  I have moved
the dereference of "entry" ahead one line to avoid a use after free.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: drm/imx: drop "select OF_VIDEOMODE"</title>
<updated>2013-07-23T22:08:50Z</updated>
<author>
<name>Paul Bolle</name>
<email>pebolle@tiscali.nl</email>
</author>
<published>2013-07-14T11:29:48Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=3a349cee593a464b25f329a1b76635900187fdb0'/>
<id>urn:sha1:3a349cee593a464b25f329a1b76635900187fdb0</id>
<content type='text'>
Commit ac4c1a9b33 ("staging: drm/imx: Add LDB support") added the
DRM_IMX_LDB Kconfig entry. That entry selects OF_VIDEOMODE. But there is
no Kconfig symbol named OF_VIDEOMODE. The select statement for that
symbol is a nop. Drop it.

Signed-off-by: Paul Bolle &lt;pebolle@tiscali.nl&gt;
Acked-by: Sascha Hauer &lt;s.hauer@pengutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: frontier: use after free in disconnect()</title>
<updated>2013-07-23T22:08:50Z</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2013-07-22T06:57:49Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=c8145c56103099565be2e18aeac2a32f79361f3f'/>
<id>urn:sha1:c8145c56103099565be2e18aeac2a32f79361f3f</id>
<content type='text'>
usb_alphatrack_delete() frees "dev" so we can't use it on that path.

Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>staging: comedi: fix a race between do_cmd_ioctl() and read/write</title>
<updated>2013-07-23T21:30:54Z</updated>
<author>
<name>Ian Abbott</name>
<email>abbotti@mev.co.uk</email>
</author>
<published>2013-07-05T15:49:34Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4b18f08be01a7b3c7b6df497137b6e3cb28adaa3'/>
<id>urn:sha1:4b18f08be01a7b3c7b6df497137b6e3cb28adaa3</id>
<content type='text'>
`do_cmd_ioctl()` is called with the comedi device's mutex locked to
process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command
handling on a comedi subdevice.  `comedi_read()` and `comedi_write()`
are the `read` and `write` handlers for the comedi device, but do not
lock the mutex (for performance reasons, as some things can hold the
mutex for quite a long time).

There is a race condition if `comedi_read()` or `comedi_write()` is
running at the same time and for the same file object and comedi
subdevice as `do_cmd_ioctl()`.  `do_cmd_ioctl()` sets the subdevice's
`busy` pointer to the file object way before it sets the `SRF_RUNNING` flag
in the subdevice's `runflags` member.  `comedi_read()` and
`comedi_write()` check the subdevice's `busy` pointer is pointing to the
current file object, then if the `SRF_RUNNING` flag is not set, will call
`do_become_nonbusy()` to shut down the asynchronous command.  Bad things
can happen if the asynchronous command is being shut down and set up at
the same time.

To prevent the race, don't set the `busy` pointer until
after the `SRF_RUNNING` flag has been set.  Also, make sure the mutex is
held in `comedi_read()` and `comedi_write()` while calling
`do_become_nonbusy()` in order to avoid moving the race condition to a
point within that function.

Change some error handling `goto cleanup` statements in `do_cmd_ioctl()`
to simple `return -ERRFOO` statements as a result of changing when the
`busy` pointer is set.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
</feed>
