linux/drivers/staging, branch v3.15-rc4

staging: comedi: usbdux: bug fix for accessing 'ao_chanlist' in private data

2014-04-23T23:20:15Z

In usbdux_ao_cmd(), the channels for the command are transfered from the cmd->chanlist and stored in the private data 'ao_chanlist'. The channel numbers are bit-shifted when stored so that they become the "command" that is transfered to the device. The channel to command conversion results in the 'ao_chanlist' having these values for the channels: channel 0 -> ao_chanlist = 0x00 channel 1 -> ao_chanlist = 0x40 channel 2 -> ao_chanlist = 0x80 channel 3 -> ao_chanlist = 0xc0 The problem is, the usbduxsub_ao_isoc_irq() function uses the 'chan' value from 'ao_chanlist' to access the 'ao_readback' array in the private data. So instead of accessing the array as 0, 1, 2, 3, it accesses it as 0x00, 0x40, 0x80, 0xc0. Fix this by storing the raw channel number in 'ao_chanlist' and doing the bit-shift when creating the command. Fixes: a998a3db530bff80 "staging: comedi: usbdux: cleanup the private data 'outBuffer'" Cc: stable # 3.12 Signed-off-by: H Hartley Sweeten Reviewed-by: Ian Abbott Acked-by: Bernd Porr Signed-off-by: Greg Kroah-Hartman

Merge tag 'iio-fixes-for-3.15a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

2014-04-23T04:29:20Z

Jonathan writes: First found of IIO fixes for the 3.15 cycle. * Fix the platform data support for the at91 adc driver. * A couple of related follow up patches get the support working again for at91sam9260 and at91sam9g45 as the earlier patch results in a device name change. * A default timer value in the at91 adc driver was bonkers. Make it sane. * Fix incorrect reporting of the integration time for the cm32181 light sensor * Fix a missing break in the ad2s1200 driver which would have give a false error return. * Make sure buffer scan mask queries from userspace return 0/1 rather than a fairly random value depending on their implementation of test_bit * Fix leak of the i2c client and a null pointer dereference in the cm36651 driver. * Fix a build warning on avr32 for the mxs-lradc (not exactly a critical combination - but the issue was real).

Merge tag 'staging-3.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

2014-04-18T23:58:47Z

Pull staging driver fixes from Greg KH: "Here are a few staging driver fixes for issues that have been reported for 3.15-rc2. Also dominating the diffstat for the pull request is the removal of the rtl8187se driver. It's no longer needed in staging as a "real" driver for this hardware is now merged in the tree in the "correct" location in drivers/net/ All of these patches have been tested in linux-next" * tag 'staging-3.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: r8188eu: Fix case where ethtype was never obtained and always be checked against 0 staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0 staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return NULL staging: comedi: fix circular locking dependency in comedi_mmap() staging: r8723au: Add missing initialization of change_inx in sort algorithm Staging: unisys: use after free in list_for_each() staging: unisys: use after free in error messages staging: speakup: fix misuse of kstrtol() in handle_goto() staging: goldfish: Call free_irq in error path staging: delete rtl8187se wireless driver staging: rtl8723au: Fix buffer overflow in rtw_get_wfd_ie() staging: gs_fpgaboot: remove __TIMESTAMP__ macro staging: vme: fix memory leak in vme_user_probe() staging: fpgaboot: clean up Makefile staging/usbip: fix store_attach() sscanf return value check staging/usbip: userspace - fix usbipd SIGSEGV from refresh_exported_devices() staging: rtl8188eu: remove spaces, correct counts to unbreak P2P ioctls staging/rtl8821ae: Fix OOM handling in _rtl_init_deferred_work()

video: move fbdev to drivers/video/fbdev

2014-04-17T05:10:19Z

The drivers/video directory is a mess. It contains generic video related files, directories for backlight, console, linux logo, lots of fbdev device drivers, fbdev framework files. Make some order into the chaos by creating drivers/video/fbdev directory, and move all fbdev related files there. No functionality is changed, although I guess it is possible that some subtle Makefile build order related issue could be created by this patch. Signed-off-by: Tomi Valkeinen Acked-by: Laurent Pinchart Acked-by: Geert Uytterhoeven Acked-by: Rob Clark Acked-by: Jingoo Han Acked-by: Daniel Vetter

staging: r8188eu: Fix case where ethtype was never obtained and always be checked against 0

2014-04-16T20:07:19Z

Zero-initializing ether_type masked that the ether type would never be obtained for 8021x packets and the comparison against eapol_type would always fail. Reported-by: Jes Sorensen Signed-off-by: Larry Finger Cc: Stable Signed-off-by: Greg Kroah-Hartman

staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0

2014-04-16T20:07:19Z

staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return NULL

2014-04-16T18:46:18Z

This makes the follow-on check for psta != NULL pointless and makes the whole exercise rather pointless. This is another case of why blindly zero-initializing variables when they are declared is bad. Reported-by: Jes Sorensen Signed-off-by: Larry Finger Cc: Stable Signed-off-by: Greg Kroah-Hartman

staging: comedi: fix circular locking dependency in comedi_mmap()

2014-04-16T18:41:45Z

Mmapping a comedi data buffer with lockdep checking enabled produced the following kernel debug messages: ====================================================== [ INFO: possible circular locking dependency detected ] 3.5.0-rc3-ija1+ #9 Tainted: G C ------------------------------------------------------- comedi_test/4160 is trying to acquire lock: (&dev->mutex#2){+.+.+.}, at: [] comedi_mmap+0x57/0x1d9 [comedi] but task is already holding lock: (&mm->mmap_sem){++++++}, at: [] vm_mmap_pgoff+0x41/0x76 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&mm->mmap_sem){++++++}: [] lock_acquire+0x97/0x105 [] might_fault+0x6d/0x90 [] do_devinfo_ioctl.isra.7+0x11e/0x14c [comedi] [] comedi_unlocked_ioctl+0x256/0xe48 [comedi] [] vfs_ioctl+0x18/0x34 [] do_vfs_ioctl+0x382/0x43c [] sys_ioctl+0x42/0x65 [] system_call_fastpath+0x16/0x1b -> #0 (&dev->mutex#2){+.+.+.}: [] __lock_acquire+0x101d/0x1591 [] lock_acquire+0x97/0x105 [] mutex_lock_nested+0x46/0x2a4 [] comedi_mmap+0x57/0x1d9 [comedi] [] mmap_region+0x281/0x492 [] do_mmap_pgoff+0x26b/0x2a7 [] vm_mmap_pgoff+0x5d/0x76 [] sys_mmap_pgoff+0xc7/0x10d [] sys_mmap+0x16/0x20 [] system_call_fastpath+0x16/0x1b other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&mm->mmap_sem); lock(&dev->mutex#2); lock(&mm->mmap_sem); lock(&dev->mutex#2); *** DEADLOCK *** To avoid the circular dependency, just try to get the lock in `comedi_mmap()` instead of blocking. Since the comedi device's main mutex is heavily used, do a down-read of its `attach_lock` rwsemaphore instead. Trying to down-read `attach_lock` should only fail if some task has down-write locked it, and that is only done while the comedi device is being attached to or detached from a low-level hardware device. Unfortunately, acquiring the `attach_lock` doesn't prevent another task replacing the comedi data buffer we are trying to mmap. The details of the buffer are held in a `struct comedi_buf_map` and pointed to by `s->async->buf_map` where `s` is the comedi subdevice whose buffer we are trying to map. The `struct comedi_buf_map` is already reference counted with a `struct kref`, so we can stop it being freed prematurely. Modify `comedi_mmap()` to call new function `comedi_buf_map_from_subdev_get()` to read the subdevice's current buffer map pointer and increment its reference instead of accessing `async->buf_map` directly. Call `comedi_buf_map_put()` to decrement the reference once the buffer map structure has been dealt with. (Note that `comedi_buf_map_put()` does nothing if passed a NULL pointer.) `comedi_buf_map_from_subdev_get()` checks the subdevice's buffer map pointer has been set and the buffer map has been initialized enough for `comedi_mmap()` to deal with it (specifically, check the `n_pages` member has been set to a non-zero value). If all is well, the buffer map's reference is incremented and a pointer to it is returned. The comedi subdevice's spin-lock is used to protect the checks. Also use the spin-lock in `__comedi_buf_alloc()` and `__comedi_buf_free()` to protect changes to the subdevice's buffer map structure pointer and the buffer map structure's `n_pages` member. (This checking of `n_pages` is a bit clunky and I [Ian Abbott] plan to deal with it in the future.) Signed-off-by: Ian Abbott Cc: # 3.14.x, 3.15.x Signed-off-by: Greg Kroah-Hartman

staging: r8723au: Add missing initialization of change_inx in sort algorithm

2014-04-16T18:41:45Z

drivers/staging/rtl8723au/core/rtw_wlan_util.c: In function ‘WMMOnAssocRsp23a’: drivers/staging/rtl8723au/core/rtw_wlan_util.c:684: warning: ‘change_inx’ may be used uninitialized in this function Depending on the uninitialized data on the stack, the array may not be sorted correctly. Signed-off-by: Geert Uytterhoeven Acked-by: Larry Finger Signed-off-by: Greg Kroah-Hartman

Staging: unisys: use after free in list_for_each()

2014-04-16T18:41:45Z

These should be using the _safe version of list_for_each() because we free the current element and it leads to a use after free bug. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman