Commit Graph

23298 Commits

Author SHA1 Message Date
Pali Rohár 5d60122b7e [media] radio-bcm2048: fix wrong overflow check
This patch fixes an off by one check in bcm2048_set_region().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-05-23 12:17:21 -03:00
Jinqiang Zeng cd6ff5c2df [media] fix the code style errors in sn9c102
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-05-23 12:16:03 -03:00
Laurent Pinchart fa7014f569 [media] omap4iss: Relax usleep ranges
Allow the system to merge CPU wakeups by specifying different minimum
and maximum usleep values.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-05-23 12:03:18 -03:00
Laurent Pinchart 05b1b986b5 [media] omap4iss: Use a common macro for all sleep-based poll loops
Instead of implementing usleep_range-based poll loops manually (and
slightly differently), create a generic iss_poll_wait_timeout() macro
and use it through the driver.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-05-23 12:02:57 -03:00
Laurent Pinchart 47a963f102 [media] omap4iss: Add missing white space
The error was reported by checkpatch.pl. Fix it.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-05-23 12:01:05 -03:00
Laurent Pinchart d14cb130f3 [media] omap4iss: Don't check for DEBUG when printing IRQ debugging messages
Now that the VIDEO_OMAP4_DEBUG Kconfig option has been removed in favour
of dynamic printk, the DEBUG macro isn't defined anymore. Don't check
for it to guard IRQ debugging messages compilation, as they're already
guarded by the ISS_ISR_DEBUG macro.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-05-23 12:00:45 -03:00
Paul Bolle 2e509dddc4 [media] omap4iss: Remove VIDEO_OMAP4_DEBUG Kconfig option
The option was supposed to control the definition of the DEBUG macro in
the Makefile but has been left unused by mistake. Given that debugging
should be enabled using dynamic printk, remote the Kconfig option.

[Reworked the commit message]

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-05-23 11:52:08 -03:00
Mauro Carvalho Chehab e899966f62 Linux 3.15-rc6
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJTfR2zAAoJEHm+PkMAQRiG3noH/2s+KUge3qO2M+AmxttUo74B
 +npAMdbqYR3MdEiwxYZfsHcMu4Ye/IKLcrh4pydB5hI2mdjtGkH1bnmia0f1ve/c
 Z/a0256+W8gWp7mcUBqSNztqLPAWa7wKOqNdLjj5idr1BSj6u8im+fQ9FBh2woki
 1fyYAuq/60lq4CMOKJvkA95V1Ome/jO+8tS4PguOgsCETQxCVFGurZcBbG3Mx5Y3
 v+ioCqeRc6GvxPFR6YngnTZCrsLxSRT3tnO2Qy5zX7dxjIQkCEbvIckpBQv01Y3R
 wNUaX+2Jae207igxrEv8CjmCFnmZFuUI15aWWCy6fOS/j8bjuk6ThYJO8N4ZBM0=
 =2ShG
 -----END PGP SIGNATURE-----

Merge tag 'v3.15-rc6' into patchwork

Linux 3.15-rc6

* tag 'v3.15-rc6': (1314 commits)
  Linux 3.15-rc6
  Btrfs: send, fix incorrect ref access when using extrefs
  Btrfs: fix EIO on reading file after ioctl clone works on it
  scripts/checksyscalls.sh: Make renameat optional
  asm-generic: Add renameat2 syscall
  ia64: add renameat2 syscall
  parisc: add renameat2 syscall
  m68k: add renameat2 syscall
  sysfs: make sure read buffer is zeroed
  ahci: imx: PLL clock needs 100us to settle down
  PCI: Wrong register used to check pending traffic
  target: fix memory leak on XCOPY
  random: fix BUG_ON caused by accounting simplification
  clk: tegra: Fix wrong value written to PLLE_AUX
  staging: rtl8723au: Do not reset wdev->iftype in netdev_close()
  ACPI / video: Revert native brightness quirk for ThinkPad T530
  staging: rtl8723au: Use correct pipe type for USB interrupts
  crush: decode and initialize chooseleaf_vary_r
  libceph: fix corruption when using page_count 0 page in rbd
  arm64: fix pud_huge() for 2-level pagetables
  ...
2014-05-21 23:03:15 -03:00
Linus Torvalds fba69f042a Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media fixes from Mauro Carvalho Chehab:
 "Most of the changes are drivers fixes (rtl28xuu, fc2580, ov7670,
  davinci, gspca, s5p-fimc and s5c73m3).

  There is also a compat32 fix and one infoleak fixup at the media
  controller"

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] V4L2: fix VIDIOC_CREATE_BUFS in 64- / 32-bit compatibility mode
  [media] V4L2: ov7670: fix a wrong index, potentially Oopsing the kernel from user-space
  [media] media-device: fix infoleak in ioctl media_enum_entities()
  [media] fc2580: fix tuning failure on 32-bit arch
  [media] Prefer gspca_sonixb over sn9c102 for all devices
  [media] media: davinci: vpfe: make sure all the buffers unmapped and released
  [media] staging: media: davinci: vpfe: make sure all the buffers are released
  [media] media: davinci: vpbe_display: fix releasing of active buffers
  [media] media: davinci: vpif_display: fix releasing of active buffers
  [media] media: davinci: vpif_capture: fix releasing of active buffers
  [media] s5p-fimc: Fix YUV422P depth
  [media] s5c73m3: Add missing rename of v4l2_of_get_next_endpoint() function
  [media] rtl28xxu: silence error log about disabled rtl2832_sdr module
  [media] rtl28xxu: do not hard depend on staging SDR module
2014-05-21 19:01:08 +09:00
Jes Sorensen bb4e506565 staging: rtl8723au: Do not reset wdev->iftype in netdev_close()
wdev->ifdev should be set by .change_virtual_intf(). This solves the
problem of WARN() messages on module unload.

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-16 15:23:11 -07:00
Jes Sorensen be02f259fd staging: rtl8723au: Use correct pipe type for USB interrupts
Use a correct pipe type when filling un interrupt urbs. This should
finally take care of the WARN() messages on the console when USB urbs
are submitted.

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-05-16 11:53:50 -07:00
Greg Kroah-Hartman 3519acb3b0 Merge branch 'imx-drm-fixes-urgent' of git://ftp.arm.linux.org.uk/~rmk/linux-arm into staging-linus
imx drm fixes from Russell
2014-05-06 06:25:10 -07:00
Greg Kroah-Hartman 86281966c7 Second set of fixes for IIO in the 3.15 cycle.
* ad2s1200 - Fix some missing parenthesis in a for statement that could have
   led to an error being missed when getting gpios.
 * Fix a null derefference issue in the mpu6050 when platform data is not
   provided (or is provided via the device tree for example).
 * exynos_adc bug on remove due to child devices having been added to the
   parent of the IIO device rather than the IIO device itself.  This caused an
   issue with the IIO device removing itself in it's remove function.
 * Make all ADC drivers buildable as modules to avoid dependency issues if
   the IIO core is itself built as a module.  The exynos adc bug became
   apparently whilst this fix was being tested.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTW8mSAAoJEFSFNJnE9BaI9jsP/AlX5/G8f5jynM1C0WNQ3WaA
 EigVPSWbZgIUaPoMCULNTFoKCB/o76ecR83t+q8+b/2i/wyTdvI+5nmDhR5kH/mN
 m5nRHjYT3mv2u8WnXQgoY7LtcaGDPFEG8TgykXCq4e6OeEa5rpCjeDcVWe6ogT2i
 jtrgOLvbW+y99GY8nGng5B3vqPyQoQQxiZBVvHstRlSFJbyRD2PaCsoWlu5ap1c1
 xbuVf2T48rfTskqZK8gzlGeXszZsrGeU4UZBCBMxIfG3Q5KtOtMj1FgfNBr/Dwgp
 AgYwY7x5V7CV3pucMBB7ZES8NPjXh3POQhrx9ZWWHZzMAMDjlbTDjUQFSZHiT1MO
 tfh9B3aGNxpWJ/wv23wPlyFSQ8/ffTWA6v8VlxkItrwJa5123FdDPRsHvn4cTAJe
 LHNeERlRYJbOZd+iPyojObwpU7le4f/yk2heb45TlRmb5vAuJd7VWDXkjO3XRZJB
 ya1gYUEbC+XF8gnFSrEOLI7RTYUcBIB216PPODP3jh4Ui32lfDgGvqr2QSy5XMZF
 JK8SChrVw/OhC8th+/qOKGmSnjxfVx1IndpzdnrCD5c6B3YeFKkk7dzwBLIMXubW
 MOcVguVOZawgtodff48uoCQ9EJlvVpSWf6ps/oWdYDIp0zur50lFokixIggUYQc0
 WYiQk6D+Lovmb9x9BYms
 =qTIz
 -----END PGP SIGNATURE-----

Merge tag 'iio-fixes-for-3.15b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

Jonathan writes:

Second set of fixes for IIO in the 3.15 cycle.

* ad2s1200 - Fix some missing parenthesis in a for statement that could have
  led to an error being missed when getting gpios.
* Fix a null derefference issue in the mpu6050 when platform data is not
  provided (or is provided via the device tree for example).
* exynos_adc bug on remove due to child devices having been added to the
  parent of the IIO device rather than the IIO device itself.  This caused an
  issue with the IIO device removing itself in it's remove function.
* Make all ADC drivers buildable as modules to avoid dependency issues if
  the IIO core is itself built as a module.  The exynos adc bug became
  apparently whilst this fix was being tested.
2014-04-30 14:19:23 -07:00
Shawn Guo a3fe964135 imx-drm: imx-tve: correct DDC property name to 'ddc-i2c-bus'
Commit 62e3879 (imx-drm: imx-tve: Fix DDC I2C bus property) was trying
to use 'ddc-i2c-bus' as the DDC property name (we can see that from the
commit log), but unfortunately 'i2c-ddc-bus' which is a typo was
actually used in the code.  This results in some unnecessary
inconsistency and confusions, because all the documented DDC property
in device tree bindings use 'ddc-i2c-bus'.

  Documentation/devicetree/bindings/staging/imx-drm/hdmi.txt
  Documentation/devicetree/bindings/panel/simple-panel.txt
  Documentation/devicetree/bindings/video/dvi-connector.txt

Let's fix it before the error spreads.

Signed-off-by: Shawn Guo <shawn.guo@freescale.com>
Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2014-04-26 11:23:38 +01:00
Jimmy Li c60e5760b0 staging:iio:ad2s1200 fix missing parenthesis in a for statment.
Signed-off-by: Jimmy Li <coder.liss@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2014-04-26 10:51:14 +01:00
H Hartley Sweeten 2704f807f9 staging: comedi: usbdux: bug fix for accessing 'ao_chanlist' in private data
In usbdux_ao_cmd(), the channels for the command are transfered from the
cmd->chanlist and stored in the private data 'ao_chanlist'. The channel
numbers are bit-shifted when stored so that they become the "command"
that is transfered to the device. The channel to command conversion
results in the 'ao_chanlist' having these values for the channels:

  channel 0 -> ao_chanlist = 0x00
  channel 1 -> ao_chanlist = 0x40
  channel 2 -> ao_chanlist = 0x80
  channel 3 -> ao_chanlist = 0xc0

The problem is, the usbduxsub_ao_isoc_irq() function uses the 'chan' value
from 'ao_chanlist' to access the 'ao_readback' array in the private data.
So instead of accessing the array as 0, 1, 2, 3, it accesses it as 0x00,
0x40, 0x80, 0xc0.

Fix this by storing the raw channel number in 'ao_chanlist' and doing the
bit-shift when creating the command.

Fixes: a998a3db53 "staging: comedi: usbdux: cleanup the private data 'outBuffer'"
Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Acked-by: Bernd Porr <mail@berndporr.me.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-23 16:20:15 -07:00
Hans Verkuil e37559b22c [media] vb2: stop_streaming should return void
The vb2 core ignores any return code from the stop_streaming op.
And there really isn't anything it can do anyway in case of an error.
So change the return type to void and update any drivers that implement it.

The int return gave drivers the idea that this operation could actually
fail, but that's really not the case.

The pwc amd sdr-msi3101 drivers both had this construction:

        if (mutex_lock_interruptible(&s->v4l2_lock))
                return -ERESTARTSYS;

This has been updated to just call mutex_lock(). The stop_streaming op
expects this to really stop streaming and I very much doubt this will
work reliably if stop_streaming just returns without really stopping the
DMA.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Pawel Osciak <pawel@osciak.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-04-23 10:12:51 -03:00
Greg Kroah-Hartman 8b425aa193 First found of IIO fixes for the 3.15 cycle.
* Fix the platform data support for the at91 adc driver.
 * A couple of related follow up patches get the support working again
   for at91sam9260 and at91sam9g45 as the earlier patch results in a device
   name change.
 * A default timer value in the at91 adc driver was bonkers.  Make it sane.
 * Fix incorrect reporting of the integration time for the cm32181 light sensor
 * Fix a missing break in the ad2s1200 driver which would have give a false
   error return.
 * Make sure buffer scan mask queries from userspace return 0/1 rather than
   a fairly random value depending on their implementation of test_bit
 * Fix leak of the i2c client and a null pointer dereference in the cm36651
   driver.
 * Fix a build warning on avr32 for the mxs-lradc (not exactly a critical
   combination - but the issue was real).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTSX1HAAoJEFSFNJnE9BaIGkoQAIotGana51TXPo9KYnQJaCYH
 +xBfaaXEaR69lARoXT8SDGzyXPCQNOEbVfsXRwrVQ4Wl8x2hP8n9YdUrAHzZ/8O/
 Wf8Z0jb81Q+KNJ+SMMgcy4kK5OU71EMMk5fbocPzD+WfQ+WlDr+My1F3yZ5UIvOM
 nOUF6QCcYA0MN7dopEVIqyP8HZhrxR1YUvgzqOmp1fteYL4gFCU006WPSI30GxEv
 fMM8MiWbbn9xjOsR7SBzaLEo0Hv3YC92zwSAuJxGClH/+9cKogWAaE/PiNUO3y6A
 +2D0KQnGRopKy4j/QCjdPZsTmYDBxQ9vMlUOtRlOf1XAVjL6pZu2EJ2/ereShLW6
 B4rev23tqgk9nyNk/Li4n+5krzvPqqOcbWNW1la769DkEt7LU+YU+hiShkDm1+0M
 6hwxPd6gQxg0QUjuusi1+B5JqweAv+mEcCsQ+ga6ZK61X9bNJ6c/4YF451rkNhc6
 mlC3ZqBvDALmNSVdCas0GOGHLaeWxfoT7E9G6p62h9uBVerqZ6epvlAUC6JOHotc
 /qz/D1VL1+ptPAawXiFSNOb8RMJogdBfjPB9bOlYQSSHV3eF0RVNK6FQiqvc4mFX
 or1pPG6lDLGm6g3NcDEjxEEVThevQpEwKmpM0TCEUMiIuxSHYN/M//P2PSeDvYwk
 9k8x3fJae7dWNsGIT92y
 =HMr3
 -----END PGP SIGNATURE-----

Merge tag 'iio-fixes-for-3.15a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

Jonathan writes:

First found of IIO fixes for the 3.15 cycle.

* Fix the platform data support for the at91 adc driver.
* A couple of related follow up patches get the support working again
  for at91sam9260 and at91sam9g45 as the earlier patch results in a device
  name change.
* A default timer value in the at91 adc driver was bonkers.  Make it sane.
* Fix incorrect reporting of the integration time for the cm32181 light sensor
* Fix a missing break in the ad2s1200 driver which would have give a false
  error return.
* Make sure buffer scan mask queries from userspace return 0/1 rather than
  a fairly random value depending on their implementation of test_bit
* Fix leak of the i2c client and a null pointer dereference in the cm36651
  driver.
* Fix a build warning on avr32 for the mxs-lradc (not exactly a critical
  combination - but the issue was real).
2014-04-22 21:29:20 -07:00
Shawn Guo 1c2366298b imx-drm: imx-drm-core: skip components whose parent device is disabled
In a board setup which disables LDB device node completely by changing
status to 'disabled', and only enables HDMI device, we're running into
the problem that imx-drm master never succeeds in binding, and hence
HDMI does not come up either.

&ldb {
	status = "disabled";

	lvds-channel@1 {
		...
		status = "okay";
	};
};

The imx-drm-core should really skip the LVDS channels no matter what
lvds-channel's status is, if LDB device is disabled.  Let's consider
such setup a misconfiguration, give a warning in there and not add the
component.

Signed-off-by: Shawn Guo <shawn.guo@freescale.com>
Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2014-04-19 09:50:57 +01:00
Philipp Zabel c509bdc20d imx-drm: imx-drm-core: fix imx_drm_encoder_get_mux_id
The decoder mux id is equal to the port id of the encoder's input port
that is connected to the given crtc, not to the endpoint id (which is
arbitrary and usually zero).

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Tested-by: Shawn Guo <shawn.guo@freescale.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2014-04-19 09:36:03 +01:00
Linus Torvalds 8cb652bb10 staging driver fixes for 3.15-rc2
Here are a few staging driver fixes for issues that have been reported
 for 3.15-rc2.
 
 Also dominating the diffstat for the pull request is the removal of the
 rtl8187se driver.  It's no longer needed in staging as a "real" driver
 for this hardware is now merged in the tree in the "correct" location in
 drivers/net/
 
 All of these patches have been tested in linux-next.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iEYEABECAAYFAlNRmSwACgkQMUfUDdst+ympmwCgmht0boH4QJSf8ojnkrgXhZOG
 JUsAoJqfC22c/dKfLbMgXYuU12Kuidhe
 =poU3
 -----END PGP SIGNATURE-----

Merge tag 'staging-3.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
 "Here are a few staging driver fixes for issues that have been reported
  for 3.15-rc2.

  Also dominating the diffstat for the pull request is the removal of
  the rtl8187se driver.  It's no longer needed in staging as a "real"
  driver for this hardware is now merged in the tree in the "correct"
  location in drivers/net/

  All of these patches have been tested in linux-next"

* tag 'staging-3.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: r8188eu: Fix case where ethtype was never obtained and always be checked against 0
  staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0
  staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return NULL
  staging: comedi: fix circular locking dependency in comedi_mmap()
  staging: r8723au: Add missing initialization of change_inx in sort algorithm
  Staging: unisys: use after free in list_for_each()
  staging: unisys: use after free in error messages
  staging: speakup: fix misuse of kstrtol() in handle_goto()
  staging: goldfish: Call free_irq in error path
  staging: delete rtl8187se wireless driver
  staging: rtl8723au: Fix buffer overflow in rtw_get_wfd_ie()
  staging: gs_fpgaboot: remove __TIMESTAMP__ macro
  staging: vme: fix memory leak in vme_user_probe()
  staging: fpgaboot: clean up Makefile
  staging/usbip: fix store_attach() sscanf return value check
  staging/usbip: userspace - fix usbipd SIGSEGV from refresh_exported_devices()
  staging: rtl8188eu: remove spaces, correct counts to unbreak P2P ioctls
  staging/rtl8821ae: Fix OOM handling in _rtl_init_deferred_work()
2014-04-18 16:58:47 -07:00
Tomi Valkeinen f7018c2135 video: move fbdev to drivers/video/fbdev
The drivers/video directory is a mess. It contains generic video related
files, directories for backlight, console, linux logo, lots of fbdev
device drivers, fbdev framework files.

Make some order into the chaos by creating drivers/video/fbdev
directory, and move all fbdev related files there.

No functionality is changed, although I guess it is possible that some
subtle Makefile build order related issue could be created by this
patch.

Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Rob Clark <robdclark@gmail.com>
Acked-by: Jingoo Han <jg1.han@samsung.com>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-04-17 08:10:19 +03:00
Lad, Prabhakar 8f7402a304 [media] staging: media: davinci: vpfe: release buffers in case start_streaming call back fails
this patch releases the buffer by calling vb2_buffer_done(),
with state marked as VB2_BUF_STATE_QUEUED if start_streaming()
call back fails.

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-04-16 18:26:47 -03:00
Lad, Prabhakar 933fd6e57d [media] staging: media: davinci: vpfe: use v4l2_fh for priority handling
Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-04-16 18:26:03 -03:00
Mike Sampson 07002c05c3 [media] sn9c102_hv7131r: fix style warnings flagged by checkpatch.pl
Signed-off-by: Mike Sampson <mike@sambodata.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-04-16 18:25:27 -03:00
ileana@telecom-paristech.fr 576f7d3487 [media] staging: omap24xx: fix coding style
Fix missing parentheses in macros
Errors found by checkpatch.pl

Signed-off-by: Ioana Ileana <ileana@enst.fr>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-04-16 18:21:19 -03:00
Larry Finger 33c84bc14c staging: r8188eu: Fix case where ethtype was never obtained and always be checked against 0
Zero-initializing ether_type masked that the ether type would never be
obtained for 8021x packets and the comparison against eapol_type
would always fail.

Reported-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 13:07:19 -07:00
Larry Finger f764cd68d9 staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0
Zero-initializing ether_type masked that the ether type would never be
obtained for 8021x packets and the comparison against eapol_type
would always fail.

Reported-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 13:07:19 -07:00
Larry Finger 9452bf5602 staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return NULL
This makes the follow-on check for psta != NULL pointless and makes
the whole exercise rather pointless. This is another case of why
blindly zero-initializing variables when they are declared is bad.

Reported-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:46:18 -07:00
Ian Abbott b34aa86f12 staging: comedi: fix circular locking dependency in comedi_mmap()
Mmapping a comedi data buffer with lockdep checking enabled produced the
following kernel debug messages:

======================================================
[ INFO: possible circular locking dependency detected ]
3.5.0-rc3-ija1+ #9 Tainted: G         C
-------------------------------------------------------
comedi_test/4160 is trying to acquire lock:
 (&dev->mutex#2){+.+.+.}, at: [<ffffffffa00313f4>] comedi_mmap+0x57/0x1d9 [comedi]

but task is already holding lock:
 (&mm->mmap_sem){++++++}, at: [<ffffffff810c96fe>] vm_mmap_pgoff+0x41/0x76

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&mm->mmap_sem){++++++}:
       [<ffffffff8106d0e8>] lock_acquire+0x97/0x105
       [<ffffffff810ce3bc>] might_fault+0x6d/0x90
       [<ffffffffa0031ffb>] do_devinfo_ioctl.isra.7+0x11e/0x14c [comedi]
       [<ffffffffa003227f>] comedi_unlocked_ioctl+0x256/0xe48 [comedi]
       [<ffffffff810f7fcd>] vfs_ioctl+0x18/0x34
       [<ffffffff810f87fd>] do_vfs_ioctl+0x382/0x43c
       [<ffffffff810f88f9>] sys_ioctl+0x42/0x65
       [<ffffffff81415c62>] system_call_fastpath+0x16/0x1b

-> #0 (&dev->mutex#2){+.+.+.}:
       [<ffffffff8106c528>] __lock_acquire+0x101d/0x1591
       [<ffffffff8106d0e8>] lock_acquire+0x97/0x105
       [<ffffffff8140c894>] mutex_lock_nested+0x46/0x2a4
       [<ffffffffa00313f4>] comedi_mmap+0x57/0x1d9 [comedi]
       [<ffffffff810d5816>] mmap_region+0x281/0x492
       [<ffffffff810d5c92>] do_mmap_pgoff+0x26b/0x2a7
       [<ffffffff810c971a>] vm_mmap_pgoff+0x5d/0x76
       [<ffffffff810d493f>] sys_mmap_pgoff+0xc7/0x10d
       [<ffffffff81004d36>] sys_mmap+0x16/0x20
       [<ffffffff81415c62>] system_call_fastpath+0x16/0x1b

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&mm->mmap_sem);
                               lock(&dev->mutex#2);
                               lock(&mm->mmap_sem);
  lock(&dev->mutex#2);

 *** DEADLOCK ***

To avoid the circular dependency, just try to get the lock in
`comedi_mmap()` instead of blocking.  Since the comedi device's main mutex
is heavily used, do a down-read of its `attach_lock` rwsemaphore
instead.  Trying to down-read `attach_lock` should only fail if
some task has down-write locked it, and that is only done while the
comedi device is being attached to or detached from a low-level hardware
device.

Unfortunately, acquiring the `attach_lock` doesn't prevent another
task replacing the comedi data buffer we are trying to mmap.  The
details of the buffer are held in a `struct comedi_buf_map` and pointed
to by `s->async->buf_map` where `s` is the comedi subdevice whose buffer
we are trying to map.  The `struct comedi_buf_map` is already reference
counted with a `struct kref`, so we can stop it being freed prematurely.

Modify `comedi_mmap()` to call new function
`comedi_buf_map_from_subdev_get()` to read the subdevice's current
buffer map pointer and increment its reference instead of accessing
`async->buf_map` directly.  Call `comedi_buf_map_put()` to decrement the
reference once the buffer map structure has been dealt with.  (Note that
`comedi_buf_map_put()` does nothing if passed a NULL pointer.)

`comedi_buf_map_from_subdev_get()` checks the subdevice's buffer map
pointer has been set and the buffer map has been initialized enough for
`comedi_mmap()` to deal with it (specifically, check the `n_pages`
member has been set to a non-zero value).  If all is well, the buffer
map's reference is incremented and a pointer to it is returned.  The
comedi subdevice's spin-lock is used to protect the checks.  Also use
the spin-lock in `__comedi_buf_alloc()` and `__comedi_buf_free()` to
protect changes to the subdevice's buffer map structure pointer and the
buffer map structure's `n_pages` member.  (This checking of `n_pages` is
a bit clunky and I [Ian Abbott] plan to deal with it in the future.)

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: <stable@vger.kernel.org> # 3.14.x, 3.15.x
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:41:45 -07:00
Geert Uytterhoeven 2c33d7cc38 staging: r8723au: Add missing initialization of change_inx in sort algorithm
drivers/staging/rtl8723au/core/rtw_wlan_util.c: In function ‘WMMOnAssocRsp23a’:
drivers/staging/rtl8723au/core/rtw_wlan_util.c:684: warning: ‘change_inx’ may be used uninitialized in this function

Depending on the uninitialized data on the stack, the array may not be
sorted correctly.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:41:45 -07:00
Dan Carpenter e6b1ea773e Staging: unisys: use after free in list_for_each()
These should be using the _safe version of list_for_each() because we
free the current element and it leads to a use after free bug.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:41:45 -07:00
Dan Carpenter d21bb45081 staging: unisys: use after free in error messages
We dereference "bus" when we report the error so we have to move the
kfree() down a couple lines.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:41:44 -07:00
Daeseok Youn ef35a4f44b staging: speakup: fix misuse of kstrtol() in handle_goto()
A string of goto_buf has a number followed by x or y.
e.g. "3x" means move 3 lines down.
The kstrtol() returns an error(-EINVAL) with this string so
go_pos has unsigned a value of that error.
And also "*cp" has not expected value.

And fix sparse warnings:
 drivers/staging/speakup/main.c:1901 handle_goto() warn: unsigned '(speakup_console[vc->vc_num]->go_pos)' is never less than zero.
 drivers/staging/speakup/main.c:1911 handle_goto() warn: unsigned '(speakup_console[vc->vc_num]->go_pos)' is never less than zero.

Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:41:44 -07:00
Tuomas Tynkkynen ff8ebe6448 staging: goldfish: Call free_irq in error path
If misc_register failed in goldfish_audio_probe, the already requested
IRQ wouldn't get freed. Add a call to free_irq() like there is in
goldfish_audio_remove().

Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:41:44 -07:00
Greg Kroah-Hartman 5ed0a8e667 staging: delete rtl8187se wireless driver
There is a "real" driver for this hardware now in drivers/net/ so remove
the staging version as it's not needed anymore.

Reported-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: John W. Linville" <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-16 11:35:54 -07:00
Jes Sorensen f5d197b614 staging: rtl8723au: Fix buffer overflow in rtw_get_wfd_ie()
Add bounds checking to not allow WFD Information Elements larger than
128, and make sure we use the correct buffer size MAX_WFD_IE_LEN
instea of hardcoding the size.

This also simplifies rtw_get_wfd_ie() by using the cfg80211
infrastructure.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 15:34:40 -07:00
Arnd Bergmann 14e6e35d04 staging: gs_fpgaboot: remove __TIMESTAMP__ macro
We specifically build the kernel with -Werror=date-time to detect
such macros, which gives us this error:

gs_fpgaboot/gs_fpgaboot.c:376:44: error: macro "__TIMESTAMP__" might prevent reproducible builds [-Werror=date-time]
  pr_info("built at %s UTC\n", __TIMESTAMP__);

The obvious fix is to remove the printk output line.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Insop Song <insop.song@gainspeed.com>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 14:46:43 -07:00
Daeseok Youn 1a52489318 staging: vme: fix memory leak in vme_user_probe()
If vme_master_request() returns NULL when it failed,
it need to free buffers for master.

And also removes unreachable code in vme_user_probe().

Signed-off-by: Daeseok Youn <daeseok.youn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 14:46:43 -07:00
Paul Bolle d06fb58cb6 staging: fpgaboot: clean up Makefile
This Makefile tries to set the DEBUG macro but it uses an unknown
Kconfig macro to do so. Since no code appears to even care about the
DEBUG macro this line can safely be removed.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Reviewed-by: Insop Song <insop.song@gainspeed.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 14:46:42 -07:00
Shuah Khan de4734bc65 staging/usbip: fix store_attach() sscanf return value check
sscanf() parses the input buffer for four input items. However,
the return value check is incorrect, as it checks for one input
item instead of four which is what it is expecting in the input
buffer. As a result, sscanf() will always fail even when the input
buffer is correct.

Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 14:43:01 -07:00
Shuah Khan 21c5e8408d staging/usbip: userspace - fix usbipd SIGSEGV from refresh_exported_devices()
refresh_exported_devices() doesn't check udev_device_new_from_syspath()
return value and passed in null dev to udev_device_get_driver() resulting
in a segmentation fault. Change it to check for null return value from
both udev_device_new_from_syspath() and udev_device_get_driver().

Signed-off-by: Shuah Khan <shuah.kh@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 14:43:01 -07:00
Wilfried Klaebe ec03ab77cc staging: rtl8188eu: remove spaces, correct counts to unbreak P2P ioctls
staging: rtl8188eu: remove spaces, correct counts to unbreak P2P ioctls

It looks like someone did a search-and-replace on that driver, putting
spaces before "=" characters, without checking this is OK everywhere.
Also, in some places, there's memcpm()s/strncmp()s checking for some
different length than the fixed string argument.

These things result in code not working as intended. Fix that.

Signed-off-by: Wilfried Klaebe <w-lkml@lebenslange-mailadresse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 13:52:14 -07:00
Richard Weinberger 29d1e7209e staging/rtl8821ae: Fix OOM handling in _rtl_init_deferred_work()
alloc_workqueue() can fail, handle this case.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-15 11:39:09 -07:00
Jean Delvare 877ed14306 [media] Prefer gspca_sonixb over sn9c102 for all devices
The sn9c102 driver is deprecated. It was moved to staging in
anticipation of its removal in a future kernel version. However, USB
devices 0C45:6024 and 0C45:6025 are still handled by sn9c102 when
both sn9c102 and gspca_sonixb are enabled.

We must migrate all the users of these devices to the gspca_sonixb
driver now, so that it gets sufficient testing before the sn9c102
driver is finally phased out.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-04-15 09:59:31 -03:00
Lad, Prabhakar d891ae5ef1 [media] staging: media: davinci: vpfe: make sure all the buffers are released
from commit-id: b3379c6201
"vb2: only call start_streaming if sufficient buffers are queued"
the vb2 framework warns on (WARN_ON()) if all the active buffers
are not released when streaming is stopped, initially the vb2 silently
released the buffer internally if the buffer was not released by
the driver.

This patch fixes following issue:

WARNING: CPU: 0 PID: 2049 at drivers/media/v4l2-core/videobuf2-core.c:2011 __vb2_queue_cancel+0x1a0/0x218()
Modules linked in:
CPU: 0 PID: 2049 Comm: vpfe_video Tainted: G        W    3.14.0-rc5-00414-ged97a6f #89
[<c000e3f0>] (unwind_backtrace) from [<c000c618>] (show_stack+0x10/0x14)
[<c000c618>] (show_stack) from [<c001adb0>] (warn_slowpath_common+0x68/0x88)
[<c001adb0>] (warn_slowpath_common) from [<c001adec>] (warn_slowpath_null+0x1c/0x24)
[<c001adec>] (warn_slowpath_null) from [<c0252e0c>] (__vb2_queue_cancel+0x1a0/0x218)
[<c0252e0c>] (__vb2_queue_cancel) from [<c02533a4>] (vb2_queue_release+0x14/0x24)
[<c02533a4>] (vb2_queue_release) from [<c025a65c>] (vpfe_release+0x60/0x230)
[<c025a65c>] (vpfe_release) from [<c023fe5c>] (v4l2_release+0x34/0x74)
[<c023fe5c>] (v4l2_release) from [<c00b4a00>] (__fput+0x80/0x224)
[<c00b4a00>] (__fput) from [<c00341e8>] (task_work_run+0xa0/0xd0)
[<c00341e8>] (task_work_run) from [<c001cc28>] (do_exit+0x244/0x918)
[<c001cc28>] (do_exit) from [<c001d344>] (do_group_exit+0x48/0xdc)
[<c001d344>] (do_group_exit) from [<c0029894>] (get_signal_to_deliver+0x2a0/0x5bc)
[<c0029894>] (get_signal_to_deliver) from [<c000b888>] (do_signal+0x78/0x3a0)
[<c000b888>] (do_signal) from [<c000bc54>] (do_work_pending+0xa4/0xb4)
[<c000bc54>] (do_work_pending) from [<c00096dc>] (work_pending+0xc/0x20)
---[ end trace 5faa75e8c2f8a6a1 ]---
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2049 at drivers/media/v4l2-core/videobuf2-core.c:1095 vb2_buffer_done+0x1e0/0x224()
Modules linked in:
CPU: 0 PID: 2049 Comm: vpfe_video Tainted: G        W    3.14.0-rc5-00414-ged97a6f #89
[<c000e3f0>] (unwind_backtrace) from [<c000c618>] (show_stack+0x10/0x14)
[<c000c618>] (show_stack) from [<c001adb0>] (warn_slowpath_common+0x68/0x88)
[<c001adb0>] (warn_slowpath_common) from [<c001adec>] (warn_slowpath_null+0x1c/0x24)
[<c001adec>] (warn_slowpath_null) from [<c0252c28>] (vb2_buffer_done+0x1e0/0x224)
[<c0252c28>] (vb2_buffer_done) from [<c0252e3c>] (__vb2_queue_cancel+0x1d0/0x218)
[<c0252e3c>] (__vb2_queue_cancel) from [<c02533a4>] (vb2_queue_release+0x14/0x24)
[<c02533a4>] (vb2_queue_release) from [<c025a65c>] (vpfe_release+0x60/0x230)
[<c025a65c>] (vpfe_release) from [<c023fe5c>] (v4l2_release+0x34/0x74)
[<c023fe5c>] (v4l2_release) from [<c00b4a00>] (__fput+0x80/0x224)
[<c00b4a00>] (__fput) from [<c00341e8>] (task_work_run+0xa0/0xd0)
[<c00341e8>] (task_work_run) from [<c001cc28>] (do_exit+0x244/0x918)
[<c001cc28>] (do_exit) from [<c001d344>] (do_group_exit+0x48/0xdc)
[<c001d344>] (do_group_exit) from [<c0029894>] (get_signal_to_deliver+0x2a0/0x5bc)
[<c0029894>] (get_signal_to_deliver) from [<c000b888>] (do_signal+0x78/0x3a0)
[<c000b888>] (do_signal) from [<c000bc54>] (do_work_pending+0xa4/0xb4)
[<c000bc54>] (do_work_pending) from [<c00096dc>] (work_pending+0xc/0x20)
---[ end trace 5faa75e8c2f8a6a2 ]---

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
2014-04-15 09:54:28 -03:00
Linus Torvalds 454fd351f2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull yet more networking updates from David Miller:

 1) Various fixes to the new Redpine Signals wireless driver, from
    Fariya Fatima.

 2) L2TP PPP connect code takes PMTU from the wrong socket, fix from
    Dmitry Petukhov.

 3) UFO and TSO packets differ in whether they include the protocol
    header in gso_size, account for that in skb_gso_transport_seglen().
   From Florian Westphal.

 4) If VLAN untagging fails, we double free the SKB in the bridging
    output path.  From Toshiaki Makita.

 5) Several call sites of sk->sk_data_ready() were referencing an SKB
    just added to the socket receive queue in order to calculate the
    second argument via skb->len.  This is dangerous because the moment
    the skb is added to the receive queue it can be consumed in another
    context and freed up.

    It turns out also that none of the sk->sk_data_ready()
    implementations even care about this second argument.

    So just kill it off and thus fix all these use-after-free bugs as a
    side effect.

 6) Fix inverted test in tcp_v6_send_response(), from Lorenzo Colitti.

 7) pktgen needs to do locking properly for LLTX devices, from Daniel
    Borkmann.

 8) xen-netfront driver initializes TX array entries in RX loop :-) From
    Vincenzo Maffione.

 9) After refactoring, some tunnel drivers allow a tunnel to be
    configured on top itself.  Fix from Nicolas Dichtel.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (46 commits)
  vti: don't allow to add the same tunnel twice
  gre: don't allow to add the same tunnel twice
  drivers: net: xen-netfront: fix array initialization bug
  pktgen: be friendly to LLTX devices
  r8152: check RTL8152_UNPLUG
  net: sun4i-emac: add promiscuous support
  net/apne: replace IS_ERR and PTR_ERR with PTR_ERR_OR_ZERO
  net: ipv6: Fix oif in TCP SYN+ACK route lookup.
  drivers: net: cpsw: enable interrupts after napi enable and clearing previous interrupts
  drivers: net: cpsw: discard all packets received when interface is down
  net: Fix use after free by removing length arg from sk_data_ready callbacks.
  Drivers: net: hyperv: Address UDP checksum issues
  Drivers: net: hyperv: Negotiate suitable ndis version for offload support
  Drivers: net: hyperv: Allocate memory for all possible per-pecket information
  bridge: Fix double free and memory leak around br_allowed_ingress
  bonding: Remove debug_fs files when module init fails
  i40evf: program RSS LUT correctly
  i40evf: remove open-coded skb_cow_head
  ixgb: remove open-coded skb_cow_head
  igbvf: remove open-coded skb_cow_head
  ...
2014-04-12 17:31:22 -07:00
Linus Torvalds 9309444906 Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media fixes from Mauro Carvalho Chehab:
 "A series of bug fix patches for v3.15-rc1.  Most are just driver
  fixes.  There are some changes at remote controller core level, fixing
  some definitions on a new API added for Kernel v3.15.

  It also adds the missing include at include/uapi/linux/v4l2-common.h,
  to allow its compilation on userspace, as pointed by you"

* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (24 commits)
  [media] gpsca: remove the risk of a division by zero
  [media] stk1160: warrant a NUL terminated string
  [media] v4l: ti-vpe: retain v4l2_buffer flags for captured buffers
  [media] v4l: ti-vpe: Set correct field parameter for output and capture buffers
  [media] v4l: ti-vpe: zero out reserved fields in try_fmt
  [media] v4l: ti-vpe: Fix initial configuration queue data
  [media] v4l: ti-vpe: Use correct bus_info name for the device in querycap
  [media] v4l: ti-vpe: report correct capabilities in querycap
  [media] v4l: ti-vpe: Allow usage of smaller images
  [media] v4l: ti-vpe: Use video_device_release_empty
  [media] v4l: ti-vpe: Make sure in job_ready that we have the needed number of dst_bufs
  [media] lgdt3305: include sleep functionality in lgdt3304_ops
  [media] drx-j: use customise option correctly
  [media] m88rs2000: fix sparse static warnings
  [media] r820t: fix size and init values
  [media] rc-core: remove generic scancode filter
  [media] rc-core: split dev->s_filter
  [media] rc-core: do not change 32bit NEC scancode format for now
  [media] rtl28xxu: remove duplicate ID 0458:707f Genius TVGo DVB-T03
  [media] xc2028: add missing break to switch
  ...
2014-04-12 16:18:17 -07:00
Linus Torvalds 5166701b36 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs updates from Al Viro:
 "The first vfs pile, with deep apologies for being very late in this
  window.

  Assorted cleanups and fixes, plus a large preparatory part of iov_iter
  work.  There's a lot more of that, but it'll probably go into the next
  merge window - it *does* shape up nicely, removes a lot of
  boilerplate, gets rid of locking inconsistencie between aio_write and
  splice_write and I hope to get Kent's direct-io rewrite merged into
  the same queue, but some of the stuff after this point is having
  (mostly trivial) conflicts with the things already merged into
  mainline and with some I want more testing.

  This one passes LTP and xfstests without regressions, in addition to
  usual beating.  BTW, readahead02 in ltp syscalls testsuite has started
  giving failures since "mm/readahead.c: fix readahead failure for
  memoryless NUMA nodes and limit readahead pages" - might be a false
  positive, might be a real regression..."

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits)
  missing bits of "splice: fix racy pipe->buffers uses"
  cifs: fix the race in cifs_writev()
  ceph_sync_{,direct_}write: fix an oops on ceph_osdc_new_request() failure
  kill generic_file_buffered_write()
  ocfs2_file_aio_write(): switch to generic_perform_write()
  ceph_aio_write(): switch to generic_perform_write()
  xfs_file_buffered_aio_write(): switch to generic_perform_write()
  export generic_perform_write(), start getting rid of generic_file_buffer_write()
  generic_file_direct_write(): get rid of ppos argument
  btrfs_file_aio_write(): get rid of ppos
  kill the 5th argument of generic_file_buffered_write()
  kill the 4th argument of __generic_file_aio_write()
  lustre: don't open-code kernel_recvmsg()
  ocfs2: don't open-code kernel_recvmsg()
  drbd: don't open-code kernel_recvmsg()
  constify blk_rq_map_user_iov() and friends
  lustre: switch to kernel_sendmsg()
  ocfs2: don't open-code kernel_sendmsg()
  take iov_iter stuff to mm/iov_iter.c
  process_vm_access: tidy up a bit
  ...
2014-04-12 14:49:50 -07:00
David S. Miller 676d23690f net: Fix use after free by removing length arg from sk_data_ready callbacks.
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-11 16:15:36 -04:00