linux/drivers/staging, branch v3.12

Staging: sb105x: info leak in mp_get_count()

2013-10-30T19:24:50Z

The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds

Staging: bcm: info leak in ioctl

2013-10-30T19:24:49Z

The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds

staging: wlags49_h2: buffer overflow setting station name

2013-10-30T19:24:49Z

We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds

staging: ozwpan: prevent overflow in oz_cdev_write()

2013-10-30T19:24:49Z

We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds

Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

2013-10-23T06:52:36Z

Pull media fixes from Mauro Carvalho Chehab: - Compilation fixes for GCC < 4.4.6 - one Kbuild dependency select fix (selecting videobuf on msi3101) - driver fixes on tda10071, e4000, msi3101, soc_camera, s5p-jpeg, saa7134 and adv7511 - some device quirks needed to make them work properly - some videobuf2 core regression fixes for some features used only on embedded drivers * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: [media] saa7134: Fix crash when device is closed before streamoff [media] adv7511: fix error return code in adv7511_probe() [media] ths8200: fix compilation with GCC < 4.4.6 [media] ad9389b: fix compilation with GCC < 4.4.6 [media] adv7511: fix compilation with GCC < 4.4.6 [media] adv7842: fix compilation with GCC < 4.4.6 [media] s5p-jpeg: Initialize vfd_decoder->vfl_dir field [media] videobuf2-dc: Fix support for mappings without struct page in userptr mode [media] vb2: Allow queuing OUTPUT buffers with zeroed 'bytesused' [media] mx3-camera: locking cleanup in mx3_videobuf_queue() [media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out() [media] tda10071: change firmware download condition [media] msi3101: correct max videobuf2 alloc [media] Add HCL T12Rg-H to STK webcam upside-down table [media] msi3101: Kconfig select VIDEOBUF2_VMALLOC [media] msi3101: msi3101_ioctl_ops can be static [media] e4000: fix PLL calc bug on 32-bit arch [media] uvcvideo: quirk PROBE_DEF for Microsoft Lifecam NX-3000 [media] uvcvideo: quirk PROBE_DEF for Dell SP2008WFP monitor

staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice

2013-10-03T21:27:32Z

The `insn_bits` handler `ni_65xx_dio_insn_bits()` has a `for` loop that currently writes (optionally) and reads back up to 5 "ports" consisting of 8 channels each. It reads up to 32 1-bit channels but can only read and write a whole port at once - it needs to handle up to 5 ports as the first channel it reads might not be aligned on a port boundary. It breaks out of the loop early if the next port it handles is beyond the final port on the card. It also breaks out early on the 5th port in the loop if the first channel was aligned. Unfortunately, it doesn't check that the current port it is dealing with belongs to the comedi subdevice the `insn_bits` handler is acting on. That's a bug. Redo the `for` loop to terminate after the final port belonging to the subdevice, changing the loop variable in the process to simplify things a bit. The `for` loop could now try and handle more than 5 ports if the subdevice has more than 40 channels, but the test `if (bitshift >= 32)` ensures it will break out early after 4 or 5 ports (depending on whether the first channel is aligned on a port boundary). (`bitshift` will be between -7 and 7 inclusive on the first iteration, increasing by 8 for each subsequent operation.) Signed-off-by: Ian Abbott Cc: # 3.10.y 3.11.y 3.12.y Signed-off-by: Greg Kroah-Hartman

staging: r8188eu: Add new device ID

2013-09-26T23:44:45Z

The DLink DWA-125 Rev D1 also uses this driver. Signed-off-by: Larry Finger Reported-by: Sergey Kostanbaev Tested-by: Sergey Kostanbaev Cc: Sergey Kostanbaev Cc: stable Signed-off-by: Greg Kroah-Hartman

staging: imx-drm: Fix probe failure

2013-09-25T23:53:40Z

Since commit b5dc0d10 (drm/imx: kill firstopen callback) the following probe failure is seen: [drm] Supports vblank timestamp caching Rev 1 (10.10.2010). [drm] No driver support for vblank timestamp query. [drm] Initialized imx-drm 1.0.0 20120507 on minor 0 imx-ldb ldb.10: adding encoder failed with -16 imx-ldb: probe of ldb.10 failed with error -16 imx-ipuv3 2400000.ipu: IPUv3H probed imx-ipuv3 2800000.ipu: IPUv3H probed imx-ipuv3-crtc imx-ipuv3-crtc.0: adding crtc failed with -16. imx-ipuv3-crtc: probe of imx-ipuv3-crtc.0 failed with error -16 imx-ipuv3-crtc imx-ipuv3-crtc.1: adding crtc failed with -16. imx-ipuv3-crtc: probe of imx-ipuv3-crtc.1 failed with error -16 imx-ipuv3-crtc imx-ipuv3-crtc.2: adding crtc failed with -16. imx-ipuv3-crtc: probe of imx-ipuv3-crtc.2 failed with error -16 imx-ipuv3-crtc imx-ipuv3-crtc.3: adding crtc failed with -16. imx-ipuv3-crtc: probe of imx-ipuv3-crtc.3 failed with error -16 The reason for the probe failure is that now 'imxdrm->references' is incremented early in imx_drm_driver_load(), so the following checks in imx_drm_add_crtc() and imx_drm_add_encoder(): if (imxdrm->references) { ret = -EBUSY; goto err_busy; } ,will always fail. Instead of manually keeping the references in the imx-drm driver, let's use drm->open_count. After this patch, lvds panel is functional on a mx6qsabrelite board. Signed-off-by: Fabio Estevam Acked-by: Sascha Hauer Signed-off-by: Greg Kroah-Hartman

staging: vt6656: [BUG] iwctl_siwencodeext return if device not open

2013-09-25T23:53:40Z

Don't allow entry to iwctl_siwencodeext if device not open. This fixes a race condition where wpa supplicant/network manager enters the function when the device is already closed. Signed-off-by: Malcolm Priestley Cc: stable@vger.kernel.org # 3.8+ Signed-off-by: Greg Kroah-Hartman

staging: vt6656: [BUG] main_usb.c oops on device_close move flag earlier.

2013-09-25T23:53:40Z

The vt6656 is prone to resetting on the usb bus. It seems there is a race condition and wpa supplicant is trying to open the device via iw_handlers before its actually closed at a stage that the buffers are being removed. The device is longer considered open when the buffers are being removed. So move ~DEVICE_FLAGS_OPENED flag to before freeing the device buffers. Signed-off-by: Malcolm Priestley Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman