linux/drivers/staging, branch v3.17

staging: vt6655: buffer overflow in ioctl

2014-09-19T22:32:20Z

->u.generic_elem.len is a user controlled number between 0-255. We should limit it to avoid memory corruption. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman

Merge tag 'iio-fixes-3.17a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

2014-09-19T22:29:39Z

Jonathan writes: First round of IIO fixes for the 3.17 cycle. * Fix an overwritten error return that can prevent deferred probing when using of_iio_channel_get_by_name * A series that deals with an incorrect reference count when the default trigger is set within the main probe routine for a driver. Can result in a double free if the trigger is changed. * Fix a buglet with xilinx-xadc concerning setup of the address for an aux channel. * At91 adc driver could sometimes get a touchscreen reading rather than the intended adc channel. This is fixed by using the channel data register instead. * Fix some ST magnetometer gain values that differ in production parts from the prerelease ones used for driver development.

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

2014-09-15T00:37:36Z

Pull vfs fixes from Al Viro: "double iput() on failure exit in lustre, racy removal of spliced dentries from ->s_anon in __d_materialise_dentry() plus a bunch of assorted RCU pathwalk fixes" The RCU pathwalk fixes end up fixing a couple of cases where we incorrectly dropped out of RCU walking, due to incorrect initialization and testing of the sequence locks in some corner cases. Since dropping out of RCU walk mode forces the slow locked accesses, those corner cases slowed down quite dramatically. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: be careful with nd->inode in path_init() and follow_dotdot_rcu() don't bugger nd->seq on set_root_rcu() from follow_dotdot_rcu() fix bogus read_seqretry() checks introduced in b37199e move the call of __d_drop(anon) into __d_materialise_unique(dentry, anon) [fix] lustre: d_make_root() does iput() on dentry allocation failure

[fix] lustre: d_make_root() does iput() on dentry allocation failure

2014-09-14T02:13:39Z

double-free is a bad thing Signed-off-by: Al Viro

android: fix reference leak in sync_fence_create

2014-09-08T20:42:00Z

According to the documentation sync_fence_create takes ownership of the point, not a reference on the point. This fixes a memory leak introduced in 3.17's android fence rework. Signed-off-by: Maarten Lankhorst Cc: Colin Cross Cc: Dan Carpenter Signed-off-by: Greg Kroah-Hartman

imx-drm: imx-ldb: fix NULL pointer in imx_ldb_unbind()

2014-09-08T19:10:28Z

When trying to unbind imx-drm, the following oops was observed from the imx-ldb driver: Unable to handle kernel NULL pointer dereference at virtual address 0000001c pgd = de954000 [0000001c] *pgd=2e92c831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] SMP ARM Modules linked in: bnep rfcomm bluetooth nfsd exportfs hid_cypress brcmfmac brcmutil snd_soc_fsl_ssi snd_soc_fsl_spdif imx_pcm_fiq imx_pcm_dma imx_ldb(C) imx_thermal imx_sdma imx2_wdt snd_soc_sgtl5000 snd_soc_imx_sgtl5000 snd_soc_imx_spdif snd_soc_imx_audmux CPU: 1 PID: 1228 Comm: bash Tainted: G C 3.16.0-rc2+ #1229 task: ea378d80 ti: de948000 task.ti: de948000 PC is at imx_ldb_unbind+0x1c/0x58 [imx_ldb] LR is at component_unbind+0x38/0x70 pc : [] lr : [] psr: 200f0013 sp : de949da8 ip : de949dc0 fp : de949dbc r10: e9a44b0c r9 : 00000000 r8 : de949f78 r7 : 00000012 r6 : e9b3f400 r5 : e9b133b8 r4 : e9b13010 r3 : 00000000 r2 : e9b3f400 r1 : ea9a0210 r0 : e9b13020 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 2e95404a DAC: 00000015 Process bash (pid: 1228, stack limit = 0xde948240) Stack: (0xde949da8 to 0xde94a000) ... Backtrace: [] (imx_ldb_unbind [imx_ldb]) from [] (component_unbind+0x38/0x70) [] (component_unbind) from [] (component_unbind_all+0x94/0xc8) [] (component_unbind_all) from [] (imx_drm_driver_unload+0x34/0x4c) [] (imx_drm_driver_unload) from [] (drm_dev_unregister+0x2c/0xa0) [] (drm_dev_unregister) from [] (drm_put_dev+0x30/0x6c) [] (drm_put_dev) from [] (imx_drm_unbind+0x14/0x18) [] (imx_drm_unbind) from [] (component_master_del+0xbc/0xd8) ... Code: e5904058 e2840010 e2845fea e59430a0 (e593301c) ---[ end trace 4f211c6dbbcd4963 ]--- This is caused by only having one channel out of the pair configured in DT; the second channel remains uninitialised, but upon unbind, the driver attempts to clean up both, thereby dereferencing a NULL pointer. Avoid this by checking that the second channel is initialised. Fixes: 1b3f76756633 ("imx-drm: initialise drm components directly") Cc: Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman

imx-drm: ipuv3-plane: fix ipu_plane_dpms()

2014-09-08T19:10:28Z

When unbinding imx-drm, the following oops was observed: Unable to handle kernel NULL pointer dereference at virtual address 00000004 pgd = e995c000 [00000004] *pgd=4fea5831 Internal error: Oops: 817 [#1] SMP ARM Modules linked in: bnep rfcomm bluetooth nfsd exportfs hid_cypress brcmfmac brcmutil snd_soc_fsl_ssi snd_soc_fsl_spdif imx_pcm_fiq imx_pcm_dma snd_soc_sgtl5000 imx_sdma imx2_wdt imx_ldb(C) imx_thermal snd_soc_imx_sgtl5000 snd_soc_imx_spdif snd_soc_imx_audmux CPU: 1 PID: 779 Comm: bash Tainted: G C 3.16.0-rc2+ #1230 task: ea9eb180 ti: ea378000 task.ti: ea378000 PC is at ipu_dp_put+0x10/0x18 LR is at ipu_plane_dpms+0x60/0x8c pc : [] lr : [] psr: 200f0013 sp : ea379d80 ip : ea379d90 fp : ea379d8c r10: 00100100 r9 : 00000000 r8 : 00200200 r7 : e9ba0264 r6 : e9ba01f8 r5 : 00000000 r4 : ea34b800 r3 : 00000000 r2 : 00000000 r1 : 0000009b r0 : 00000000 Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c53c7d Table: 3995c04a DAC: 00000015 Process bash (pid: 779, stack limit = 0xea378240) Stack: (0xea379d80 to 0xea37a000) ... Backtrace: [] (ipu_dp_put) from [] (ipu_plane_dpms+0x60/0x8c) [] (ipu_plane_dpms) from [] (ipu_disable_plane+0x2c/0x60) [] (ipu_disable_plane) from [] (ipu_plane_destroy+0x28/0x60) [] (ipu_plane_destroy) from [] (drm_mode_config_cleanup+0x1b8/0x250) [] (drm_mode_config_cleanup) from [] (imx_drm_driver_unload+0x44/0x4c) [] (imx_drm_driver_unload) from [] (drm_dev_unregister+0x2c/0xa0) [] (drm_dev_unregister) from [] (drm_put_dev+0x30/0x6c) [] (drm_put_dev) from [] (imx_drm_unbind+0x14/0x18) [] (imx_drm_unbind) from [] (component_master_del+0xbc/0xd8) ... Code: e1a0c00d e92dd800 e24cb004 e3a03000 (e5c03004) This is caused by a missing check in ipu_plane_dpms for a NULL pointer. Fixes: b8d181e408af ("staging: drm/imx: add drm plane support") Cc: Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman

Merge tag 'usb-3.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

2014-08-29T19:10:03Z

Pull USB fixes from Greg KH: "Here are a bunch of fixes for the USB drivers for 3.17-rc3. Also in here is the movement of the usbip driver out of staging, into the "real" part of the kernel, it had to wait until after -rc1 to handle the merge issues involved between the USB and staging trees. The code is identical, just file movements there. The USB fixes are all over the place, new device ids, xhci fixes for reported issues and the usual gadget driver fixes as well. All have been in linux-next for a while now" * tag 'usb-3.17-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (46 commits) USB: fix build error with CONFIG_PM_RUNTIME disabled Revert "usb: ehci/ohci-exynos: Fix PHY getting sequence" xhci: Disable streams on Via XHCI with device-id 0x3432 USB: serial: fix potential heap buffer overflow USB: serial: fix potential stack buffer overflow usb: ehci/ohci-exynos: Fix PHY getting sequence usb: hub: Prevent hub autosuspend if usbcore.autosuspend is -1 USB: sisusb: add device id for Magic Control USB video usb: dwc2: gadget: Set the default EP max packet value as 8 bytes usb: ehci: using wIndex + 1 for hub port USB: storage: add quirk for Newer Technology uSCSI SCSI-USB converter MAINTAINERS: Add an entry for USB/IP driver usbip: remove struct usb_device_id table usbip: move usbip kernel code out of staging usbip: move usbip userspace code out of staging USB: whiteheat: Added bounds checking for bulk command response usb: gadget: remove $(PWD) in ccflags-y usb: pch_udc: usb gadget device support for Intel Quark X1000 usb: gadget: uvc: fix possible lockup in uvc gadget usb: wusbcore: fix below build warning ...

staging: r8188eu: Add new USB ID

2014-08-25T22:00:56Z

The Elecom WDC-150SU2M uses this chip. Reported-by: Hiroki Kondo Signed-off-by: Larry Finger Cc: stable Signed-off-by: Greg Kroah-Hartman

iio: meter: ade7758: Fix indio_dev->trig assignment

2014-08-25T20:49:21Z

This can result in wrong reference count for trigger device, call iio_trigger_get to increment reference. Refer to http://www.spinics.net/lists/linux-iio/msg13669.html for discussion with Jonathan. Signed-off-by: Srinivas Pandruvada Acked-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Stable@vger.kernel.org