From 7316a9f2a94c14e66e9421a777dffc509a2fe0e3 Mon Sep 17 00:00:00 2001 
From: Steven Rostedt Date: Mon, 23 May 2011 16:45:32 -0400 Subject: st_kim: Handle case of no device found for ID 0 Running ktest.pl, I hit this bug: [ 19.780654] BUG: unable to handle kernel NULL pointer dereference at 0000000c [ 19.780660] IP: [] dev_get_drvdata+0xc/0x46 [ 19.780669] *pdpt = 0000000031daf001 *pde = 0000000000000000 [ 19.780673] Oops: 0000 [#1] SMP [ 19.780680] Dumping ftrace buffer:^M [ 19.780685] (ftrace buffer empty) [ 19.780687] Modules linked in: ide_pci_generic firewire_ohci firewire_core evbug crc_itu_t e1000 ide_core i2c_i801 iTCO_wdt [ 19.780697] [ 19.780700] Pid: 346, comm: v4l_id Not tainted 2.6.39-test-02740-gcaebc16-dirty #4 /DG965MQ [ 19.780706] EIP: 0060:[] EFLAGS: 00010202 CPU: 0 [ 19.780709] EIP is at dev_get_drvdata+0xc/0x46 [ 19.780712] EAX: 00000008 EBX: f1e37da4 ECX: 00000000 EDX: 00000000 [ 19.780715] ESI: f1c3f200 EDI: c33ec95c EBP: f1e37d80 ESP: f1e37d80 [ 19.780718] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 19.780721] Process v4l_id (pid: 346, ti=f1e36000 task=f2bc2a60 task.ti=f1e36000) [ 19.780723] Stack: [ 19.780725] f1e37d8c c117d395 c33ec93c f1e37db4 c117a0f9 00000002 00000000 c1725e54 [ 19.780732] 00000001 00000007 f2918c90 f1c3f200 c33ec95c f1e37dd4 c1789d3d 22222222 [ 19.780740] 22222222 22222222 f2918c90 f1c3f200 f29194f4 f1e37de8 c178d5c4 c1725e54 [ 19.780747] Call Trace: [ 19.780752] [] st_kim_ref+0x28/0x41 [ 19.780756] [] st_register+0x29/0x562 [ 19.780761] [] ? v4l2_open+0x111/0x1e3 [ 19.780766] [] fmc_prepare+0x97/0x424 [ 19.780770] [] fm_v4l2_fops_open+0x70/0x106 [ 19.780773] [] ? v4l2_open+0x111/0x1e3 [ 19.780777] [] v4l2_open+0x158/0x1e3 [ 19.780782] [] chrdev_open+0x22c/0x276 [ 19.780787] [] __dentry_open+0x35c/0x581 [ 19.780792] [] nameidata_to_filp+0x7c/0x96 [ 19.780795] [] ? cdev_put+0x57/0x57 [ 19.780800] [] do_last+0x743/0x9d4 [ 19.780804] [] ? path_init+0x1ee/0x596 [ 19.780808] [] path_openat+0x10c/0x597 [ 19.780813] [] ? trace_hardirqs_off+0x27/0x37 [ 19.780817] [] ? 
local_clock+0x78/0xc7 [ 19.780821] [] do_filp_open+0x39/0xc2 [ 19.780827] [] ? _raw_spin_unlock+0x4c/0x5d^M [ 19.780831] [] ? alloc_fd+0x19e/0x1b7 [ 19.780836] [] do_sys_open+0xb7/0x1bd [ 19.780840] [] ? sys_munmap+0x78/0x8d [ 19.780844] [] sys_open+0x36/0x58 [ 19.780849] [] sysenter_do_call+0x12/0x38 [ 19.780852] Code: d8 2f 20 c3 01 83 15 dc 2f 20 c3 00 f0 ff 00 83 05 e0 2f 20 c3 01 83 15 e4 2f 20 c3 00 5d c3 55 89 e5 3e 8d 74 26 00 85 c0 74 28 <8b> 40 04 83 05 e8 2f 20 c3 01 83 15 ec 2f 20 c3 00 85 c0 74 13 ^M [ 19.780889] EIP: [] dev_get_drvdata+0xc/0x46 SS:ESP 0068:f1e37d80 [ 19.780894] CR2: 000000000000000c [ 19.780898] ---[ end trace e7d1d0f6a2d1d390 ]--- The id of 0 passed to st_kim_ref() found no device, keeping pdev null, and causing pdev->dev cause a NULL pointer dereference. After having st_kim_ref() check for NULL, the st_unregister() function needed to be updated to handle the case that st_gdata was not set by the st_kim_ref(). Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman --- drivers/misc/ti-st/st_core.c | 2 +- drivers/misc/ti-st/st_kim.c | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'drivers/misc') diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c index f91f82eabda7..54c91ffe4a91 100644 --- a/drivers/misc/ti-st/st_core.c +++ b/drivers/misc/ti-st/st_core.c @@ -605,7 +605,7 @@ long st_unregister(struct st_proto_s *proto) pr_debug("%s: %d ", __func__, proto->chnl_id); st_kim_ref(&st_gdata, 0); - if (proto->chnl_id >= ST_MAX_CHANNELS) { + if (!st_gdata || proto->chnl_id >= ST_MAX_CHANNELS) { pr_err(" chnl_id %d not supported", proto->chnl_id); return -EPROTONOSUPPORT; } diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c index 5da93ee6f6be..3613c3bc4da3 100644 --- a/drivers/misc/ti-st/st_kim.c +++ b/drivers/misc/ti-st/st_kim.c 
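Review bot: Folding `!st_gdata` into the channel-id test makes a missing ST device report as ` chnl_id %d not supported` and return -EPROTONOSUPPORT, which misdescribes the failure both in the log and to the caller. Give the no-device case its own branch ahead of the channel check, `if (!st_gdata) { pr_err("%s: no ST device registered", __func__); return -ENODEV; }`, so the two failures stay distinguishable (keep -EPROTONOSUPPORT there if callers are known to depend on it). The remainder of st_unregister lies below the hunk.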
@@ -604,6 +604,10 @@ void st_kim_ref(struct st_data_s **core_data, int id) struct kim_data_s *kim_gdata; /* get kim_gdata reference from platform device */ pdev = st_get_plat_device(id); + if (!pdev) { + *core_data = NULL; + return; + } kim_gdata = dev_get_drvdata(&pdev->dev); *core_data = kim_gdata->core_data; } -- cgit v1.2.1 From 9d031d94da453077bbc6108b7822fc751ac85299 Mon Sep 17 00:00:00 2001 From: Shahar Lev Date: Mon, 23 May 2011 11:36:11 +0300 Subject: drivers:misc: ti-st: fix skipping of change remote baud Before the incrementing of ptr in skip_change_remote_baud, it points to cur_action, but the increment is done by the size of nxt_action instead. This could cause ptr to not point to a bts_action structure, which is harmful for the increment of ptr done in download_firmware. Therefore, the skipping is first done for cur_action. Signed-off-by: Shahar Lev Signed-off-by: Greg Kroah-Hartman --- drivers/misc/ti-st/st_kim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/misc') diff --git a/drivers/misc/ti-st/st_kim.c b/drivers/misc/ti-st/st_kim.c index 3613c3bc4da3..38fd2f04c07e 100644 --- a/drivers/misc/ti-st/st_kim.c +++ b/drivers/misc/ti-st/st_kim.c @@ -245,9 +245,9 @@ void skip_change_remote_baud(unsigned char **ptr, long *len) pr_err("invalid action after change remote baud command"); } else { *ptr = *ptr + sizeof(struct bts_action) + - ((struct bts_action *)nxt_action)->size; + ((struct bts_action *)cur_action)->size; *len = *len - (sizeof(struct bts_action) + - ((struct bts_action *)nxt_action)->size); + ((struct bts_action *)cur_action)->size); /* warn user on not commenting these in firmware */ pr_warn("skipping the wait event of change remote baud"); } -- cgit v1.2.1 From 29021bccea0dc42d7d101004058438a9a4e693b1 Mon Sep 17 00:00:00 2001 
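Review bot: The early return makes a NULL `*core_data` part of st_kim_ref's contract, but nothing at the function says so and every caller now has to test for it; the oops trace in the commit message reaches st_kim_ref from st_register, which this patch does not touch, so confirm that path checks the result as well. Add at the new branch `/* no platform device for this id: caller gets NULL and must check it */`, or state the same in the function's kernel-doc, which is above the hunk along with the signature and the `pdev` declaration.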
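Review bot: The corrected advance, `sizeof(struct bts_action) + ((struct bts_action *)cur_action)->size`, takes `size` straight from the firmware image without comparing it to the remaining `*len`, so a truncated or malformed action record pushes `*ptr` past the end of the buffer and drives `*len` negative before download_firmware looks at either. Compute the step once and bound it: `long step = sizeof(struct bts_action) + ((struct bts_action *)cur_action)->size;` then `if (step > *len) { pr_err("change remote baud action exceeds firmware length"); *len = 0; return; }` ahead of the two updates. The top of skip_change_remote_baud, where cur_action and nxt_action are derived, is above the hunk; if a bound check already lives there this becomes redundant, but the hunk itself shows none.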
From: J Freyensee Date: Wed, 25 May 2011 14:38:18 -0700 Subject: pti: double-free security PTI fix This patch fixes a double-free error that will not always be seen unless /dev/pti char interface is stressed. Signed-off-by: J Freyensee Signed-off-by: Greg Kroah-Hartman --- drivers/misc/pti.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'drivers/misc') diff --git a/drivers/misc/pti.c b/drivers/misc/pti.c index bb6f9255c17c..be4857358d91 100644 --- a/drivers/misc/pti.c +++ b/drivers/misc/pti.c @@ -317,7 +317,8 @@ EXPORT_SYMBOL_GPL(pti_request_masterchannel); * a master, channel ID address * used to write to PTI HW. * - * @mc: master, channel apeture ID address to be released. + * @mc: master, channel apeture ID address to be released. This + * will de-allocate the structure via kfree(). */ void pti_release_masterchannel(struct pti_masterchannel *mc) { @@ -581,7 +582,7 @@ static int pti_char_open(struct inode *inode, struct file *filp) static int pti_char_release(struct inode *inode, struct file *filp) { pti_release_masterchannel(filp->private_data); - kfree(filp->private_data); + filp->private_data = NULL; return 0; } -- cgit v1.2.1 From 1dae42bff57f7a61577ee881265985a660d35c07 Mon Sep 17 00:00:00 2001 From: J Freyensee Date: Wed, 25 May 2011 14:45:40 -0700 Subject: pti: ENXIO error case memory leak PTI fix. This patch fixes a memory leak that can occur in the error case ENXIO is returned in the pti_tty_install() routine. Signed-off-by: J Freyensee Signed-off-by: Greg Kroah-Hartman --- drivers/misc/pti.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/misc') diff --git a/drivers/misc/pti.c b/drivers/misc/pti.c index be4857358d91..e74e7d266569 100644 --- a/drivers/misc/pti.c +++ b/drivers/misc/pti.c 
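Review bot: pti_char_release now relies on pti_release_masterchannel() freeing `filp->private_data`, and the only record of that ownership transfer is the kernel-doc edited in the first hunk; a why-comment at the call site, `/* pti_release_masterchannel() kfree()s the channel; only drop our pointer here */`, stops a later reader from re-adding the kfree this commit removes. The edited doc line still spells `apeture`; make it `aperture` while the line is being touched. pti_tty_cleanup (changed by a later commit on this page) has the same dependency and would take the same comment.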
@@ -476,8 +476,10 @@ static int pti_tty_install(struct tty_driver *driver, struct tty_struct *tty) else pti_tty_data->mc = pti_request_masterchannel(2); - if (pti_tty_data->mc == NULL) + if (pti_tty_data->mc == NULL) { + kfree(pti_tty_data); return -ENXIO; + } tty->driver_data = pti_tty_data; } -- cgit v1.2.1 From 1312ba40c0d00f0a5cfcfe3afc222fcef2a90b56 Mon Sep 17 00:00:00 2001 From: J Freyensee Date: Wed, 25 May 2011 14:56:43 -0700 Subject: pti: PTI semantics fix in pti_tty_cleanup. This patch fixes a semantics issue in the pti_tty_cleanup() routine. Signed-off-by: J Freyensee Signed-off-by: Greg Kroah-Hartman --- drivers/misc/pti.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/misc') diff --git a/drivers/misc/pti.c b/drivers/misc/pti.c index e74e7d266569..374dfcfccd07 100644 --- a/drivers/misc/pti.c +++ b/drivers/misc/pti.c @@ -498,7 +498,7 @@ static void pti_tty_cleanup(struct tty_struct *tty) if (pti_tty_data == NULL) return; pti_release_masterchannel(pti_tty_data->mc); - kfree(tty->driver_data); + kfree(pti_tty_data); tty->driver_data = NULL; } -- cgit v1.2.1 From 5a1e6f75831bf1f8e596d642cd8a2512f11548fc Mon Sep 17 00:00:00 2001 From: Axel Lin Date: Wed, 15 Jun 2011 15:08:21 -0700 Subject: drivers/misc/spear13xx_pcie_gadget.c: fix a memory leak in spear_pcie_gadget_probe error path In the case of goto err_kzalloc, we should kfree target. Signed-off-by: Axel Lin Acked-by: Pratyush Anand Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/misc/spear13xx_pcie_gadget.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/misc') diff --git a/drivers/misc/spear13xx_pcie_gadget.c b/drivers/misc/spear13xx_pcie_gadget.c index 7aded90f9daa..cfbddbef11de 100644 --- a/drivers/misc/spear13xx_pcie_gadget.c +++ b/drivers/misc/spear13xx_pcie_gadget.c 
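Review bot: The new error branch frees `pti_tty_data` correctly but keeps the comparison in the `== NULL` form; kernel style for the guarded line is `if (!pti_tty_data->mc) {`. As far as the hunk shows, `tty->driver_data` is only assigned after this check, so nothing else holds the freed block; the allocation being undone is above the hunk.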
@@ -845,7 +845,7 @@ err_iounmap: err_iounmap_app: iounmap(config->va_app_base); err_kzalloc: - kfree(config); + kfree(target); err_rel_res: release_mem_region(res1->start, resource_size(res1)); err_rel_res0: -- cgit v1.2.1 From 4bbd61fb9726808e72ab2aa440401f6e5e1aa8f7 Mon Sep 17 00:00:00 2001 From: Christian Gmeiner Date: Wed, 15 Jun 2011 15:08:22 -0700 Subject: drivers/misc/cs5535-mfgpt.c: fix wrong if condition Fix the wrong `if' condition for the check if the requested timer is available. The bitmap avail is used to store if a timer is used already. test_bit() is used to check if the requested timer is available. If a bit in the avail bitmap is set it means that the timer is available. The runtime effect would be that allocating a specific timer always fails (versus telling cs5535_mfgpt_alloc_timer to allocate the first available timer, which works). Signed-off-by: Christian Gmeiner Acked-by: Andres Salomon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/misc/cs5535-mfgpt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/misc') diff --git a/drivers/misc/cs5535-mfgpt.c b/drivers/misc/cs5535-mfgpt.c index e01e08c8c88b..bc685bfc4c33 100644 --- a/drivers/misc/cs5535-mfgpt.c +++ b/drivers/misc/cs5535-mfgpt.c @@ -174,7 +174,7 @@ struct cs5535_mfgpt_timer *cs5535_mfgpt_alloc_timer(int timer_nr, int domain) timer_nr = t < max ? (int) t : -1; } else { /* check if the requested timer's available */ - if (test_bit(timer_nr, mfgpt->avail)) + if (!test_bit(timer_nr, mfgpt->avail)) timer_nr = -1; } -- cgit v1.2.1 From ec8f9ceacef719a844ca269d654502af6a00a273 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Wed, 15 Jun 2011 15:08:59 -0700 Subject: drivers/misc/apds990x.c: apds990x_chip_on() should depend on CONFIG_PM || CONFIG_PM_RUNTIME Fixes this warning: drivers/misc/apds990x.c: At top level: drivers/misc/apds990x.c:613: warning: `apds990x_chip_on' defined but not used 
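Review bot: The `err_kzalloc` path now frees `target` and nothing on the unwind releases `config`; that is right only if `config` is carved out of the `target` allocation, which the hunk does not show and the commit message only implies. A one-line comment at the label, `err_kzalloc: /* config points into target; freeing target releases both */`, would settle the question for the next reader, presuming that is the layout. The allocation sequence of spear_pcie_gadget_probe is above the hunk.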
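Review bot: The corrected branch indexes the bitmap with the caller-supplied `timer_nr`, and nothing in the hunk limits it to `[0, max)` the way the automatic branch does with `t < max`; a negative or too-large request makes test_bit read outside `avail`. If the function does not validate it above the hunk (its opening lines are outside the view), fold the range test into the branch, `if (timer_nr < 0 || timer_nr >= max || !test_bit(timer_nr, mfgpt->avail))`, which assumes `max` is a function-scope local rather than one declared inside the `if`. A short comment on the branch, `/* a set bit in avail means the timer is free */`, would also spare the next reader the inverted-sense confusion this commit fixes.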
Signed-off-by: Geert Uytterhoeven Cc: Samu Onkalo Cc: Jonathan Cameron Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/misc/apds990x.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/misc') diff --git a/drivers/misc/apds990x.c b/drivers/misc/apds990x.c index 200311fea369..e2a52e5cf449 100644 --- a/drivers/misc/apds990x.c +++ b/drivers/misc/apds990x.c @@ -609,6 +609,7 @@ static int apds990x_detect(struct apds990x_chip *chip) return ret; } +#if defined(CONFIG_PM) || defined(CONFIG_PM_RUNTIME) static int apds990x_chip_on(struct apds990x_chip *chip) { int err = regulator_bulk_enable(ARRAY_SIZE(chip->regs), @@ -624,6 +625,7 @@ static int apds990x_chip_on(struct apds990x_chip *chip) apds990x_mode_on(chip); return 0; } +#endif static int apds990x_chip_off(struct apds990x_chip *chip) { -- cgit v1.2.1 From 44da29d26bb8df3b0411ba902f2bc9b973ea38e4 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Sun, 19 Jun 2011 12:52:36 +0000 Subject: sgi-xp: fix a use after free Its illegal to dereference skb after dev_kfree_skb(skb) Signed-off-by: Eric Dumazet CC: Robin Holt Signed-off-by: David S. Miller --- drivers/misc/sgi-xp/xpnet.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'drivers/misc') diff --git a/drivers/misc/sgi-xp/xpnet.c b/drivers/misc/sgi-xp/xpnet.c index ee5109a3cd98..42f067347bc7 100644 --- a/drivers/misc/sgi-xp/xpnet.c +++ b/drivers/misc/sgi-xp/xpnet.c @@ -495,14 +495,14 @@ xpnet_dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) } } + dev->stats.tx_packets++; + dev->stats.tx_bytes += skb->len; + if (atomic_dec_return(&queued_msg->use_count) == 0) { dev_kfree_skb(skb); kfree(queued_msg); } - dev->stats.tx_packets++; - dev->stats.tx_bytes += skb->len; - return NETDEV_TX_OK; } -- cgit v1.2.1 From e9e8bcb8178e197d889ec31e79fa1ddc1732c8f9 Mon Sep 17 00:00:00 2001 
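Review bot: The `#endif` added in the second hunk carries no marker of what it closes and sits a whole function away from its `#if`; kernel convention is `#endif /* CONFIG_PM || CONFIG_PM_RUNTIME */`. On the opening line a brief `/* only the PM callbacks use this */` would tell the reader why apds990x_chip_on is conditional at all.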
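Review bot: The reordering is correct but silent: nothing says `skb->len` has to be read before `atomic_dec_return(&queued_msg->use_count)` can drop the last reference, so a future tidy-up can move the stats back beside the return and reintroduce the use-after-free. Add above the two stats lines `/* account here: the use_count drop below may free skb */`. xpnet_dev_hard_start_xmit begins above the hunk.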
From: James Hogan Date: Tue, 21 Jun 2011 10:55:34 +0100 Subject: mmc: cb710: fix #ifdef HAVE_EFFICIENT_UNALIGNED_ACCESS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit HAVE_EFFICIENT_UNALIGNED_ACCESS is a config option, therefore it needs the CONFIG_ before it when used by the preprocessor. Signed-off-by: James Hogan Acked-by: Michał Mirosław Signed-off-by: Chris Ball --- drivers/misc/cb710/sgbuf2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/misc') diff --git a/drivers/misc/cb710/sgbuf2.c b/drivers/misc/cb710/sgbuf2.c index d019746551f3..2a40d0efdff5 100644 --- a/drivers/misc/cb710/sgbuf2.c +++ b/drivers/misc/cb710/sgbuf2.c @@ -47,7 +47,7 @@ static uint32_t sg_dwiter_read_buffer(struct sg_mapping_iter *miter) static inline bool needs_unaligned_copy(const void *ptr) { -#ifdef HAVE_EFFICIENT_UNALIGNED_ACCESS +#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS return false; #else return ((ptr - NULL) & 3) != 0; -- cgit v1.2.1 From aa2c96d6f329e66cc59352b0f12e8f04e6a9593b Mon Sep 17 00:00:00 2001 From: Josh Hunt Date: Mon, 27 Jun 2011 16:18:08 -0700 Subject: drivers/misc/lkdtm.c: fix race when crashpoint is hit multiple times before checking count We observed the crash point count going negative in cases where the crash point is hit multiple times before the check of "count == 0" is done. Because of this we never call lkdtm_do_action(). This patch just adds a spinlock to protect count. Reported-by: Tapan Dhimant Signed-off-by: Josh Hunt Acked-by: Ankita Garg Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/misc/lkdtm.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'drivers/misc') diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index 81d7fa4ec0db..150cd7061b80 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c 
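Review bot: The `#else` branch under the fixed guard computes alignment as `((ptr - NULL) & 3)`, pointer subtraction on a `const void *` involving a null pointer, which is a GNU extension rather than ISO C and sits right under the line being corrected; `return ((uintptr_t)ptr & 3) != 0;` states the same thing portably. The rest of needs_unaligned_copy is below the hunk.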
@@ -120,6 +120,7 @@ static int recur_count = REC_NUM_DEFAULT; static enum cname cpoint = CN_INVALID; static enum ctype cptype = CT_NONE; static int count = DEFAULT_COUNT; +static DEFINE_SPINLOCK(count_lock); module_param(recur_count, int, 0644); MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test, "\ @@ -230,11 +231,14 @@ static const char *cp_name_to_str(enum cname name) static int lkdtm_parse_commandline(void) { int i; + unsigned long flags; if (cpoint_count < 1 || recur_count < 1) return -EINVAL; + spin_lock_irqsave(&count_lock, flags); count = cpoint_count; + spin_unlock_irqrestore(&count_lock, flags); /* No special parameters */ if (!cpoint_type && !cpoint_name) @@ -349,6 +353,9 @@ static void lkdtm_do_action(enum ctype which) static void lkdtm_handler(void) { + unsigned long flags; + + spin_lock_irqsave(&count_lock, flags); count--; printk(KERN_INFO "lkdtm: Crash point %s of type %s hit, trigger in %d rounds\n", cp_name_to_str(cpoint), cp_type_to_str(cptype), count); @@ -357,6 +364,7 @@ static void lkdtm_handler(void) lkdtm_do_action(cptype); count = cpoint_count; } + spin_unlock_irqrestore(&count_lock, flags); } static int lkdtm_register_cpoint(enum cname which) -- cgit v1.2.1 From 1fc6e987d8f606371337211f52ff74c6753298a6 Mon Sep 17 00:00:00 2001 
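Review bot: In the lkdtm_handler hunks, lkdtm_do_action(cptype) now runs with count_lock held and interrupts disabled, so whichever fault the action provokes fires in a different context from before (if any action spins or sleeps it can no longer be preempted or interrupted; lkdtm_do_action is outside the hunk) and an action that does not return leaves the lock held, while the lock is only needed to make the decrement-and-compare atomic. Decide under the lock and act after releasing it, as below; the `if (count == 0) {` line falls between the two hunks and is not shown, so the rewrite assumes that is its form. The lock definition and the lkdtm_parse_commandline hunk are fine as they stand.
```c
static void lkdtm_handler(void)
{
	unsigned long flags;
	bool fire = false;

	spin_lock_irqsave(&count_lock, flags);
	count--;
	/* … unchanged: printk of the hit and the remaining count … */
	if (count == 0) {
		fire = true;
		count = cpoint_count;
	}
	spin_unlock_irqrestore(&count_lock, flags);

	/* run the action without the lock: it may spin, sleep or never return */
	if (fire)
		lkdtm_do_action(cptype);
}
```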
From: Ralf Baechle Date: Mon, 27 Jun 2011 16:18:15 -0700 Subject: drivers/misc/ioc4.c: fix section mismatch / race condition Fix this section mismatch: WARNING: drivers/misc/ioc4.o(.data+0x144): Section mismatch in reference from the variable ioc4_load_modules_work to the function .devinit.text:ioc4_load_modules() The variable ioc4_load_modules_work references the function __devinit ioc4_load_modules() If the reference is valid then annotate the variable with __init* or __refdata (see linux/init.h) or name the variable: *driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console This one is potentially fatal; by the time ioc4_load_modules is invoked it may already have been freed. For that reason ioc4_load_modules_work can't be turned to __devinitdata but also because it's referenced in ioc4_exit. Signed-off-by: Ralf Baechle Acked-by: Brent Casavant Cc: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/misc/ioc4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/misc') diff --git a/drivers/misc/ioc4.c b/drivers/misc/ioc4.c index 668d41e594a9..df03dd3bd0e2 100644 --- a/drivers/misc/ioc4.c +++ b/drivers/misc/ioc4.c @@ -270,7 +270,7 @@ ioc4_variant(struct ioc4_driver_data *idd) return IOC4_VARIANT_PCI_RT; } -static void __devinit +static void ioc4_load_modules(struct work_struct *work) { request_module("sgiioc4"); -- cgit v1.2.1