From b4106c55b574fe37900b02ddf89cbe4b9d971392 Mon Sep 17 00:00:00 2001 From: Viktor Slavkovic Date: Mon, 8 Jan 2018 10:43:03 -0800 Subject: staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl commit 443064cb0b1fb4569fe0a71209da7625129fb760 upstream. A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a race condition when mmap is called. After the !asma->file check, before setting asma->size, asma->file can be set in mmap. That would result in having different asma->size than the mapped memory size. Combined with ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory corruption. Signed-off-by: Viktor Slavkovic Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/ashmem.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/staging') diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index 9c6357c03905..b64327722660 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -759,10 +759,12 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) break; case ASHMEM_SET_SIZE: ret = -EINVAL; + mutex_lock(&ashmem_mutex); if (!asma->file) { ret = 0; asma->size = (size_t)arg; } + mutex_unlock(&ashmem_mutex); break; case ASHMEM_GET_SIZE: ret = asma->size; -- cgit v1.2.3 From 46a7fd70437702432ab642cc3455e8cd6b72f43f Mon Sep 17 00:00:00 2001 From: Larry Finger Date: Sat, 25 Nov 2017 13:32:38 -0600 Subject: staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID [ Upstream commit b77992d2df9e47144354d1b25328b180afa33442 ] When not associated with an AP, wifi device drivers should respond to the SIOCGIWESSID ioctl with a zero-length string for the SSID, which is the behavior expected by dhcpcd. Currently, this driver returns an error code (-1) from the ioctl call, which causes dhcpcd to assume that the device is not a wireless interface and therefore it fails to work correctly with it thereafter. This problem was reported and tested at https://github.com/lwfinger/rtl8188eu/issues/234. Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) (limited to 'drivers/staging') diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index a076ede50b22..ec90f2781085 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -1399,19 +1399,13 @@ static int rtw_wx_get_essid(struct net_device *dev, if ((check_fwstate(pmlmepriv, _FW_LINKED)) || (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE))) { len = pcur_bss->Ssid.SsidLength; - - wrqu->essid.length = len; - memcpy(extra, pcur_bss->Ssid.Ssid, len); - - wrqu->essid.flags = 1; } else { - ret = -1; - goto exit; + len = 0; + *extra = 0; } - -exit: - + wrqu->essid.length = len; + wrqu->essid.flags = 1; return ret; } -- cgit v1.2.3 From 74d1cc277e8bdb3d6ee6e12a989ba059e8be9431 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 4 Feb 2018 02:06:27 +0000 Subject: staging: android: ashmem: Fix a race condition in pin ioctls commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream. ashmem_pin_unpin() reads asma->file and asma->size before taking the ashmem_mutex, so it can race with other operations that modify them. Build-tested only. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/ashmem.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'drivers/staging') diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index b64327722660..ec31b53ae3a5 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -704,30 +704,32 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd, size_t pgstart, pgend; int ret = -EINVAL; + mutex_lock(&ashmem_mutex); + if (unlikely(!asma->file)) - return -EINVAL; + goto out_unlock; - if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) - return -EFAULT; + if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) { + ret = -EFAULT; + goto out_unlock; + } /* per custom, you can pass zero for len to mean "everything onward" */ if (!pin.len) pin.len = PAGE_ALIGN(asma->size) - pin.offset; if (unlikely((pin.offset | pin.len) & ~PAGE_MASK)) - return -EINVAL; + goto out_unlock; if (unlikely(((__u32)-1) - pin.offset < pin.len)) - return -EINVAL; + goto out_unlock; if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len)) - return -EINVAL; + goto out_unlock; pgstart = pin.offset / PAGE_SIZE; pgend = pgstart + (pin.len / PAGE_SIZE) - 1; - mutex_lock(&ashmem_mutex); - switch (cmd) { case ASHMEM_PIN: ret = ashmem_pin(asma, pgstart, pgend); @@ -740,6 +742,7 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd, break; } +out_unlock: mutex_unlock(&ashmem_mutex); return ret; -- cgit v1.2.3 From 67315b2b2905f99da06f58debeac81da09a92d36 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 22 Jan 2018 11:53:12 +0200 Subject: staging: iio: adc: ad7192: fix external frequency setting commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream. The external clock frequency was set only when selecting the internal clock, which is fixed at 4.9152 Mhz. This is incorrect, since it should be set when any of the external clock or crystal settings is selected. Added range validation for the external (crystal/clock) frequency setting. Valid values are between 2.4576 and 5.12 Mhz. Signed-off-by: Alexandru Ardelean Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) (limited to 'drivers/staging') diff --git a/drivers/staging/iio/adc/ad7192.c b/drivers/staging/iio/adc/ad7192.c index abc66908681d..6f032009f93f 100644 --- a/drivers/staging/iio/adc/ad7192.c +++ b/drivers/staging/iio/adc/ad7192.c @@ -124,6 +124,8 @@ #define AD7192_GPOCON_P1DAT BIT(1) /* P1 state */ #define AD7192_GPOCON_P0DAT BIT(0) /* P0 state */ +#define AD7192_EXT_FREQ_MHZ_MIN 2457600 +#define AD7192_EXT_FREQ_MHZ_MAX 5120000 #define AD7192_INT_FREQ_MHZ 4915200 /* NOTE: @@ -199,6 +201,12 @@ static int ad7192_calibrate_all(struct ad7192_state *st) ARRAY_SIZE(ad7192_calib_arr)); } +static inline bool ad7192_valid_external_frequency(u32 freq) +{ + return (freq >= AD7192_EXT_FREQ_MHZ_MIN && + freq <= AD7192_EXT_FREQ_MHZ_MAX); +} + static int ad7192_setup(struct ad7192_state *st, const struct ad7192_platform_data *pdata) { @@ -224,17 +232,20 @@ static int ad7192_setup(struct ad7192_state *st, id); switch (pdata->clock_source_sel) { - case AD7192_CLK_EXT_MCLK1_2: - case AD7192_CLK_EXT_MCLK2: - st->mclk = AD7192_INT_FREQ_MHZ; - break; case AD7192_CLK_INT: case AD7192_CLK_INT_CO: - if (pdata->ext_clk_hz) - st->mclk = pdata->ext_clk_hz; - else - st->mclk = AD7192_INT_FREQ_MHZ; + st->mclk = AD7192_INT_FREQ_MHZ; break; + case AD7192_CLK_EXT_MCLK1_2: + case AD7192_CLK_EXT_MCLK2: + if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) { + st->mclk = pdata->ext_clk_hz; + break; + } + dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n", + pdata->ext_clk_hz); + ret = -EINVAL; + goto out; default: ret = -EINVAL; goto out; -- cgit v1.2.3 From 57aafe5c3728f83467ee46717693da0d0e21ef36 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Fri, 20 Nov 2015 22:59:14 +0100 Subject: staging: ste_rmi4: avoid unused function warnings commit 9045a4a7e686a6316129d6d0b21b4fe2520968e4 upstream. The rmi4 touchscreen driver encloses the power-management functions in #ifdef CONFIG_PM, but the smtcfb_pci_suspend/resume functions are only really used when CONFIG_PM_SLEEP is also set, as a frequent gcc warning shows: ste_rmi4/synaptics_i2c_rmi4.c:1050:12: warning: 'synaptics_rmi4_suspend' defined but not used ste_rmi4/synaptics_i2c_rmi4.c:1084:12: warning: 'synaptics_rmi4_resume' defined but not used This changes the driver to remove the #ifdef and instead mark the functions as __maybe_unused, which is a nicer anyway, as it provides build testing for all the code in all configurations and is harder to get wrong. Signed-off-by: Arnd Bergmann Acked-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman --- drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'drivers/staging') diff --git a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c index 824d460911ec..58ccafb97344 100644 --- a/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c +++ b/drivers/staging/ste_rmi4/synaptics_i2c_rmi4.c @@ -1039,7 +1039,6 @@ static int synaptics_rmi4_remove(struct i2c_client *client) return 0; } -#ifdef CONFIG_PM /** * synaptics_rmi4_suspend() - suspend the touch screen controller * @dev: pointer to device structure @@ -1047,7 +1046,7 @@ static int synaptics_rmi4_remove(struct i2c_client *client) * This function is used to suspend the * touch panel controller and returns integer */ -static int synaptics_rmi4_suspend(struct device *dev) +static int __maybe_unused synaptics_rmi4_suspend(struct device *dev) { /* Touch sleep mode */ int retval; @@ -1081,7 +1080,7 @@ static int synaptics_rmi4_suspend(struct device *dev) * This function is used to resume the touch panel * controller and returns integer. */ -static int synaptics_rmi4_resume(struct device *dev) +static int __maybe_unused synaptics_rmi4_resume(struct device *dev) { int retval; unsigned char intr_status; @@ -1112,8 +1111,6 @@ static int synaptics_rmi4_resume(struct device *dev) return 0; } -#endif - static SIMPLE_DEV_PM_OPS(synaptics_rmi4_dev_pm_ops, synaptics_rmi4_suspend, synaptics_rmi4_resume); -- cgit v1.2.3 From 0b75172281b5c8a231f4bb377759d9fa8127227e Mon Sep 17 00:00:00 2001 From: Glen Lee Date: Thu, 5 Nov 2015 16:12:08 +0900 Subject: staging: wilc1000: fix kbuild test robot error commit b22fa80cdbf4ff1056ecddb4efdcc0ede5f5f422 upstream. This patch fixes build warning and error reported by kbuild test robot. It is fixed by including netdevice.h. >> drivers/staging/wilc1000/wilc_wlan_if.h:940:27: warning: 'struct net_device' declared inside parameter list int wilc_wlan_init(struct net_device *dev, wilc_wlan_inp_t *inp); >> drivers/staging/wilc1000/wilc_wlan_if.h:940:27: warning: its scope is only this definition or declaration, which is probably not what you want >> drivers/staging/wilc1000/wilc_wlan.c:1954:5: error: conflicting types for 'wilc_wlan_init' int wilc_wlan_init(struct net_device *dev, wilc_wlan_inp_t *inp) Fixes: 30135ce ("staging: wilc1000: wilc_wlan_init: add argument struct net_device") Reported-by: kbuild test robot Signed-off-by: Glen Lee Signed-off-by: Greg Kroah-Hartman --- drivers/staging/wilc1000/wilc_wlan_if.h | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/staging') diff --git a/drivers/staging/wilc1000/wilc_wlan_if.h b/drivers/staging/wilc1000/wilc_wlan_if.h index be972afe6e62..bfc3e96d8d25 100644 --- a/drivers/staging/wilc1000/wilc_wlan_if.h +++ b/drivers/staging/wilc1000/wilc_wlan_if.h @@ -12,6 +12,7 @@ #include #include "linux_wlan_common.h" +#include /******************************************** * -- cgit v1.2.3 From 0176ed74e5b899a9b96e115eb0f3cf1b841d42b5 Mon Sep 17 00:00:00 2001 From: Randy Dunlap Date: Fri, 26 Feb 2016 09:09:59 -0800 Subject: staging: unisys: visorinput depends on INPUT commit 82ddecfe8de54331bafe2d0ff526739fd0980190 upstream. Fix build errors by limiting UNISYS_VISORINPUT to the INPUT kconfig setting. drivers/built-in.o: In function `visorinput_remove': visorinput.c:(.text+0x20802e): undefined reference to `input_unregister_device' drivers/built-in.o: In function `visorinput_probe': visorinput.c:(.text+0x208177): undefined reference to `input_allocate_device' visorinput.c:(.text+0x208241): undefined reference to `input_register_device' visorinput.c:(.text+0x20824d): undefined reference to `input_free_device' visorinput.c:(.text+0x208286): undefined reference to `input_allocate_device' visorinput.c:(.text+0x208302): undefined reference to `input_set_abs_params' visorinput.c:(.text+0x20831a): undefined reference to `input_set_abs_params' visorinput.c:(.text+0x20833f): undefined reference to `input_register_device' visorinput.c:(.text+0x20834b): undefined reference to `input_free_device' visorinput.c:(.text+0x20835f): undefined reference to `input_set_capability' drivers/built-in.o: In function `visorinput_channel_interrupt': visorinput.c:(.text+0x20851e): undefined reference to `input_event' visorinput.c:(.text+0x20862c): undefined reference to `input_event' drivers/built-in.o: In function `input_report_key': visorinput.c:(.text+0x207fd1): undefined reference to `input_event' drivers/built-in.o: In function `input_sync': visorinput.c:(.text+0x207fdc): undefined reference to `input_event' Signed-off-by: Randy Dunlap Signed-off-by: Greg Kroah-Hartman --- drivers/staging/unisys/visorinput/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/staging') diff --git a/drivers/staging/unisys/visorinput/Kconfig b/drivers/staging/unisys/visorinput/Kconfig index d83deb4137e8..6baba2795ce7 100644 --- a/drivers/staging/unisys/visorinput/Kconfig +++ b/drivers/staging/unisys/visorinput/Kconfig @@ -4,7 +4,7 @@ config UNISYS_VISORINPUT tristate "Unisys visorinput driver" - depends on UNISYSSPAR && UNISYS_VISORBUS && FB + depends on UNISYSSPAR && UNISYS_VISORBUS && FB && INPUT ---help--- If you say Y here, you will enable the Unisys visorinput driver. -- cgit v1.2.3