There are two potential integer overflows in private_ioctl() if
userspace passes in a large sList.uItem / sNodeList.uItem. The
subsequent call to kmalloc() would allocate a small buffer, leading
to a memory corruption.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Removed the function iwctl_giwnwid, that just return a error code.
Changes v1 to v2:
Removed same functions of vt6655 and vt6656.
Signed-off-by: Marcos Paulo de Souza <marcos.mage@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* 'staging-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (1519 commits)
staging: et131x: Remove redundant check and return statement
staging: et131x: Mainly whitespace changes to appease checkpatch
staging: et131x: Remove last of the forward declarations
staging: et131x: Remove even more forward declarations
staging: et131x: Remove yet more forward declarations
staging: et131x: Remove more forward declarations
staging: et131x: Remove forward declaration of et131x_adapter_setup
staging: et131x: Remove some forward declarations
staging: et131x: Remove unused rx_ring.recv_packet_pool
staging: et131x: Remove call to find pci pm capability
staging: et131x: Remove redundant et131x_reset_recv() call
staging: et131x: Remove unused rx_ring.recv_buffer_pool
Staging: bcm: Fix three initialization errors in InterfaceDld.c
Staging: bcm: Fix coding style issues in InterfaceDld.c
staging:iio:dac: Add AD5360 driver
staging:iio:trigger:bfin-timer: Fix compile error
Staging: vt6655: add some range checks before memcpy()
Staging: vt6655: whitespace fixes to iotcl.c
Staging: vt6656: add some range checks before memcpy()
Staging: vt6656: whitespace cleanups in ioctl.c
...
Fix up conflicts in:
- drivers/{Kconfig,Makefile}, drivers/staging/{Kconfig,Makefile}:
vg driver movement
- drivers/staging/brcm80211/brcmfmac/{dhd_linux.c,mac80211_if.c}:
driver removal vs now stale changes
- drivers/staging/rtl8192e/r8192E_core.c:
driver removal vs now stale changes
- drivers/staging/et131x/et131*:
driver consolidation into one file, tried to do fixups
There were no range checks in the original code so the user could
write past the end of the array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The indents didn't line up at all in the original code. I also fixed
a bunch of other white issues as I went along. I changed the comment
style and removed some commented out code.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The original code left it up to the user to decide how much data to
copy, but that doesn't work with a fixed size array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Smatch has a new check for Rosenberg type information leaks where
structs are copied to the user with uninitialized stack data in them.
In this path, the .uLinkRate member doesn't get initialized so I've
set it to zero.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
If staging:vt6655 is built without CONFIG_DM being defined, there are large
numbers of warnings of the following form due to use of #if instead of #ifdef:
In file included from drivers/staging/vt6655/upc.h:32,
from drivers/staging/vt6655/mac.h:39,
from drivers/staging/vt6655/wroute.c:34:
drivers/staging/vt6655/device.h:399:5: warning: "CONFIG_PM" is not defined
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Done via perl script:
$ cat remove_semi_switch.pl
my $match_balanced_parentheses = qr/(\((?:[^\(\)]++|(?-1))*\))/;
my $match_balanced_braces = qr/(\{(?:[^\{\}]++|(?-1))*\})/;
foreach my $file (@ARGV) {
my $f;
my $text;
my $oldtext;
next if ((-d $file));
open($f, '<', $file)
or die "$P: Can't open $file for read\n";
$oldtext = do { local($/) ; <$f> };
close($f);
next if ($oldtext eq "");
$text = $oldtext;
my $count = 0;
do {
$count = 0;
$count += $text =~ s@\b(switch\s*${match_balanced_parentheses}\s*)${match_balanced_braces}\s*;@"$1$3"@egx;
} while ($count > 0);
if ($text ne $oldtext) {
my $newfile = $file;
open($f, '>', $newfile)
or die "$P: Can't open $newfile for write\n";
print $f $text;
close($f);
}
}
$
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Done via perl script:
$ cat remove_semi_for.pl
my $match_balanced_parentheses = qr/(\((?:[^\(\)]++|(?-1))*\))/;
my $match_balanced_braces = qr/(\{(?:[^\{\}]++|(?-1))*\})/;
foreach my $file (@ARGV) {
my $f;
my $text;
my $oldtext;
next if ((-d $file));
open($f, '<', $file)
or die "$P: Can't open $file for read\n";
$oldtext = do { local($/) ; <$f> };
close($f);
next if ($oldtext eq "");
$text = $oldtext;
my $count = 0;
do {
$count = 0;
$count += $text =~ s@\b(for\s*${match_balanced_parentheses}\s*)${match_balanced_braces}\s*;@"$1$3"@egx;
} while ($count > 0);
if ($text ne $oldtext) {
my $newfile = $file;
open($f, '>', $newfile)
or die "$P: Can't open $newfile for write\n";
print $f $text;
close($f);
}
}
$
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Done via perl script:
$ cat remove_semi_if.pl
my $match_balanced_parentheses = qr/(\((?:[^\(\)]++|(?-1))*\))/;
my $match_balanced_braces = qr/(\{(?:[^\{\}]++|(?-1))*\})/;
foreach my $file (@ARGV) {
my $f;
my $text;
my $oldtext;
next if ((-d $file));
open($f, '<', $file)
or die "$P: Can't open $file for read\n";
$oldtext = do { local($/) ; <$f> };
close($f);
next if ($oldtext eq "");
$text = $oldtext;
my $count = 0;
do {
$count = 0;
$count += $text =~ s@\b(if\s*${match_balanced_parentheses}\s*)${match_balanced_braces}\s*;@"$1$3"@egx;
} while ($count > 0);
if ($text ne $oldtext) {
my $newfile = $file;
open($f, '>', $newfile)
or die "$P: Can't open $newfile for write\n";
print $f $text;
close($f);
}
}
$
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
It causes lots of linking errors when both of these modules are built into the
kernel directly due to their global symbol mess.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch was generated by the following semantic patch:
// <smpl>
@@ expression E; @@
- if (E != NULL) { kfree(E); }
+ kfree(E);
@@ expression E; @@
- if (E != NULL) { kfree(E); E = NULL; }
+ kfree(E);
+ E = NULL;
// </smpl>
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The patch below removes an extra "l" in the word.
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch fixes the sparse warnings
"obsolete struct initializer, use C99 syntax" in vt6655/device_main.c
by converting the struct to C99 syntax
KernelVersion: linux-next-20110110
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This merges the staging-next tree to Linus's tree and resolves
some conflicts that were present due to changes in other trees that were
affected by files here.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Changed to use the proper ccflags-y option
Signed-off-by: Tracey Dent <tdent48227@gmail.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
"param->u.wpa_associate.wpa_ie_len" comes from the user. We should
check it so that the copy_from_user() doesn't overflow the buffer.
Also further down in the function, we assume that if
"param->u.wpa_associate.wpa_ie_len" is set then "abyWPAIE[0]" is
initialized. To make that work, I changed the test here to say that if
"wpa_ie_len" is set then "wpa_ie" has to be a valid pointer or we return
-EINVAL.
Oddly, we only use the first element of the abyWPAIE[] array. So I
suspect there may be some other issues in this function.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
An error code is stored in a variable, but 0 is returned instead. Use the
variable instead of 0.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@r@
local idexpression x;
constant C;
@@
if (...) { ...
x = -C
... when != x
(
return <+...x...+>;
|
return NULL;
|
return;
|
* return ...;
)
}
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
IRQ and resource[] may not have correct values until
after PCI hotplug setup occurs at pci_enable_device() time.
The semantic match that finds this problem is as follows:
// <smpl>
@@
identifier x;
identifier request ~= "pci_request.*|pci_resource.*";
@@
(
* x->irq
|
* x->resource
|
* request(x, ...)
)
...
*pci_enable_device(x)
// </smpl>
Signed-off-by: Kulikov Vasiliy <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
A broadcast address is also a multicast address so simplify test cases where
possible.
As suggested by Joe Perches.
Signed-off-by: Charles Clément <caratorn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Replace all occurrences with unsigned char type.
Signed-off-by: Charles Clément <caratorn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Replace all occurrences with unsigned short type.
Signed-off-by: Charles Clément <caratorn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Replace all occurrences with unsigned long type, except for pointer fields that
should be u32 in packed structures and 8-byte-aligned 8 byte long structure
QWORD.
Thanks to Jiri Slaby for pointing out that simply replacing by unsigned long is
wrong on x86-64 arch.
Signed-off-by: Charles Clément <caratorn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Move functions managing the channel mapping to a new channel.c file, as done in
the staging VT6656 driver. The function names contained in card.c were prefixed
with CARD followed by the first letter of the return code, remove this and use
more coherent function names.
The following functions moved and were renamed:
ChannelValid -> is_channel_valid
CARDbSetChannel -> set_channel
CARDvInitChannelTable -> init_channel_table
CARDbyGetChannelMapping -> get_channel_mapping
CARDvSetCountryInfo -> set_country_info
CARDbySetSupportChannels -> set_support_channels
CARDbChannelGetList -> channel_get_list
CARDvSetCountryIE -> set_country_IE
CARDbGetChannelMapInfo -> get_channel_map_info
CARDvSetChannelMapInfo -> set_channel_map_info
CARDvClearChannelMapInfo -> clear_channel_map_info
CARDbyAutoChannelSelect -> auto_channel_select
CARDbyGetChannelNumber -> get_channel_number
Signed-off-by: Charles Clément <caratorn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rename driver struct and callbacks to vt6655_* instead of device_* and add
__devinit/__devexit directives.
Signed-off-by: Charles Clément <caratorn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commit 902d241129 converted U32 to u32
which you would think would be just fine. Unfortunatly, it seems that
VIA only builds their code on a 32bit processor (which makes sense if
you think about it), but this doesn't work on x86-64. So fix up the few
places where this really wanted to be an unsigned long width.
Cc: Charles Clément <caratorn@gmail.com>
Cc: Forest Bond <forest@alittletooquiet.net>,
Cc: Andres More <more.andres@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>