* Dan Carpenter <dan.carpenter@oracle.com> wrote:
[...]
> The patch c844b2f5cfea: "lttng lib: ring buffer" from Nov 28, 2011,
> leads to the following Smatch complaint:
>
> drivers/staging/lttng/lib/ringbuffer/ring_buffer_frontend.c +1150
> +lib_ring_buffer_print_buffer_errors()
> warn: variable dereferenced before check 'chan' (see line 1143)
>
> drivers/staging/lttng/lib/ringbuffer/ring_buffer_frontend.c
> 1142 {
> 1143 const struct lib_ring_buffer_config *config =
> +chan->backend.config;
>
> +^^^^^^^^^^^^^^^^^^^^
> Dereference.
>
> 1144 unsigned long write_offset, cons_offset;
> 1145
> 1146 /*
> 1147 * Can be called in the error path of allocation when
> 1148 * trans_channel_data is not yet set.
> 1149 */
> 1150 if (!chan)
> ^^^^^^^^^
> Check. At first glance the comment seems out of date, I think check can
> be removed safely.
>
> 1151 return;
> 1152 /*
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The "rtl8192e: Export symbols" patch exported three functions already
exported by the rtl8192u driver. This patch renames the three functions:
Dot11d_Init => dot11d_init
HTUpdateSelfAndPeerSetting => HT_update_self_and_peer_setting
IsLegalChannel => rtllib_legal_channel
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Allow the board file to pass a boot info string through the
platform data that is appended to the /proc/last_kmsg file.
[moved the .h file to drivers/staging/android/ to be self-contained - gregkh]
Signed-off-by: Colin Cross <ccross@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The arguments to shrink functions have changed, update
lowmem_shrink to match.
Signed-off-by: Colin Cross <ccross@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Now that we're murder-synchronous, this code path will never be
called (and if it does, it doesn't tell us anything useful other
than we killed a task that was already being killed by somebody
else but hadn't gotten its' signal yet)
Signed-off-by: San Mehat <san@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
binder_deferred_release was not unmapping the page from the buffer
before freeing it, causing memory corruption. This only happened
when page(s) had not been freed by binder_update_page_range, which
properly unmaps the pages.
This only happens on architectures with VIPT aliasing.
To reproduce, create a program which opens, mmaps, munmaps, then closes
the binder very quickly. This should leave a page allocated when the
binder is released. When binder_deferrred_release is called on the
close, the page will remain mapped to the address in the linear
proc->buffer. Later, we may map the same physical page to a different
virtual address that has different coloring, and this may cause
aliasing to occur.
PAGE_POISONING will greatly increase your chances of noticing any
problems.
Signed-off-by: Christopher Lais <chris+android@zenthought.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch optimizes lowmemkiller to not do any work when it has an outstanding
kill-request. This greatly reduces the pressure on the task_list lock
(improving interactivity), as well as improving the vmscan performance
when under heavy memory pressure (by up to 20x in tests).
Note: For this enhancement to work, you need CONFIG_PROFILING
Signed-off-by: San Mehat <san@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Under certain circumstances, a process can take awhile to
handle a sig-kill (especially if it's in a scheduler group with
a very low share ratio). When this occurs, lowmemkiller returns
to vmscan indicating the process memory has been freed - even
though the process is still waiting to die. Since the memory
hasn't actually freed, lowmemkiller is called again shortly after,
and picks the same process to die; regardless of the fact that
it has already been 'scheduled' to die and the memory has already
been reported to vmscan as having been freed.
Solution is to check fatal_signal_pending() on the selected
task, and if it's already pending destruction return; indicating
to vmscan that no resources were freed on this pass.
Signed-off-by: San Mehat <san@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Some drivers flush the global workqueue when closed. This would deadlock if
the last reference to the file was released from the binder.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The timed output device never previously checked the return value of sscanf,
resulting in an uninitialized int being passed to enable() if input value
was invalid.
Signed-off-by: Mike Lockwood <lockwood@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[Note, this is part of a patch from Sam, just the drivers/staging/
portion, that adds a function that the apanic code calls, but the apanic
code isn't here, so just include part of this to make merges and diffs
easier and this keeps things self-contained - gregkh]
Signed-off-by: San Mehat <san@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This reverts commit 2cdf99ce2b.
It now builds, so this can be reverted.
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Brian Swetland <swetland@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This reverts commit b0a0ccfad8.
Turns out I was wrong, we want these in the tree.
Note, I've disabled the drivers from the build at the moment, so other
patches can be applied to fix some build issues due to internal api
changes since the code was removed from the tree.
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Brian Swetland <swetland@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Now that the rtl8192e driver is split up, it makes sense to keep the
rtllib code in one directory and the rtl8192e specific code in
another. This patch contains the split and the fixup of includes.
Since rtl_core.h already included rtllib.h and dot11d.h, rtl_core.h
was updated to point to the parent directory. All other references to
rtllib.h and dot11d.h in the rtl8192e specific code where deleted
rather than fixed. This leaves just one file that needs to know the
real location of the rtllib includes.
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch splits the current r8192e_pci driver up into six different
drivers: rtllib, rtllib_crypt, rtllib_crypt_ccmp, rtllib_crypt_tkip,
rtllib_crypt_wep, and r8192e_pci.
Now that they are proper modules, the init and exit functions do not
need to be called directly. Also, the rtllib_*_null functions are not
needed since they will be loaded on demand.
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The rtl8192e driver had a natural split between the more generic
rtllib code and the more specific rtl8192e code. This patch exports
all the symbols needed by the r8192 specific code from the rtllib
generic code.
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rename rtl_debug.h to rtllib_debug.h. Source files should include
rtllib.h if they are generic and rtl_core.h if they are r8192e
specific. Files should never include both.
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The RTL_DEBUG enum is used for rt_global_debug_component global
variable and RT_TRACE. It should be in rtl_debug.h and not rtl_core.h.
The rtl8192_proc_* functions are r8192 specific and should not be in
rtl_debug.h. Move them to rtl_core.h.
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch cleans up rtl_debug.h by removing all the unused defines and
stub functions.
The changes to rtl_core.c are just to remove the deleted stub function
calls.
The changes to rtl_debug.c are functions that are never called.
Signed-off-by: Sean MacLennan <seanm@seanm.ca>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The lis3l02dq_read_event_config() function returned an ssize_t up to
now, which lead to a compiler warning in line 660 (initialization from
incompatible pointer type). The iio_info struct is defined to accept an
int-returning function as the read_event_config parameter.
Also it seems odd to have the check for (ret < 0) and return ret in
this case, when the return type is signed.
Signed-off-by: Andreas Ruprecht <rupran@einserver.de>
Acked-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The loop used to reset the interrupt masks has faulty logic. There are 4
banks of 8 I/O, however each mask is comprised of 2 bits and thus there are
8 sets of registers to clear. Driver was wrongly equating this with 8 banks
leading to a us writing past the end of the "bank" array (used to store mask
configuration as these registers are write only) and thus causing memory
corruption. Clear both registers of masks for each bank and half iterations.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martyn Welch <martyn.welch@ge.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The function ad7280_store_balance_timer() parses data from a char*
buffer into a long variable, but uses the the function strict_strtoul
which expects a pointer to an unsigned long variable as its third
parameter.
As Dan Carpenter mentioned, the values are capped a few lines later,
but a check if val is negative is missing.
Now this function will return -ERANGE if there is a representation of
a negative number in buf.
Additionally the checkpatch.pl considers strict_strtoul as obsolete.
I replaced its call with the suggested kstrtoul.
Signed-off-by: Andreas Ruprecht <rupran@einserver.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The advantage of kcalloc is, that will prevent integer overflows which could
result from the multiplication of number of elements and size and it is also
a bit nicer to read.
The semantic patch that makes this change is available
in https://lkml.org/lkml/2011/11/25/107
Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
There are two potential integer overflows in private_ioctl() if
userspace passes in a large sList.uItem / sNodeList.uItem. The
subsequent call to kmalloc() would allocate a small buffer, leading
to a memory corruption.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
There are two potential integer overflows in private_ioctl() if
userspace passes in a large sList.uItem / sNodeList.uItem. The
subsequent call to kmalloc() would allocate a small buffer, leading
to a memory corruption.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
In all locations that call this function ignore your returna, so remove
it.
Signed-off-by: Marcos Paulo de Souza <marcos.mage@gmail.com>
Cc: Forest Bond <forest@alittletooquiet.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch removes a lot of commented code, and some return calls of
void functions.
Signed-off-by: Marcos Paulo de Souza <marcos.mage@gmail.com>
Cc: Forest Bond <forest@alittletooquiet.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Remved some commented code, and fixed some style issues. was removed too
a redundant if statement.
Signed-off-by: Marcos Paulo de Souza <marcos.mage@gmail.com>
Cc: Forest Bond <forest@alittletooquiet.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Removed return call of void functions. Removed some code style issues.
Signed-off-by: Marcos Paulo de Souza <marcos.mage@gmail.com>
Cc: Forest Bond <forest@alittletooquiet.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Marcos Paulo de Souza <marcos.mage@gmail.com>
Cc: Forest Bond <forest@alittletooquiet.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Removed the function iwctl_giwnwid, that just return a error code.
Changes v1 to v2:
Removed same functions of vt6655 and vt6656.
Signed-off-by: Marcos Paulo de Souza <marcos.mage@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
hv_netvsc has been reviewed on netdev mailing list on 6/09/2011.
All recommended changes have been made. We are requesting to move
it out of staging area.
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: KY Srinivasan <kys@microsoft.com>
Signed-off-by: Mike Sterling <Mike.Sterling@microsoft.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The code in sca3000_store_measurement_mode() uses the variable val to
do bitwise operations with an int mask and or-s it into st->rx[0] which
is an entry in a u8 array (see sca3000.h).
This means up to now values larger than a u8 were silently ignored and
just the lower 8 bits counted into the value that was written into
st->rx[0]. This code will return -ERANGE if the value in buf was too
large to fit into a u8.
Signed-off-by: Andreas Ruprecht <rupran@einserver.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
In lis3102dq_write_frequency() we used a long variable to store the
value parsed from the char* buffer buf, as there only was a
strict_strtol() function to parse values.
Now we have got kstrto* which allows us to convert to the right data
type in most cases.
In this particular function we want to write a frequency value, and it
doesn't make sense to allow negative values here (as Dan Carpenter
pointed out in a previous email).
This means we can now parse the value into an unsigned long and get an
error for invalid (e.g. negative) values.
Signed-off-by: Andreas Ruprecht <rupran@einserver.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
In the adis16220_write_16bit() function we used a long value to store
parsed data from the char* buffer buf.
The called function to actually write the data,
adis16220_spi_write_reg_16(), takes a u16 value as a parameter, so up
to now a value larger than u16 was silently ignored as it was only
truncated when passing the parameter.
Now this function will only accept values fitting into a u16.
Additionally the parsing function was changed to overcome the now
obsolete strict_strtol() function.
Signed-off-by: Andreas Ruprecht <rupran@einserver.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch reorders the semaphore locking.
It makes better sense to first evaluate
fw_download_sema semaphore then
NVMRdmWrmLocl semaphore. The
fw_download_sema is suppose to be
acquired in the START ioctl. If this is
not true, then it does not make sense
to continue.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This is a cleanup patch. I've shuffled the code around to
move the error handling closer to the calls. I've removed
some indent levels. I've replaced break statements with
direct returns.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>