From a9cc4006155a68dd0940728f4f222dd035180904 Mon Sep 17 00:00:00 2001 From: Doug Oucharek Date: Thu, 9 Jun 2016 18:45:45 -0400 Subject: staging: lustre: lnet: Don't access NULL NI on failure path In kiblnd_passive_connect(), if we are failing the connection attempt because we cannot find a valid NI (we have a NULL NI), we were coring after the "goto fail" because the failure path was assuming non-NULL NI. This patch ensures we don't dereference a NULL NI on that failure path. Signed-off-by: Doug Oucharek Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-8022 Reviewed-on: http://review.whamcloud.com/19614 Reviewed-by: Dmitry Eremin Reviewed-by: James Simmons Reviewed-by: Matt Ezell Reviewed-by: Oleg Drokin Signed-off-by: Greg Kroah-Hartman --- drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'drivers/staging') diff --git a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c index bbfee53cfcf5..845e49a52430 100644 --- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c +++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c @@ -2521,12 +2521,13 @@ kiblnd_passive_connect(struct rdma_cm_id *cmid, void *priv, int priv_nob) return 0; failed: - if (ni) + if (ni) { lnet_ni_decref(ni); + rej.ibr_cp.ibcp_queue_depth = kiblnd_msg_queue_size(version, ni); + rej.ibr_cp.ibcp_max_frags = kiblnd_rdma_frags(version, ni); + } rej.ibr_version = version; - rej.ibr_cp.ibcp_queue_depth = kiblnd_msg_queue_size(version, ni); - rej.ibr_cp.ibcp_max_frags = kiblnd_rdma_frags(version, ni); kiblnd_reject(cmid, &rej); return -ECONNREFUSED; -- cgit v1.2.3 From 7e982555d89cc84b1fa23b5d54c7ffd9f7753908 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Mon, 30 May 2016 15:50:24 +0200 Subject: staging: iio: fix ad7606_spi regression MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As pointed out by Geert Uytterhoeven, the patch was incorrect and breaks the driver, which was fortunately pointed out by this gcc warning: drivers/staging/iio/adc/ad7606_spi.c: In function ‘ad7606_spi_read_block’: drivers/staging/iio/adc/ad7606_spi.c:34: warning: ‘data’ is used uninitialized in this function The effect of the patch is that the data is copied into a random memory location (from the uninitialized pointer) instead of being byteswapped in place. This adds the initialization for the 'data' variable back to restore the original behavior. Cc: Ksenija Stanojevic Fixes: 87787e5ef727 ("Staging: iio: Fix sparse endian warning") Signed-off-by: Arnd Bergmann Acked-by: Geert Uytterhoeven Signed-off-by: Jonathan Cameron --- drivers/staging/iio/adc/ad7606_spi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/staging') diff --git a/drivers/staging/iio/adc/ad7606_spi.c b/drivers/staging/iio/adc/ad7606_spi.c index 825da0769936..9587fa86dc69 100644 --- a/drivers/staging/iio/adc/ad7606_spi.c +++ b/drivers/staging/iio/adc/ad7606_spi.c @@ -21,7 +21,7 @@ static int ad7606_spi_read_block(struct device *dev, { struct spi_device *spi = to_spi_device(dev); int i, ret; - unsigned short *data; + unsigned short *data = buf; __be16 *bdata = buf; ret = spi_read(spi, buf, count * 2); -- cgit v1.2.3 From f4070a19142d5ee06f0da0cef56a0e78995f172c Mon Sep 17 00:00:00 2001 From: Luis de Bethencourt Date: Wed, 1 Jun 2016 20:25:54 +0100 Subject: staging: iio: ad5933: fix order of cycle conditions Correctly handle the settling time cycles value. The else branch is an impossible condition, > 1022 in the else branch of > 511. Flipping the order. Based on the Table 13 at the bottom of Page 25 of the Data Sheet: http://www.analog.com/media/en/technical-documentation/data-sheets/AD5933.pdf Signed-off-by: Luis de Bethencourt Reviewed-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/staging/iio/impedance-analyzer/ad5933.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'drivers/staging') diff --git a/drivers/staging/iio/impedance-analyzer/ad5933.c b/drivers/staging/iio/impedance-analyzer/ad5933.c index 9f43976f4ef2..170ac980abcb 100644 --- a/drivers/staging/iio/impedance-analyzer/ad5933.c +++ b/drivers/staging/iio/impedance-analyzer/ad5933.c @@ -444,10 +444,10 @@ static ssize_t ad5933_store(struct device *dev, st->settling_cycles = val; /* 2x, 4x handling, see datasheet */ - if (val > 511) - val = (val >> 1) | (1 << 9); - else if (val > 1022) + if (val > 1022) val = (val >> 2) | (3 << 9); + else if (val > 511) + val = (val >> 1) | (1 << 9); dat = cpu_to_be16(val); ret = ad5933_i2c_write(st->client, -- cgit v1.2.3 From 6982f867e058f0c6c8d3eeb4ef305efd7d7f4c8c Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Sun, 5 Jun 2016 21:01:18 +0200 Subject: Revert "Staging: drivers: rtl8188eu: use sizeof(*ptr) instead of sizeof(struct)" This reverts commit 99aded71b52c ("Staging: drivers: rtl8188eu: use sizeof(*ptr) instead of sizeof(struct)"). This commit is wrong, as adapt->HalData has a type of "void *", so now we are allocating a much to small struct, which causes the driver to overwrite random memory which leads to a non working driver and various system crashes. Cc: Jacky Boen Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8188eu/hal/usb_halinit.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers/staging') diff --git a/drivers/staging/rtl8188eu/hal/usb_halinit.c b/drivers/staging/rtl8188eu/hal/usb_halinit.c index 87ea3b844951..363f3a34ddce 100644 --- a/drivers/staging/rtl8188eu/hal/usb_halinit.c +++ b/drivers/staging/rtl8188eu/hal/usb_halinit.c @@ -2072,7 +2072,8 @@ void rtl8188eu_set_hal_ops(struct adapter *adapt) { struct hal_ops *halfunc = &adapt->HalFunc; - adapt->HalData = kzalloc(sizeof(*adapt->HalData), GFP_KERNEL); + + adapt->HalData = kzalloc(sizeof(struct hal_data_8188e), GFP_KERNEL); if (!adapt->HalData) DBG_88E("cant not alloc memory for HAL DATA\n"); -- cgit v1.2.3 From bc8201e3e1885614a5cd3a5f70a79d08f99152fd Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Sun, 5 Jun 2016 21:01:19 +0200 Subject: Revert "Staging: rtl8188eu: rtw_efuse: Use sizeof type *pointer instead of sizeof type." This reverts commit b5e12ec38331 ("Staging: rtl8188eu: rtw_efuse: Use sizeof type *pointer instead of sizeof type."). This commit is wrong, the rtw_malloc2d helper function takes the size of the array elements as its 3th argument, whereas sizeof(*eFuseWord) gives the size of a pointer instead of the size of a u16. Since sizeof(void *) > sizeof(u16) this has no adverse effects, but it is still wrong. Cc: Sandhya Bankar Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8188eu/core/rtw_efuse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/staging') diff --git a/drivers/staging/rtl8188eu/core/rtw_efuse.c b/drivers/staging/rtl8188eu/core/rtw_efuse.c index c17870cddb5b..fbce1f7e68ca 100644 --- a/drivers/staging/rtl8188eu/core/rtw_efuse.c +++ b/drivers/staging/rtl8188eu/core/rtw_efuse.c @@ -102,7 +102,7 @@ efuse_phymap_to_logical(u8 *phymap, u16 _offset, u16 _size_byte, u8 *pbuf) if (!efuseTbl) return; - eFuseWord = (u16 **)rtw_malloc2d(EFUSE_MAX_SECTION_88E, EFUSE_MAX_WORD_UNIT, sizeof(*eFuseWord)); + eFuseWord = (u16 **)rtw_malloc2d(EFUSE_MAX_SECTION_88E, EFUSE_MAX_WORD_UNIT, sizeof(u16)); if (!eFuseWord) { DBG_88E("%s: alloc eFuseWord fail!\n", __func__); goto eFuseWord_failed; -- cgit v1.2.3 From ef3149eb3ddb7f9125e11c90f8330e371b55cffd Mon Sep 17 00:00:00 2001 From: Luis de Bethencourt Date: Wed, 22 Jun 2016 20:43:30 +0100 Subject: staging: iio: accel: fix error check sca3000_read_ctrl_reg() returns a negative number on failure, check for this instead of zero. Signed-off-by: Luis de Bethencourt Cc: Signed-off-by: Jonathan Cameron --- drivers/staging/iio/accel/sca3000_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/staging') diff --git a/drivers/staging/iio/accel/sca3000_core.c b/drivers/staging/iio/accel/sca3000_core.c index a8f533af9eca..ec12181822e6 100644 --- a/drivers/staging/iio/accel/sca3000_core.c +++ b/drivers/staging/iio/accel/sca3000_core.c @@ -594,7 +594,7 @@ static ssize_t sca3000_read_frequency(struct device *dev, goto error_ret_mut; ret = sca3000_read_ctrl_reg(st, SCA3000_REG_CTRL_SEL_OUT_CTRL); mutex_unlock(&st->lock); - if (ret) + if (ret < 0) goto error_ret; val = ret; if (base_freq > 0) -- cgit v1.2.3