[PATCH] [media] c8sectpfe: Fix uninitialized return in load_c8sectpfe_fw_step1()
In case of failure loading the firmware, function
load_c8sectpfe_fw_step1() uses the uninitialized variable ret as return
value instead of the retrieved error value. Make sure the result is
deterministic. Detected by Coverity CID 1324230.
Signed-off-by: Christian Engelmayer
---
Compile tested only. Applies against linux-next.
---
drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
index 486aef50d99b..16aa494f22be 100644
--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
+++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
@@ -1192,7 +1192,6 @@ err:
static int load_c8sectpfe_fw_step1(struct c8sectpfei *fei)
{
- int ret;
int err;
dev_info(fei->dev, "Loading firmware: %s\n", FIRMWARE_MEMDMA);
@@ -1207,7 +1206,7 @@ static int load_c8sectpfe_fw_step1(struct c8sectpfei *fei)
if (err) {
dev_err(fei->dev, "request_firmware_nowait err: %d.\n", err);
complete_all(&fei->fw_ack);
- return ret;
+ return err;
}
return 0;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] [media] c8sectpfe: Fix uninitialized variable in load_slim_core_fw()
Variable err in function load_slim_core_fw() is used without initializer.
Make sure that the result is deterministic. Detected by Coverity CID
1324265.
Signed-off-by: Christian Engelmayer
---
Compile tested only. Applies against linux-next.
---
drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
index 486aef50d99b..cd146464a80c 100644
--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
+++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
@@ -1106,7 +1106,7 @@ static int load_slim_core_fw(const struct firmware *fw,
void *context)
phdr = (Elf32_Phdr *)(fw->data + ehdr->e_phoff);
/* go through the available ELF segments */
- for (i = 0; i < ehdr->e_phnum && !err; i++, phdr++) {
+ for (i = 0, err = 0; i < ehdr->e_phnum && !err; i++, phdr++) {
/* Only consider LOAD segments */
if (phdr->p_type != PT_LOAD)
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH 2/2] drm/vmwgfx: Fix uninitialized return in vmw_kms_helper_dirty()
Function vmw_kms_helper_dirty() uses the uninitialized variable ret as
return value. Make the result deterministic and directly return as the
variable is unused anyway. Detected by Coverity CID 1324255.
Signed-off-by: Christian Engelmayer
---
Compile tested only. Applies against linux-next.
---
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 61fb7f3de311..15a6c01cd016 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -1685,7 +1685,6 @@ int vmw_kms_helper_dirty(struct vmw_private *dev_priv,
struct drm_crtc *crtc;
u32 num_units = 0;
u32 i, k;
- int ret;
dirty->dev_priv = dev_priv;
@@ -1711,7 +1710,7 @@ int vmw_kms_helper_dirty(struct vmw_private *dev_priv,
if (!dirty->cmd) {
DRM_ERROR("Couldn't reserve fifo space "
"for dirty blits.\n");
- return ret;
+ return -ENOMEM;
}
memset(dirty->cmd, 0, dirty->fifo_reserve_size);
}
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/2] drm/vmwgfx: Fix uninitialized return in vmw_cotable_unbind()
Function vmw_cotable_unbind() uses the uninitialized variable ret as return value. Make the result deterministic and directly return as the variable is unused anyway. Detected by Coverity CID 1324256. Signed-off-by: Christian Engelmayer --- Compile tested only. Applies against linux-next. --- drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c b/drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c index ce659a125f2b..092ea81eeff7 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c @@ -311,7 +311,6 @@ static int vmw_cotable_unbind(struct vmw_resource *res, struct vmw_private *dev_priv = res->dev_priv; struct ttm_buffer_object *bo = val_buf->bo; struct vmw_fence_obj *fence; - int ret; if (list_empty(&res->mob_head)) return 0; @@ -328,7 +327,7 @@ static int vmw_cotable_unbind(struct vmw_resource *res, if (likely(fence != NULL)) vmw_fence_obj_unreference(&fence); - return ret; + return 0; } /** -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] rsi: Fix possible leak when loading firmware
Commit 5d5cd85ff441 ("rsi: Fix failure to load firmware after memory
leak fix and fix the leak") also added a check on the allocation of
DMA-accessible memory that may directly return. In that case the
already allocated firmware data is leaked. Make sure the data is
always freed correctly. Detected by Coverity CID 1316519.
Signed-off-by: Christian Engelmayer
---
Compile tested only.
---
drivers/net/wireless/rsi/rsi_91x_sdio_ops.c | 8 ++--
drivers/net/wireless/rsi/rsi_91x_usb_ops.c | 8 ++--
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c
b/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c
index 1c6788aecc62..40d72312f3df 100644
--- a/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c
+++ b/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c
@@ -203,8 +203,10 @@ static int rsi_load_ta_instructions(struct rsi_common
*common)
/* Copy firmware into DMA-accessible memory */
fw = kmemdup(fw_entry->data, fw_entry->size, GFP_KERNEL);
- if (!fw)
- return -ENOMEM;
+ if (!fw) {
+ status = -ENOMEM;
+ goto out;
+ }
len = fw_entry->size;
if (len % 4)
@@ -217,6 +219,8 @@ static int rsi_load_ta_instructions(struct rsi_common
*common)
status = rsi_copy_to_card(common, fw, len, num_blocks);
kfree(fw);
+
+out:
release_firmware(fw_entry);
return status;
}
diff --git a/drivers/net/wireless/rsi/rsi_91x_usb_ops.c
b/drivers/net/wireless/rsi/rsi_91x_usb_ops.c
index 30c2cf7fa93b..de4900862836 100644
--- a/drivers/net/wireless/rsi/rsi_91x_usb_ops.c
+++ b/drivers/net/wireless/rsi/rsi_91x_usb_ops.c
@@ -148,8 +148,10 @@ static int rsi_load_ta_instructions(struct rsi_common
*common)
/* Copy firmware into DMA-accessible memory */
fw = kmemdup(fw_entry->data, fw_entry->size, GFP_KERNEL);
- if (!fw)
- return -ENOMEM;
+ if (!fw) {
+ status = -ENOMEM;
+ goto out;
+ }
len = fw_entry->size;
if (len % 4)
@@ -162,6 +164,8 @@ static int rsi_load_ta_instructions(struct rsi_common
*common)
status = rsi_copy_to_card(common, fw, len, num_blocks);
kfree(fw);
+
+out:
release_firmware(fw_entry);
return status;
}
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] mfd: cros_ec: Fix possible leak in led_rgb_store()
On Mon, 20 Jul 2015 07:50:36 -0700, Gwendal Grignou
wrote:
> On Sun, Jul 19, 2015 at 12:43 PM, Christian Engelmayer
> wrote:
> > Function led_rgb_store() contains some direct returns in error cases that
> > leak the already allocated cros_ec_command message structure. Make sure
> > that 'msg' is freed in all exit paths. Detected by Coverity CID 1309666.
> >
> > Signed-off-by: Christian Engelmayer
> > ---
> > Compile tested only. Applies against linux-next.
> > ---
> > drivers/platform/chrome/cros_ec_lightbar.c | 8 +++-
> > 1 file changed, 3 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/platform/chrome/cros_ec_lightbar.c
> > b/drivers/platform/chrome/cros_ec_lightbar.c
> > index 144e09df9b84..4e598c11e8a4 100644
> > --- a/drivers/platform/chrome/cros_ec_lightbar.c
> > +++ b/drivers/platform/chrome/cros_ec_lightbar.c
> > @@ -252,7 +252,7 @@ static ssize_t led_rgb_store(struct device *dev, struct
> > device_attribute *attr,
> >
> > ret = sscanf(buf, "%i", &val[i++]);
> > if (ret == 0)
> > - return -EINVAL;
> > + goto exit;
> >
> > if (i == 4) {
> > param = (struct ec_params_lightbar *)msg->data;
> > @@ -268,17 +268,15 @@ static ssize_t led_rgb_store(struct device *dev,
> > struct device_attribute *attr,
> > if ((j++ % 4) == 0) {
> > ret = lb_throttle();
> > if (ret)
> > - return ret;
> > + goto exit;
> > }
> >
> > ret = cros_ec_cmd_xfer(ec->ec_dev, msg);
> > if (ret < 0)
> > goto exit;
> >
> > - if (msg->result != EC_RES_SUCCESS) {
> > - ret = -EINVAL;
> ret = -EINVAL is necessary to indicate the command did not succeed:
> the command was successfully sent to the EC, and the response was
> received, but the EC failed the command internally.
That's the code pattern seen in this module, however, in that case setting
'ret' seems superfluous and potentially misleading, as the functions exit
code is written differently:
exit:
kfree(msg);
return (ok && i == 0) ? count : -EINVAL;
> > + if (msg->result != EC_RES_SUCCESS)
> > goto exit;
> > - }
> >
> > i = 0;
> > ok = 1;
> > --
> > 1.9.1
> >
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] mfd: cros_ec: Fix possible leak in led_rgb_store()
Function led_rgb_store() contains some direct returns in error cases that
leak the already allocated cros_ec_command message structure. Make sure
that 'msg' is freed in all exit paths. Detected by Coverity CID 1309666.
Signed-off-by: Christian Engelmayer
---
Compile tested only. Applies against linux-next.
---
drivers/platform/chrome/cros_ec_lightbar.c | 8 +++-
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/platform/chrome/cros_ec_lightbar.c
b/drivers/platform/chrome/cros_ec_lightbar.c
index 144e09df9b84..4e598c11e8a4 100644
--- a/drivers/platform/chrome/cros_ec_lightbar.c
+++ b/drivers/platform/chrome/cros_ec_lightbar.c
@@ -252,7 +252,7 @@ static ssize_t led_rgb_store(struct device *dev, struct
device_attribute *attr,
ret = sscanf(buf, "%i", &val[i++]);
if (ret == 0)
- return -EINVAL;
+ goto exit;
if (i == 4) {
param = (struct ec_params_lightbar *)msg->data;
@@ -268,17 +268,15 @@ static ssize_t led_rgb_store(struct device *dev, struct
device_attribute *attr,
if ((j++ % 4) == 0) {
ret = lb_throttle();
if (ret)
- return ret;
+ goto exit;
}
ret = cros_ec_cmd_xfer(ec->ec_dev, msg);
if (ret < 0)
goto exit;
- if (msg->result != EC_RES_SUCCESS) {
- ret = -EINVAL;
+ if (msg->result != EC_RES_SUCCESS)
goto exit;
- }
i = 0;
ok = 1;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] mfd: cros_ec: Fix leak in sequence_store()
The allocated cros_ec_command message structure is not freed in function
sequence_store(). Make sure that 'msg' is freed in all exit paths.
Detected by Coverity CID 1309667.
Signed-off-by: Christian Engelmayer
---
Compile tested only. Applies against linux-next.
---
drivers/platform/chrome/cros_ec_lightbar.c | 23 ++-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/drivers/platform/chrome/cros_ec_lightbar.c
b/drivers/platform/chrome/cros_ec_lightbar.c
index 144e09df9b84..fc30a991b738 100644
--- a/drivers/platform/chrome/cros_ec_lightbar.c
+++ b/drivers/platform/chrome/cros_ec_lightbar.c
@@ -352,10 +352,6 @@ static ssize_t sequence_store(struct device *dev, struct
device_attribute *attr,
struct cros_ec_dev *ec = container_of(dev,
struct cros_ec_dev, class_dev);
- msg = alloc_lightbar_cmd_msg(ec);
- if (!msg)
- return -ENOMEM;
-
for (len = 0; len < count; len++)
if (!isalnum(buf[len]))
break;
@@ -370,21 +366,30 @@ static ssize_t sequence_store(struct device *dev, struct
device_attribute *attr,
return ret;
}
+ msg = alloc_lightbar_cmd_msg(ec);
+ if (!msg)
+ return -ENOMEM;
+
param = (struct ec_params_lightbar *)msg->data;
param->cmd = LIGHTBAR_CMD_SEQ;
param->seq.num = num;
ret = lb_throttle();
if (ret)
- return ret;
+ goto exit;
ret = cros_ec_cmd_xfer(ec->ec_dev, msg);
if (ret < 0)
- return ret;
+ goto exit;
- if (msg->result != EC_RES_SUCCESS)
- return -EINVAL;
+ if (msg->result != EC_RES_SUCCESS) {
+ ret = -EINVAL;
+ goto exit;
+ }
- return count;
+ ret = count;
+exit:
+ kfree(msg);
+ return ret;
}
/* Module initialization */
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] xen/pvhvm: Fix non-ANSI declaration of xen_has_pv_devices()
Fix sparse warning "non-ANSI function declaration of function
'xen_has_pv_devices'".
Signed-off-by: Christian Engelmayer
---
arch/x86/xen/platform-pci-unplug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/xen/platform-pci-unplug.c
b/arch/x86/xen/platform-pci-unplug.c
index a826171..9586ff3 100644
--- a/arch/x86/xen/platform-pci-unplug.c
+++ b/arch/x86/xen/platform-pci-unplug.c
@@ -68,7 +68,7 @@ static int check_platform_magic(void)
return 0;
}
-bool xen_has_pv_devices()
+bool xen_has_pv_devices(void)
{
if (!xen_domain())
return false;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] ARM: kprobes: Fix non-ANSI declaration of arch_init_kprobes()
Fix sparse warning "non-ANSI function declaration of function
'arch_init_kprobes'".
Signed-off-by: Christian Engelmayer
---
arch/arm/kernel/kprobes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/kernel/kprobes.c b/arch/arm/kernel/kprobes.c
index 6d64420..18b79a7 100644
--- a/arch/arm/kernel/kprobes.c
+++ b/arch/arm/kernel/kprobes.c
@@ -615,7 +615,7 @@ static struct undef_hook kprobes_arm_break_hook = {
#endif /* !CONFIG_THUMB2_KERNEL */
-int __init arch_init_kprobes()
+int __init arch_init_kprobes(void)
{
arm_probes_decode_init();
#ifdef CONFIG_THUMB2_KERNEL
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] serial: samsung: Fix compile error with SERIAL_SAMSUNG_DEBUG
Commit e4ac92d (serial: samsung: Neaten dbg uses) contains a typo in the changed dbg() function regarding the name of the used character buffer. This breaks the build if actually compiled with CONFIG_SERIAL_SAMSUNG_DEBUG. Signed-off-by: Christian Engelmayer --- Compile tested. Applies against branch tty-next in tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git --- drivers/tty/serial/samsung.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c index 3293377..c1d3ebd 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -66,7 +66,7 @@ static void dbg(const char *fmt, ...) char buff[256]; va_start(va, fmt); - vscnprintf(buff, sizeof(buf), fmt, va); + vscnprintf(buff, sizeof(buff), fmt, va); va_end(va); printascii(buff); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] ASoC: wm8985: Remove unused pointer in wm8985_remove()
Commit a0b148b4 (ASoC: wm8985: Use devm_regulator_bulk_get()) removed the last
user of pointer wm8985 to struct wm8985_priv. Thus remove it. Detected by
Coverity CID 1222150.
Signed-off-by: Christian Engelmayer
---
Compile tested. Applies against branch for-next in tree
git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
---
sound/soc/codecs/wm8985.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/sound/soc/codecs/wm8985.c b/sound/soc/codecs/wm8985.c
index 0f5780c..cbbdfbb 100644
--- a/sound/soc/codecs/wm8985.c
+++ b/sound/soc/codecs/wm8985.c
@@ -980,9 +980,6 @@ static int wm8985_resume(struct snd_soc_codec *codec)
static int wm8985_remove(struct snd_soc_codec *codec)
{
- struct wm8985_priv *wm8985;
-
- wm8985 = snd_soc_codec_get_drvdata(codec);
wm8985_set_bias_level(codec, SND_SOC_BIAS_OFF);
return 0;
}
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] staging: rtl8712: rtl871x_ioctl_linux.c: Cleaning up memory leak
On Sun, 1 Jun 2014 13:30:43 +0200, Rickard Strandqvist wrote: > There is a risk for memory leak in when something unexpected happens > and the function returns. > > This was largely found by using a static code analysis program called > cppcheck. > > Signed-off-by: Rickard Strandqvist > --- > drivers/staging/rtl8712/rtl871x_ioctl_linux.c |1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > index 23d539d..27e0243 100644 > --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > @@ -1822,6 +1822,7 @@ static int r871x_wx_set_enc_ext(struct net_device *dev, > alg_name = "CCMP"; > break; > default: > + kfree(param); > return -EINVAL; > } > strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); Hi Rickard, This one doesn't apply either. Commit 55d4f6cc (staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()) moved the input verification to the beginning of the function so that the direct return no longer hurt. This change was also already in flight at the time of Your first version of the patch in May. Please check that Your patches are based on linux-next. Best Regards, Christian -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] staging: rtl8712: rtl871x_mlme.c: Cleaning up memory leak
On Sun, 1 Jun 2014 13:32:20 +0200, Rickard Strandqvist wrote: > There is a risk for memory leak in when something unexpected happens > and the function returns. > > This was largely found by using a static code analysis program called > cppcheck. > > Signed-off-by: Rickard Strandqvist This doesn't apply against staging-next. This fix seems to attack the same problem as existing commit 2af9e74 (staging: rtl8712: fix potential leaks in r8712_set_key()) - http://www.spinics.net/lists/linux-driver-devel/msg46501.html I think we talked about that already - see http://www.spinics.net/lists/linux-driver-devel/msg46294.html Regards, Christian -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] of: mdio: fix compile warning in of_mdiobus_register_phy()
Commit de906af1 (net: phy: make of_set_phy_supported work with genphy driver) removed the last user of variable 'max_speed' in function of_mdiobus_register_phy(), leading to compile warning "unused variable ‘max_speed’ [-Wunused-variable]". Thus remove it. Signed-off-by: Christian Engelmayer --- Compile tested. Applies against branch master in tree git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git --- drivers/of/of_mdio.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/of/of_mdio.c b/drivers/of/of_mdio.c index b857094..7c6e277 100644 --- a/drivers/of/of_mdio.c +++ b/drivers/of/of_mdio.c @@ -46,7 +46,6 @@ static int of_mdiobus_register_phy(struct mii_bus *mdio, struct device_node *chi struct phy_device *phy; bool is_c45; int rc; - u32 max_speed = 0; u32 phy_id; is_c45 = of_device_is_compatible(child, -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] Input: ims-pcu - fix uninitialized use of 'error' in ims_pcu_buffers_alloc()
In case allocation via usb_alloc_coherent() fails in ims_pcu_buffers_alloc(),
the function jumps to the exit path without initializing local variable
'error' that is used as return value. Detected by Coverity - CID 1016531.
Signed-off-by: Christian Engelmayer
---
This is an allocation function and all currently coded error scenarios
result in -ENOMEM. Thus it would be possible to eliminate 'error' at all and
always return -ENOMEM in the error path.
Compile tested. Applies against branch next in tree
git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git
---
drivers/input/misc/ims-pcu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 5a73639..719410f 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1566,6 +1566,7 @@ static int ims_pcu_buffers_alloc(struct ims_pcu *pcu)
if (!pcu->urb_ctrl_buf) {
dev_err(pcu->dev,
"Failed to allocate memory for read buffer\n");
+ error = -ENOMEM;
goto err_free_urb_out_buf;
}
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] net/mlx4_en: Fix uninitialized use of 'port_up' in mlx4_en_set_channels()
Function mlx4_en_set_channels() stops running ports before performing the
requested action. In that case local variable 'port_up' is set so that the
port is restarted at the end of the function, however, in case the port was
not stopped, variable 'port_up' is left uninitialized and the behaviour is
undetermined. Detected by Coverity - CID 751497.
Signed-off-by: Christian Engelmayer
---
Compile tested. Applies against branch master in tree
git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
---
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
index a72d99f..7ba3df3 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -1121,7 +1121,7 @@ static int mlx4_en_set_channels(struct net_device *dev,
{
struct mlx4_en_priv *priv = netdev_priv(dev);
struct mlx4_en_dev *mdev = priv->mdev;
- int port_up;
+ int port_up = 0;
int err = 0;
if (channel->other_count || channel->combined_count ||
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/2] staging: rtl8188eu: fix usage of uninit scalar in rtw_drv_init()
On Sat, 17 May 2014 17:44:23 +0300, Dan Carpenter wrote: > On Sat, May 17, 2014 at 12:38:57PM +0200, Christian Engelmayer wrote: > > Function rtw_drv_init() is written in a way that assumes 'status' != > > _SUCCESS > > as long as not explicitly set. Thus initialize 'status' to FAIL, in order to > > prevent undefined behaviour if going through the exit paths. Detected by > > Coverity - CID 1077832. > > > > Signed-off-by: Christian Engelmayer > > This is a bugfix and we like to merge bugfixes without asking redo > things, so don't redo. But really the better fix is to get rid of the > status variable completely. Just return directly on the success path. > > If we were to do that, then both patches would be merged together and > called: [patch] Staging: rtl8188eu: fix error handling in rtw_drv_init() > > But this patch is also acceptable as-is. Thanks for fixing the bug. :) I agree with You Dan. I'm no big fan of that status variable either. In this case I was already tempted, but saw it as a recurring pattern in that file in case cleanup is done. So I decided to just attack the bug in a small change and leave the cleanup of the error handling pattern for a later, consistent sweep over the whole file if that's wanted. Regards, Christian -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] IB/mlx4: Fix potentially uninitialized use of 'is_mcast' in create_iboe_ah()
Before commit 297e0da (IB/mlx4: Handle Ethernet L2 parameters for IP based GID
addressing) local variable 'is_mcast' in function create_iboe_ah() was
guaranteed to be set after calling mlx4_ib_resolve_grh(). Since 297e0da
'is_mcast' is set in case of rdma_is_multicast_addr(), but otherwise left
uninitialized. Thus init 'is_mcast' to 0. Detected by Coverity - CID 1164324
Signed-off-by: Christian Engelmayer
---
Compile tested. Applies against branch for-next in tree
git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband.git
---
drivers/infiniband/hw/mlx4/ah.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mlx4/ah.c b/drivers/infiniband/hw/mlx4/ah.c
index 170dca6..2d8c339 100644
--- a/drivers/infiniband/hw/mlx4/ah.c
+++ b/drivers/infiniband/hw/mlx4/ah.c
@@ -73,7 +73,7 @@ static struct ib_ah *create_iboe_ah(struct ib_pd *pd, struct
ib_ah_attr *ah_attr
{
struct mlx4_ib_dev *ibdev = to_mdev(pd->device);
struct mlx4_dev *dev = ibdev->dev;
- int is_mcast;
+ int is_mcast = 0;
struct in6_addr in6;
u16 vlan_tag;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH 0/2] staging: rtl8188eu: fix Coverity defects in rtw_drv_init()
This addresses two issues currently reported by static analysis for function rtw_drv_init() in drivers/staging/rtl8188eu/os_dep/usb_intf.c. CID 1077553 - Logically dead code CID 1077832 - Uninitialized scalar variable Compile tested only. Applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git Christian Engelmayer (2): staging: rtl8188eu: fix usage of uninit scalar in rtw_drv_init() staging: rtl8188eu: remove dead code in rtw_drv_init() drivers/staging/rtl8188eu/os_dep/usb_intf.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 2/2] staging: rtl8188eu: remove dead code in rtw_drv_init()
(status != _SUCCESS) immediately after 'status = _SUCCESS' will never evaluate true. Thus remove the logically dead code. Detected by Coverity - CID 1077553. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c index 632a5b0a..2a96add 100644 --- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c +++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c @@ -713,8 +713,6 @@ static int rtw_drv_init(struct usb_interface *pusb_intf, const struct usb_device status = _SUCCESS; - if (status != _SUCCESS && if1) - rtw_usb_if1_deinit(if1); free_dvobj: if (status != _SUCCESS) usb_dvobj_deinit(pusb_intf); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/2] staging: rtl8188eu: fix usage of uninit scalar in rtw_drv_init()
Function rtw_drv_init() is written in a way that assumes 'status' != _SUCCESS
as long as not explicitly set. Thus initialize 'status' to FAIL, in order to
prevent undefined behaviour if going through the exit paths. Detected by
Coverity - CID 1077832.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
index 8ed2ac8..632a5b0a 100644
--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -685,7 +685,7 @@ static void rtw_usb_if1_deinit(struct adapter *if1)
static int rtw_drv_init(struct usb_interface *pusb_intf, const struct
usb_device_id *pdid)
{
struct adapter *if1 = NULL;
- int status;
+ int status = _FAIL;
struct dvobj_priv *dvobj;
RT_TRACE(_module_hci_intfs_c_, _drv_err_, ("+rtw_drv_init\n"));
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] misc: genwqe: fix uninitialized return value in genwqe_free_sync_sgl()
Function genwqe_free_sync_sgl() returns the value of variable 'rc'. 'rc' is
only set in the error paths, thus initialize it by 0. Coverity CID 1204242.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against branch char-misc-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
---
drivers/misc/genwqe/card_utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c
index d049d27..5babf40 100644
--- a/drivers/misc/genwqe/card_utils.c
+++ b/drivers/misc/genwqe/card_utils.c
@@ -454,7 +454,7 @@ int genwqe_setup_sgl(struct genwqe_dev *cd, struct
genwqe_sgl *sgl,
*/
int genwqe_free_sync_sgl(struct genwqe_dev *cd, struct genwqe_sgl *sgl)
{
- int rc;
+ int rc = 0;
struct pci_dev *pci_dev = cd->pci_dev;
if (sgl->fpage) {
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2] staging: rtl8723au: Remove unused pointer in rtw_wdev_free()
Pointer 'pwdev_priv' in function rtw_wdev_free() is unused - thus remove it.
Signed-off-by: Christian Engelmayer
---
v2: Resend after v1 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c | 4
1 file changed, 4 deletions(-)
diff --git a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
index ca100dc..be89741 100644
--- a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
@@ -3576,15 +3576,11 @@ exit:
void rtw_wdev_free(struct wireless_dev *wdev)
{
- struct rtw_wdev_priv *pwdev_priv;
-
DBG_8723A("%s(wdev =%p)\n", __func__, wdev);
if (!wdev)
return;
- pwdev_priv = wdev_to_priv(wdev);
-
kfree(wdev->wiphy->bands[IEEE80211_BAND_2GHZ]);
kfree(wdev->wiphy->bands[IEEE80211_BAND_5GHZ]);
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2] staging: silicom: Remove needless calls of get_status_port_fn()
Remove a needless pointer initialisation and call to get_status_port_fn()
in functions remove_bypass_tpl_auto() and set_tpl_fn(). Variable
'pbpctl_dev_b' is set correctly later in the function before first use.
Signed-off-by: Christian Engelmayer
---
v2: Resend after v1 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/silicom/bpctl_mod.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/silicom/bpctl_mod.c
b/drivers/staging/silicom/bpctl_mod.c
index 7f3d884..bbc183f 100644
--- a/drivers/staging/silicom/bpctl_mod.c
+++ b/drivers/staging/silicom/bpctl_mod.c
@@ -4735,10 +4735,9 @@ static void bp_tpl_timer_fn(unsigned long param)
static void remove_bypass_tpl_auto(struct bpctl_dev *pbpctl_dev)
{
- struct bpctl_dev *pbpctl_dev_b = NULL;
+ struct bpctl_dev *pbpctl_dev_b;
if (!pbpctl_dev)
return;
- pbpctl_dev_b = get_status_port_fn(pbpctl_dev);
if (pbpctl_dev->bp_caps & TPL_CAP) {
del_timer_sync(&pbpctl_dev->bp_tpl_timer);
@@ -4785,12 +4784,10 @@ static int set_bypass_tpl_auto(struct bpctl_dev
*pbpctl_dev, unsigned int param)
static int set_tpl_fn(struct bpctl_dev *pbpctl_dev, int tpl_mode)
{
- struct bpctl_dev *pbpctl_dev_b = NULL;
+ struct bpctl_dev *pbpctl_dev_b;
if (!pbpctl_dev)
return -1;
- pbpctl_dev_b = get_status_port_fn(pbpctl_dev);
-
if (pbpctl_dev->bp_caps & TPL_CAP) {
if (tpl_mode) {
pbpctl_dev_b = get_status_port_fn(pbpctl_dev);
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2 2/5] staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext()
Function rtw_wx_set_enc_ext() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077712. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 45b47e2..1bd476d 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -2097,7 +2097,8 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, alg_name = "CCMP"; break; default: - return -1; + ret = -1; + goto exit; } strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); @@ -2124,6 +2125,7 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, ret = wpa_set_encryption(dev, param, param_len); +exit: kfree(param); return ret; } -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v3] staging: rtl8188eu: fix potential leak in rtw_set_key()
Fix a potential leak in the error path of rtw_set_key(). In case the requested
algorithm is not supported by the driver, the function returns without
enqueuing or freeing the already allocated command and parameter structs. Use
a centralized exit path and make sure that all memory is freed correctly.
Detected by Coverity - CID 1077716, 1077717.
Signed-off-by: Christian Engelmayer
---
v3: Resend after v2 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
v2: Added changes requested by Dan Carpenter:
* Just return directly where no cleanup is needed.
* Prefer naming labels by the labeled action rather than the goto location.
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8188eu/core/rtw_mlme.c | 19 +++
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme.c
b/drivers/staging/rtl8188eu/core/rtw_mlme.c
index 769d4dd..155282e 100644
--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c
+++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c
@@ -1727,15 +1727,13 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
int res = _SUCCESS;
pcmd = (struct cmd_obj *)rtw_zmalloc(sizeof(struct cmd_obj));
- if (pcmd == NULL) {
- res = _FAIL; /* try again */
- goto exit;
- }
+ if (pcmd == NULL)
+ return _FAIL; /* try again */
+
psetkeyparm = (struct setkey_parm *)rtw_zmalloc(sizeof(struct
setkey_parm));
if (psetkeyparm == NULL) {
- kfree(pcmd);
res = _FAIL;
- goto exit;
+ goto err_free_cmd;
}
_rtw_memset(psetkeyparm, 0, sizeof(struct setkey_parm));
@@ -1784,7 +1782,7 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
("\n rtw_set_key:psecuritypriv->dot11PrivacyAlgrthm=%x
(must be 1 or 2 or 4 or 5)\n",
psecuritypriv->dot11PrivacyAlgrthm));
res = _FAIL;
- goto exit;
+ goto err_free_parm;
}
pcmd->cmdcode = _SetKey_CMD_;
pcmd->parmbuf = (u8 *)psetkeyparm;
@@ -1793,7 +1791,12 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
pcmd->rspsz = 0;
_rtw_init_listhead(&pcmd->list);
res = rtw_enqueue_cmd(pcmdpriv, pcmd);
-exit:
+ return res;
+
+err_free_parm:
+ kfree(psetkeyparm);
+err_free_cmd:
+ kfree(pcmd);
return res;
}
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2 0/5] staging: rtl8188eu: fix Coverity defects in os_dep/ioctl_linux.c
This is a cleanup of staging/rtl8188eu/os_dep/ioctl_linux.c regarding Coverity resource leak findings. The changes leave the current implementation intact and just attack the problems in the error paths, however, it seems that we could get easily rid of some of the mallocs altogether. char *input = kmalloc(wrqu->data.length, GFP_KERNEL); copy_from_user(input, wrqu->data.pointer, wrqu->data.length); qAutoLoad = strncmp(input, "autoload", 8); v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii The series is compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git Christian Engelmayer (5): staging: rtl8188eu: fix potential leak in rtw_wx_read32() staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext() staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv() staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath() staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk() drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 69 +- 1 file changed, 45 insertions(+), 24 deletions(-) -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2] staging: binder: fix usage of uninit scalar in binder_transaction()
Fix the error path when a cookie mismatch is detected. In that case the function jumps to the exit label without setting the uninitialized, local variable 'return_error'. Detected by Coverity - CID 201453. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/android/binder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 35c00ab..de8e2a3 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -1546,6 +1546,7 @@ static void binder_transaction(struct binder_proc *proc, proc->pid, thread->pid, (u64)fp->binder, node->debug_id, (u64)fp->cookie, (u64)node->cookie); + return_error = BR_FAILED_REPLY; goto err_binder_get_ref_for_node_failed; } ref = binder_get_ref_for_node(target_proc, node); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2] staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()
Fix a potential leak in the error path of r871x_wx_set_enc_ext(). In case the
requested algorithm is not supported by the driver, the function returns
without freeing the already allocated 'param' struct. Move the input
verification to the beginning of the function so that the direct return is
safe. Detected by Coverity - CID 144373.
Signed-off-by: Christian Engelmayer
---
v2: Resend after v1 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index 23d539d..1eca992 100644
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -1801,13 +1801,6 @@ static int r871x_wx_set_enc_ext(struct net_device *dev,
u32 param_len;
int ret = 0;
- param_len = sizeof(struct ieee_param) + pext->key_len;
- param = (struct ieee_param *)_malloc(param_len);
- if (param == NULL)
- return -ENOMEM;
- memset(param, 0, param_len);
- param->cmd = IEEE_CMD_SET_ENCRYPTION;
- memset(param->sta_addr, 0xff, ETH_ALEN);
switch (pext->alg) {
case IW_ENCODE_ALG_NONE:
alg_name = "none";
@@ -1824,6 +1817,15 @@ static int r871x_wx_set_enc_ext(struct net_device *dev,
default:
return -EINVAL;
}
+
+ param_len = sizeof(struct ieee_param) + pext->key_len;
+ param = (struct ieee_param *)_malloc(param_len);
+ if (param == NULL)
+ return -ENOMEM;
+ memset(param, 0, param_len);
+ param->cmd = IEEE_CMD_SET_ENCRYPTION;
+ memset(param->sta_addr, 0xff, ETH_ALEN);
+
strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN);
if (pext->ext_flags & IW_ENCODE_EXT_GROUP_KEY)
param->u.crypt.set_tx = 0;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2 3/5] staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv()
Function rtw_mp_QueryDrv() dynamically allocates a temporary buffer that
is not freed in all error paths. Use a centralized exit path and make sure
that all memory is freed correctly. Detected by Coverity - CID 1077713.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index 1bd476d..8b1579b 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -7350,12 +7350,15 @@ static int rtw_mp_QueryDrv(struct net_device *dev,
char*input = kmalloc(wrqu->data.length, GFP_KERNEL);
u8 qAutoLoad = 1;
struct eeprom_priv *pEEPROM = GET_EEPROM_EFUSE_PRIV(padapter);
+ int ret = 0;
if (!input)
return -ENOMEM;
- if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
- return -EFAULT;
+ if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) {
+ ret = -EFAULT;
+ goto exit;
+ }
DBG_88E("%s:iwpriv in =%s\n", __func__, input);
qAutoLoad = strncmp(input, "autoload", 8); /* strncmp true is 0 */
@@ -7369,8 +7372,10 @@ static int rtw_mp_QueryDrv(struct net_device *dev,
sprintf(extra, "ok");
}
wrqu->data.length = strlen(extra) + 1;
+
+exit:
kfree(input);
- return 0;
+ return ret;
}
static int rtw_mp_set(struct net_device *dev,
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2] staging: rtl8712: fix potential leaks in r8712_set_key()
Fix potential leaks in the error paths of r8712_set_key(). In case the
algorithm specific checks fail, the function returns without enqueuing
or freeing the already allocated command and parameter structs. Use a
centralized exit path and make sure that all memory is freed correctly.
Detected by Coverity - CID 144370, 144371.
Signed-off-by: Christian Engelmayer
---
v2: Resend after v1 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8712/rtl871x_mlme.c | 28
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c
b/drivers/staging/rtl8712/rtl871x_mlme.c
index 3ea99ae..23fd8c1 100644
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1243,14 +1243,15 @@ sint r8712_set_key(struct _adapter *adapter,
struct cmd_obj *pcmd;
struct setkey_parm *psetkeyparm;
u8 keylen;
+ sint ret = _SUCCESS;
pcmd = (struct cmd_obj *)_malloc(sizeof(struct cmd_obj));
if (pcmd == NULL)
return _FAIL;
psetkeyparm = (struct setkey_parm *)_malloc(sizeof(struct setkey_parm));
if (psetkeyparm == NULL) {
- kfree((unsigned char *)pcmd);
- return _FAIL;
+ ret = _FAIL;
+ goto err_free_cmd;
}
memset(psetkeyparm, 0, sizeof(struct setkey_parm));
if (psecuritypriv->AuthAlgrthm == 2) { /* 802.1X */
@@ -1274,23 +1275,28 @@ sint r8712_set_key(struct _adapter *adapter,
psecuritypriv->DefKey[keyid].skey, keylen);
break;
case _TKIP_:
- if (keyid < 1 || keyid > 2)
- return _FAIL;
+ if (keyid < 1 || keyid > 2) {
+ ret = _FAIL;
+ goto err_free_parm;
+ }
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);
psetkeyparm->grpkey = 1;
break;
case _AES_:
- if (keyid < 1 || keyid > 2)
- return _FAIL;
+ if (keyid < 1 || keyid > 2) {
+ ret = _FAIL;
+ goto err_free_parm;
+ }
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);
psetkeyparm->grpkey = 1;
break;
default:
- return _FAIL;
+ ret = _FAIL;
+ goto err_free_parm;
}
pcmd->cmdcode = _SetKey_CMD_;
pcmd->parmbuf = (u8 *)psetkeyparm;
@@ -1299,7 +1305,13 @@ sint r8712_set_key(struct _adapter *adapter,
pcmd->rspsz = 0;
_init_listhead(&pcmd->list);
r8712_enqueue_cmd(pcmdpriv, pcmd);
- return _SUCCESS;
+ return ret;
+
+err_free_parm:
+ kfree(psetkeyparm);
+err_free_cmd:
+ kfree(pcmd);
+ return ret;
}
/* adjust IEs for r8712_joinbss_cmd in WMM */
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v3] staging: rtl8188eu: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie().
Move the affected input verification to the beginning of the function so
that it may return directly without leaking already allocated memory.
Detected by Coverity - CID 1077718.
Signed-off-by: Christian Engelmayer
---
v3: Resend after v2 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
v2: Added change suggested by Mateusz Guzik for the rtl8723au variant:
Move the check before allocating the memory instead of freeing the
resource afterwards in the error path.
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8188eu/core/rtw_ap.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_ap.c
b/drivers/staging/rtl8188eu/core/rtw_ap.c
index ff74d0d..85fda61 100644
--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
+++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
@@ -1306,6 +1306,10 @@ static void update_bcn_wps_ie(struct adapter *padapter)
DBG_88E("%s\n", __func__);
+ pwps_ie_src = pmlmepriv->wps_beacon_ie;
+ if (pwps_ie_src == NULL)
+ return;
+
pwps_ie = rtw_get_wps_ie(ie+_FIXED_IE_LENGTH_, ielen-_FIXED_IE_LENGTH_,
NULL, &wps_ielen);
if (pwps_ie == NULL || wps_ielen == 0)
@@ -1323,10 +1327,6 @@ static void update_bcn_wps_ie(struct adapter *padapter)
memcpy(pbackup_remainder_ie, premainder_ie,
remainder_ielen);
}
- pwps_ie_src = pmlmepriv->wps_beacon_ie;
- if (pwps_ie_src == NULL)
- return;
-
wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */
if ((wps_offset+wps_ielen+2+remainder_ielen) <= MAX_IE_SZ) {
memcpy(pwps_ie, pwps_ie_src, wps_ielen+2);
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2 5/5] staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk()
Function rtw_mp_pwrtrk() dynamically allocates a temporary buffer that
is not freed in all error paths. Use a centralized exit path and make sure
that all memory is freed correctly. Detected by Coverity - 1077715.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 28 --
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index ea5e1f8..f04aaa3 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -7119,15 +7119,15 @@ static int rtw_mp_pwrtrk(struct net_device *dev,
{
u8 enable;
u32 thermal;
- s32 ret;
struct adapter *padapter = rtw_netdev_priv(dev);
char*input = kmalloc(wrqu->length, GFP_KERNEL);
+ int ret = 0;
if (!input)
return -ENOMEM;
if (copy_from_user(input, wrqu->pointer, wrqu->length)) {
- kfree(input);
- return -EFAULT;
+ ret = -EFAULT;
+ goto exit;
}
_rtw_memset(extra, 0, wrqu->length);
@@ -7138,22 +7138,28 @@ static int rtw_mp_pwrtrk(struct net_device *dev,
sprintf(extra, "mp tx power tracking stop");
} else if (sscanf(input, "ther =%d", &thermal)) {
ret = Hal_SetThermalMeter(padapter,
(u8)thermal);
- if (ret == _FAIL)
- return -EPERM;
+ if (ret == _FAIL) {
+ ret = -EPERM;
+ goto exit;
+ }
sprintf(extra, "mp tx power tracking start,
target value =%d ok ", thermal);
} else {
- kfree(input);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
}
- kfree(input);
ret = Hal_SetPowerTracking(padapter, enable);
- if (ret == _FAIL)
- return -EPERM;
+ if (ret == _FAIL) {
+ ret = -EPERM;
+ goto exit;
+ }
wrqu->length = strlen(extra);
- return 0;
+
+exit:
+ kfree(input);
+ return ret;
}
static int rtw_mp_psd(struct net_device *dev,
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2 4/5] staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath()
Function rtw_mp_SetRFPath() dynamically allocates a temporary buffer that
is not freed in all error paths. Use a centralized exit path and make sure
that all memory is freed correctly. Detected by Coverity - CID 1077714.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index 8b1579b..ea5e1f8 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -7321,11 +7321,14 @@ static int rtw_mp_SetRFPath(struct net_device *dev,
struct adapter *padapter = rtw_netdev_priv(dev);
char*input = kmalloc(wrqu->data.length, GFP_KERNEL);
u8 bMain = 1, bTurnoff = 1;
+ int ret = 0;
if (!input)
return -ENOMEM;
- if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
- return -EFAULT;
+ if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) {
+ ret = -EFAULT;
+ goto exit;
+ }
DBG_88E("%s:iwpriv in =%s\n", __func__, input);
bMain = strncmp(input, "1", 2); /* strncmp true is 0 */
@@ -7338,8 +7341,10 @@ static int rtw_mp_SetRFPath(struct net_device *dev,
MP_PHY_SetRFPathSwitch(padapter, false);
DBG_88E("%s:PHY_SetRFPathSwitch = false\n", __func__);
}
+
+exit:
kfree(input);
- return 0;
+ return ret;
}
static int rtw_mp_QueryDrv(struct net_device *dev,
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2 1/5] staging: rtl8188eu: fix potential leak in rtw_wx_read32()
Function rtw_wx_read32() dynamically allocates a temporary buffer that is not
freed in all error paths. Use a centralized exit path and make sure that all
memory is freed correctly. Detected by Coverity - CID 1077711.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index cf30a08..45b47e2 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -2154,6 +2154,7 @@ static int rtw_wx_read32(struct net_device *dev,
u32 bytes;
u8 *ptmp;
int rv;
+ int ret = 0;
padapter = (struct adapter *)rtw_netdev_priv(dev);
p = &wrqu->data;
@@ -2163,16 +2164,16 @@ static int rtw_wx_read32(struct net_device *dev,
return -ENOMEM;
if (copy_from_user(ptmp, p->pointer, len)) {
- kfree(ptmp);
- return -EFAULT;
+ ret = -EFAULT;
+ goto exit;
}
bytes = 0;
addr = 0;
rv = sscanf(ptmp, "%d,%x", &bytes, &addr);
if (rv != 2) {
- kfree(ptmp);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
switch (bytes) {
@@ -2190,12 +2191,14 @@ static int rtw_wx_read32(struct net_device *dev,
break;
default:
DBG_88E(KERN_INFO "%s: usage> read [bytes],[address(hex)]\n",
__func__);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
DBG_88E(KERN_INFO "%s: addr = 0x%08X data =%s\n", __func__, addr,
extra);
+exit:
kfree(ptmp);
- return 0;
+ return ret;
}
static int rtw_wx_write32(struct net_device *dev,
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2] staging: vt6656: fix potential leak in vt6656_hostap_ioctl()
Commit fb841d67 (staging: vt6656: don't leak 'param' in vt6656_hostap_ioctl() when returning -EOPNOTSUPP) cleaned up direct returns in the ioctl switch statement that leaked already allocated memory. Fix the same issue for VIAWGET_HOSTAPD_SCAN_REQ and VIAWGET_HOSTAPD_MLME that are not supported by this driver. Detected by Coverity - CID 144381. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/vt6656/hostap.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c index 67ba48b..a0d9fff 100644 --- a/drivers/staging/vt6656/hostap.c +++ b/drivers/staging/vt6656/hostap.c @@ -742,7 +742,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_MLME: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_MLME \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT \n"); @@ -751,7 +752,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_SCAN_REQ: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SCAN_REQ \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_STA_CLEAR_STATS: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_STA_CLEAR_STATS \n"); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v2] staging: comedi: ii_pci20kc: fix usage of uninit scalar in ii20k_attach()
This driver supports the PCI-20001C-1a and PCI-20001C-2a carrier boards.
The -2a version has 32 on-board DIO channels. In case this variant is
detected, local variable 'has_dio' is set accordingly. Otherwise it is
left uninitialized and the following subdevice instantiation depends on
the stack. Detected by Coverity - CID 1077830.
Signed-off-by: Christian Engelmayer
---
v2: Resend after v1 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/comedi/drivers/ii_pci20kc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/comedi/drivers/ii_pci20kc.c
b/drivers/staging/comedi/drivers/ii_pci20kc.c
index 3558ab3..2516ce8 100644
--- a/drivers/staging/comedi/drivers/ii_pci20kc.c
+++ b/drivers/staging/comedi/drivers/ii_pci20kc.c
@@ -461,6 +461,7 @@ static int ii20k_attach(struct comedi_device *dev,
id = readb(devpriv->ioaddr + II20K_ID_REG);
switch (id & II20K_ID_MASK) {
case II20K_ID_PCI20001C_1A:
+ has_dio = false;
break;
case II20K_ID_PCI20001C_2A:
has_dio = true;
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH v3] staging: silicom: Remove unused pointer in bypass_init_module()
Pointer 'pbpctl_dev_c' in function bypass_init_module() is unused. Thus remove
it. With the last variable declaration gone, there is no more need for an own
block. Remove it and adapt the indenting accordingly.
Signed-off-by: Christian Engelmayer
---
v3: Resend after v2 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu:
Remove 'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii
v2: Added changes requested by Dan Carpenter:
Dan pointed out that with the declaration gone, the indent block shall be
removed. This was intentionally left out in v1 in order to keep the
changeset more readable. However, according to the input, also with the
additional indenting change this still qualifies for one logical change.
Compile tested and applies against v3.15-rc2 as well as branch staging-next
of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/silicom/bpctl_mod.c | 41 +++--
1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/drivers/staging/silicom/bpctl_mod.c
b/drivers/staging/silicom/bpctl_mod.c
index 7f3d884..2fb9a6f 100644
--- a/drivers/staging/silicom/bpctl_mod.c
+++ b/drivers/staging/silicom/bpctl_mod.c
@@ -6371,33 +6371,26 @@ static int __init bypass_init_module(void)
sema_init(&bpctl_sema, 1);
spin_lock_init(&bpvm_lock);
- {
-
- struct bpctl_dev *pbpctl_dev_c = NULL;
- for (idx_dev = 0, dev = bpctl_dev_arr;
-idx_dev < device_num && dev->pdev;
-idx_dev++, dev++) {
- if (dev->bp_10g9) {
- pbpctl_dev_c = get_status_port_fn(dev);
- if (is_bypass_fn(dev)) {
- printk(KERN_INFO "%s found, ",
- dev->name);
- dev->bp_fw_ver = bypass_fw_ver(dev);
- printk("firmware version: 0x%x\n",
- dev->bp_fw_ver);
- }
- dev->wdt_status = WDT_STATUS_UNKNOWN;
- dev->reset_time = 0;
- atomic_set(&dev->wdt_busy, 0);
- dev->bp_status_un = 1;
-
- bypass_caps_init(dev);
-
- init_bypass_wd_auto(dev);
- init_bypass_tpl_auto(dev);
+ for (idx_dev = 0, dev = bpctl_dev_arr;
+idx_dev < device_num && dev->pdev;
+idx_dev++, dev++) {
+ if (dev->bp_10g9) {
+ if (is_bypass_fn(dev)) {
+ printk(KERN_INFO "%s found, ", dev->name);
+ dev->bp_fw_ver = bypass_fw_ver(dev);
+ printk("firmware version: 0x%x\n",
+ dev->bp_fw_ver);
}
+ dev->wdt_status = WDT_STATUS_UNKNOWN;
+ dev->reset_time = 0;
+ atomic_set(&dev->wdt_busy, 0);
+ dev->bp_status_un = 1;
+
+ bypass_caps_init(dev);
+ init_bypass_wd_auto(dev);
+ init_bypass_tpl_auto(dev);
}
}
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] staging: rtl8712: fix potential leaks in r8712_set_key()
On Sat, 3 May 2014 20:27:35 -0400, Greg KH wrote: > On Thu, May 01, 2014 at 11:54:02PM +0200, Christian Engelmayer wrote: > > Fix potential leaks in the error paths of r8712_set_key(). In case the > > algorithm specific checks fail, the function returns without enqueuing > > or freeing the already allocated command and parameter structs. Use a > > centralized exit path and make sure that all memory is freed correctly. > > Detected by Coverity - CID 144370, 144371. > > > > Signed-off-by: Christian Engelmayer > > --- > > Compile tested and applies against branch staging-next of tree > > git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git > > This doesn't apply either, and neither does one of your other patches, > what is going on? Greg, I am sorry that last weeks set of staging patches had problems. It is not my intention to waste Your time. I could reproduce the issue by running git am on my patches as received back from the mailing list. Most of the set failed as the mails were split incorrectly. I started rebasing the patches to the current staging-next and fixed my mail agents settings to generate no multipart, 7bit text/plain us-ascii. Thus the same set sent to myself applies now to a fresh clone of Your tree. git checkout -b integration-test origin/staging-next Branch integration-test set up to track remote branch staging-next from origin. Switched to a new branch 'integration-test' git am ./staging.mbox Applying: staging: binder: fix usage of uninit scalar in binder_transaction() Applying: staging: comedi: ii_pci20kc: fix usage of uninit scalar in ii20k_attach() Applying: staging: rtl8188eu: fix potential leak in rtw_set_key() Applying: staging: rtl8188eu: fix potential leak in rtw_wx_read32() Applying: staging: rtl8188eu: fix potential leak in update_bcn_wps_ie() Applying: staging: rtl8712: fix potential leaks in r8712_set_key() Applying: staging: rtl8723au: Remove unused pointer in rtw_wdev_free() Applying: staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext() Applying: staging: silicom: Remove needless calls of get_status_port_fn() Applying: staging: silicom: Remove unused pointer in bypass_init_module() Applying: staging: vt6656: fix potential leak in vt6656_hostap_ioctl() Applying: staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext() Applying: staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv() Applying: staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath() Applying: staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk() > Can you just refresh all of the outstanding patches you have sent me > that I have not applied and resend them? Of course. In case there are no objections or further hints, I will check the refreshed patches later this week when I have got a bit more time and will resend them. Regards, Christian -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] staging: comedi: ii_pci20kc: fix usage of uninit scalar in ii20k_attach()
This driver supports the PCI-20001C-1a and PCI-20001C-2a carrier boards.
The -2a version has 32 on-board DIO channels. In case this variant is
detected, local variable 'has_dio' is set accordingly. Otherwise it is
left uninitialized and the following subdevice instantiation depends on
the stack. Detected by Coverity - CID 1077830.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/comedi/drivers/ii_pci20kc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/staging/comedi/drivers/ii_pci20kc.c
b/drivers/staging/comedi/drivers/ii_pci20kc.c
index 3558ab3..2516ce8 100644
--- a/drivers/staging/comedi/drivers/ii_pci20kc.c
+++ b/drivers/staging/comedi/drivers/ii_pci20kc.c
@@ -461,6 +461,7 @@ static int ii20k_attach(struct comedi_device *dev,
id = readb(devpriv->ioaddr + II20K_ID_REG);
switch (id & II20K_ID_MASK) {
case II20K_ID_PCI20001C_1A:
+ has_dio = false;
break;
case II20K_ID_PCI20001C_2A:
has_dio = true;
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] staging: binder: fix usage of uninit scalar in binder_transaction()
Fix the error path when a cookie mismatch is detected. In that case the function jumps to the exit label without setting the uninitialized, local variable 'return_error'. Detected by Coverity - CID 201453. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/android/binder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 1f5e249..ca1b0e3 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -1529,6 +1529,7 @@ static void binder_transaction(struct binder_proc *proc, proc->pid, thread->pid, (u64)fp->binder, node->debug_id, (u64)fp->cookie, (u64)node->cookie); + return_error = BR_FAILED_REPLY; goto err_binder_get_ref_for_node_failed; } ref = binder_get_ref_for_node(target_proc, node); -- 1.9.1 signature.asc Description: PGP signature
[PATCH] staging: vt6656: fix potential leak in vt6656_hostap_ioctl()
Commit fb841d67 (staging: vt6656: don't leak 'param' in vt6656_hostap_ioctl() when returning -EOPNOTSUPP) cleaned up direct returns in the ioctl switch statement that leaked already allocated memory. Fix the same issue for VIAWGET_HOSTAPD_SCAN_REQ and VIAWGET_HOSTAPD_MLME that are also not supported by this driver. Detected by Coverity - CID 144381. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/vt6656/hostap.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c index 67ba48b..a0d9fff 100644 --- a/drivers/staging/vt6656/hostap.c +++ b/drivers/staging/vt6656/hostap.c @@ -742,7 +742,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_MLME: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_MLME \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT \n"); @@ -751,7 +752,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_SCAN_REQ: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SCAN_REQ \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_STA_CLEAR_STATS: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_STA_CLEAR_STATS \n"); -- 1.9.1 signature.asc Description: PGP signature
[PATCH] staging: rtl8712: fix potential leaks in r8712_set_key()
Fix potential leaks in the error paths of r8712_set_key(). In case the
algorithm specific checks fail, the function returns without enqueuing
or freeing the already allocated command and parameter structs. Use a
centralized exit path and make sure that all memory is freed correctly.
Detected by Coverity - CID 144370, 144371.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8712/rtl871x_mlme.c | 28
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c
b/drivers/staging/rtl8712/rtl871x_mlme.c
index 3ea99ae..23fd8c1 100644
--- a/drivers/staging/rtl8712/rtl871x_mlme.c
+++ b/drivers/staging/rtl8712/rtl871x_mlme.c
@@ -1243,14 +1243,15 @@ sint r8712_set_key(struct _adapter *adapter,
struct cmd_obj *pcmd;
struct setkey_parm *psetkeyparm;
u8 keylen;
+ sint ret = _SUCCESS;
pcmd = (struct cmd_obj *)_malloc(sizeof(struct cmd_obj));
if (pcmd == NULL)
return _FAIL;
psetkeyparm = (struct setkey_parm *)_malloc(sizeof(struct setkey_parm));
if (psetkeyparm == NULL) {
- kfree((unsigned char *)pcmd);
- return _FAIL;
+ ret = _FAIL;
+ goto err_free_cmd;
}
memset(psetkeyparm, 0, sizeof(struct setkey_parm));
if (psecuritypriv->AuthAlgrthm == 2) { /* 802.1X */
@@ -1274,23 +1275,28 @@ sint r8712_set_key(struct _adapter *adapter,
psecuritypriv->DefKey[keyid].skey, keylen);
break;
case _TKIP_:
- if (keyid < 1 || keyid > 2)
- return _FAIL;
+ if (keyid < 1 || keyid > 2) {
+ ret = _FAIL;
+ goto err_free_parm;
+ }
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);
psetkeyparm->grpkey = 1;
break;
case _AES_:
- if (keyid < 1 || keyid > 2)
- return _FAIL;
+ if (keyid < 1 || keyid > 2) {
+ ret = _FAIL;
+ goto err_free_parm;
+ }
keylen = 16;
memcpy(psetkeyparm->key,
&psecuritypriv->XGrpKey[keyid - 1], keylen);
psetkeyparm->grpkey = 1;
break;
default:
- return _FAIL;
+ ret = _FAIL;
+ goto err_free_parm;
}
pcmd->cmdcode = _SetKey_CMD_;
pcmd->parmbuf = (u8 *)psetkeyparm;
@@ -1299,7 +1305,13 @@ sint r8712_set_key(struct _adapter *adapter,
pcmd->rspsz = 0;
_init_listhead(&pcmd->list);
r8712_enqueue_cmd(pcmdpriv, pcmd);
- return _SUCCESS;
+ return ret;
+
+err_free_parm:
+ kfree(psetkeyparm);
+err_free_cmd:
+ kfree(pcmd);
+ return ret;
}
/* adjust IEs for r8712_joinbss_cmd in WMM */
--
1.9.1
signature.asc
Description: PGP signature
[PATCH v2] staging: rtl8723au: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie().
Move the affected input verification to the beginning of the function so
that it may return directly without leaking already allocated memory.
Detected by Coverity - CID 1077718.
Signed-off-by: Christian Engelmayer
---
v2: Added change suggested by Mateusz Guzik:
Move the check before allocating the memory instead of freeing the
resource afterwards in the error path.
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8723au/core/rtw_ap.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/rtl8723au/core/rtw_ap.c
b/drivers/staging/rtl8723au/core/rtw_ap.c
index 9b31412..da028c535 100644
--- a/drivers/staging/rtl8723au/core/rtw_ap.c
+++ b/drivers/staging/rtl8723au/core/rtw_ap.c
@@ -1256,6 +1256,10 @@ static void update_bcn_wps_ie(struct rtw_adapter
*padapter)
DBG_8723A("%s\n", __func__);
+ pwps_ie_src = pmlmepriv->wps_beacon_ie;
+ if (pwps_ie_src == NULL)
+ return;
+
pwps_ie = rtw_get_wps_ie23a(ie+_FIXED_IE_LENGTH_,
ielen-_FIXED_IE_LENGTH_, NULL, &wps_ielen);
if (pwps_ie == NULL || wps_ielen == 0)
@@ -1274,10 +1278,6 @@ static void update_bcn_wps_ie(struct rtw_adapter
*padapter)
remainder_ielen);
}
- pwps_ie_src = pmlmepriv->wps_beacon_ie;
- if (pwps_ie_src == NULL)
- return;
-
wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */
if ((wps_offset+wps_ielen+2+remainder_ielen)<= MAX_IE_SZ)
{
--
1.9.1
signature.asc
Description: PGP signature
[PATCH v2] staging: rtl8188eu: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie().
Move the affected input verification to the beginning of the function so
that it may return directly without leaking already allocated memory.
Detected by Coverity - CID 1077718.
Signed-off-by: Christian Engelmayer
---
v2: Added change suggested by Mateusz Guzik for the rtl8723au variant:
Move the check before allocating the memory instead of freeing the
resource afterwards in the error path.
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8188eu/core/rtw_ap.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_ap.c
b/drivers/staging/rtl8188eu/core/rtw_ap.c
index ff74d0d..85fda61 100644
--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
+++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
@@ -1306,6 +1306,10 @@ static void update_bcn_wps_ie(struct adapter *padapter)
DBG_88E("%s\n", __func__);
+ pwps_ie_src = pmlmepriv->wps_beacon_ie;
+ if (pwps_ie_src == NULL)
+ return;
+
pwps_ie = rtw_get_wps_ie(ie+_FIXED_IE_LENGTH_, ielen-_FIXED_IE_LENGTH_,
NULL, &wps_ielen);
if (pwps_ie == NULL || wps_ielen == 0)
@@ -1323,10 +1327,6 @@ static void update_bcn_wps_ie(struct adapter *padapter)
memcpy(pbackup_remainder_ie, premainder_ie,
remainder_ielen);
}
- pwps_ie_src = pmlmepriv->wps_beacon_ie;
- if (pwps_ie_src == NULL)
- return;
-
wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */
if ((wps_offset+wps_ielen+2+remainder_ielen) <= MAX_IE_SZ) {
memcpy(pwps_ie, pwps_ie_src, wps_ielen+2);
--
1.9.1
signature.asc
Description: PGP signature
Re: [PATCH] staging: rtl8723au: fix potential leak in update_bcn_wps_ie()
On Thu, 1 May 2014 14:22:17 +0200, Mateusz Guzik wrote:
> On Thu, May 01, 2014 at 01:57:27PM +0200, Christian Engelmayer wrote:
> > Fix a potential leak in the error path of function update_bcn_wps_ie().
> > Make sure that allocated memory for 'pbackup_remainder_ie' is freed
> > upon return. Detected by Coverity - CID 1077718.
> >
>
> if (remainder_ielen > 0) {
> pbackup_remainder_ie = kmalloc(remainder_ielen, GFP_ATOMIC);
> if (pbackup_remainder_ie)
> memcpy(pbackup_remainder_ie, premainder_ie,
>remainder_ielen);
> }
>
> pwps_ie_src = pmlmepriv->wps_beacon_ie;
> if (pwps_ie_src == NULL)
> return;
>
>
> Maybe just check pwps_ie_src earlier?
>
You are right, I see no reason why this cannot be done early in the function.
diff --git a/drivers/staging/rtl8723au/core/rtw_ap.c
b/drivers/staging/rtl8723au/core/rtw_ap.c
index 9b31412..da028c535 100644
--- a/drivers/staging/rtl8723au/core/rtw_ap.c
+++ b/drivers/staging/rtl8723au/core/rtw_ap.c
@@ -1256,6 +1256,10 @@ static void update_bcn_wps_ie(struct rtw_adapter
*padapter)
DBG_8723A("%s\n", __func__);
+ pwps_ie_src = pmlmepriv->wps_beacon_ie;
+ if (pwps_ie_src == NULL)
+ return;
+
pwps_ie = rtw_get_wps_ie23a(ie+_FIXED_IE_LENGTH_,
ielen-_FIXED_IE_LENGTH_, NULL, &wps_ielen);
if (pwps_ie == NULL || wps_ielen == 0)
@@ -1274,10 +1278,6 @@ static void update_bcn_wps_ie(struct rtw_adapter
*padapter)
remainder_ielen);
}
- pwps_ie_src = pmlmepriv->wps_beacon_ie;
- if (pwps_ie_src == NULL)
- return;
-
wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */
if ((wps_offset+wps_ielen+2+remainder_ielen)<= MAX_IE_SZ)
{
Regards,
Christian
signature.asc
Description: PGP signature
[PATCH] staging: rtl8188eu: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie().
Make sure that allocated memory for 'pbackup_remainder_ie' is freed
upon return. Detected by Coverity - CID 1077718.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8188eu/core/rtw_ap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_ap.c
b/drivers/staging/rtl8188eu/core/rtw_ap.c
index ff74d0d..6268f44 100644
--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
+++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
@@ -1325,7 +1325,7 @@ static void update_bcn_wps_ie(struct adapter *padapter)
pwps_ie_src = pmlmepriv->wps_beacon_ie;
if (pwps_ie_src == NULL)
- return;
+ goto exit;
wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */
if ((wps_offset+wps_ielen+2+remainder_ielen) <= MAX_IE_SZ) {
@@ -1339,6 +1339,7 @@ static void update_bcn_wps_ie(struct adapter *padapter)
pnetwork->IELength = wps_offset + (wps_ielen+2) +
remainder_ielen;
}
+exit:
kfree(pbackup_remainder_ie);
}
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] staging: rtl8723au: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie(). Make sure that allocated memory for 'pbackup_remainder_ie' is freed upon return. Detected by Coverity - CID 1077718. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8723au/core/rtw_ap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8723au/core/rtw_ap.c b/drivers/staging/rtl8723au/core/rtw_ap.c index 9b31412..f2c78a7 100644 --- a/drivers/staging/rtl8723au/core/rtw_ap.c +++ b/drivers/staging/rtl8723au/core/rtw_ap.c @@ -1276,7 +1276,7 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) pwps_ie_src = pmlmepriv->wps_beacon_ie; if (pwps_ie_src == NULL) - return; + goto exit; wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */ if ((wps_offset+wps_ielen+2+remainder_ielen)<= MAX_IE_SZ) @@ -1291,8 +1291,8 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) pnetwork->IELength = wps_offset + (wps_ielen+2) + remainder_ielen; } - if (pbackup_remainder_ie) - kfree(pbackup_remainder_ie); +exit: + kfree(pbackup_remainder_ie); } static void update_bcn_p2p_ie(struct rtw_adapter *padapter) -- 1.9.1 signature.asc Description: PGP signature
[PATCH] staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()
Fix a potential leak in the error path of r871x_wx_set_enc_ext(). In case the
requested algorithm is not supported by the driver, the function returns
without freeing the already allocated 'param' struct. Move the input
verification to the beginning of the function so that the direct return is
safe. Detected by Coverity - CID 144373.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
index 23d539d..1eca992 100644
--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
@@ -1801,13 +1801,6 @@ static int r871x_wx_set_enc_ext(struct net_device *dev,
u32 param_len;
int ret = 0;
- param_len = sizeof(struct ieee_param) + pext->key_len;
- param = (struct ieee_param *)_malloc(param_len);
- if (param == NULL)
- return -ENOMEM;
- memset(param, 0, param_len);
- param->cmd = IEEE_CMD_SET_ENCRYPTION;
- memset(param->sta_addr, 0xff, ETH_ALEN);
switch (pext->alg) {
case IW_ENCODE_ALG_NONE:
alg_name = "none";
@@ -1824,6 +1817,15 @@ static int r871x_wx_set_enc_ext(struct net_device *dev,
default:
return -EINVAL;
}
+
+ param_len = sizeof(struct ieee_param) + pext->key_len;
+ param = (struct ieee_param *)_malloc(param_len);
+ if (param == NULL)
+ return -ENOMEM;
+ memset(param, 0, param_len);
+ param->cmd = IEEE_CMD_SET_ENCRYPTION;
+ memset(param->sta_addr, 0xff, ETH_ALEN);
+
strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN);
if (pext->ext_flags & IW_ENCODE_EXT_GROUP_KEY)
param->u.crypt.set_tx = 0;
--
1.9.1
signature.asc
Description: PGP signature
[PATCH v2] staging: rtl8188eu: fix potential leak in rtw_set_key()
Fix a potential leak in the error path of rtw_set_key(). In case the requested
algorithm is not supported by the driver, the function returns without
enqueuing or freeing the already allocated command and parameter structs. Use
a centralized exit path and make sure that all memory is freed correctly.
Detected by Coverity - CID 1077716, 1077717.
Signed-off-by: Christian Engelmayer
---
v2: Added changes requested by Dan Carpenter:
* Just return directly where no cleanup is needed.
* Prefer naming labels by the labeled action rather than the goto location.
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8188eu/core/rtw_mlme.c | 19 +++
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme.c
b/drivers/staging/rtl8188eu/core/rtw_mlme.c
index 769d4dd..155282e 100644
--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c
+++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c
@@ -1727,15 +1727,13 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
int res = _SUCCESS;
pcmd = (struct cmd_obj *)rtw_zmalloc(sizeof(struct cmd_obj));
- if (pcmd == NULL) {
- res = _FAIL; /* try again */
- goto exit;
- }
+ if (pcmd == NULL)
+ return _FAIL; /* try again */
+
psetkeyparm = (struct setkey_parm *)rtw_zmalloc(sizeof(struct
setkey_parm));
if (psetkeyparm == NULL) {
- kfree(pcmd);
res = _FAIL;
- goto exit;
+ goto err_free_cmd;
}
_rtw_memset(psetkeyparm, 0, sizeof(struct setkey_parm));
@@ -1784,7 +1782,7 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
("\n rtw_set_key:psecuritypriv->dot11PrivacyAlgrthm=%x
(must be 1 or 2 or 4 or 5)\n",
psecuritypriv->dot11PrivacyAlgrthm));
res = _FAIL;
- goto exit;
+ goto err_free_parm;
}
pcmd->cmdcode = _SetKey_CMD_;
pcmd->parmbuf = (u8 *)psetkeyparm;
@@ -1793,7 +1791,12 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
pcmd->rspsz = 0;
_rtw_init_listhead(&pcmd->list);
res = rtw_enqueue_cmd(pcmdpriv, pcmd);
-exit:
+ return res;
+
+err_free_parm:
+ kfree(psetkeyparm);
+err_free_cmd:
+ kfree(pcmd);
return res;
}
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] staging: rtl8188eu: fix potential leak in rtw_set_key()
Fix a potential leak in the error path of rtw_set_key(). In case the requested
algorithm is not supported by the driver, the function returns without
enqueuing or freeing the already allocated command and parameter structs. Use
a centralized exit path and make sure that all memory is freed correctly.
Detected by Coverity - CID 1077716, 1077717.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8188eu/core/rtw_mlme.c | 15 ++-
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme.c
b/drivers/staging/rtl8188eu/core/rtw_mlme.c
index 769d4dd..275ae7b 100644
--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c
+++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c
@@ -1729,13 +1729,12 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
pcmd = (struct cmd_obj *)rtw_zmalloc(sizeof(struct cmd_obj));
if (pcmd == NULL) {
res = _FAIL; /* try again */
- goto exit;
+ goto fail_noobj;
}
psetkeyparm = (struct setkey_parm *)rtw_zmalloc(sizeof(struct
setkey_parm));
if (psetkeyparm == NULL) {
- kfree(pcmd);
res = _FAIL;
- goto exit;
+ goto fail_noparm;
}
_rtw_memset(psetkeyparm, 0, sizeof(struct setkey_parm));
@@ -1784,7 +1783,7 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
("\n rtw_set_key:psecuritypriv->dot11PrivacyAlgrthm=%x
(must be 1 or 2 or 4 or 5)\n",
psecuritypriv->dot11PrivacyAlgrthm));
res = _FAIL;
- goto exit;
+ goto fail;
}
pcmd->cmdcode = _SetKey_CMD_;
pcmd->parmbuf = (u8 *)psetkeyparm;
@@ -1793,7 +1792,13 @@ int rtw_set_key(struct adapter *adapter, struct
security_priv *psecuritypriv, in
pcmd->rspsz = 0;
_rtw_init_listhead(&pcmd->list);
res = rtw_enqueue_cmd(pcmdpriv, pcmd);
-exit:
+ return res;
+
+fail:
+ kfree(psetkeyparm);
+fail_noparm:
+ kfree(pcmd);
+fail_noobj:
return res;
}
--
1.9.1
signature.asc
Description: PGP signature
Re: [PATCH] staging: comedi: remove duplicate pointer assignments in attach functions
On Mon, 28 Apr 2014 22:36:13 +, Hartley Sweeten
wrote:
> Technically, these drivers are fine as-is.
They are. The proposed change falls under minor code maintenance only.
> They are all legacy comedi drivers and use the manual attach mechanism. The
> dev->board pointer is setup by the comedi core before calling the drivers
> (*attach) so the foo = comedi_board(dev) is getting the board pointer that
> was found by the core.
> Unlike most comedi legacy drivers, these drivers then do an additional "probe"
> to try and identify the board. This could result in the dev->board_ptr getting
> changed which requires updating the local variable for the board pointer.
The point is that while updating dev->board_ptr is necessary in case of the
manual attach use case, deriving the local pointer before dev->board_ptr is
decided is not. Furthermore it might be a bit risky to already have a local
pointer to a valid, but potentially wrong comedi struct preselected by the
core, although it cannot be used safely anyway until overwritten after the
manual probe is done.
Having had a short look over the comedi code I was under the impression that
the change would make the 4 affected functions consistent to the other parts
that seemingly follow the skeleton.
static int skel_attach(struct comedi_device *dev, struct
comedi_devconfig *it)
{
const struct skel_board *thisboard;
struct skel_private *devpriv;
/*
* If you can probe the device to determine what device in a
series
* it is, this is the place to do it. Otherwise, dev->board_ptr
* should already be initialized.
*/
/* dev->board_ptr = skel_probe(dev, it); */
thisboard = comedi_board(dev);
> These probe functions need to be looked at to see if they are actually needed.
> For now I would prefer that the existing code stay as-is.
That added about the intention of the patch, I'm fine if You want to question
the necessity of the probes as a whole and keep the legacy code meanwhile
untouched.
Regards,
Christian
signature.asc
Description: PGP signature
[PATCH 2/5] staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext()
Function rtw_wx_set_enc_ext() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077712. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 45b47e2..1bd476d 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -2097,7 +2097,8 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, alg_name = "CCMP"; break; default: - return -1; + ret = -1; + goto exit; } strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); @@ -2124,6 +2125,7 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, ret = wpa_set_encryption(dev, param, param_len); +exit: kfree(param); return ret; } -- 1.9.1 signature.asc Description: PGP signature
[PATCH 4/5] staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath()
Function rtw_mp_SetRFPath() dynamically allocates a temporary buffer that
is not freed in all error paths. Use a centralized exit path and make sure
that all memory is freed correctly. Detected by Coverity - CID 1077714.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index 8b1579b..ea5e1f8 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -7321,11 +7321,14 @@ static int rtw_mp_SetRFPath(struct net_device *dev,
struct adapter *padapter = rtw_netdev_priv(dev);
char*input = kmalloc(wrqu->data.length, GFP_KERNEL);
u8 bMain = 1, bTurnoff = 1;
+ int ret = 0;
if (!input)
return -ENOMEM;
- if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
- return -EFAULT;
+ if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) {
+ ret = -EFAULT;
+ goto exit;
+ }
DBG_88E("%s:iwpriv in =%s\n", __func__, input);
bMain = strncmp(input, "1", 2); /* strncmp true is 0 */
@@ -7338,8 +7341,10 @@ static int rtw_mp_SetRFPath(struct net_device *dev,
MP_PHY_SetRFPathSwitch(padapter, false);
DBG_88E("%s:PHY_SetRFPathSwitch = false\n", __func__);
}
+
+exit:
kfree(input);
- return 0;
+ return ret;
}
static int rtw_mp_QueryDrv(struct net_device *dev,
--
1.9.1
signature.asc
Description: PGP signature
[PATCH 0/5] staging: rtl8188eu: fix Coverity defects in os_dep/ioctl_linux.c
This is a cleanup of staging/rtl8188eu/os_dep/ioctl_linux.c regarding Coverity resource leak findings. The changes leave the current implementation intact and just attack the problems in the error paths, however, it seems that we could get easily rid of some of the mallocs altogether. char *input = kmalloc(wrqu->data.length, GFP_KERNEL); copy_from_user(input, wrqu->data.pointer, wrqu->data.length); qAutoLoad = strncmp(input, "autoload", 8); The series is compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git Christian Engelmayer (5): staging: rtl8188eu: fix potential leak in rtw_wx_read32() staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext() staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv() staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath() staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk() drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 69 +- 1 file changed, 45 insertions(+), 24 deletions(-) -- 1.9.1 signature.asc Description: PGP signature
[PATCH 1/5] staging: rtl8188eu: fix potential leak in rtw_wx_read32()
Function rtw_wx_read32() dynamically allocates a temporary buffer that is not
freed in all error paths. Use a centralized exit path and make sure that all
memory is freed correctly. Detected by Coverity - CID 1077711.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index cf30a08..45b47e2 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -2154,6 +2154,7 @@ static int rtw_wx_read32(struct net_device *dev,
u32 bytes;
u8 *ptmp;
int rv;
+ int ret = 0;
padapter = (struct adapter *)rtw_netdev_priv(dev);
p = &wrqu->data;
@@ -2163,16 +2164,16 @@ static int rtw_wx_read32(struct net_device *dev,
return -ENOMEM;
if (copy_from_user(ptmp, p->pointer, len)) {
- kfree(ptmp);
- return -EFAULT;
+ ret = -EFAULT;
+ goto exit;
}
bytes = 0;
addr = 0;
rv = sscanf(ptmp, "%d,%x", &bytes, &addr);
if (rv != 2) {
- kfree(ptmp);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
switch (bytes) {
@@ -2190,12 +2191,14 @@ static int rtw_wx_read32(struct net_device *dev,
break;
default:
DBG_88E(KERN_INFO "%s: usage> read [bytes],[address(hex)]\n",
__func__);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
DBG_88E(KERN_INFO "%s: addr = 0x%08X data =%s\n", __func__, addr,
extra);
+exit:
kfree(ptmp);
- return 0;
+ return ret;
}
static int rtw_wx_write32(struct net_device *dev,
--
1.9.1
signature.asc
Description: PGP signature
[PATCH 5/5] staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk()
Function rtw_mp_pwrtrk() dynamically allocates a temporary buffer that
is not freed in all error paths. Use a centralized exit path and make sure
that all memory is freed correctly. Detected by Coverity - 1077715.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 28 --
1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index ea5e1f8..f04aaa3 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -7119,15 +7119,15 @@ static int rtw_mp_pwrtrk(struct net_device *dev,
{
u8 enable;
u32 thermal;
- s32 ret;
struct adapter *padapter = rtw_netdev_priv(dev);
char*input = kmalloc(wrqu->length, GFP_KERNEL);
+ int ret = 0;
if (!input)
return -ENOMEM;
if (copy_from_user(input, wrqu->pointer, wrqu->length)) {
- kfree(input);
- return -EFAULT;
+ ret = -EFAULT;
+ goto exit;
}
_rtw_memset(extra, 0, wrqu->length);
@@ -7138,22 +7138,28 @@ static int rtw_mp_pwrtrk(struct net_device *dev,
sprintf(extra, "mp tx power tracking stop");
} else if (sscanf(input, "ther =%d", &thermal)) {
ret = Hal_SetThermalMeter(padapter,
(u8)thermal);
- if (ret == _FAIL)
- return -EPERM;
+ if (ret == _FAIL) {
+ ret = -EPERM;
+ goto exit;
+ }
sprintf(extra, "mp tx power tracking start,
target value =%d ok ", thermal);
} else {
- kfree(input);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
}
- kfree(input);
ret = Hal_SetPowerTracking(padapter, enable);
- if (ret == _FAIL)
- return -EPERM;
+ if (ret == _FAIL) {
+ ret = -EPERM;
+ goto exit;
+ }
wrqu->length = strlen(extra);
- return 0;
+
+exit:
+ kfree(input);
+ return ret;
}
static int rtw_mp_psd(struct net_device *dev,
--
1.9.1
signature.asc
Description: PGP signature
[PATCH 3/5] staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv()
Function rtw_mp_QueryDrv() dynamically allocates a temporary buffer that
is not freed in all error paths. Use a centralized exit path and make sure
that all memory is freed correctly. Detected by Coverity - CID 1077713.
Signed-off-by: Christian Engelmayer
---
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
index 1bd476d..8b1579b 100644
--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
@@ -7350,12 +7350,15 @@ static int rtw_mp_QueryDrv(struct net_device *dev,
char*input = kmalloc(wrqu->data.length, GFP_KERNEL);
u8 qAutoLoad = 1;
struct eeprom_priv *pEEPROM = GET_EEPROM_EFUSE_PRIV(padapter);
+ int ret = 0;
if (!input)
return -ENOMEM;
- if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
- return -EFAULT;
+ if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) {
+ ret = -EFAULT;
+ goto exit;
+ }
DBG_88E("%s:iwpriv in =%s\n", __func__, input);
qAutoLoad = strncmp(input, "autoload", 8); /* strncmp true is 0 */
@@ -7369,8 +7372,10 @@ static int rtw_mp_QueryDrv(struct net_device *dev,
sprintf(extra, "ok");
}
wrqu->data.length = strlen(extra) + 1;
+
+exit:
kfree(input);
- return 0;
+ return ret;
}
static int rtw_mp_set(struct net_device *dev,
--
1.9.1
signature.asc
Description: PGP signature
[PATCH v2] staging: silicom: Remove unused pointer in bypass_init_module()
Pointer 'pbpctl_dev_c' in function bypass_init_module() is unused. Thus remove
it. With the last variable declaration gone, there is no more need for an own
block. Remove it and adapt the indenting accordingly.
Signed-off-by: Christian Engelmayer
---
v2: Added changes requested by Dan Carpenter:
Dan pointed out that with the declaration gone, the indent block shall be
removed. This was intentionally left out in v1 in order to keep the
changeset more readable. However, according to the input, also with the
additional indenting change this still qualifies for one logical change.
Compile tested and applies against v3.15-rc2 as well as branch staging-next
of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/silicom/bpctl_mod.c | 41 +++--
1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/drivers/staging/silicom/bpctl_mod.c
b/drivers/staging/silicom/bpctl_mod.c
index 7f3d884..2fb9a6f 100644
--- a/drivers/staging/silicom/bpctl_mod.c
+++ b/drivers/staging/silicom/bpctl_mod.c
@@ -6371,33 +6371,26 @@ static int __init bypass_init_module(void)
sema_init(&bpctl_sema, 1);
spin_lock_init(&bpvm_lock);
- {
-
- struct bpctl_dev *pbpctl_dev_c = NULL;
- for (idx_dev = 0, dev = bpctl_dev_arr;
-idx_dev < device_num && dev->pdev;
-idx_dev++, dev++) {
- if (dev->bp_10g9) {
- pbpctl_dev_c = get_status_port_fn(dev);
- if (is_bypass_fn(dev)) {
- printk(KERN_INFO "%s found, ",
- dev->name);
- dev->bp_fw_ver = bypass_fw_ver(dev);
- printk("firmware version: 0x%x\n",
- dev->bp_fw_ver);
- }
- dev->wdt_status = WDT_STATUS_UNKNOWN;
- dev->reset_time = 0;
- atomic_set(&dev->wdt_busy, 0);
- dev->bp_status_un = 1;
-
- bypass_caps_init(dev);
-
- init_bypass_wd_auto(dev);
- init_bypass_tpl_auto(dev);
+ for (idx_dev = 0, dev = bpctl_dev_arr;
+idx_dev < device_num && dev->pdev;
+idx_dev++, dev++) {
+ if (dev->bp_10g9) {
+ if (is_bypass_fn(dev)) {
+ printk(KERN_INFO "%s found, ", dev->name);
+ dev->bp_fw_ver = bypass_fw_ver(dev);
+ printk("firmware version: 0x%x\n",
+ dev->bp_fw_ver);
}
+ dev->wdt_status = WDT_STATUS_UNKNOWN;
+ dev->reset_time = 0;
+ atomic_set(&dev->wdt_busy, 0);
+ dev->bp_status_un = 1;
+
+ bypass_caps_init(dev);
+ init_bypass_wd_auto(dev);
+ init_bypass_tpl_auto(dev);
}
}
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] staging: silicom: Remove unused pointer in bypass_init_module()
Pointer 'pbpctl_dev_c' in function bypass_init_module() is unused.
Thus remove it.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against v3.15-rc2 as well as branch staging-next
of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/silicom/bpctl_mod.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/staging/silicom/bpctl_mod.c
b/drivers/staging/silicom/bpctl_mod.c
index 7f3d884..2bf8964 100644
--- a/drivers/staging/silicom/bpctl_mod.c
+++ b/drivers/staging/silicom/bpctl_mod.c
@@ -6372,13 +6372,10 @@ static int __init bypass_init_module(void)
sema_init(&bpctl_sema, 1);
spin_lock_init(&bpvm_lock);
{
-
- struct bpctl_dev *pbpctl_dev_c = NULL;
for (idx_dev = 0, dev = bpctl_dev_arr;
idx_dev < device_num && dev->pdev;
idx_dev++, dev++) {
if (dev->bp_10g9) {
- pbpctl_dev_c = get_status_port_fn(dev);
if (is_bypass_fn(dev)) {
printk(KERN_INFO "%s found, ",
dev->name);
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] staging: rtl8723au: Remove unused pointer in rtw_wdev_free()
Pointer 'pwdev_priv' in function rtw_wdev_free() is unused - thus remove it.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against v3.15-rc2 as well as branch staging-next
of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c | 4
1 file changed, 4 deletions(-)
diff --git a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
index ca100dc..be89741 100644
--- a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c
@@ -3576,15 +3576,11 @@ exit:
void rtw_wdev_free(struct wireless_dev *wdev)
{
- struct rtw_wdev_priv *pwdev_priv;
-
DBG_8723A("%s(wdev =%p)\n", __func__, wdev);
if (!wdev)
return;
- pwdev_priv = wdev_to_priv(wdev);
-
kfree(wdev->wiphy->bands[IEEE80211_BAND_2GHZ]);
kfree(wdev->wiphy->bands[IEEE80211_BAND_5GHZ]);
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] staging: silicom: Remove needless calls of get_status_port_fn()
Remove a needless pointer initialisation and call to get_status_port_fn()
in functions remove_bypass_tpl_auto() and set_tpl_fn(). Variable
'pbpctl_dev_b' is set correctly later in the function before first use.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against v3.15-rc2 as well as branch staging-next
of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/silicom/bpctl_mod.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/silicom/bpctl_mod.c
b/drivers/staging/silicom/bpctl_mod.c
index 2bf8964..fd2adf4 100644
--- a/drivers/staging/silicom/bpctl_mod.c
+++ b/drivers/staging/silicom/bpctl_mod.c
@@ -4735,10 +4735,9 @@ static void bp_tpl_timer_fn(unsigned long param)
static void remove_bypass_tpl_auto(struct bpctl_dev *pbpctl_dev)
{
- struct bpctl_dev *pbpctl_dev_b = NULL;
+ struct bpctl_dev *pbpctl_dev_b;
if (!pbpctl_dev)
return;
- pbpctl_dev_b = get_status_port_fn(pbpctl_dev);
if (pbpctl_dev->bp_caps & TPL_CAP) {
del_timer_sync(&pbpctl_dev->bp_tpl_timer);
@@ -4785,12 +4784,10 @@ static int set_bypass_tpl_auto(struct bpctl_dev
*pbpctl_dev, unsigned int param)
static int set_tpl_fn(struct bpctl_dev *pbpctl_dev, int tpl_mode)
{
- struct bpctl_dev *pbpctl_dev_b = NULL;
+ struct bpctl_dev *pbpctl_dev_b;
if (!pbpctl_dev)
return -1;
- pbpctl_dev_b = get_status_port_fn(pbpctl_dev);
-
if (pbpctl_dev->bp_caps & TPL_CAP) {
if (tpl_mode) {
pbpctl_dev_b = get_status_port_fn(pbpctl_dev);
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] staging: comedi: remove duplicate pointer assignments in attach functions
Some board pointer are assigned twice via comedi_board() in the comedi low
level driver attach functions. Remove the duplicate assignment from the
variable definition where the pointer is not used anyway until assigned later
in the function when dev->board_ptr, that comedi_board() relies on, is setup
correctly.
Signed-off-by: Christian Engelmayer
---
Compile tested and applies against v3.15-rc2 as well as branch staging-next
of tree git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
---
drivers/staging/comedi/drivers/das1800.c | 2 +-
drivers/staging/comedi/drivers/das800.c | 2 +-
drivers/staging/comedi/drivers/dt2801.c | 2 +-
drivers/staging/comedi/drivers/ni_at_a2150.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/comedi/drivers/das1800.c
b/drivers/staging/comedi/drivers/das1800.c
index d581029..0335a70 100644
--- a/drivers/staging/comedi/drivers/das1800.c
+++ b/drivers/staging/comedi/drivers/das1800.c
@@ -1479,7 +1479,7 @@ static int das1800_probe(struct comedi_device *dev)
static int das1800_attach(struct comedi_device *dev,
struct comedi_devconfig *it)
{
- const struct das1800_board *thisboard = comedi_board(dev);
+ const struct das1800_board *thisboard;
struct das1800_private *devpriv;
struct comedi_subdevice *s;
unsigned int irq = it->options[1];
diff --git a/drivers/staging/comedi/drivers/das800.c
b/drivers/staging/comedi/drivers/das800.c
index b23a12c..e2dc43d 100644
--- a/drivers/staging/comedi/drivers/das800.c
+++ b/drivers/staging/comedi/drivers/das800.c
@@ -683,7 +683,7 @@ static int das800_probe(struct comedi_device *dev)
static int das800_attach(struct comedi_device *dev, struct comedi_devconfig
*it)
{
- const struct das800_board *thisboard = comedi_board(dev);
+ const struct das800_board *thisboard;
struct das800_private *devpriv;
struct comedi_subdevice *s;
unsigned int irq = it->options[1];
diff --git a/drivers/staging/comedi/drivers/dt2801.c
b/drivers/staging/comedi/drivers/dt2801.c
index d4d4e4b..4263014 100644
--- a/drivers/staging/comedi/drivers/dt2801.c
+++ b/drivers/staging/comedi/drivers/dt2801.c
@@ -545,7 +545,7 @@ static int dt2801_dio_insn_config(struct comedi_device *dev,
*/
static int dt2801_attach(struct comedi_device *dev, struct comedi_devconfig
*it)
{
- const struct dt2801_board *board = comedi_board(dev);
+ const struct dt2801_board *board;
struct dt2801_private *devpriv;
struct comedi_subdevice *s;
int board_code, type;
diff --git a/drivers/staging/comedi/drivers/ni_at_a2150.c
b/drivers/staging/comedi/drivers/ni_at_a2150.c
index afbf251..fefd97e 100644
--- a/drivers/staging/comedi/drivers/ni_at_a2150.c
+++ b/drivers/staging/comedi/drivers/ni_at_a2150.c
@@ -695,7 +695,7 @@ static int a2150_probe(struct comedi_device *dev)
static int a2150_attach(struct comedi_device *dev, struct comedi_devconfig *it)
{
- const struct a2150_board *thisboard = comedi_board(dev);
+ const struct a2150_board *thisboard;
struct a2150_private *devpriv;
struct comedi_subdevice *s;
unsigned int irq = it->options[1];
--
1.9.1
signature.asc
Description: PGP signature
[PATCH RESEND] wlcore: fix usage of platform_device_add_data()
Coverity CID 986698 reports leakage of struct wlcore_platdev_data in the
probe functions of both the SPI/SDIO interfaces. The structure passed to
platform_device_add_data() is dynamically allocated and only freed in the
error paths, however, platform_device_add_data() adds a copy of the platform
specific data to the device. Move the temporary struct that is kmemdup'ed
to the stack. This issue exists since afb43e6d (wlcore: remove if_ops from
platform_data).
Signed-off-by: Christian Engelmayer
---
Applies against v3.15-rc2 as well as branch master in tree
git.kernel.org/pub/scm/linux/kernel/git/linville/wireless.git and is compile
tested only.
Resend with updated mail address: Luciano Coelho
---
drivers/net/wireless/ti/wlcore/sdio.c | 28 +++-
drivers/net/wireless/ti/wlcore/spi.c | 23 +--
2 files changed, 20 insertions(+), 31 deletions(-)
diff --git a/drivers/net/wireless/ti/wlcore/sdio.c
b/drivers/net/wireless/ti/wlcore/sdio.c
index 29ef249..d3dd7bf 100644
--- a/drivers/net/wireless/ti/wlcore/sdio.c
+++ b/drivers/net/wireless/ti/wlcore/sdio.c
@@ -217,7 +217,7 @@ static struct wl1271_if_operations sdio_ops = {
static int wl1271_probe(struct sdio_func *func,
const struct sdio_device_id *id)
{
- struct wlcore_platdev_data *pdev_data;
+ struct wlcore_platdev_data pdev_data;
struct wl12xx_sdio_glue *glue;
struct resource res[1];
mmc_pm_flag_t mmcflags;
@@ -228,16 +228,13 @@ static int wl1271_probe(struct sdio_func *func,
if (func->num != 0x02)
return -ENODEV;
- pdev_data = kzalloc(sizeof(*pdev_data), GFP_KERNEL);
- if (!pdev_data)
- goto out;
-
- pdev_data->if_ops = &sdio_ops;
+ memset(&pdev_data, 0x00, sizeof(pdev_data));
+ pdev_data.if_ops = &sdio_ops;
glue = kzalloc(sizeof(*glue), GFP_KERNEL);
if (!glue) {
dev_err(&func->dev, "can't allocate glue\n");
- goto out_free_pdev_data;
+ goto out;
}
glue->dev = &func->dev;
@@ -248,9 +245,9 @@ static int wl1271_probe(struct sdio_func *func,
/* Use block mode for transferring over one block size of data */
func->card->quirks |= MMC_QUIRK_BLKSZ_FOR_BYTE_MODE;
- pdev_data->pdata = wl12xx_get_platform_data();
- if (IS_ERR(pdev_data->pdata)) {
- ret = PTR_ERR(pdev_data->pdata);
+ pdev_data.pdata = wl12xx_get_platform_data();
+ if (IS_ERR(pdev_data.pdata)) {
+ ret = PTR_ERR(pdev_data.pdata);
dev_err(glue->dev, "missing wlan platform data: %d\n", ret);
goto out_free_glue;
}
@@ -260,7 +257,7 @@ static int wl1271_probe(struct sdio_func *func,
dev_dbg(glue->dev, "sdio PM caps = 0x%x\n", mmcflags);
if (mmcflags & MMC_PM_KEEP_POWER)
- pdev_data->pdata->pwr_in_suspend = true;
+ pdev_data.pdata->pwr_in_suspend = true;
sdio_set_drvdata(func, glue);
@@ -289,7 +286,7 @@ static int wl1271_probe(struct sdio_func *func,
memset(res, 0x00, sizeof(res));
- res[0].start = pdev_data->pdata->irq;
+ res[0].start = pdev_data.pdata->irq;
res[0].flags = IORESOURCE_IRQ;
res[0].name = "irq";
@@ -299,8 +296,8 @@ static int wl1271_probe(struct sdio_func *func,
goto out_dev_put;
}
- ret = platform_device_add_data(glue->core, pdev_data,
- sizeof(*pdev_data));
+ ret = platform_device_add_data(glue->core, &pdev_data,
+ sizeof(pdev_data));
if (ret) {
dev_err(glue->dev, "can't add platform data\n");
goto out_dev_put;
@@ -319,9 +316,6 @@ out_dev_put:
out_free_glue:
kfree(glue);
-out_free_pdev_data:
- kfree(pdev_data);
-
out:
return ret;
}
diff --git a/drivers/net/wireless/ti/wlcore/spi.c
b/drivers/net/wireless/ti/wlcore/spi.c
index dbe826d..5f3a389 100644
--- a/drivers/net/wireless/ti/wlcore/spi.c
+++ b/drivers/net/wireless/ti/wlcore/spi.c
@@ -327,27 +327,25 @@ static struct wl1271_if_operations spi_ops = {
static int wl1271_probe(struct spi_device *spi)
{
struct wl12xx_spi_glue *glue;
- struct wlcore_platdev_data *pdev_data;
+ struct wlcore_platdev_data pdev_data;
struct resource res[1];
int ret = -ENOMEM;
- pdev_data = kzalloc(sizeof(*pdev_data), GFP_KERNEL);
- if (!pdev_data)
- goto out;
+ memset(&pdev_data, 0x00, sizeof(pdev_data));
- pdev_data->pdata = dev_get_platdata(&spi->dev);
- if (!pdev_data->pdata) {
+ pdev_data.pdata = dev_get_platdata(&spi->dev);
+
[PATCH] wlcore: fix usage of platform_device_add_data()
Coverity CID 986698 reports leakage of struct wlcore_platdev_data in the
probe functions of both the SPI/SDIO interfaces. The structure passed to
platform_device_add_data() is dynamically allocated and only freed in the
error paths, however, platform_device_add_data() adds a copy of the platform
specific data to the device. Move the temporary struct that is kmemdup'ed
to the stack. This issue exists since afb43e6d (wlcore: remove if_ops from
platform_data).
Signed-off-by: Christian Engelmayer
---
Applies against v3.15-rc2 as well as branch master in tree
git.kernel.org/pub/scm/linux/kernel/git/linville/wireless.git and is compile
tested only.
---
drivers/net/wireless/ti/wlcore/sdio.c | 28 +++-
drivers/net/wireless/ti/wlcore/spi.c | 23 +--
2 files changed, 20 insertions(+), 31 deletions(-)
diff --git a/drivers/net/wireless/ti/wlcore/sdio.c
b/drivers/net/wireless/ti/wlcore/sdio.c
index 29ef249..d3dd7bf 100644
--- a/drivers/net/wireless/ti/wlcore/sdio.c
+++ b/drivers/net/wireless/ti/wlcore/sdio.c
@@ -217,7 +217,7 @@ static struct wl1271_if_operations sdio_ops = {
static int wl1271_probe(struct sdio_func *func,
const struct sdio_device_id *id)
{
- struct wlcore_platdev_data *pdev_data;
+ struct wlcore_platdev_data pdev_data;
struct wl12xx_sdio_glue *glue;
struct resource res[1];
mmc_pm_flag_t mmcflags;
@@ -228,16 +228,13 @@ static int wl1271_probe(struct sdio_func *func,
if (func->num != 0x02)
return -ENODEV;
- pdev_data = kzalloc(sizeof(*pdev_data), GFP_KERNEL);
- if (!pdev_data)
- goto out;
-
- pdev_data->if_ops = &sdio_ops;
+ memset(&pdev_data, 0x00, sizeof(pdev_data));
+ pdev_data.if_ops = &sdio_ops;
glue = kzalloc(sizeof(*glue), GFP_KERNEL);
if (!glue) {
dev_err(&func->dev, "can't allocate glue\n");
- goto out_free_pdev_data;
+ goto out;
}
glue->dev = &func->dev;
@@ -248,9 +245,9 @@ static int wl1271_probe(struct sdio_func *func,
/* Use block mode for transferring over one block size of data */
func->card->quirks |= MMC_QUIRK_BLKSZ_FOR_BYTE_MODE;
- pdev_data->pdata = wl12xx_get_platform_data();
- if (IS_ERR(pdev_data->pdata)) {
- ret = PTR_ERR(pdev_data->pdata);
+ pdev_data.pdata = wl12xx_get_platform_data();
+ if (IS_ERR(pdev_data.pdata)) {
+ ret = PTR_ERR(pdev_data.pdata);
dev_err(glue->dev, "missing wlan platform data: %d\n", ret);
goto out_free_glue;
}
@@ -260,7 +257,7 @@ static int wl1271_probe(struct sdio_func *func,
dev_dbg(glue->dev, "sdio PM caps = 0x%x\n", mmcflags);
if (mmcflags & MMC_PM_KEEP_POWER)
- pdev_data->pdata->pwr_in_suspend = true;
+ pdev_data.pdata->pwr_in_suspend = true;
sdio_set_drvdata(func, glue);
@@ -289,7 +286,7 @@ static int wl1271_probe(struct sdio_func *func,
memset(res, 0x00, sizeof(res));
- res[0].start = pdev_data->pdata->irq;
+ res[0].start = pdev_data.pdata->irq;
res[0].flags = IORESOURCE_IRQ;
res[0].name = "irq";
@@ -299,8 +296,8 @@ static int wl1271_probe(struct sdio_func *func,
goto out_dev_put;
}
- ret = platform_device_add_data(glue->core, pdev_data,
- sizeof(*pdev_data));
+ ret = platform_device_add_data(glue->core, &pdev_data,
+ sizeof(pdev_data));
if (ret) {
dev_err(glue->dev, "can't add platform data\n");
goto out_dev_put;
@@ -319,9 +316,6 @@ out_dev_put:
out_free_glue:
kfree(glue);
-out_free_pdev_data:
- kfree(pdev_data);
-
out:
return ret;
}
diff --git a/drivers/net/wireless/ti/wlcore/spi.c
b/drivers/net/wireless/ti/wlcore/spi.c
index dbe826d..5f3a389 100644
--- a/drivers/net/wireless/ti/wlcore/spi.c
+++ b/drivers/net/wireless/ti/wlcore/spi.c
@@ -327,27 +327,25 @@ static struct wl1271_if_operations spi_ops = {
static int wl1271_probe(struct spi_device *spi)
{
struct wl12xx_spi_glue *glue;
- struct wlcore_platdev_data *pdev_data;
+ struct wlcore_platdev_data pdev_data;
struct resource res[1];
int ret = -ENOMEM;
- pdev_data = kzalloc(sizeof(*pdev_data), GFP_KERNEL);
- if (!pdev_data)
- goto out;
+ memset(&pdev_data, 0x00, sizeof(pdev_data));
- pdev_data->pdata = dev_get_platdata(&spi->dev);
- if (!pdev_data->pdata) {
+ pdev_data.pdata = dev_get_platdata(&spi->dev);
+ if (!pdev_data.pdata) {
dev_err(
Re: [PATCH 1/3] crypto: Fix potential leak in test_aead_speed() if aad_size is too big
On Wed, 23 Apr 2014 01:33:05 +0200, Marek Vasut wrote:
> On Monday, April 21, 2014 at 08:45:59 PM, Christian Engelmayer wrote:
> > + if (aad_size >= PAGE_SIZE) {
>
> On an unrelated note ... Won't if (aad_size > PAGE_SIZE) be sufficient here?
From what I have seen how the buffers are allocated via __get_free_page() I
thought so too. However, as it previously read
if (aad_size < PAGE_SIZE)
memset(assoc, 0xff, aad_size);
else {
my intention was simply to make the modification so that the bug is addressed
without introducing an additional change.
Regards,
Christian
signature.asc
Description: PGP signature
[PATCH 0/3] Cleanup ressource leaks in test_aead_speed()
This is a cleanup of Coverity ressource leak findings for the quick & dirty crypto testing module crypto/tcrypt.c. All 3 changesets address function test_aead_speed() that was introduced in 53f52d7a (crypto: tcrypt - Added speed tests for AEAD crypto alogrithms in tcrypt test suite) The series applies against v3.15-rc2 as well as branch master in tree git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git and is compile tested only. Christian Engelmayer (3): crypto: Fix potential leak in test_aead_speed() if aad_size is too big crypto: Fix potential leak in test_aead_speed() if crypto_alloc_aead() fails crypto: Fix leak of struct aead_request in test_aead_speed() crypto/tcrypt.c | 21 +++-- 1 file changed, 11 insertions(+), 10 deletions(-) -- 1.9.1 signature.asc Description: PGP signature
[PATCH 3/3] crypto: Fix leak of struct aead_request in test_aead_speed()
Fix leakage of memory for struct aead_request that is allocated via
aead_request_alloc() but not released via aead_request_free().
Reported by Coverity - CID 1163869.
Signed-off-by: Christian Engelmayer
---
crypto/tcrypt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 1849155..09c93ff2 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -320,7 +320,7 @@ static void test_aead_speed(const char *algo, int enc,
unsigned int sec,
if (!req) {
pr_err("alg: aead: Failed to allocate request for %s\n",
algo);
- goto out;
+ goto out_noreq;
}
i = 0;
@@ -390,6 +390,8 @@ static void test_aead_speed(const char *algo, int enc,
unsigned int sec,
} while (*keysize);
out:
+ aead_request_free(req);
+out_noreq:
crypto_free_aead(tfm);
out_notfm:
kfree(sg);
--
1.9.1
signature.asc
Description: PGP signature
[PATCH 2/3] crypto: Fix potential leak in test_aead_speed() if crypto_alloc_aead() fails
Fix a potential memory leak in the error handling of test_aead_speed(). In case
crypto_alloc_aead() fails, the function returns without going through the
centralized cleanup path. Reported by Coverity - CID 1163870.
Signed-off-by: Christian Engelmayer
---
crypto/tcrypt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 1856d7f..1849155 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -313,7 +313,7 @@ static void test_aead_speed(const char *algo, int enc,
unsigned int sec,
if (IS_ERR(tfm)) {
pr_err("alg: aead: Failed to load transform for %s: %ld\n",
algo,
PTR_ERR(tfm));
- return;
+ goto out_notfm;
}
req = aead_request_alloc(tfm, GFP_KERNEL);
@@ -391,6 +391,7 @@ static void test_aead_speed(const char *algo, int enc,
unsigned int sec,
out:
crypto_free_aead(tfm);
+out_notfm:
kfree(sg);
out_nosg:
testmgr_free_buf(xoutbuf);
--
1.9.1
signature.asc
Description: PGP signature
[PATCH 1/3] crypto: Fix potential leak in test_aead_speed() if aad_size is too big
Fix a potential memory leak in the error handling of test_aead_speed(). In case
the size check on the associate data length parameter fails, the function goes
through the wrong exit label. Reported by Coverity - CID 1163870.
Signed-off-by: Christian Engelmayer
---
crypto/tcrypt.c | 14 ++
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 870be7b..1856d7f 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -282,6 +282,11 @@ static void test_aead_speed(const char *algo, int enc,
unsigned int sec,
unsigned int *b_size;
unsigned int iv_len;
+ if (aad_size >= PAGE_SIZE) {
+ pr_err("associate data length (%u) too big\n", aad_size);
+ return;
+ }
+
if (enc == ENCRYPT)
e = "encryption";
else
@@ -323,14 +328,7 @@ static void test_aead_speed(const char *algo, int enc,
unsigned int sec,
b_size = aead_sizes;
do {
assoc = axbuf[0];
-
- if (aad_size < PAGE_SIZE)
- memset(assoc, 0xff, aad_size);
- else {
- pr_err("associate data length (%u) too big\n",
- aad_size);
- goto out_nosg;
- }
+ memset(assoc, 0xff, aad_size);
sg_init_one(&asg[0], assoc, aad_size);
if ((*keysize + *b_size) > TVMEMSIZE * PAGE_SIZE) {
--
1.9.1
signature.asc
Description: PGP signature
[PATCH] mtd: nand: omap: fix compile warning on ‘erased_sector_bitflips’
Commit 2c9f2365 (mtd: nand: omap: ecc.calculate: merge omap3_calculate_ecc_bch4 in omap_calculate_ecc_bch) introduced minor compile warning "‘erased_sector_bitflips’ defined but not used [-Wunused-function]" when compiling without CONFIG_MTD_NAND_OMAP_BCH. Move function erased_sector_bitflips() into the same ifdef section as the only caller. Signed-off-by: Christian Engelmayer --- drivers/mtd/nand/omap2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/omap2.c b/drivers/mtd/nand/omap2.c index 1ff49b8..1b800bc 100644 --- a/drivers/mtd/nand/omap2.c +++ b/drivers/mtd/nand/omap2.c @@ -1237,6 +1237,7 @@ static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd, return 0; } +#ifdef CONFIG_MTD_NAND_OMAP_BCH /** * erased_sector_bitflips - count bit flips * @data: data sector buffer @@ -1276,7 +1277,6 @@ static int erased_sector_bitflips(u_char *data, u_char *oob, return flip_bits; } -#ifdef CONFIG_MTD_NAND_OMAP_BCH /** * omap_elm_correct_data - corrects page data area in case error reported * @mtd: MTD device structure -- 1.8.3.2 signature.asc Description: PGP signature
[PATCH] ASoC: Intel: Fix a self assignment in sst_mem_block_alloc_scratch()
Remove a self assignment in sst_mem_block_alloc_scratch(). When calculating
buffer sizes there is no need for statements without effect. Detected by
Coverity: CID 1195249.
Signed-off-by: Christian Engelmayer
---
sound/soc/intel/sst-firmware.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/sound/soc/intel/sst-firmware.c b/sound/soc/intel/sst-firmware.c
index f768710..f24619a 100644
--- a/sound/soc/intel/sst-firmware.c
+++ b/sound/soc/intel/sst-firmware.c
@@ -505,9 +505,7 @@ struct sst_module *sst_mem_block_alloc_scratch(struct
sst_dsp *dsp)
/* calculate required scratch size */
list_for_each_entry(sst_module, &dsp->module_list, list) {
- if (scratch->s.size > sst_module->s.size)
- scratch->s.size = scratch->s.size;
- else
+ if (scratch->s.size < sst_module->s.size)
scratch->s.size = sst_module->s.size;
}
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH] ASoC: Intel: Fix incorrect sizeof() in sst_hsw_stream_get_volume()
Fix an incorrect sizeof() usage in sst_hsw_stream_get_volume(). sst_dsp_read() is called to read into a variable of type u32, but is passed sizeof(u32 *) for argument 'size_t bytes'. Detected by Coverity: CID 1195260. Signed-off-by: Christian Engelmayer --- sound/soc/intel/sst-haswell-ipc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/intel/sst-haswell-ipc.c b/sound/soc/intel/sst-haswell-ipc.c index f46bb4d..455a185 100644 --- a/sound/soc/intel/sst-haswell-ipc.c +++ b/sound/soc/intel/sst-haswell-ipc.c @@ -991,7 +991,8 @@ int sst_hsw_stream_get_volume(struct sst_hsw *hsw, struct sst_hsw_stream *stream return -EINVAL; sst_dsp_read(hsw->dsp, volume, - stream->reply.volume_register_address[channel], sizeof(volume)); + stream->reply.volume_register_address[channel], + sizeof(*volume)); return 0; } -- 1.8.3.2 signature.asc Description: PGP signature
Re: [PATCH resend] rsi: Fix a potential memory leak in rsi_set_channel()
On Thu, 10 Apr 2014 16:01:35 -0400, Andev wrote: > On Thu, Apr 10, 2014 at 3:54 PM, Greg Kroah-Hartman wrote: > > On Thu, Apr 10, 2014 at 03:46:12PM -0400, Andev wrote: > >> Adding Greg KH, > > > > Why do I care about this? > > > > I am not sure if this needs to be applied to stable too. Should I have > cc'ed stable@? > Besides what Dan pointed out, this driver has just been pulled recently and afaik is not included in v3.14. see http://www.spinics.net/lists/netdev/msg276519.html Regards, Christian signature.asc Description: PGP signature
[PATCH resend] rsi: Fix a potential memory leak in rsi_send_auto_rate_request()
Fix a potential memory leak in the error path of function
rsi_send_auto_rate_request(). In case memory allocation for array
'selected_rates' fails, the error path exits and leaves the previously
allocated skb in place. Detected by Coverity: CID 1195575.
Signed-off-by: Christian Engelmayer
---
Applies against git.kernel.org/pub/scm/linux/kernel/git/linville/wireless.git
Compile tested.
---
drivers/net/wireless/rsi/rsi_91x_mgmt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
index 2361a68..dd7946d 100644
--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -966,6 +966,7 @@ static int rsi_send_auto_rate_request(struct rsi_common
*common)
if (!selected_rates) {
rsi_dbg(ERR_ZONE, "%s: Failed in allocation of mem\n",
__func__);
+ dev_kfree_skb(skb);
return -ENOMEM;
}
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH resend] rsi: Fix a potential memory leak in rsi_set_channel()
Fix a potential memory leak in function rsi_set_channel() that is used to
program channel changes. The channel check block for the frequency bands
directly exits the function in case of an error, thus leaving an already
allocated skb unreferenced. Move the checks above allocating the skb.
Detected by Coverity: CID 1195576.
Signed-off-by: Christian Engelmayer
---
Applies against git.kernel.org/pub/scm/linux/kernel/git/linville/wireless.git
Compile tested.
---
drivers/net/wireless/rsi/rsi_91x_mgmt.c | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
index 2361a68..be5b1fd 100644
--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -841,16 +841,6 @@ int rsi_set_channel(struct rsi_common *common, u16 channel)
rsi_dbg(MGMT_TX_ZONE,
"%s: Sending scan req frame\n", __func__);
- skb = dev_alloc_skb(FRAME_DESC_SZ);
- if (!skb) {
- rsi_dbg(ERR_ZONE, "%s: Failed in allocation of skb\n",
- __func__);
- return -ENOMEM;
- }
-
- memset(skb->data, 0, FRAME_DESC_SZ);
- mgmt_frame = (struct rsi_mac_frame *)skb->data;
-
if (common->band == IEEE80211_BAND_5GHZ) {
if ((channel >= 36) && (channel <= 64))
channel = ((channel - 32) / 4);
@@ -868,6 +858,16 @@ int rsi_set_channel(struct rsi_common *common, u16 channel)
}
}
+ skb = dev_alloc_skb(FRAME_DESC_SZ);
+ if (!skb) {
+ rsi_dbg(ERR_ZONE, "%s: Failed in allocation of skb\n",
+ __func__);
+ return -ENOMEM;
+ }
+
+ memset(skb->data, 0, FRAME_DESC_SZ);
+ mgmt_frame = (struct rsi_mac_frame *)skb->data;
+
mgmt_frame->desc_word[0] = cpu_to_le16(RSI_WIFI_MGMT_Q << 12);
mgmt_frame->desc_word[1] = cpu_to_le16(SCAN_REQUEST);
mgmt_frame->desc_word[4] = cpu_to_le16(channel);
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH] modpost: Fix ressource leak in read_dump()
Function read_dump() memory maps the input via grab_file(), but fails to call
the corresponding unmap function. Add the missing call to release_file().
Detected by Coverity: CID 1192419
Signed-off-by: Christian Engelmayer
---
Compile tested - Applies against v3.14 as well as linux-next.
---
scripts/mod/modpost.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
index 0663556..ea3e2bd 100644
--- a/scripts/mod/modpost.c
+++ b/scripts/mod/modpost.c
@@ -2113,8 +2113,10 @@ static void read_dump(const char *fname, unsigned int
kernel)
s->preloaded = 1;
sym_update_crc(symname, mod, crc, export_no(export));
}
+ release_file(file, size);
return;
fail:
+ release_file(file, size);
fatal("parse error in symbol dump file\n");
}
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH] ASoC: wm8993: Remove unused pointer in wm8993_remove()
Commit 88b5bdfd (ASoC: wm8993: drop regulator_bulk_free of devm_ allocated
data) eliminated the last user of driver data pointer 'wm8993' in function
wm8993_remove() - Thus remove it. Detected by Coverity: CID 1186208.
Signed-off-by: Christian Engelmayer
---
Applies against branch for-next in tree
git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
---
sound/soc/codecs/wm8993.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/sound/soc/codecs/wm8993.c b/sound/soc/codecs/wm8993.c
index 2ee23a3..f7978b3 100644
--- a/sound/soc/codecs/wm8993.c
+++ b/sound/soc/codecs/wm8993.c
@@ -1559,8 +1559,6 @@ static int wm8993_probe(struct snd_soc_codec *codec)
static int wm8993_remove(struct snd_soc_codec *codec)
{
- struct wm8993_priv *wm8993 = snd_soc_codec_get_drvdata(codec);
-
wm8993_set_bias_level(codec, SND_SOC_BIAS_OFF);
return 0;
}
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH 3/3] fs: ufs: Remove unused ufs_super_block_third pointer
Pointer 'usb3' to struct ufs_super_block_third acquired via
ubh_get_usb_third() is never used in function ufs_read_cylinder_structures().
Thus remove it.
Detected by Coverity: CID 139939.
Signed-off-by: Christian Engelmayer
---
fs/ufs/super.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/ufs/super.c b/fs/ufs/super.c
index 53ce1af..deae93e 100644
--- a/fs/ufs/super.c
+++ b/fs/ufs/super.c
@@ -524,11 +524,9 @@ static int ufs_read_cylinder_structures(struct super_block
*sb)
struct ufs_buffer_head * ubh;
unsigned char * base, * space;
unsigned size, blks, i;
- struct ufs_super_block_third *usb3;
UFSD("ENTER\n");
- usb3 = ubh_get_usb_third(uspi);
/*
* Read cs structures from (usually) first data block
* on the device.
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH 0/3] fs: ufs: Remove unused pointer
This is a cleanup throughout ufs regarding pointers that are set up, but no
longer used in the affected functions. The ubh_get_usb_(first|second|third)
macros found in the changesets all resolve to
static inline void *get_usb_offset(struct ufs_sb_private_info *uspi,
unsigned int offset)
{
unsigned int index;
index = offset >> uspi->s_fshift;
offset &= ~uspi->s_fmask;
return uspi->s_ubh.bh[index]->b_data + offset;
}
and differ in the passed offset value. get_usb_offset() does not alter the
passed ufs_sb_private_info struct. Those calls can be thus removed safely
where the return value is not further used.
The series applies against v3.14-rc2 and is compile tested.
Christian Engelmayer (3):
fs: ufs: Remove unused ufs_super_block_first pointer.
fs: ufs: Remove unused ufs_super_block_second pointer.
fs: ufs: Remove unused ufs_super_block_third pointer.
fs/ufs/balloc.c | 12
fs/ufs/ialloc.c | 4
fs/ufs/super.c | 6 --
3 files changed, 22 deletions(-)
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH 1/3] fs: ufs: Remove unused ufs_super_block_first pointer
Remove occurences of unused pointers to struct ufs_super_block_first that were
acquired via ubh_get_usb_first().
Detected by Coverity: CID 139929 - CID 139936, CID 139940.
Signed-off-by: Christian Engelmayer
---
fs/ufs/balloc.c | 12
fs/ufs/ialloc.c | 4
fs/ufs/super.c | 2 --
3 files changed, 18 deletions(-)
diff --git a/fs/ufs/balloc.c b/fs/ufs/balloc.c
index a7ea492..0ab1de4 100644
--- a/fs/ufs/balloc.c
+++ b/fs/ufs/balloc.c
@@ -38,7 +38,6 @@ void ufs_free_fragments(struct inode *inode, u64 fragment,
unsigned count)
{
struct super_block * sb;
struct ufs_sb_private_info * uspi;
- struct ufs_super_block_first * usb1;
struct ufs_cg_private_info * ucpi;
struct ufs_cylinder_group * ucg;
unsigned cgno, bit, end_bit, bbase, blkmap, i;
@@ -46,7 +45,6 @@ void ufs_free_fragments(struct inode *inode, u64 fragment,
unsigned count)
sb = inode->i_sb;
uspi = UFS_SB(sb)->s_uspi;
- usb1 = ubh_get_usb_first(uspi);
UFSD("ENTER, fragment %llu, count %u\n",
(unsigned long long)fragment, count);
@@ -135,7 +133,6 @@ void ufs_free_blocks(struct inode *inode, u64 fragment,
unsigned count)
{
struct super_block * sb;
struct ufs_sb_private_info * uspi;
- struct ufs_super_block_first * usb1;
struct ufs_cg_private_info * ucpi;
struct ufs_cylinder_group * ucg;
unsigned overflow, cgno, bit, end_bit, i;
@@ -143,7 +140,6 @@ void ufs_free_blocks(struct inode *inode, u64 fragment,
unsigned count)
sb = inode->i_sb;
uspi = UFS_SB(sb)->s_uspi;
- usb1 = ubh_get_usb_first(uspi);
UFSD("ENTER, fragment %llu, count %u\n",
(unsigned long long)fragment, count);
@@ -499,7 +495,6 @@ static u64 ufs_add_fragments(struct inode *inode, u64
fragment,
{
struct super_block * sb;
struct ufs_sb_private_info * uspi;
- struct ufs_super_block_first * usb1;
struct ufs_cg_private_info * ucpi;
struct ufs_cylinder_group * ucg;
unsigned cgno, fragno, fragoff, count, fragsize, i;
@@ -509,7 +504,6 @@ static u64 ufs_add_fragments(struct inode *inode, u64
fragment,
sb = inode->i_sb;
uspi = UFS_SB(sb)->s_uspi;
- usb1 = ubh_get_usb_first (uspi);
count = newcount - oldcount;
cgno = ufs_dtog(uspi, fragment);
@@ -577,7 +571,6 @@ static u64 ufs_alloc_fragments(struct inode *inode,
unsigned cgno,
{
struct super_block * sb;
struct ufs_sb_private_info * uspi;
- struct ufs_super_block_first * usb1;
struct ufs_cg_private_info * ucpi;
struct ufs_cylinder_group * ucg;
unsigned oldcg, i, j, k, allocsize;
@@ -588,7 +581,6 @@ static u64 ufs_alloc_fragments(struct inode *inode,
unsigned cgno,
sb = inode->i_sb;
uspi = UFS_SB(sb)->s_uspi;
- usb1 = ubh_get_usb_first(uspi);
oldcg = cgno;
/*
@@ -690,7 +682,6 @@ static u64 ufs_alloccg_block(struct inode *inode,
{
struct super_block * sb;
struct ufs_sb_private_info * uspi;
- struct ufs_super_block_first * usb1;
struct ufs_cylinder_group * ucg;
u64 result, blkno;
@@ -698,7 +689,6 @@ static u64 ufs_alloccg_block(struct inode *inode,
sb = inode->i_sb;
uspi = UFS_SB(sb)->s_uspi;
- usb1 = ubh_get_usb_first(uspi);
ucg = ubh_get_ucg(UCPI_UBH(ucpi));
if (goal == 0) {
@@ -794,7 +784,6 @@ static u64 ufs_bitmap_search(struct super_block *sb,
0x0, 0x2, 0x6, 0xe, 0x1e, 0x3e, 0x7e, 0xfe, 0x1fe
};
struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi;
- struct ufs_super_block_first *usb1;
struct ufs_cylinder_group *ucg;
unsigned start, length, loc;
unsigned pos, want, blockmap, mask, end;
@@ -803,7 +792,6 @@ static u64 ufs_bitmap_search(struct super_block *sb,
UFSD("ENTER, cg %u, goal %llu, count %u\n", ucpi->c_cgx,
(unsigned long long)goal, count);
- usb1 = ubh_get_usb_first (uspi);
ucg = ubh_get_ucg(UCPI_UBH(ucpi));
if (goal)
diff --git a/fs/ufs/ialloc.c b/fs/ufs/ialloc.c
index d0426d7..98f7211 100644
--- a/fs/ufs/ialloc.c
+++ b/fs/ufs/ialloc.c
@@ -57,7 +57,6 @@ void ufs_free_inode (struct inode * inode)
{
struct super_block * sb;
struct ufs_sb_private_info * uspi;
- struct ufs_super_block_first * usb1;
struct ufs_cg_private_info * ucpi;
struct ufs_cylinder_group * ucg;
int is_directory;
@@ -67,7 +66,6 @@ void ufs_free_inode (struct inode * inode)
sb = inode->i_sb;
uspi = UFS_SB(sb)->s_uspi;
- usb1 = ubh_get_usb_first(uspi);
ino = inode->i_ino;
@@ -175,7 +173,6 @@ struct inode *ufs_new_inode(struct inode *dir, umode_t mode)
struct super_block * sb;
struct u
[PATCH 2/3] fs: ufs: Remove unused ufs_super_block_second pointer
Pointer 'usb2' to struct ufs_super_block_second acquired via
ubh_get_usb_second() is never used in function ufs_statfs().
Thus remove it.
Detected by Coverity: CID 139940.
Signed-off-by: Christian Engelmayer
---
fs/ufs/super.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/ufs/super.c b/fs/ufs/super.c
index 3f2c086..53ce1af 100644
--- a/fs/ufs/super.c
+++ b/fs/ufs/super.c
@@ -1389,13 +1389,11 @@ static int ufs_statfs(struct dentry *dentry, struct
kstatfs *buf)
struct super_block *sb = dentry->d_sb;
struct ufs_sb_private_info *uspi= UFS_SB(sb)->s_uspi;
unsigned flags = UFS_SB(sb)->s_flags;
- struct ufs_super_block_second *usb2;
struct ufs_super_block_third *usb3;
u64 id = huge_encode_dev(sb->s_bdev->bd_dev);
lock_ufs(sb);
- usb2 = ubh_get_usb_second(uspi);
usb3 = ubh_get_usb_third(uspi);
if ((flags & UFS_TYPE_MASK) == UFS_TYPE_UFS2) {
--
1.8.3.2
signature.asc
Description: PGP signature
[PATCH] misc: genwqe: Fix potential memory leak when pinning memory
Fix a memory leak in the genwqe_pin_mem() error path as called by
ioctl GENWQE_PIN_MEM. In case there is an error encountered when
mapping memory, the already allocated dma_mapping struct needs to
be freed correctly.
Detected by Coverity: CID 1162606.
Signed-off-by: Christian Engelmayer
---
drivers/misc/genwqe/card_dev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/misc/genwqe/card_dev.c b/drivers/misc/genwqe/card_dev.c
index 8f8a6b3..2c2c9cc 100644
--- a/drivers/misc/genwqe/card_dev.c
+++ b/drivers/misc/genwqe/card_dev.c
@@ -787,6 +787,7 @@ static int genwqe_pin_mem(struct genwqe_file *cfile, struct
genwqe_mem *m)
if (rc != 0) {
dev_err(&pci_dev->dev,
"[%s] genwqe_user_vmap rc=%d\n", __func__, rc);
+ kfree(dma_map);
return rc;
}
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] block: Fix memory leak in rw_copy_check_uvector() handling
Fix a memory leak in the error handling path of function sg_io()
that is used during the processing of scsi ioctl. Memory already
allocated by rw_copy_check_uvector() needs to be freed correctly.
Detected by Coverity: CID 1128953.
Signed-off-by: Christian Engelmayer
---
block/scsi_ioctl.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index 625e3e4..2648797 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -323,12 +323,14 @@ static int sg_io(struct request_queue *q, struct gendisk
*bd_disk,
if (hdr->iovec_count) {
size_t iov_data_len;
- struct iovec *iov;
+ struct iovec *iov = NULL;
ret = rw_copy_check_uvector(-1, hdr->dxferp, hdr->iovec_count,
0, NULL, &iov);
- if (ret < 0)
+ if (ret < 0) {
+ kfree(iov);
goto out;
+ }
iov_data_len = ret;
ret = 0;
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PROBLEM] possible divide by 0 in kernel/sched/cputime.c scale_stime()
On Mon, 18 Nov 2013 18:27:06 +0100, Peter Zijlstra wrote: > That is not actually correct in the case time wraps. > > There's a further problem with this code though -- ever since Frederic > added NO_HZ_FULL a CPU can in fact aggregate a runtime delta larger than > 4 seconds, due to running without a tick. > > Therefore we need to be able to deal with u64 deltas. > > The below is a compile tested only attempt to deal with both these > problems. Comments? I had this patch applied during daily use. No systematic testing, but no user perceived regressions either. The originally reported divide by 0 scenario could no longer be reproduced with this change. > +/* > + * delta_exec * weight / lw.weight > + * OR > + * (delta_exec * (weight * lw->inv_weight)) >> WMULT_SHIFT > + * > + * Either weight := NICE_0_LOAD and lw \e prio_to_wmult[], in which case > + * we're guaranteed shift stays positive because inv_weight is guaranteed to > + * fit 32 bits, and NICE_0_LOAD gives another 10 bits; therefore shift >= 22. > + * > + * Or, weight =< lw.weight (because lw.weight is the runqueue weight), thus > + * XXX mind got twisted, but I'm fairly sure shift will stay positive. > + * > + */ > +static u64 __calc_delta(u64 delta_exec, unsigned long weight, struct > load_weight *lw) The patch itself seems comprehensible to me, although I have to admit that I would have to read into the code more deeply in order to understand why the changed __calc_delta() will always prove correct. On Mon, 18 Nov 2013 15:19:56 +0100, Peter Zijlstra wrote: > I'm not sure what tool you used to generate that, but its broken, that's > model 0x25 (37), it somehow truncates the upper model bits. Correct, that was the fairly outdated cpuid (http://www.ka9q.net/code/cpuid) currently shipped with Ubuntu 13.10. Debian already switched to packaging a maintained version (http://www.etallen.com/cpuid.html). > That said, its a westmere core and I've seen wsm-ep (dual socket) > machines loose their TSC sync quite regularly, but this would be the > first case a single socket wsm would loose its TSC sync. > > That leads me to believe your BIOS is screwing you over with SMIs or the > like. Having rechecked the running microcode as hinted by Henrique de Moraes Holschuh off-list and running the Intel BIOS Implementation Test Suite (http://biosbits.org) that seems to be an educated guess. Regards, Christian -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PROBLEM] possible divide by 0 in kernel/sched/cputime.c scale_stime()
Since upgrading from v3.8 to v3.12 I see random crashes in function
scale_stime()
in kernel/sched/cputime.c:
divide error: [#1] SMP
Modules linked in: parport_pc(F) ppdev(F) bnep rfcomm bluetooth
binfmt_misc(F)
zl10353 cx88_dvb cx88_vp3054_i2c videobuf_dvb dvb_core intel_powerclamp
coretemp
kvm_intel(F) tuner_xc2028 kvm(F) i915 snd_hda_codec_hdmi
snd_hda_codec_realtek
cx8800 cx8802 tuner snd_hda_intel snd_hda_codec cx88_alsa crct10dif_pclmul(F)
crc32_pclmul(F) snd_hwdep(F) snd_pcm(F) snd_page_alloc(F)
ghash_clmulni_intel(F)
aesni_intel(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F)
snd_seq(F)
joydev(F) cx88xx snd_seq_device(F) snd_timer(F) aes_x86_64(F) lrw(F)
gf128mul(F)
glue_helper(F) video(F) btcx_risc drm_kms_helper ablk_helper(F) tveeprom
cryptd(F)
lp(F) videobuf_dma_sg rc_core drm v4l2_common videobuf_core mei_me parport(F)
snd(F) mei soundcore(F) videodev i2c_algo_bit serio_raw(F) microcode(F)
mac_hid
lpc_ich asus_atk0110 hid_generic usbhid hid usb_storage(F) firewire_ohci
ahci(F)
libahci(F) firewire_core r8169 crc_itu_t(F) mii(F)
CPU: 3 PID: 15367 Comm: htop Tainted: GF3.12.0-031200-generic
#201311031935
Hardware name: System manufacturer System Product Name/P7H55-M PRO, BIOS
170901/04/2011
task: 8800cc09e000 ti: 8800af62 task.ti: 8800af62
RIP: 0010:[] []
cputime_adjust+0xf0/0x110
RSP: 0018:8800af621cc8 EFLAGS: 00010847
RAX: 85fdc1fef4047c00 RBX: RCX: 8800af621df8
RDX: RSI: 8800cc0634d0 RDI:
RBP: 8800af621cd8 R08: fffe R09:
R10: R11: fffe03427acc R12: 8800af621df0
R13: 8800af621df8 R14: R15: 8800cc063300
FS: 7f22a387d740() GS:880117c6() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7f22a3892000 CR3: 97023000 CR4: 07e0
Stack:
8800c37f 8800af621df0 8800af621d18 8109aa51
0a7d8c00 42fee100 fffe03427acc 8800bf112a80
8800c37f 8800c307c280 8800af621e50 8121f74b
Call Trace:
[] thread_group_cputime_adjusted+0x41/0x50
[] do_task_stat+0x8eb/0xb60
[] ? vma_compute_subtree_gap+0x50/0x50
[] proc_tgid_stat+0x14/0x20
[] proc_single_show+0x4d/0x90
[] seq_read+0x14e/0x390
[] vfs_read+0x95/0x160
[] SyS_read+0x49/0xa0
[] system_call_fastpath+0x1a/0x1f
Code: 89 fa 49 c1 ea 20 4d 85 d2 74 ca 4c 89 c2 48 d1 ef 49 89 c0 48 d1 ea 48
89 d0 eb 9f 0f 1f 80 00 00 00 00 89 c0 31 d2 49 0f af c0 <48> f7 f7 4c
89 df 48 29 c7 49 89 c3 e9 31 ff ff ff 66 66 66 66
RIP [] cputime_adjust+0xf0/0x110
RSP
---[ end trace dbafd2159a385dd6 ]---
The affected LOC performing the division by 0 was introduced in commit
commit 55eaa7c1f511af5fb6ef808b5328804f4d4e5243
Author: Stanislaw Gruszka
Date: Tue Apr 30 17:14:42 2013 +0200
sched: Avoid cputime scaling overflow
For the problem to occur the function is called eg. with the following
input parameters
stime: 0x3567e00
rtime: 0xbf1abfdb
total: 0x3938700
which leads to 'total' being shifted to 0 during the adaption of the precision
and is then used without further check in
scaled = div_u64((u64) (u32) stime * (u64) (u32) rtime, (u32)total);
The root cause triggering this issue seems to be an overflowed value of
rtime = nsecs_to_cputime(curr->sum_exec_runtime);
On the affected machine the problem can be triggered by loading the
previously idle system by starting a full kernel build. The problem occurs
within a minute after the ondemand frequency scaling governor adjusts the
frequency from the minimum to the maximum.
The x86 init check whether all booted CPUs have their TSC's synchronized, never
failed so far, however, the tsc clocksource is sporadically marked unstable.
Clocksource tsc unstable (delta = -74994678 ns)
The used CPU provides an Intel Invariant TSC as stated by
CPUID.8007H:EDX[8]:
eax ineax ebx ecx edx
000b 756e6547 6c65746e 49656e69
0001 00020652 04100800 0298e3ff bfebfbff
0002 55035a01 00f0b2e3 09ca212c
0003
0004
0005 0040 0040 0003 1120
0006 0005 0002 0001
0007
0008
0009
000a 07300403 0004 0603
000b 002c 0004
8000 8008
8001 0001 28100800
8002 65746e49 2952286c 726f4320 4d542865
8003 35692029 55504320 20202020 20202020
8004 30353620 20402020 3032
[PATCH] gpio-pcf857x: avoid an empty kernel message in case no irq is configured
Avoid a needless kernel message in case there is no client irq to be ignored. [2.856058] gpiochip_add: registered GPIOs 248 to 255 on device: pcf8574 [2.862830] pcf857x 1-0020: Signed-off-by: Christian Engelmayer --- --- a/drivers/gpio/gpio-pcf857x.c 2012-07-06 09:19:07.0 +0200 +++ b/drivers/gpio/gpio-pcf857x.c 2012-07-06 09:21:15.0 +0200 @@ -290,8 +290,8 @@ static int pcf857x_probe(struct i2c_clie * methods can't be called from sleeping contexts. */ - dev_info(&client->dev, "%s\n", - client->irq ? " (irq ignored)" : ""); + if (client->irq) + dev_info(&client->dev, " (irq ignored)\n"); /* Let platform code set up the GPIOs and their users. * Now is the first time anyone could use them. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
