user/sven/linux.git/drivers/char, branch v3.10.47

applicom: dereferencing NULL on error path

2014-07-01T03:09:41Z

commit 8bab797c6e5724a43b7666ad70860712365cdb71 upstream. This is a static checker fix. The "dev" variable is always NULL after the while statement so we would be dereferencing a NULL pointer here. Fixes: 819a3eba4233 ('[PATCH] applicom: fix error handling') Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman

ipmi: Reset the KCS timeout when starting error recovery

2014-06-07T20:25:30Z

commit eb6d78ec213e6938559b801421d64714dafcf4b2 upstream. The OBF timer in KCS was not reset in one situation when error recovery was started, resulting in an immediate timeout. Reported-by: Bodo Stroesser Signed-off-by: Corey Minyard Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman

ipmi: Fix a race restarting the timer

2014-06-07T20:25:30Z

commit 48e8ac2979920ffa39117e2d725afa3a749bfe8d upstream. With recent changes it is possible for the timer handler to detect an idle interface and not start the timer, but the thread to start an operation at the same time. The thread will not start the timer in that instance, resulting in the timer not running. Instead, move all timer operations under the lock and start the timer in the thread if it detect non-idle and the timer is not already running. Moving under locks allows the last timeout to be set in both the thread and the timer. 'Timer is not running' means that the timer is not pending and smi_timeout() is not running. So we need a flag to detect this correctly. Also fix a few other timeout bugs: setting the last timeout when the interrupt has to be disabled and the timer started, and setting the last timeout in check_start_timer_thread possibly racing with the timer Signed-off-by: Corey Minyard Signed-off-by: Bodo Stroesser Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman

Char: ipmi_bt_sm, fix infinite loop

2014-04-27T00:15:34Z

commit a94cdd1f4d30f12904ab528152731fb13a812a16 upstream. In read_all_bytes, we do unsigned char i; ... bt->read_data[0] = BMC2HOST; bt->read_count = bt->read_data[0]; ... for (i = 1; i <= bt->read_count; i++) bt->read_data[i] = BMC2HOST; If bt->read_data[0] == bt->read_count == 255, we loop infinitely in the 'for' loop. Make 'i' an 'int' instead of 'char' to get rid of the overflow and finish the loop after 255 iterations every time. Signed-off-by: Jiri Slaby Reported-and-debugged-by: Rui Hui Dian Cc: Tomas Cech Cc: Corey Minyard Cc: Signed-off-by: Corey Minyard Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman

raw: test against runtime value of max_raw_minors

2014-02-22T20:41:27Z

commit 5bbb2ae3d6f896f8d2082d1eceb6131c2420b7cf upstream. bind_get() checks the device number it is called with. It uses MAX_RAW_MINORS for the upper bound. But MAX_RAW_MINORS is set at compile time while the actual number of raw devices can be set at runtime. This means the test can either be too strict or too lenient. And if the test ends up being too lenient bind_get() might try to access memory beyond what was allocated for "raw_devices". So check against the runtime value (max_raw_minors) in this function. Signed-off-by: Paul Bolle Acked-by: Jan Kara Signed-off-by: Greg Kroah-Hartman

tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

2014-02-06T19:08:15Z

commit 747d35bd9bb4ae6bd74b19baa5bbe32f3e0cee11 upstream. Depending on the implementation strcmp might return the difference between two strings not only -1,0,1 consequently if (strcmp (a,b) == -1) might lead to taking the wrong branch -> compare with < 0 instead, which in any case is more canonical. Signed-off-by: Peter Huewe Signed-off-by: Greg Kroah-Hartman

tpm/tpm_i2c_stm_st33: Check return code of get_burstcount

2014-02-06T19:08:15Z

commit 85c5e0d451125c6ddb78663972e40af810b83644 upstream. The 'get_burstcount' function can in some circumstances 'return -EBUSY' which in tpm_stm_i2c_send is stored in an 'u32 burstcnt' thus converting the signed value into an unsigned value, resulting in 'burstcnt' being huge. Changing the type to u32 only does not solve the problem as the signed value is converted to an unsigned in I2C_WRITE_DATA, resulting in the same effect. Thus -> Change type of burstcnt to u32 (the return type of get_burstcount) -> Add a check for the return value of 'get_burstcount' and propagate a potential error. This makes also sense in the 'I2C_READ_DATA' case, where the there is no signed/unsigned conversion. found by coverity Signed-off-by: Peter Huewe Signed-off-by: Greg Kroah-Hartman

ACPI / TPM: fix memory leak when walking ACPI namespace

2014-01-15T23:28:52Z

commit df45c712d1f4ef37714245fb75de726f4ca2bf8d upstream. In function ppi_callback(), memory allocated by acpi_get_name() will get leaked when current device isn't the desired TPM device, so fix the memory leak. Signed-off-by: Jiang Liu Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman

drivers/char/i8k.c: add Dell XPLS L421X

2013-12-12T06:36:29Z

commit 9aa5b0181bdf335f0b731d8502e128a862884bcd upstream. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=60772 Signed-off-by: Alan Cox Reported-by: Leho Kraav Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman

random: run random_int_secret_init() run after all late_initcalls

2013-10-18T14:45:44Z

commit 47d06e532e95b71c0db3839ebdef3fe8812fca2c upstream. The some platforms (e.g., ARM) initializes their clocks as late_initcalls for some unknown reason. So make sure random_int_secret_init() is run after all of the late_initcalls are run. Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman