--- /dev/null
+From 96cf3dedc491d2f1f66cc26217f2b06b0c7b6797 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Tue, 11 Feb 2014 11:03:33 +0100
+Subject: mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy error
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 96cf3dedc491d2f1f66cc26217f2b06b0c7b6797 upstream.
+
+During probe the driver allocates dummy I2C devices for RTC and ADC
+with i2c_new_dummy() but it does not check the return value of this
+calls.
+
+In case of error (i2c_new_device(): memory allocation failure or I2C
+address cannot be used) this function returns NULL which is later used
+by i2c_unregister_device().
+
+If i2c_new_dummy() fails for RTC or ADC devices, fail also the probe
+for main MFD driver.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/max8925-i2c.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/mfd/max8925-i2c.c
++++ b/drivers/mfd/max8925-i2c.c
+@@ -156,9 +156,18 @@ static int __devinit max8925_probe(struc
+ mutex_init(&chip->io_lock);
+
+ chip->rtc = i2c_new_dummy(chip->i2c->adapter, RTC_I2C_ADDR);
++ if (!chip->rtc) {
++ dev_err(chip->dev, "Failed to allocate I2C device for RTC\n");
++ return -ENODEV;
++ }
+ i2c_set_clientdata(chip->rtc, chip);
+
+ chip->adc = i2c_new_dummy(chip->i2c->adapter, ADC_I2C_ADDR);
++ if (!chip->adc) {
++ dev_err(chip->dev, "Failed to allocate I2C device for ADC\n");
++ i2c_unregister_device(chip->rtc);
++ return -ENODEV;
++ }
+ i2c_set_clientdata(chip->adc, chip);
+
+ device_init_wakeup(&client->dev, 1);
--- /dev/null
+From 97dc4ed3fa377ec91bb60ba98b70d645c2099384 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Tue, 11 Feb 2014 11:03:34 +0100
+Subject: mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy error
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 97dc4ed3fa377ec91bb60ba98b70d645c2099384 upstream.
+
+During probe the driver allocates dummy I2C devices for RTC, haptic and
+MUIC with i2c_new_dummy() but it does not check the return value of this
+calls.
+
+In case of error (i2c_new_device(): memory allocation failure or I2C
+address cannot be used) this function returns NULL which is later used
+by i2c_unregister_device().
+
+If i2c_new_dummy() fails for RTC, haptic or MUIC devices, fail also the
+probe for main MFD driver.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/max8997.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/mfd/max8997.c
++++ b/drivers/mfd/max8997.c
+@@ -149,10 +149,26 @@ static int max8997_i2c_probe(struct i2c_
+ mutex_init(&max8997->iolock);
+
+ max8997->rtc = i2c_new_dummy(i2c->adapter, I2C_ADDR_RTC);
++ if (!max8997->rtc) {
++ dev_err(max8997->dev, "Failed to allocate I2C device for RTC\n");
++ return -ENODEV;
++ }
+ i2c_set_clientdata(max8997->rtc, max8997);
++
+ max8997->haptic = i2c_new_dummy(i2c->adapter, I2C_ADDR_HAPTIC);
++ if (!max8997->haptic) {
++ dev_err(max8997->dev, "Failed to allocate I2C device for Haptic\n");
++ ret = -ENODEV;
++ goto err_i2c_haptic;
++ }
+ i2c_set_clientdata(max8997->haptic, max8997);
++
+ max8997->muic = i2c_new_dummy(i2c->adapter, I2C_ADDR_MUIC);
++ if (!max8997->muic) {
++ dev_err(max8997->dev, "Failed to allocate I2C device for MUIC\n");
++ ret = -ENODEV;
++ goto err_i2c_muic;
++ }
+ i2c_set_clientdata(max8997->muic, max8997);
+
+ pm_runtime_set_active(max8997->dev);
+@@ -179,7 +195,9 @@ static int max8997_i2c_probe(struct i2c_
+ err_mfd:
+ mfd_remove_devices(max8997->dev);
+ i2c_unregister_device(max8997->muic);
++err_i2c_muic:
+ i2c_unregister_device(max8997->haptic);
++err_i2c_haptic:
+ i2c_unregister_device(max8997->rtc);
+ err:
+ kfree(max8997);
--- /dev/null
+From ed26f87b9f71693a1d1ee85f5e6209601505080f Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Tue, 11 Feb 2014 11:03:35 +0100
+Subject: mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy error
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit ed26f87b9f71693a1d1ee85f5e6209601505080f upstream.
+
+During probe the driver allocates dummy I2C device for RTC with i2c_new_dummy() but it does not check the return value of this call.
+
+In case of error (i2c_new_device(): memory allocation failure or I2C
+address cannot be used) this function returns NULL which is later used
+by i2c_unregister_device().
+
+If i2c_new_dummy() fails for RTC device, fail also the probe for
+main MFD driver.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/max8998.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mfd/max8998.c
++++ b/drivers/mfd/max8998.c
+@@ -152,6 +152,10 @@ static int max8998_i2c_probe(struct i2c_
+ mutex_init(&max8998->iolock);
+
+ max8998->rtc = i2c_new_dummy(i2c->adapter, RTC_I2C_ADDR);
++ if (!max8998->rtc) {
++ dev_err(&i2c->dev, "Failed to allocate I2C device for RTC\n");
++ return -ENODEV;
++ }
+ i2c_set_clientdata(max8998->rtc, max8998);
+
+ max8998_irq_init(max8998);
arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch
alsa-hda-enable-beep-for-asus-1015e.patch
alsa-ice1712-fix-boundary-checks-in-pcm-pointer-ops.patch
+mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
+mfd-max8998-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
+mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
+w1-fix-w1_send_slave-dropping-a-slave-id.patch
+staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
--- /dev/null
+From abe5d64d1a74195a44cd14624f8178b9f48b7cc7 Mon Sep 17 00:00:00 2001
+From: Himangi Saraogi <himangi774@gmail.com>
+Date: Wed, 5 Mar 2014 04:59:57 +0530
+Subject: staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer
+
+From: Himangi Saraogi <himangi774@gmail.com>
+
+commit abe5d64d1a74195a44cd14624f8178b9f48b7cc7 upstream.
+
+This patch fixes the following sparse warning :
+drivers/staging/serqt_usb2/serqt_usb2.c:727:40: warning: restricted __le16 degrades to integer
+
+Signed-off-by: Himangi Saraogi <himangi774@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/serqt_usb2/serqt_usb2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/serqt_usb2/serqt_usb2.c
++++ b/drivers/staging/serqt_usb2/serqt_usb2.c
+@@ -771,7 +771,7 @@ static int qt_startup(struct usb_serial
+ goto startup_error;
+ }
+
+- switch (serial->dev->descriptor.idProduct) {
++ switch (le16_to_cpu(serial->dev->descriptor.idProduct)) {
+ case QUATECH_DSU100:
+ case QUATECH_QSU100:
+ case QUATECH_ESU100A:
--- /dev/null
+From 6b355b33a64fd6d8ead2b838ec16fb9b551f71e8 Mon Sep 17 00:00:00 2001
+From: David Fries <David@Fries.net>
+Date: Wed, 15 Jan 2014 22:29:12 -0600
+Subject: w1: fix w1_send_slave dropping a slave id
+
+From: David Fries <David@Fries.net>
+
+commit 6b355b33a64fd6d8ead2b838ec16fb9b551f71e8 upstream.
+
+Previous logic,
+if (avail > 8) {
+ store slave;
+ return;
+}
+send data; clear;
+
+The logic error is, if there isn't space send the buffer and clear,
+but the slave wasn't added to the now empty buffer loosing that slave
+id. It also should have been "if (avail >= 8)" because when it is 8,
+there is space.
+
+Instead, if there isn't space send and clear the buffer, then there is
+always space for the slave id.
+
+Signed-off-by: David Fries <David@Fries.net>
+Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/w1/w1_netlink.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/w1/w1_netlink.c
++++ b/drivers/w1/w1_netlink.c
+@@ -54,28 +54,29 @@ static void w1_send_slave(struct w1_mast
+ struct w1_netlink_msg *hdr = (struct w1_netlink_msg *)(msg + 1);
+ struct w1_netlink_cmd *cmd = (struct w1_netlink_cmd *)(hdr + 1);
+ int avail;
++ u64 *data;
+
+ /* update kernel slave list */
+ w1_slave_found(dev, rn);
+
+ avail = dev->priv_size - cmd->len;
+
+- if (avail > 8) {
+- u64 *data = (void *)(cmd + 1) + cmd->len;
+-
+- *data = rn;
+- cmd->len += 8;
+- hdr->len += 8;
+- msg->len += 8;
+- return;
++ if (avail < 8) {
++ msg->ack++;
++ cn_netlink_send(msg, 0, GFP_KERNEL);
++
++ msg->len = sizeof(struct w1_netlink_msg) +
++ sizeof(struct w1_netlink_cmd);
++ hdr->len = sizeof(struct w1_netlink_cmd);
++ cmd->len = 0;
+ }
+
+- msg->ack++;
+- cn_netlink_send(msg, 0, GFP_KERNEL);
++ data = (void *)(cmd + 1) + cmd->len;
+
+- msg->len = sizeof(struct w1_netlink_msg) + sizeof(struct w1_netlink_cmd);
+- hdr->len = sizeof(struct w1_netlink_cmd);
+- cmd->len = 0;
++ *data = rn;
++ cmd->len += 8;
++ hdr->len += 8;
++ msg->len += 8;
+ }
+
+ static int w1_process_search_command(struct w1_master *dev, struct cn_msg *msg,
projects / thirdparty / kernel / stable-queue.git / commitdiff
