6.12-stable patches

added patches:
	iio-adc-ad7124-disable-all-channels-at-probe-time.patch
	iio-adc-ad7173-fix-using-shared-static-info-struct.patch
	iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
	iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
	iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch
	iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch
	iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
	iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch
	iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
	iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
	iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
	iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
	iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
	iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
	iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch
	iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
	iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch

diff --git a/queue-6.12/iio-adc-ad7124-disable-all-channels-at-probe-time.patch b/queue-6.12/iio-adc-ad7124-disable-all-channels-at-probe-time.patch
new file mode 100644 (file)
index 0000000..ce04e2f
--- /dev/null
+++ b/queue-6.12/iio-adc-ad7124-disable-all-channels-at-probe-time.patch
@@ -0,0 +1,46 @@
+From 4be339af334c283a1a1af3cb28e7e448a0aa8a7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@baylibre.com>
+Date: Mon, 4 Nov 2024 11:19:04 +0100
+Subject: iio: adc: ad7124: Disable all channels at probe time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+commit 4be339af334c283a1a1af3cb28e7e448a0aa8a7c upstream.
+
+When during a measurement two channels are enabled, two measurements are
+done that are reported sequencially in the DATA register. As the code
+triggered by reading one of the sysfs properties expects that only one
+channel is enabled it only reads the first data set which might or might
+not belong to the intended channel.
+
+To prevent this situation disable all channels during probe. This fixes
+a problem in practise because the reset default for channel 0 is
+enabled. So all measurements before the first measurement on channel 0
+(which disables channel 0 at the end) might report wrong values.
+
+Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Link: https://patch.msgid.link/20241104101905.845737-2-u.kleine-koenig@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7124.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -917,6 +917,9 @@ static int ad7124_setup(struct ad7124_st
+                * set all channels to this default value.
+                */
+               ad7124_set_channel_odr(st, i, 10);
++
++              /* Disable all channels to prevent unintended conversions. */
++              ad_sd_write_reg(&st->sd, AD7124_CHANNEL(i), 2, 0);
+       }
+ 
+       ret = ad_sd_write_reg(&st->sd, AD7124_ADC_CONTROL, 2, st->adc_control);

diff --git a/queue-6.12/iio-adc-ad7173-fix-using-shared-static-info-struct.patch b/queue-6.12/iio-adc-ad7173-fix-using-shared-static-info-struct.patch
new file mode 100644 (file)
index 0000000..c559caf
--- /dev/null
+++ b/queue-6.12/iio-adc-ad7173-fix-using-shared-static-info-struct.patch
@@ -0,0 +1,73 @@
+From 36a44e05cd807a54e5ffad4b96d0d67f68ad8576 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Wed, 27 Nov 2024 14:01:53 -0600
+Subject: iio: adc: ad7173: fix using shared static info struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 36a44e05cd807a54e5ffad4b96d0d67f68ad8576 upstream.
+
+Fix a possible race condition during driver probe in the ad7173 driver
+due to using a shared static info struct. If more that one instance of
+the driver is probed at the same time, some of the info could be
+overwritten by the other instance, leading to incorrect operation.
+
+To fix this, make the static info struct const so that it is read-only
+and make a copy of the info struct for each instance of the driver that
+can be modified.
+
+Reported-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Fixes: 76a1e6a42802 ("iio: adc: ad7173: add AD7173 driver")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Tested-by: Guillaume Ranquet <granquet@baylibre.com>
+Link: https://patch.msgid.link/20241127-iio-adc-ad7313-fix-non-const-info-struct-v2-1-b6d7022b7466@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7173.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ad7173.c
++++ b/drivers/iio/adc/ad7173.c
+@@ -198,6 +198,7 @@ struct ad7173_channel {
+ 
+ struct ad7173_state {
+       struct ad_sigma_delta sd;
++      struct ad_sigma_delta_info sigma_delta_info;
+       const struct ad7173_device_info *info;
+       struct ad7173_channel *channels;
+       struct regulator_bulk_data regulators[3];
+@@ -733,7 +734,7 @@ static int ad7173_disable_one(struct ad_
+       return ad_sd_write_reg(sd, AD7173_REG_CH(chan), 2, 0);
+ }
+ 
+-static struct ad_sigma_delta_info ad7173_sigma_delta_info = {
++static const struct ad_sigma_delta_info ad7173_sigma_delta_info = {
+       .set_channel = ad7173_set_channel,
+       .append_status = ad7173_append_status,
+       .disable_all = ad7173_disable_all,
+@@ -1371,7 +1372,7 @@ static int ad7173_fw_parse_device_config
+       if (ret < 0)
+               return dev_err_probe(dev, ret, "Interrupt 'rdy' is required\n");
+ 
+-      ad7173_sigma_delta_info.irq_line = ret;
++      st->sigma_delta_info.irq_line = ret;
+ 
+       return ad7173_fw_parse_channel_config(indio_dev);
+ }
+@@ -1404,8 +1405,9 @@ static int ad7173_probe(struct spi_devic
+       spi->mode = SPI_MODE_3;
+       spi_setup(spi);
+ 
+-      ad7173_sigma_delta_info.num_slots = st->info->num_configs;
+-      ret = ad_sd_init(&st->sd, indio_dev, spi, &ad7173_sigma_delta_info);
++      st->sigma_delta_info = ad7173_sigma_delta_info;
++      st->sigma_delta_info.num_slots = st->info->num_configs;
++      ret = ad_sd_init(&st->sd, indio_dev, spi, &st->sigma_delta_info);
+       if (ret)
+               return ret;
+ 

diff --git a/queue-6.12/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch b/queue-6.12/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
new file mode 100644 (file)
index 0000000..c294dd0
--- /dev/null
+++ b/queue-6.12/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
@@ -0,0 +1,35 @@
+From de6a73bad1743e9e81ea5a24c178c67429ff510b Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Sat, 7 Dec 2024 13:30:45 +0900
+Subject: iio: adc: at91: call input_free_device() on allocated iio_dev
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit de6a73bad1743e9e81ea5a24c178c67429ff510b upstream.
+
+Current implementation of at91_ts_register() calls input_free_deivce()
+on st->ts_input, however, the err label can be reached before the
+allocated iio_dev is stored to st->ts_input. Thus call
+input_free_device() on input instead of st->ts_input.
+
+Fixes: 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens without TSMR")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Link: https://patch.msgid.link/20241207043045.1255409-1-joe@pf.is.s.u-tokyo.ac.jp
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/at91_adc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -979,7 +979,7 @@ static int at91_ts_register(struct iio_d
+       return ret;
+ 
+ err:
+-      input_free_device(st->ts_input);
++      input_free_device(input);
+       return ret;
+ }
+ 

diff --git a/queue-6.12/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..626027a
--- /dev/null
+++ b/queue-6.12/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From 38724591364e1e3b278b4053f102b49ea06ee17c Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:12 +0100
+Subject: iio: adc: rockchip_saradc: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 38724591364e1e3b278b4053f102b49ea06ee17c upstream.
+
+The 'data' local struct is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 4e130dc7b413 ("iio: adc: rockchip_saradc: Add support iio buffers")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-4-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/rockchip_saradc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -368,6 +368,8 @@ static irqreturn_t rockchip_saradc_trigg
+       int ret;
+       int i, j = 0;
+ 
++      memset(&data, 0, sizeof(data));
++
+       mutex_lock(&info->lock);
+ 
+       iio_for_each_active_channel(i_dev, i) {

diff --git a/queue-6.12/iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..77e5a67
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,43 @@
+From 75f339d3ecd38cb1ce05357d647189d4a7f7ed08 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:10 +0100
+Subject: iio: adc: ti-ads1119: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 75f339d3ecd38cb1ce05357d647189d4a7f7ed08 upstream.
+
+The 'scan' local struct is used to push data to user space from a
+triggered buffer, but it has a hole between the sample (unsigned int)
+and the timestamp. This hole is never initialized.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-2-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/adc/ti-ads1119.c b/drivers/iio/adc/ti-ads1119.c
+index e9d9d4d46d38..2615a275acb3 100644
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -506,6 +506,8 @@ static irqreturn_t ads1119_trigger_handler(int irq, void *private)
+       unsigned int index;
+       int ret;
+ 
++      memset(&scan, 0, sizeof(scan));
++
+       if (!iio_trigger_using_own(indio_dev)) {
+               index = find_first_bit(indio_dev->active_scan_mask,
+                                      iio_get_masklength(indio_dev));
+-- 
+2.48.0
+

diff --git a/queue-6.12/iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch b/queue-6.12/iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..cfd3283
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch
@@ -0,0 +1,45 @@
+From 54d394905c92b9ecc65c1f9b2692c8e10716d8e1 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 2 Dec 2024 20:18:44 +0100
+Subject: iio: adc: ti-ads1119: fix sample size in scan struct for triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 54d394905c92b9ecc65c1f9b2692c8e10716d8e1 upstream.
+
+This device returns signed, 16-bit samples as stated in its datasheet
+(see 8.5.2 Data Format). That is in line with the scan_type definition
+for the IIO_VOLTAGE channel, but 'unsigned int' is being used to read
+and push the data to userspace.
+
+Given that the size of that type depends on the architecture (at least
+2 bytes to store values up to 65535, but its actual size is often 4
+bytes), use the 's16' type to provide the same structure in all cases.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://patch.msgid.link/20241202-ti-ads1119_s16_chan-v1-1-fafe3136dc90@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1119.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/ti-ads1119.c b/drivers/iio/adc/ti-ads1119.c
+index 2615a275acb3..c268e27eec12 100644
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -500,7 +500,7 @@ static irqreturn_t ads1119_trigger_handler(int irq, void *private)
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct ads1119_state *st = iio_priv(indio_dev);
+       struct {
+-              unsigned int sample;
++              s16 sample;
+               s64 timestamp __aligned(8);
+       } scan;
+       unsigned int index;
+-- 
+2.48.0
+

diff --git a/queue-6.12/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch b/queue-6.12/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
new file mode 100644 (file)
index 0000000..5471035
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
@@ -0,0 +1,42 @@
+From 2a8e34096ec70d73ebb6d9920688ea312700cbd9 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Fri, 22 Nov 2024 13:43:08 -0300
+Subject: iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 2a8e34096ec70d73ebb6d9920688ea312700cbd9 upstream.
+
+Using gpiod_set_value() to control the reset GPIO causes some verbose
+warnings during boot when the reset GPIO is controlled by an I2C IO
+expander.
+
+As the caller can sleep, use the gpiod_set_value_cansleep() variant to
+fix the issue.
+
+Tested on a custom i.MX93 board with a ADS124S08 ADC.
+
+Cc: stable@kernel.org
+Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Link: https://patch.msgid.link/20241122164308.390340-1-festevam@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads124s08.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads124s08.c
++++ b/drivers/iio/adc/ti-ads124s08.c
+@@ -183,9 +183,9 @@ static int ads124s_reset(struct iio_dev
+       struct ads124s_private *priv = iio_priv(indio_dev);
+ 
+       if (priv->reset_gpio) {
+-              gpiod_set_value(priv->reset_gpio, 0);
++              gpiod_set_value_cansleep(priv->reset_gpio, 0);
+               udelay(200);
+-              gpiod_set_value(priv->reset_gpio, 1);
++              gpiod_set_value_cansleep(priv->reset_gpio, 1);
+       } else {
+               return ads124s_write_cmd(indio_dev, ADS124S08_CMD_RESET);
+       }

diff --git a/queue-6.12/iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch b/queue-6.12/iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch
new file mode 100644 (file)
index 0000000..6e8d680
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch
@@ -0,0 +1,33 @@
+From bcb394bb28e55312cace75362b8e489eb0e02a30 Mon Sep 17 00:00:00 2001
+From: Charles Han <hanchunchao@inspur.com>
+Date: Mon, 18 Nov 2024 17:02:08 +0800
+Subject: iio: adc: ti-ads1298: Add NULL check in ads1298_init
+
+From: Charles Han <hanchunchao@inspur.com>
+
+commit bcb394bb28e55312cace75362b8e489eb0e02a30 upstream.
+
+devm_kasprintf() can return a NULL pointer on failure. A check on the
+return value of such a call in ads1298_init() is missing. Add it.
+
+Fixes: 00ef7708fa60 ("iio: adc: ti-ads1298: Add driver")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Link: https://patch.msgid.link/20241118090208.14586-1-hanchunchao@inspur.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads1298.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/ti-ads1298.c
++++ b/drivers/iio/adc/ti-ads1298.c
+@@ -613,6 +613,8 @@ static int ads1298_init(struct iio_dev *
+       }
+       indio_dev->name = devm_kasprintf(dev, GFP_KERNEL, "ads129%u%s",
+                                        indio_dev->num_channels, suffix);
++      if (!indio_dev->name)
++              return -ENOMEM;
+ 
+       /* Enable internal test signal, double amplitude, double frequency */
+       ret = regmap_write(priv->regmap, ADS1298_REG_CONFIG2,

diff --git a/queue-6.12/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..f0bb95a
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From 2a7377ccfd940cd6e9201756aff1e7852c266e69 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:16 +0100
+Subject: iio: adc: ti-ads8688: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 2a7377ccfd940cd6e9201756aff1e7852c266e69 upstream.
+
+The 'buffer' local array is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 61fa5dfa5f52 ("iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-8-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads8688.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads8688.c
++++ b/drivers/iio/adc/ti-ads8688.c
+@@ -381,7 +381,7 @@ static irqreturn_t ads8688_trigger_handl
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       /* Ensure naturally aligned timestamp */
+-      u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8);
++      u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8) = { };
+       int i, j = 0;
+ 
+       iio_for_each_active_channel(indio_dev, i) {

diff --git a/queue-6.12/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..4a27dd8
--- /dev/null
+++ b/queue-6.12/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,38 @@
+From 333be433ee908a53f283beb95585dfc14c8ffb46 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:17 +0100
+Subject: iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 333be433ee908a53f283beb95585dfc14c8ffb46 upstream.
+
+The 'data' array is allocated via kmalloc() and it is used to push data
+to user space from a triggered buffer, but it does not set values for
+inactive channels, as it only uses iio_for_each_active_channel()
+to assign new values.
+
+Use kzalloc for the memory allocation to avoid pushing uninitialized
+information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 415f79244757 ("iio: Move IIO Dummy Driver out of staging")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-9-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dummy/iio_simple_dummy_buffer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/dummy/iio_simple_dummy_buffer.c
++++ b/drivers/iio/dummy/iio_simple_dummy_buffer.c
+@@ -48,7 +48,7 @@ static irqreturn_t iio_simple_dummy_trig
+       int i = 0, j;
+       u16 *data;
+ 
+-      data = kmalloc(indio_dev->scan_bytes, GFP_KERNEL);
++      data = kzalloc(indio_dev->scan_bytes, GFP_KERNEL);
+       if (!data)
+               goto done;
+ 

diff --git a/queue-6.12/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch b/queue-6.12/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
new file mode 100644 (file)
index 0000000..bacbc44
--- /dev/null
+++ b/queue-6.12/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
@@ -0,0 +1,53 @@
+From fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 Mon Sep 17 00:00:00 2001
+From: Carlos Song <carlos.song@nxp.com>
+Date: Sat, 16 Nov 2024 10:29:45 -0500
+Subject: iio: gyro: fxas21002c: Fix missing data update in trigger handler
+
+From: Carlos Song <carlos.song@nxp.com>
+
+commit fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 upstream.
+
+The fxas21002c_trigger_handler() may fail to acquire sample data because
+the runtime PM enters the autosuspend state and sensor can not return
+sample data in standby mode..
+
+Resume the sensor before reading the sample data into the buffer within the
+trigger handler. After the data is read, place the sensor back into the
+autosuspend state.
+
+Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c")
+Signed-off-by: Carlos Song <carlos.song@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20241116152945.4006374-1-Frank.Li@nxp.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/fxas21002c_core.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/gyro/fxas21002c_core.c
++++ b/drivers/iio/gyro/fxas21002c_core.c
+@@ -730,14 +730,21 @@ static irqreturn_t fxas21002c_trigger_ha
+       int ret;
+ 
+       mutex_lock(&data->lock);
++      ret = fxas21002c_pm_get(data);
++      if (ret < 0)
++              goto out_unlock;
++
+       ret = regmap_bulk_read(data->regmap, FXAS21002C_REG_OUT_X_MSB,
+                              data->buffer, CHANNEL_SCAN_MAX * sizeof(s16));
+       if (ret < 0)
+-              goto out_unlock;
++              goto out_pm_put;
+ 
+       iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
+                                          data->timestamp);
+ 
++out_pm_put:
++      fxas21002c_pm_put(data);
++
+ out_unlock:
+       mutex_unlock(&data->lock);
+ 

diff --git a/queue-6.12/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch b/queue-6.12/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
new file mode 100644 (file)
index 0000000..6021ad8
--- /dev/null
+++ b/queue-6.12/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
@@ -0,0 +1,48 @@
+From 65a60a590142c54a3f3be11ff162db2d5b0e1e06 Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Date: Wed, 13 Nov 2024 21:25:45 +0100
+Subject: iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
+
+From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+
+commit 65a60a590142c54a3f3be11ff162db2d5b0e1e06 upstream.
+
+Currently suspending while sensors are one will result in timestamping
+continuing without gap at resume. It can work with monotonic clock but
+not with other clocks. Fix that by resetting timestamping.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Link: https://patch.msgid.link/20241113-inv_icm42600-fix-timestamps-after-suspend-v1-1-dfc77c394173@tdk.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_core.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+@@ -822,6 +822,8 @@ out_unlock:
+ static int inv_icm42600_resume(struct device *dev)
+ {
+       struct inv_icm42600_state *st = dev_get_drvdata(dev);
++      struct inv_icm42600_sensor_state *gyro_st = iio_priv(st->indio_gyro);
++      struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel);
+       int ret;
+ 
+       mutex_lock(&st->lock);
+@@ -842,9 +844,12 @@ static int inv_icm42600_resume(struct de
+               goto out_unlock;
+ 
+       /* restore FIFO data streaming */
+-      if (st->fifo.on)
++      if (st->fifo.on) {
++              inv_sensors_timestamp_reset(&gyro_st->ts);
++              inv_sensors_timestamp_reset(&accel_st->ts);
+               ret = regmap_write(st->map, INV_ICM42600_REG_FIFO_CONFIG,
+                                  INV_ICM42600_FIFO_CONFIG_STREAM);
++      }
+ 
+ out_unlock:
+       mutex_unlock(&st->lock);

diff --git a/queue-6.12/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..1006454
--- /dev/null
+++ b/queue-6.12/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From 6ae053113f6a226a2303caa4936a4c37f3bfff7b Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:13 +0100
+Subject: iio: imu: kmx61: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 6ae053113f6a226a2303caa4936a4c37f3bfff7b upstream.
+
+The 'buffer' local array is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: c3a23ecc0901 ("iio: imu: kmx61: Add support for data ready triggers")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-5-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/kmx61.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/kmx61.c
++++ b/drivers/iio/imu/kmx61.c
+@@ -1192,7 +1192,7 @@ static irqreturn_t kmx61_trigger_handler
+       struct kmx61_data *data = kmx61_get_data(indio_dev);
+       int bit, ret, i = 0;
+       u8 base;
+-      s16 buffer[8];
++      s16 buffer[8] = { };
+ 
+       if (indio_dev == data->acc_indio_dev)
+               base = KMX61_ACC_XOUT_L;

diff --git a/queue-6.12/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch b/queue-6.12/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
new file mode 100644 (file)
index 0000000..35b77b5
--- /dev/null
+++ b/queue-6.12/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
@@ -0,0 +1,35 @@
+From 64f43895b4457532a3cc524ab250b7a30739a1b1 Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Wed, 4 Dec 2024 20:13:42 +0900
+Subject: iio: inkern: call iio_device_put() only on mapped devices
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit 64f43895b4457532a3cc524ab250b7a30739a1b1 upstream.
+
+In the error path of iio_channel_get_all(), iio_device_put() is called
+on all IIO devices, which can cause a refcount imbalance. Fix this error
+by calling iio_device_put() only on IIO devices whose refcounts were
+previously incremented by iio_device_get().
+
+Fixes: 314be14bb893 ("iio: Rename _st_ functions to loose the bit that meant the staging version.")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Link: https://patch.msgid.link/20241204111342.1246706-1-joe@pf.is.s.u-tokyo.ac.jp
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/inkern.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -499,7 +499,7 @@ struct iio_channel *iio_channel_get_all(
+       return_ptr(chans);
+ 
+ error_free_chans:
+-      for (i = 0; i < nummaps; i++)
++      for (i = 0; i < mapind; i++)
+               iio_device_put(chans[i].indio_dev);
+       return ERR_PTR(ret);
+ }

diff --git a/queue-6.12/iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..c3aa59b
--- /dev/null
+++ b/queue-6.12/iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From b62fbe3b8eedd3cf3c9ad0b7cb9f72c3f40815f0 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:15 +0100
+Subject: iio: light: bh1745: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit b62fbe3b8eedd3cf3c9ad0b7cb9f72c3f40815f0 upstream.
+
+The 'scan' local struct is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: eab35358aae7 ("iio: light: ROHM BH1745 colour sensor")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-7-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/bh1745.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/light/bh1745.c
++++ b/drivers/iio/light/bh1745.c
+@@ -750,6 +750,8 @@ static irqreturn_t bh1745_trigger_handle
+       int i;
+       int j = 0;
+ 
++      memset(&scan, 0, sizeof(scan));
++
+       iio_for_each_active_channel(indio_dev, i) {
+               ret = regmap_bulk_read(data->regmap, BH1745_RED_LSB + 2 * i,
+                                      &value, 2);

diff --git a/queue-6.12/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..f7bec42
--- /dev/null
+++ b/queue-6.12/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,39 @@
+From 47b43e53c0a0edf5578d5d12f5fc71c019649279 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:14 +0100
+Subject: iio: light: vcnl4035: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 47b43e53c0a0edf5578d5d12f5fc71c019649279 upstream.
+
+The 'buffer' local array is used to push data to userspace from a
+triggered buffer, but it does not set an initial value for the single
+data element, which is an u16 aligned to 8 bytes. That leaves at least
+4 bytes uninitialized even after writing an integer value with
+regmap_read().
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: ec90b52c07c0 ("iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-6-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/vcnl4035.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/light/vcnl4035.c
++++ b/drivers/iio/light/vcnl4035.c
+@@ -105,7 +105,7 @@ static irqreturn_t vcnl4035_trigger_cons
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct vcnl4035_data *data = iio_priv(indio_dev);
+       /* Ensure naturally aligned timestamp */
+-      u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)]  __aligned(8);
++      u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)]  __aligned(8) = { };
+       int ret;
+ 
+       ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, (int *)buffer);

diff --git a/queue-6.12/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..67a1d82
--- /dev/null
+++ b/queue-6.12/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,38 @@
+From 6007d10c5262f6f71479627c1216899ea7f09073 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:11 +0100
+Subject: iio: pressure: zpa2326: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 6007d10c5262f6f71479627c1216899ea7f09073 upstream.
+
+The 'sample' local struct is used to push data to user space from a
+triggered buffer, but it has a hole between the temperature and the
+timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp).
+This hole is never initialized.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-3-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/pressure/zpa2326.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/pressure/zpa2326.c
++++ b/drivers/iio/pressure/zpa2326.c
+@@ -586,6 +586,8 @@ static int zpa2326_fill_sample_buffer(st
+       }   sample;
+       int err;
+ 
++      memset(&sample, 0, sizeof(sample));
++
+       if (test_bit(0, indio_dev->active_scan_mask)) {
+               /* Get current pressure from hardware FIFO. */
+               err = zpa2326_dequeue_pressure(indio_dev, &sample.pressure);

diff --git a/queue-6.12/series b/queue-6.12/series
index 403d036dbc2275365dfe49e55919e197f41027cc..d4053c10408806e51e7490707ff2a23fb3bff085 100644 (file)
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -154,3 +154,20 @@ usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch
 usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch
 usb-host-xhci-plat-set-skip_phy_initialization-if-software-node-has-xhci_skip_phy_init-property.patch
 usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch
+iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
+iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
+iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
+iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch
+iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
+iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
+iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
+iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch
+iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch
+iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
+iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch
+iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
+iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
+iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
+iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
+iio-adc-ad7173-fix-using-shared-static-info-struct.patch
+iio-adc-ad7124-disable-all-channels-at-probe-time.patch