6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Jan 2025 10:45:12 +0000 (11:45 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Jan 2025 10:45:12 +0000 (11:45 +0100)
added patches:
iio-adc-ad7124-disable-all-channels-at-probe-time.patch
iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch

queue-6.1/iio-adc-ad7124-disable-all-channels-at-probe-time.patch [new file with mode: 0644]
queue-6.1/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch [new file with mode: 0644]
queue-6.1/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch [new file with mode: 0644]
queue-6.1/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch [new file with mode: 0644]
queue-6.1/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch [new file with mode: 0644]
queue-6.1/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch [new file with mode: 0644]
queue-6.1/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch [new file with mode: 0644]
queue-6.1/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch [new file with mode: 0644]
queue-6.1/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch [new file with mode: 0644]
queue-6.1/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/iio-adc-ad7124-disable-all-channels-at-probe-time.patch b/queue-6.1/iio-adc-ad7124-disable-all-channels-at-probe-time.patch
new file mode 100644 (file)
index 0000000..a408e1b
--- /dev/null
@@ -0,0 +1,46 @@
+From 4be339af334c283a1a1af3cb28e7e448a0aa8a7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@baylibre.com>
+Date: Mon, 4 Nov 2024 11:19:04 +0100
+Subject: iio: adc: ad7124: Disable all channels at probe time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+commit 4be339af334c283a1a1af3cb28e7e448a0aa8a7c upstream.
+
+When during a measurement two channels are enabled, two measurements are
+done that are reported sequencially in the DATA register. As the code
+triggered by reading one of the sysfs properties expects that only one
+channel is enabled it only reads the first data set which might or might
+not belong to the intended channel.
+
+To prevent this situation disable all channels during probe. This fixes
+a problem in practise because the reset default for channel 0 is
+enabled. So all measurements before the first measurement on channel 0
+(which disables channel 0 at the end) might report wrong values.
+
+Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Link: https://patch.msgid.link/20241104101905.845737-2-u.kleine-koenig@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7124.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -931,6 +931,9 @@ static int ad7124_setup(struct ad7124_st
+                * set all channels to this default value.
+                */
+               ad7124_set_channel_odr(st, i, 10);
++
++              /* Disable all channels to prevent unintended conversions. */
++              ad_sd_write_reg(&st->sd, AD7124_CHANNEL(i), 2, 0);
+       }
+       return ret;
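Review bot: The return value of the added `ad_sd_write_reg(&st->sd, AD7124_CHANNEL(i), 2, 0);` is discarded, so a failed register write leaves that channel enabled and the wrong-channel readings described in the commit message can persist with no error at probe. Propagating it, `ret = ad_sd_write_reg(&st->sd, AD7124_CHANNEL(i), 2, 0);` followed by `if (ret < 0) return ret;`, would make the failure visible. ad7124_setup starts outside the hunk, so what `ret` holds at the final `return ret;` cannot be confirmed from here.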
diff --git a/queue-6.1/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch b/queue-6.1/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
new file mode 100644 (file)
index 0000000..7ea4f17
--- /dev/null
@@ -0,0 +1,35 @@
+From de6a73bad1743e9e81ea5a24c178c67429ff510b Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Sat, 7 Dec 2024 13:30:45 +0900
+Subject: iio: adc: at91: call input_free_device() on allocated iio_dev
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit de6a73bad1743e9e81ea5a24c178c67429ff510b upstream.
+
+Current implementation of at91_ts_register() calls input_free_deivce()
+on st->ts_input, however, the err label can be reached before the
+allocated iio_dev is stored to st->ts_input. Thus call
+input_free_device() on input instead of st->ts_input.
+
+Fixes: 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens without TSMR")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Link: https://patch.msgid.link/20241207043045.1255409-1-joe@pf.is.s.u-tokyo.ac.jp
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/at91_adc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -985,7 +985,7 @@ static int at91_ts_register(struct iio_d
+       return ret;
+ err:
+-      input_free_device(st->ts_input);
++      input_free_device(input);
+       return ret;
+ }
diff --git a/queue-6.1/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch b/queue-6.1/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
new file mode 100644 (file)
index 0000000..5471035
--- /dev/null
@@ -0,0 +1,42 @@
+From 2a8e34096ec70d73ebb6d9920688ea312700cbd9 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Fri, 22 Nov 2024 13:43:08 -0300
+Subject: iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 2a8e34096ec70d73ebb6d9920688ea312700cbd9 upstream.
+
+Using gpiod_set_value() to control the reset GPIO causes some verbose
+warnings during boot when the reset GPIO is controlled by an I2C IO
+expander.
+
+As the caller can sleep, use the gpiod_set_value_cansleep() variant to
+fix the issue.
+
+Tested on a custom i.MX93 board with a ADS124S08 ADC.
+
+Cc: stable@kernel.org
+Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Link: https://patch.msgid.link/20241122164308.390340-1-festevam@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads124s08.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads124s08.c
++++ b/drivers/iio/adc/ti-ads124s08.c
+@@ -183,9 +183,9 @@ static int ads124s_reset(struct iio_dev
+       struct ads124s_private *priv = iio_priv(indio_dev);
+       if (priv->reset_gpio) {
+-              gpiod_set_value(priv->reset_gpio, 0);
++              gpiod_set_value_cansleep(priv->reset_gpio, 0);
+               udelay(200);
+-              gpiod_set_value(priv->reset_gpio, 1);
++              gpiod_set_value_cansleep(priv->reset_gpio, 1);
+       } else {
+               return ads124s_write_cmd(indio_dev, ADS124S08_CMD_RESET);
+       }
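Review bot: The `udelay(200);` between the two GPIO writes is a 200 µs busy-wait in a path that the commit message states can sleep. With the `_cansleep` accessors in place, a sleeping delay such as `usleep_range(200, 300);` would avoid spinning the CPU during reset. The upper bound there is a constructed example and should follow the reset pulse width in the device datasheet. ads124s_reset continues past the end of the hunk.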
diff --git a/queue-6.1/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch b/queue-6.1/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..92a0601
--- /dev/null
@@ -0,0 +1,37 @@
+From 2a7377ccfd940cd6e9201756aff1e7852c266e69 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:16 +0100
+Subject: iio: adc: ti-ads8688: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 2a7377ccfd940cd6e9201756aff1e7852c266e69 upstream.
+
+The 'buffer' local array is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 61fa5dfa5f52 ("iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-8-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ti-ads8688.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads8688.c
++++ b/drivers/iio/adc/ti-ads8688.c
+@@ -382,7 +382,7 @@ static irqreturn_t ads8688_trigger_handl
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       /* Ensure naturally aligned timestamp */
+-      u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8);
++      u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8) = { };
+       int i, j = 0;
+       for (i = 0; i < indio_dev->masklength; i++) {
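Review bot: Nothing at the declaration says why `buffer` is zero-initialised, so a later cleanup could drop `= { }` as redundant and reintroduce the leak of stack contents in elements the loop never writes. A one-line comment would pin the intent, for example `/* Zeroed so elements not written below never expose stack data to userspace */`. The same applies to `s16 buffer[8] = { };` in the kmx61 hunk and to the `kzalloc()` call in the iio_simple_dummy_buffer hunk. The handler's body continues outside the hunk.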
diff --git a/queue-6.1/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch b/queue-6.1/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..4a27dd8
--- /dev/null
@@ -0,0 +1,38 @@
+From 333be433ee908a53f283beb95585dfc14c8ffb46 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:17 +0100
+Subject: iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 333be433ee908a53f283beb95585dfc14c8ffb46 upstream.
+
+The 'data' array is allocated via kmalloc() and it is used to push data
+to user space from a triggered buffer, but it does not set values for
+inactive channels, as it only uses iio_for_each_active_channel()
+to assign new values.
+
+Use kzalloc for the memory allocation to avoid pushing uninitialized
+information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 415f79244757 ("iio: Move IIO Dummy Driver out of staging")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-9-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dummy/iio_simple_dummy_buffer.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/dummy/iio_simple_dummy_buffer.c
++++ b/drivers/iio/dummy/iio_simple_dummy_buffer.c
+@@ -48,7 +48,7 @@ static irqreturn_t iio_simple_dummy_trig
+       int i = 0, j;
+       u16 *data;
+-      data = kmalloc(indio_dev->scan_bytes, GFP_KERNEL);
++      data = kzalloc(indio_dev->scan_bytes, GFP_KERNEL);
+       if (!data)
+               goto done;
diff --git a/queue-6.1/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch b/queue-6.1/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
new file mode 100644 (file)
index 0000000..bacbc44
--- /dev/null
@@ -0,0 +1,53 @@
+From fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 Mon Sep 17 00:00:00 2001
+From: Carlos Song <carlos.song@nxp.com>
+Date: Sat, 16 Nov 2024 10:29:45 -0500
+Subject: iio: gyro: fxas21002c: Fix missing data update in trigger handler
+
+From: Carlos Song <carlos.song@nxp.com>
+
+commit fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 upstream.
+
+The fxas21002c_trigger_handler() may fail to acquire sample data because
+the runtime PM enters the autosuspend state and sensor can not return
+sample data in standby mode..
+
+Resume the sensor before reading the sample data into the buffer within the
+trigger handler. After the data is read, place the sensor back into the
+autosuspend state.
+
+Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c")
+Signed-off-by: Carlos Song <carlos.song@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20241116152945.4006374-1-Frank.Li@nxp.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/fxas21002c_core.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/gyro/fxas21002c_core.c
++++ b/drivers/iio/gyro/fxas21002c_core.c
+@@ -730,14 +730,21 @@ static irqreturn_t fxas21002c_trigger_ha
+       int ret;
+       mutex_lock(&data->lock);
++      ret = fxas21002c_pm_get(data);
++      if (ret < 0)
++              goto out_unlock;
++
+       ret = regmap_bulk_read(data->regmap, FXAS21002C_REG_OUT_X_MSB,
+                              data->buffer, CHANNEL_SCAN_MAX * sizeof(s16));
+       if (ret < 0)
+-              goto out_unlock;
++              goto out_pm_put;
+       iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
+                                          data->timestamp);
++out_pm_put:
++      fxas21002c_pm_put(data);
++
+ out_unlock:
+       mutex_unlock(&data->lock);
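Review bot: When `fxas21002c_pm_get()` fails, the new code jumps to `out_unlock` and skips `fxas21002c_pm_put()`, which is balanced only if the helper drops its runtime-PM usage count on failure. The helper is not visible in this hunk; if in this stable tree it wraps `pm_runtime_get_sync()` rather than `pm_runtime_resume_and_get()`, every failed resume would leak a reference and keep the device from autosuspending. That is worth confirming against the 6.1 source before queuing, with the jump changed to `goto out_pm_put;` if the helper keeps the count. Both failure paths are also silent, so a `dev_err_ratelimited()` on the error branches would help diagnose missing samples. The handler's body starts and ends outside the hunk.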
diff --git a/queue-6.1/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch b/queue-6.1/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..1006454
--- /dev/null
@@ -0,0 +1,37 @@
+From 6ae053113f6a226a2303caa4936a4c37f3bfff7b Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:13 +0100
+Subject: iio: imu: kmx61: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 6ae053113f6a226a2303caa4936a4c37f3bfff7b upstream.
+
+The 'buffer' local array is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: c3a23ecc0901 ("iio: imu: kmx61: Add support for data ready triggers")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-5-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/kmx61.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/kmx61.c
++++ b/drivers/iio/imu/kmx61.c
+@@ -1192,7 +1192,7 @@ static irqreturn_t kmx61_trigger_handler
+       struct kmx61_data *data = kmx61_get_data(indio_dev);
+       int bit, ret, i = 0;
+       u8 base;
+-      s16 buffer[8];
++      s16 buffer[8] = { };
+       if (indio_dev == data->acc_indio_dev)
+               base = KMX61_ACC_XOUT_L;
diff --git a/queue-6.1/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch b/queue-6.1/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
new file mode 100644 (file)
index 0000000..e25b7df
--- /dev/null
@@ -0,0 +1,35 @@
+From 64f43895b4457532a3cc524ab250b7a30739a1b1 Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Wed, 4 Dec 2024 20:13:42 +0900
+Subject: iio: inkern: call iio_device_put() only on mapped devices
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit 64f43895b4457532a3cc524ab250b7a30739a1b1 upstream.
+
+In the error path of iio_channel_get_all(), iio_device_put() is called
+on all IIO devices, which can cause a refcount imbalance. Fix this error
+by calling iio_device_put() only on IIO devices whose refcounts were
+previously incremented by iio_device_get().
+
+Fixes: 314be14bb893 ("iio: Rename _st_ functions to loose the bit that meant the staging version.")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Link: https://patch.msgid.link/20241204111342.1246706-1-joe@pf.is.s.u-tokyo.ac.jp
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/inkern.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -513,7 +513,7 @@ struct iio_channel *iio_channel_get_all(
+       return chans;
+ error_free_chans:
+-      for (i = 0; i < nummaps; i++)
++      for (i = 0; i < mapind; i++)
+               iio_device_put(chans[i].indio_dev);
+       kfree(chans);
+ error_ret:
diff --git a/queue-6.1/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch b/queue-6.1/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..f7bec42
--- /dev/null
@@ -0,0 +1,39 @@
+From 47b43e53c0a0edf5578d5d12f5fc71c019649279 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:14 +0100
+Subject: iio: light: vcnl4035: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 47b43e53c0a0edf5578d5d12f5fc71c019649279 upstream.
+
+The 'buffer' local array is used to push data to userspace from a
+triggered buffer, but it does not set an initial value for the single
+data element, which is an u16 aligned to 8 bytes. That leaves at least
+4 bytes uninitialized even after writing an integer value with
+regmap_read().
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: ec90b52c07c0 ("iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-6-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/vcnl4035.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/light/vcnl4035.c
++++ b/drivers/iio/light/vcnl4035.c
+@@ -105,7 +105,7 @@ static irqreturn_t vcnl4035_trigger_cons
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct vcnl4035_data *data = iio_priv(indio_dev);
+       /* Ensure naturally aligned timestamp */
+-      u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)]  __aligned(8);
++      u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)]  __aligned(8) = { };
+       int ret;
+       ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, (int *)buffer);
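Review bot: The context line `regmap_read(data->regmap, VCNL4035_ALS_DATA, (int *)buffer);` stores a full `int` through a cast of the `u8` array, so where the 16-bit sample lands inside `buffer` presumably depends on host byte order. Zero-initialising the array removes the stack-data leak but leaves that layout dependence in place. Reading into a local, `unsigned int val;` then `ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, &val);`, and storing it as a `u16` in a small struct with an aligned timestamp would make the layout explicit. The `ret` check and the push to the buffer are outside the hunk.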
diff --git a/queue-6.1/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch b/queue-6.1/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
new file mode 100644 (file)
index 0000000..67a1d82
--- /dev/null
@@ -0,0 +1,38 @@
+From 6007d10c5262f6f71479627c1216899ea7f09073 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Mon, 25 Nov 2024 22:16:11 +0100
+Subject: iio: pressure: zpa2326: fix information leak in triggered buffer
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 6007d10c5262f6f71479627c1216899ea7f09073 upstream.
+
+The 'sample' local struct is used to push data to user space from a
+triggered buffer, but it has a hole between the temperature and the
+timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp).
+This hole is never initialized.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-3-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/pressure/zpa2326.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/pressure/zpa2326.c
++++ b/drivers/iio/pressure/zpa2326.c
+@@ -586,6 +586,8 @@ static int zpa2326_fill_sample_buffer(st
+       }   sample;
+       int err;
++      memset(&sample, 0, sizeof(sample));
++
+       if (test_bit(0, indio_dev->active_scan_mask)) {
+               /* Get current pressure from hardware FIFO. */
+               err = zpa2326_dequeue_pressure(indio_dev, &sample.pressure);
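Review bot: The added `memset(&sample, 0, sizeof(sample));` carries no comment explaining why it is a memset rather than an initialiser, and the difference matters here. The commit message identifies a padding hole between the temperature and the timestamp, and an `= { }` initialiser is not guaranteed to clear padding bytes on every compiler. A short comment such as `/* memset, not an initialiser: the padding before the timestamp must be zeroed too */` would keep a later cleanup from converting it. The struct definition and the rest of zpa2326_fill_sample_buffer are outside the hunk.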
index fb2e0eba0a06c728865700eb6b07c1c9dd331aeb..b65dd9e7af91730896422a571f4828d7235be3a2 100644 (file)
@@ -70,3 +70,13 @@ usb-core-disable-lpm-only-for-non-suspended-ports.patch
 usb-fix-reference-leak-in-usb_new_device.patch
 usb-gadget-f_uac2-fix-incorrect-setting-of-bnumendpoints.patch
 usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch
+iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
+iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
+iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
+iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
+iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
+iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
+iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
+iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
+iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
+iio-adc-ad7124-disable-all-channels-at-probe-time.patch