From: Greg Kroah-Hartman Date: Mon, 9 Oct 2017 12:36:23 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.75~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35b2d84ae5e93921a3a770a1a200a837d1a1f972;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: iio-ad7793-fix-the-serial-interface-reset.patch iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch iio-adc-mcp320x-fix-oops-on-module-unload.patch iio-core-return-error-for-failed-read_reg.patch staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch uwb-ensure-that-endpoint-is-interrupt.patch uwb-properly-check-kthread_run-return-value.patch --- diff --git a/queue-3.18/iio-ad7793-fix-the-serial-interface-reset.patch b/queue-3.18/iio-ad7793-fix-the-serial-interface-reset.patch new file mode 100644 index 00000000000..1a4fcdd9c70 --- /dev/null +++ b/queue-3.18/iio-ad7793-fix-the-serial-interface-reset.patch @@ -0,0 +1,44 @@ +From 7ee3b7ebcb74714df6d94c8f500f307e1ee5dda5 Mon Sep 17 00:00:00 2001 +From: Dragos Bogdan +Date: Tue, 5 Sep 2017 15:16:13 +0300 +Subject: iio: ad7793: Fix the serial interface reset + +From: Dragos Bogdan + +commit 7ee3b7ebcb74714df6d94c8f500f307e1ee5dda5 upstream. + +The serial interface can be reset by writing 32 consecutive 1s to the device. +'ret' was initialized correctly but its value was overwritten when +ad7793_check_platform_data() was called. Since a dedicated reset function +is present now, it should be used instead. + +Fixes: 2edb769d246e ("iio:ad7793: Add support for the ad7798 and ad7799") +Signed-off-by: Dragos Bogdan +Acked-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad7793.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/ad7793.c ++++ b/drivers/iio/adc/ad7793.c +@@ -257,7 +257,7 @@ static int ad7793_setup(struct iio_dev * + unsigned int vref_mv) + { + struct ad7793_state *st = iio_priv(indio_dev); +- int i, ret = -1; ++ int i, ret; + unsigned long long scale_uv; + u32 id; + +@@ -266,7 +266,7 @@ static int ad7793_setup(struct iio_dev * + return ret; + + /* reset the serial interface */ +- ret = spi_write(st->sd.spi, (u8 *)&ret, sizeof(ret)); ++ ret = ad_sd_reset(&st->sd, 32); + if (ret < 0) + goto out; + usleep_range(500, 2000); /* Wait for at least 500us */ diff --git a/queue-3.18/iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch b/queue-3.18/iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch new file mode 100644 index 00000000000..f6edcdcb43e --- /dev/null +++ b/queue-3.18/iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch @@ -0,0 +1,73 @@ +From 7fc10de8d49a748c476532c9d8e8fe19e548dd67 Mon Sep 17 00:00:00 2001 +From: Dragos Bogdan +Date: Tue, 5 Sep 2017 15:14:45 +0300 +Subject: iio: ad_sigma_delta: Implement a dedicated reset function + +From: Dragos Bogdan + +commit 7fc10de8d49a748c476532c9d8e8fe19e548dd67 upstream. + +Since most of the SD ADCs have the option of reseting the serial +interface by sending a number of SCLKs with CS = 0 and DIN = 1, +a dedicated function that can do this is usefull. + +Needed for the patch: iio: ad7793: Fix the serial interface reset +Signed-off-by: Dragos Bogdan +Acked-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ad_sigma_delta.c | 28 ++++++++++++++++++++++++++++ + include/linux/iio/adc/ad_sigma_delta.h | 3 +++ + 2 files changed, 31 insertions(+) + +--- a/drivers/iio/adc/ad_sigma_delta.c ++++ b/drivers/iio/adc/ad_sigma_delta.c +@@ -177,6 +177,34 @@ out: + } + EXPORT_SYMBOL_GPL(ad_sd_read_reg); + ++/** ++ * ad_sd_reset() - Reset the serial interface ++ * ++ * @sigma_delta: The sigma delta device ++ * @reset_length: Number of SCLKs with DIN = 1 ++ * ++ * Returns 0 on success, an error code otherwise. ++ **/ ++int ad_sd_reset(struct ad_sigma_delta *sigma_delta, ++ unsigned int reset_length) ++{ ++ uint8_t *buf; ++ unsigned int size; ++ int ret; ++ ++ size = DIV_ROUND_UP(reset_length, 8); ++ buf = kcalloc(size, sizeof(*buf), GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ memset(buf, 0xff, size); ++ ret = spi_write(sigma_delta->spi, buf, size); ++ kfree(buf); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(ad_sd_reset); ++ + static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta, + unsigned int mode, unsigned int channel) + { +--- a/include/linux/iio/adc/ad_sigma_delta.h ++++ b/include/linux/iio/adc/ad_sigma_delta.h +@@ -111,6 +111,9 @@ int ad_sd_write_reg(struct ad_sigma_delt + int ad_sd_read_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg, + unsigned int size, unsigned int *val); + ++int ad_sd_reset(struct ad_sigma_delta *sigma_delta, ++ unsigned int reset_length); ++ + int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev, + const struct iio_chan_spec *chan, int *val); + int ad_sd_calibrate_all(struct ad_sigma_delta *sigma_delta, diff --git a/queue-3.18/iio-adc-mcp320x-fix-oops-on-module-unload.patch b/queue-3.18/iio-adc-mcp320x-fix-oops-on-module-unload.patch new file mode 100644 index 00000000000..61a8d2cf4b4 --- /dev/null +++ b/queue-3.18/iio-adc-mcp320x-fix-oops-on-module-unload.patch @@ -0,0 +1,45 @@ +From 0964e40947a630a2a6f724e968246992f97bcf1c Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 22 Aug 2017 15:33:00 +0200 +Subject: iio: adc: mcp320x: Fix oops on module unload + +From: Lukas Wunner + +commit 0964e40947a630a2a6f724e968246992f97bcf1c upstream. + +The driver calls spi_get_drvdata() in its ->remove hook even though it +has never called spi_set_drvdata(). Stack trace for posterity: + +Unable to handle kernel NULL pointer dereference at virtual address 00000220 +Internal error: Oops: 5 [#1] SMP ARM +[<8072f564>] (mutex_lock) from [<7f1400d0>] (iio_device_unregister+0x24/0x7c [industrialio]) +[<7f1400d0>] (iio_device_unregister [industrialio]) from [<7f15e020>] (mcp320x_remove+0x20/0x30 [mcp320x]) +[<7f15e020>] (mcp320x_remove [mcp320x]) from [<8055a8cc>] (spi_drv_remove+0x2c/0x44) +[<8055a8cc>] (spi_drv_remove) from [<805087bc>] (__device_release_driver+0x98/0x134) +[<805087bc>] (__device_release_driver) from [<80509180>] (driver_detach+0xdc/0xe0) +[<80509180>] (driver_detach) from [<8050823c>] (bus_remove_driver+0x5c/0xb0) +[<8050823c>] (bus_remove_driver) from [<80509ab0>] (driver_unregister+0x38/0x58) +[<80509ab0>] (driver_unregister) from [<7f15e69c>] (mcp320x_driver_exit+0x14/0x1c [mcp320x]) +[<7f15e69c>] (mcp320x_driver_exit [mcp320x]) from [<801a78d0>] (SyS_delete_module+0x184/0x1d0) +[<801a78d0>] (SyS_delete_module) from [<80108100>] (ret_fast_syscall+0x0/0x1c) + +Fixes: f5ce4a7a9291 ("iio: adc: add driver for MCP3204/08 12-bit ADC") +Cc: Oskar Andero +Signed-off-by: Lukas Wunner +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/mcp320x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/mcp320x.c ++++ b/drivers/iio/adc/mcp320x.c +@@ -180,6 +180,7 @@ static int mcp320x_probe(struct spi_devi + indio_dev->name = spi_get_device_id(spi)->name; + indio_dev->modes = INDIO_DIRECT_MODE; + indio_dev->info = &mcp320x_info; ++ spi_set_drvdata(spi, indio_dev); + + chip_info = &mcp3208_chip_infos[spi_get_device_id(spi)->driver_data]; + indio_dev->channels = chip_info->channels; diff --git a/queue-3.18/iio-core-return-error-for-failed-read_reg.patch b/queue-3.18/iio-core-return-error-for-failed-read_reg.patch new file mode 100644 index 00000000000..7dc604053a8 --- /dev/null +++ b/queue-3.18/iio-core-return-error-for-failed-read_reg.patch @@ -0,0 +1,37 @@ +From 3d62c78a6eb9a7d67bace9622b66ad51e81c5f9b Mon Sep 17 00:00:00 2001 +From: Matt Fornero +Date: Tue, 5 Sep 2017 16:34:10 +0200 +Subject: iio: core: Return error for failed read_reg + +From: Matt Fornero + +commit 3d62c78a6eb9a7d67bace9622b66ad51e81c5f9b upstream. + +If an IIO device returns an error code for a read access via debugfs, it +is currently ignored by the IIO core (other than emitting an error +message). Instead, return this error code to user space, so upper layers +can detect it correctly. + +Signed-off-by: Matt Fornero +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -188,8 +188,10 @@ static ssize_t iio_debugfs_read_reg(stru + ret = indio_dev->info->debugfs_reg_access(indio_dev, + indio_dev->cached_reg_addr, + 0, &val); +- if (ret) ++ if (ret) { + dev_err(indio_dev->dev.parent, "%s: read failed\n", __func__); ++ return ret; ++ } + + len = snprintf(buf, sizeof(buf), "0x%X\n", val); + diff --git a/queue-3.18/series b/queue-3.18/series index f038eaf3ce9..c9b80dd3412 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -13,3 +13,10 @@ usb-uas-fix-bug-in-handling-of-alternate-settings.patch usb-increase-quirk-delay-for-usb-devices.patch usb-fix-out-of-bounds-in-usb_set_configuration.patch xhci-fix-finding-correct-bus_state-structure-for-usb-3.1-hosts.patch +iio-ad_sigma_delta-implement-a-dedicated-reset-function.patch +staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch +iio-core-return-error-for-failed-read_reg.patch +iio-ad7793-fix-the-serial-interface-reset.patch +iio-adc-mcp320x-fix-oops-on-module-unload.patch +uwb-properly-check-kthread_run-return-value.patch +uwb-ensure-that-endpoint-is-interrupt.patch diff --git a/queue-3.18/staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch b/queue-3.18/staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch new file mode 100644 index 00000000000..1a484a51d17 --- /dev/null +++ b/queue-3.18/staging-iio-ad7192-fix-use-the-dedicated-reset-function-avoiding-dma-from-stack.patch @@ -0,0 +1,41 @@ +From f790923f146140a261ad211e5baf75d169f16fb2 Mon Sep 17 00:00:00 2001 +From: Stefan Popa +Date: Thu, 14 Sep 2017 16:50:28 +0300 +Subject: staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack. + +From: Stefan Popa + +commit f790923f146140a261ad211e5baf75d169f16fb2 upstream. + +Depends on: 691c4b95d1 ("iio: ad_sigma_delta: Implement a dedicated reset function") + +SPI host drivers can use DMA to transfer data, so the buffer should be properly allocated. +Keeping it on the stack could cause an undefined behavior. + +The dedicated reset function solves this issue. + +Signed-off-by: Stefan Popa +Acked-by: Lars-Peter Clausen +Acked-by: Michael Hennerich +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/adc/ad7192.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/iio/adc/ad7192.c ++++ b/drivers/staging/iio/adc/ad7192.c +@@ -206,11 +206,9 @@ static int ad7192_setup(struct ad7192_st + struct iio_dev *indio_dev = spi_get_drvdata(st->sd.spi); + unsigned long long scale_uv; + int i, ret, id; +- u8 ones[6]; + + /* reset the serial interface */ +- memset(&ones, 0xFF, 6); +- ret = spi_write(st->sd.spi, &ones, 6); ++ ret = ad_sd_reset(&st->sd, 48); + if (ret < 0) + goto out; + usleep_range(500, 1000); /* Wait for at least 500us */ diff --git a/queue-3.18/uwb-ensure-that-endpoint-is-interrupt.patch b/queue-3.18/uwb-ensure-that-endpoint-is-interrupt.patch new file mode 100644 index 00000000000..8b472c3e769 --- /dev/null +++ b/queue-3.18/uwb-ensure-that-endpoint-is-interrupt.patch @@ -0,0 +1,91 @@ +From 70e743e4cec3733dc13559f6184b35d358b9ef3f Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Thu, 14 Sep 2017 16:52:59 +0200 +Subject: uwb: ensure that endpoint is interrupt + +From: Andrey Konovalov + +commit 70e743e4cec3733dc13559f6184b35d358b9ef3f upstream. + +hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no +check for that, which results in a WARNING in USB core code, when a bad +USB descriptor is provided from a device: + +usb 1-1: BOGUS urb xfer, pipe 1 != type 3 +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 +Modules linked in: +CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Workqueue: usb_hub_wq hub_event +task: ffff88006bdc1a00 task.stack: ffff88006bde8000 +RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448 +RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282 +RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000 +RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a +RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff +R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f +R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90 +FS: 0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0 +Call Trace: + hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710 + uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361 + hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858 + usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:385 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 + bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 + __device_attach+0x269/0x3c0 drivers/base/dd.c:682 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 + bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 + device_add+0xcf9/0x1640 drivers/base/core.c:1703 + usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932 + generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 + usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 + really_probe drivers/base/dd.c:385 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 + bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 + __device_attach+0x269/0x3c0 drivers/base/dd.c:682 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 + bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 + device_add+0xcf9/0x1640 drivers/base/core.c:1703 + usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 + hub_port_connect drivers/usb/core/hub.c:4890 + hub_port_connect_change drivers/usb/core/hub.c:4996 + port_event drivers/usb/core/hub.c:5102 + hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182 + process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 + worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 + kthread+0x324/0x3f0 kernel/kthread.c:231 + ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 +Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89 +e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f> +ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6 +---[ end trace 55d741234124cfc3 ]--- + +Check that endpoint is interrupt. + +Found by syzkaller. + +Signed-off-by: Andrey Konovalov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/hwa-rc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/uwb/hwa-rc.c ++++ b/drivers/uwb/hwa-rc.c +@@ -827,6 +827,8 @@ static int hwarc_probe(struct usb_interf + + if (iface->cur_altsetting->desc.bNumEndpoints < 1) + return -ENODEV; ++ if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc)) ++ return -ENODEV; + + result = -ENOMEM; + uwb_rc = uwb_rc_alloc(); diff --git a/queue-3.18/uwb-properly-check-kthread_run-return-value.patch b/queue-3.18/uwb-properly-check-kthread_run-return-value.patch new file mode 100644 index 00000000000..24072b1680a --- /dev/null +++ b/queue-3.18/uwb-properly-check-kthread_run-return-value.patch @@ -0,0 +1,53 @@ +From bbf26183b7a6236ba602f4d6a2f7cade35bba043 Mon Sep 17 00:00:00 2001 +From: Andrey Konovalov +Date: Thu, 14 Sep 2017 14:30:55 +0200 +Subject: uwb: properly check kthread_run return value + +From: Andrey Konovalov + +commit bbf26183b7a6236ba602f4d6a2f7cade35bba043 upstream. + +uwbd_start() calls kthread_run() and checks that the return value is +not NULL. But the return value is not NULL in case kthread_run() fails, +it takes the form of ERR_PTR(-EINTR). + +Use IS_ERR() instead. + +Also add a check to uwbd_stop(). + +Signed-off-by: Andrey Konovalov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/uwbd.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/uwb/uwbd.c ++++ b/drivers/uwb/uwbd.c +@@ -303,18 +303,22 @@ static int uwbd(void *param) + /** Start the UWB daemon */ + void uwbd_start(struct uwb_rc *rc) + { +- rc->uwbd.task = kthread_run(uwbd, rc, "uwbd"); +- if (rc->uwbd.task == NULL) ++ struct task_struct *task = kthread_run(uwbd, rc, "uwbd"); ++ if (IS_ERR(task)) { ++ rc->uwbd.task = NULL; + printk(KERN_ERR "UWB: Cannot start management daemon; " + "UWB won't work\n"); +- else ++ } else { ++ rc->uwbd.task = task; + rc->uwbd.pid = rc->uwbd.task->pid; ++ } + } + + /* Stop the UWB daemon and free any unprocessed events */ + void uwbd_stop(struct uwb_rc *rc) + { +- kthread_stop(rc->uwbd.task); ++ if (rc->uwbd.task) ++ kthread_stop(rc->uwbd.task); + uwbd_flush(rc); + } +