From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 27 Jun 2022 09:17:23 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.4.202~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e6827e458129a7c47396e3cb9e51ca4ce76502c;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch
	iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch
	iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch
	iio-trigger-sysfs-fix-use-after-free-on-remove.patch
---

diff --git a/queue-4.14/iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch b/queue-4.14/iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch
new file mode 100644
index 00000000000..cafdf2d7a18
--- /dev/null
+++ b/queue-4.14/iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch
@@ -0,0 +1,45 @@
+From e5f3205b04d7f95a2ef43bce4b454a7f264d6923 Mon Sep 17 00:00:00 2001
+From: Dmitry Rokosov <DDRokosov@sberdevices.ru>
+Date: Tue, 24 May 2022 18:14:39 +0000
+Subject: iio:accel:bma180: rearrange iio trigger get and register
+
+From: Dmitry Rokosov <DDRokosov@sberdevices.ru>
+
+commit e5f3205b04d7f95a2ef43bce4b454a7f264d6923 upstream.
+
+IIO trigger interface function iio_trigger_get() should be called after
+iio_trigger_register() (or its devm analogue) strictly, because of
+iio_trigger_get() acquires module refcnt based on the trigger->owner
+pointer, which is initialized inside iio_trigger_register() to
+THIS_MODULE.
+If this call order is wrong, the next iio_trigger_put() (from sysfs
+callback or "delete module" path) will dereference "default" module
+refcnt, which is incorrect behaviour.
+
+Fixes: 0668a4e4d297 ("iio: accel: bma180: Fix indio_dev->trig assignment")
+Signed-off-by: Dmitry Rokosov <ddrokosov@sberdevices.ru>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220524181150.9240-2-ddrokosov@sberdevices.ru
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/bma180.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/accel/bma180.c
++++ b/drivers/iio/accel/bma180.c
+@@ -782,11 +782,12 @@ static int bma180_probe(struct i2c_clien
+ 		data->trig->dev.parent = &client->dev;
+ 		data->trig->ops = &bma180_trigger_ops;
+ 		iio_trigger_set_drvdata(data->trig, indio_dev);
+-		indio_dev->trig = iio_trigger_get(data->trig);
+ 
+ 		ret = iio_trigger_register(data->trig);
+ 		if (ret)
+ 			goto err_trigger_free;
++
++		indio_dev->trig = iio_trigger_get(data->trig);
+ 	}
+ 
+ 	ret = iio_triggered_buffer_setup(indio_dev, NULL,
diff --git a/queue-4.14/iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch b/queue-4.14/iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch
new file mode 100644
index 00000000000..e1a3854831f
--- /dev/null
+++ b/queue-4.14/iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch
@@ -0,0 +1,44 @@
+From bf745142cc0a3e1723f9207fb0c073c88464b7b4 Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Wed, 15 Jun 2022 19:31:58 +0800
+Subject: iio: accel: mma8452: ignore the return value of reset operation
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit bf745142cc0a3e1723f9207fb0c073c88464b7b4 upstream.
+
+On fxls8471, after set the reset bit, the device will reset immediately,
+will not give ACK. So ignore the return value of this reset operation,
+let the following code logic to check whether the reset operation works.
+
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Fixes: ecabae713196 ("iio: mma8452: Initialise before activating")
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/1655292718-14287-1-git-send-email-haibo.chen@nxp.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/mma8452.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/accel/mma8452.c
++++ b/drivers/iio/accel/mma8452.c
+@@ -1412,10 +1412,14 @@ static int mma8452_reset(struct i2c_clie
+ 	int i;
+ 	int ret;
+ 
+-	ret = i2c_smbus_write_byte_data(client,	MMA8452_CTRL_REG2,
++	/*
++	 * Find on fxls8471, after config reset bit, it reset immediately,
++	 * and will not give ACK, so here do not check the return value.
++	 * The following code will read the reset register, and check whether
++	 * this reset works.
++	 */
++	i2c_smbus_write_byte_data(client, MMA8452_CTRL_REG2,
+ 					MMA8452_CTRL_REG2_RST);
+-	if (ret < 0)
+-		return ret;
+ 
+ 	for (i = 0; i < 10; i++) {
+ 		usleep_range(100, 200);
diff --git a/queue-4.14/iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch b/queue-4.14/iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch
new file mode 100644
index 00000000000..c9944d36ec1
--- /dev/null
+++ b/queue-4.14/iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch
@@ -0,0 +1,31 @@
+From b2f5ad97645e1deb5ca9bcb7090084b92cae35d2 Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Tue, 10 May 2022 17:24:31 +0800
+Subject: iio: gyro: mpu3050: Fix the error handling in mpu3050_power_up()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit b2f5ad97645e1deb5ca9bcb7090084b92cae35d2 upstream.
+
+The driver should disable regulators when fails at regmap_update_bits().
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220510092431.1711284-1-zheyuma97@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/mpu3050-core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/gyro/mpu3050-core.c
++++ b/drivers/iio/gyro/mpu3050-core.c
+@@ -874,6 +874,7 @@ static int mpu3050_power_up(struct mpu30
+ 	ret = regmap_update_bits(mpu3050->map, MPU3050_PWR_MGM,
+ 				 MPU3050_PWR_MGM_SLEEP, 0);
+ 	if (ret) {
++		regulator_bulk_disable(ARRAY_SIZE(mpu3050->regs), mpu3050->regs);
+ 		dev_err(mpu3050->dev, "error setting power mode\n");
+ 		return ret;
+ 	}
diff --git a/queue-4.14/iio-trigger-sysfs-fix-use-after-free-on-remove.patch b/queue-4.14/iio-trigger-sysfs-fix-use-after-free-on-remove.patch
new file mode 100644
index 00000000000..acedacdd942
--- /dev/null
+++ b/queue-4.14/iio-trigger-sysfs-fix-use-after-free-on-remove.patch
@@ -0,0 +1,69 @@
+From 78601726d4a59a291acc5a52da1d3a0a6831e4e8 Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Thu, 19 May 2022 11:19:25 +0200
+Subject: iio: trigger: sysfs: fix use-after-free on remove
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+commit 78601726d4a59a291acc5a52da1d3a0a6831e4e8 upstream.
+
+Ensure that the irq_work has completed before the trigger is freed.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in irq_work_run_list
+ Read of size 8 at addr 0000000064702248 by task python3/25
+
+ Call Trace:
+  irq_work_run_list
+  irq_work_tick
+  update_process_times
+  tick_sched_handle
+  tick_sched_timer
+  __hrtimer_run_queues
+  hrtimer_interrupt
+
+ Allocated by task 25:
+  kmem_cache_alloc_trace
+  iio_sysfs_trig_add
+  dev_attr_store
+  sysfs_kf_write
+  kernfs_fop_write_iter
+  new_sync_write
+  vfs_write
+  ksys_write
+  sys_write
+
+ Freed by task 25:
+  kfree
+  iio_sysfs_trig_remove
+  dev_attr_store
+  sysfs_kf_write
+  kernfs_fop_write_iter
+  new_sync_write
+  vfs_write
+  ksys_write
+  sys_write
+
+ ==================================================================
+
+Fixes: f38bc926d022 ("staging:iio:sysfs-trigger: Use irq_work to properly active trigger")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Link: https://lore.kernel.org/r/20220519091925.1053897-1-vincent.whitchurch@axis.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/trigger/iio-trig-sysfs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/trigger/iio-trig-sysfs.c
++++ b/drivers/iio/trigger/iio-trig-sysfs.c
+@@ -199,6 +199,7 @@ static int iio_sysfs_trigger_remove(int
+ 	}
+ 
+ 	iio_trigger_unregister(t->trig);
++	irq_work_sync(&t->work);
+ 	iio_trigger_free(t->trig);
+ 
+ 	list_del(&t->l);
diff --git a/queue-4.14/series b/queue-4.14/series
index aae93868807..ca2c3ff02d6 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -12,3 +12,7 @@ mips-remove-repetitive-increase-irq_err_count.patch
 igb-make-dma-faster-when-cpu-is-active-on-the-pcie-l.patch
 iio-adc-vf610-fix-conversion-mode-sysfs-node-name.patch
 usb-chipidea-udc-check-request-status-before-setting-device-address.patch
+iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch
+iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch
+iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch
+iio-trigger-sysfs-fix-use-after-free-on-remove.patch