From: Greg Kroah-Hartman Date: Mon, 27 Jun 2022 09:17:41 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.202~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b98df3c9cc988b01062af6c1e709b4d255938934;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch iio-accel-mxc4005-rearrange-iio-trigger-get-and-register.patch iio-adc-stm32-fix-adcs-iteration-in-irq-handler.patch iio-adc-stm32-fix-irqs-on-stm32f4-by-removing-custom-spurious-irqs-message.patch iio-adc-stm32-fix-maximum-clock-rate-for-stm32mp15x.patch iio-chemical-ccs811-rearrange-iio-trigger-get-and-register.patch iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch iio-imu-inv_icm42600-fix-broken-icm42600-chip-id-0-value.patch iio-trigger-sysfs-fix-use-after-free-on-remove.patch --- diff --git a/queue-5.10/iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch b/queue-5.10/iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch new file mode 100644 index 00000000000..f603388957f --- /dev/null +++ b/queue-5.10/iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch @@ -0,0 +1,45 @@ +From e5f3205b04d7f95a2ef43bce4b454a7f264d6923 Mon Sep 17 00:00:00 2001 +From: Dmitry Rokosov +Date: Tue, 24 May 2022 18:14:39 +0000 +Subject: iio:accel:bma180: rearrange iio trigger get and register + +From: Dmitry Rokosov + +commit e5f3205b04d7f95a2ef43bce4b454a7f264d6923 upstream. + +IIO trigger interface function iio_trigger_get() should be called after +iio_trigger_register() (or its devm analogue) strictly, because of +iio_trigger_get() acquires module refcnt based on the trigger->owner +pointer, which is initialized inside iio_trigger_register() to +THIS_MODULE. +If this call order is wrong, the next iio_trigger_put() (from sysfs +callback or "delete module" path) will dereference "default" module +refcnt, which is incorrect behaviour. + +Fixes: 0668a4e4d297 ("iio: accel: bma180: Fix indio_dev->trig assignment") +Signed-off-by: Dmitry Rokosov +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220524181150.9240-2-ddrokosov@sberdevices.ru +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/bma180.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/iio/accel/bma180.c ++++ b/drivers/iio/accel/bma180.c +@@ -1068,11 +1068,12 @@ static int bma180_probe(struct i2c_clien + data->trig->dev.parent = dev; + data->trig->ops = &bma180_trigger_ops; + iio_trigger_set_drvdata(data->trig, indio_dev); +- indio_dev->trig = iio_trigger_get(data->trig); + + ret = iio_trigger_register(data->trig); + if (ret) + goto err_trigger_free; ++ ++ indio_dev->trig = iio_trigger_get(data->trig); + } + + ret = iio_triggered_buffer_setup(indio_dev, NULL, diff --git a/queue-5.10/iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch b/queue-5.10/iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch new file mode 100644 index 00000000000..6417df12c82 --- /dev/null +++ b/queue-5.10/iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch @@ -0,0 +1,44 @@ +From bf745142cc0a3e1723f9207fb0c073c88464b7b4 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Wed, 15 Jun 2022 19:31:58 +0800 +Subject: iio: accel: mma8452: ignore the return value of reset operation + +From: Haibo Chen + +commit bf745142cc0a3e1723f9207fb0c073c88464b7b4 upstream. + +On fxls8471, after set the reset bit, the device will reset immediately, +will not give ACK. So ignore the return value of this reset operation, +let the following code logic to check whether the reset operation works. + +Signed-off-by: Haibo Chen +Fixes: ecabae713196 ("iio: mma8452: Initialise before activating") +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/1655292718-14287-1-git-send-email-haibo.chen@nxp.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/mma8452.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -1496,10 +1496,14 @@ static int mma8452_reset(struct i2c_clie + int i; + int ret; + +- ret = i2c_smbus_write_byte_data(client, MMA8452_CTRL_REG2, ++ /* ++ * Find on fxls8471, after config reset bit, it reset immediately, ++ * and will not give ACK, so here do not check the return value. ++ * The following code will read the reset register, and check whether ++ * this reset works. ++ */ ++ i2c_smbus_write_byte_data(client, MMA8452_CTRL_REG2, + MMA8452_CTRL_REG2_RST); +- if (ret < 0) +- return ret; + + for (i = 0; i < 10; i++) { + usleep_range(100, 200); diff --git a/queue-5.10/iio-accel-mxc4005-rearrange-iio-trigger-get-and-register.patch b/queue-5.10/iio-accel-mxc4005-rearrange-iio-trigger-get-and-register.patch new file mode 100644 index 00000000000..6db4c6d9553 --- /dev/null +++ b/queue-5.10/iio-accel-mxc4005-rearrange-iio-trigger-get-and-register.patch @@ -0,0 +1,49 @@ +From 9354c224c9b4f55847a0de3e968cba2ebf15af3b Mon Sep 17 00:00:00 2001 +From: Dmitry Rokosov +Date: Tue, 24 May 2022 18:14:43 +0000 +Subject: iio:accel:mxc4005: rearrange iio trigger get and register + +From: Dmitry Rokosov + +commit 9354c224c9b4f55847a0de3e968cba2ebf15af3b upstream. + +IIO trigger interface function iio_trigger_get() should be called after +iio_trigger_register() (or its devm analogue) strictly, because of +iio_trigger_get() acquires module refcnt based on the trigger->owner +pointer, which is initialized inside iio_trigger_register() to +THIS_MODULE. +If this call order is wrong, the next iio_trigger_put() (from sysfs +callback or "delete module" path) will dereference "default" module +refcnt, which is incorrect behaviour. + +Fixes: 47196620c82f ("iio: mxc4005: add data ready trigger for mxc4005") +Signed-off-by: Dmitry Rokosov +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220524181150.9240-4-ddrokosov@sberdevices.ru +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/mxc4005.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/accel/mxc4005.c ++++ b/drivers/iio/accel/mxc4005.c +@@ -461,8 +461,6 @@ static int mxc4005_probe(struct i2c_clie + data->dready_trig->dev.parent = &client->dev; + data->dready_trig->ops = &mxc4005_trigger_ops; + iio_trigger_set_drvdata(data->dready_trig, indio_dev); +- indio_dev->trig = data->dready_trig; +- iio_trigger_get(indio_dev->trig); + ret = devm_iio_trigger_register(&client->dev, + data->dready_trig); + if (ret) { +@@ -470,6 +468,8 @@ static int mxc4005_probe(struct i2c_clie + "failed to register trigger\n"); + return ret; + } ++ ++ indio_dev->trig = iio_trigger_get(data->dready_trig); + } + + return devm_iio_device_register(&client->dev, indio_dev); diff --git a/queue-5.10/iio-adc-stm32-fix-adcs-iteration-in-irq-handler.patch b/queue-5.10/iio-adc-stm32-fix-adcs-iteration-in-irq-handler.patch new file mode 100644 index 00000000000..39ae8874e78 --- /dev/null +++ b/queue-5.10/iio-adc-stm32-fix-adcs-iteration-in-irq-handler.patch @@ -0,0 +1,79 @@ +From d2214cca4d3eadc74eac9e30301ec7cad5355f00 Mon Sep 17 00:00:00 2001 +From: Yannick Brosseau +Date: Mon, 16 May 2022 16:39:38 -0400 +Subject: iio: adc: stm32: Fix ADCs iteration in irq handler + +From: Yannick Brosseau + +commit d2214cca4d3eadc74eac9e30301ec7cad5355f00 upstream. + +The irq handler was only checking the mask for the first ADCs in the case of the +F4 and H7 generation, since it was iterating up to the num_irq value. This patch add +the maximum number of ADC in the common register, which map to the number of entries of +eoc_msk and ovr_msk in stm32_adc_common_regs. This allow the handler to check all ADCs in +that module. + +Tested on a STM32F429NIH6. + +Fixes: 695e2f5c289b ("iio: adc: stm32-adc: fix a regression when using dma and irq") +Signed-off-by: Yannick Brosseau +Reviewed-by: Fabrice Gasnier +Link: https://lore.kernel.org/r/20220516203939.3498673-2-yannick.brosseau@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/stm32-adc-core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -64,6 +64,7 @@ struct stm32_adc_priv; + * @max_clk_rate_hz: maximum analog clock rate (Hz, from datasheet) + * @has_syscfg: SYSCFG capability flags + * @num_irqs: number of interrupt lines ++ * @num_adcs: maximum number of ADC instances in the common registers + */ + struct stm32_adc_priv_cfg { + const struct stm32_adc_common_regs *regs; +@@ -71,6 +72,7 @@ struct stm32_adc_priv_cfg { + u32 max_clk_rate_hz; + unsigned int has_syscfg; + unsigned int num_irqs; ++ unsigned int num_adcs; + }; + + /** +@@ -333,7 +335,7 @@ static void stm32_adc_irq_handler(struct + * before invoking the interrupt handler (e.g. call ISR only for + * IRQ-enabled ADCs). + */ +- for (i = 0; i < priv->cfg->num_irqs; i++) { ++ for (i = 0; i < priv->cfg->num_adcs; i++) { + if ((status & priv->cfg->regs->eoc_msk[i] && + stm32_adc_eoc_enabled(priv, i)) || + (status & priv->cfg->regs->ovr_msk[i])) +@@ -784,6 +786,7 @@ static const struct stm32_adc_priv_cfg s + .clk_sel = stm32f4_adc_clk_sel, + .max_clk_rate_hz = 36000000, + .num_irqs = 1, ++ .num_adcs = 3, + }; + + static const struct stm32_adc_priv_cfg stm32h7_adc_priv_cfg = { +@@ -792,6 +795,7 @@ static const struct stm32_adc_priv_cfg s + .max_clk_rate_hz = 36000000, + .has_syscfg = HAS_VBOOSTER, + .num_irqs = 1, ++ .num_adcs = 2, + }; + + static const struct stm32_adc_priv_cfg stm32mp1_adc_priv_cfg = { +@@ -800,6 +804,7 @@ static const struct stm32_adc_priv_cfg s + .max_clk_rate_hz = 36000000, + .has_syscfg = HAS_VBOOSTER | HAS_ANASWVDD, + .num_irqs = 2, ++ .num_adcs = 2, + }; + + static const struct of_device_id stm32_adc_of_match[] = { diff --git a/queue-5.10/iio-adc-stm32-fix-irqs-on-stm32f4-by-removing-custom-spurious-irqs-message.patch b/queue-5.10/iio-adc-stm32-fix-irqs-on-stm32f4-by-removing-custom-spurious-irqs-message.patch new file mode 100644 index 00000000000..80df78fa84b --- /dev/null +++ b/queue-5.10/iio-adc-stm32-fix-irqs-on-stm32f4-by-removing-custom-spurious-irqs-message.patch @@ -0,0 +1,60 @@ +From 99bded02dae5e1e2312813506c41dc8db2fb656c Mon Sep 17 00:00:00 2001 +From: Yannick Brosseau +Date: Mon, 16 May 2022 16:39:39 -0400 +Subject: iio: adc: stm32: Fix IRQs on STM32F4 by removing custom spurious IRQs message + +From: Yannick Brosseau + +commit 99bded02dae5e1e2312813506c41dc8db2fb656c upstream. + +The check for spurious IRQs introduced in 695e2f5c289bb assumed that the bits +in the control and status registers are aligned. This is true for the H7 and MP1 +version, but not the F4. The interrupt was then never handled on the F4. + +Instead of increasing the complexity of the comparison and check each bit specifically, +we remove this check completely and rely on the generic handler for spurious IRQs. + +Fixes: 695e2f5c289b ("iio: adc: stm32-adc: fix a regression when using dma and irq") +Signed-off-by: Yannick Brosseau +Reviewed-by: Fabrice Gasnier +Link: https://lore.kernel.org/r/20220516203939.3498673-3-yannick.brosseau@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/stm32-adc.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/drivers/iio/adc/stm32-adc.c ++++ b/drivers/iio/adc/stm32-adc.c +@@ -1265,7 +1265,6 @@ static irqreturn_t stm32_adc_threaded_is + struct stm32_adc *adc = iio_priv(indio_dev); + const struct stm32_adc_regspec *regs = adc->cfg->regs; + u32 status = stm32_adc_readl(adc, regs->isr_eoc.reg); +- u32 mask = stm32_adc_readl(adc, regs->ier_eoc.reg); + + /* Check ovr status right now, as ovr mask should be already disabled */ + if (status & regs->isr_ovr.mask) { +@@ -1280,11 +1279,6 @@ static irqreturn_t stm32_adc_threaded_is + return IRQ_HANDLED; + } + +- if (!(status & mask)) +- dev_err_ratelimited(&indio_dev->dev, +- "Unexpected IRQ: IER=0x%08x, ISR=0x%08x\n", +- mask, status); +- + return IRQ_NONE; + } + +@@ -1294,10 +1288,6 @@ static irqreturn_t stm32_adc_isr(int irq + struct stm32_adc *adc = iio_priv(indio_dev); + const struct stm32_adc_regspec *regs = adc->cfg->regs; + u32 status = stm32_adc_readl(adc, regs->isr_eoc.reg); +- u32 mask = stm32_adc_readl(adc, regs->ier_eoc.reg); +- +- if (!(status & mask)) +- return IRQ_WAKE_THREAD; + + if (status & regs->isr_ovr.mask) { + /* diff --git a/queue-5.10/iio-adc-stm32-fix-maximum-clock-rate-for-stm32mp15x.patch b/queue-5.10/iio-adc-stm32-fix-maximum-clock-rate-for-stm32mp15x.patch new file mode 100644 index 00000000000..ba69c68ebe9 --- /dev/null +++ b/queue-5.10/iio-adc-stm32-fix-maximum-clock-rate-for-stm32mp15x.patch @@ -0,0 +1,34 @@ +From 990539486e7e311fb5dab1bf4d85d1a8973ae644 Mon Sep 17 00:00:00 2001 +From: Olivier Moysan +Date: Thu, 9 Jun 2022 11:52:34 +0200 +Subject: iio: adc: stm32: fix maximum clock rate for stm32mp15x + +From: Olivier Moysan + +commit 990539486e7e311fb5dab1bf4d85d1a8973ae644 upstream. + +Change maximum STM32 ADC input clock rate to 36MHz, as specified +in STM32MP15x datasheets. + +Fixes: d58c67d1d851 ("iio: adc: stm32-adc: add support for STM32MP1") +Signed-off-by: Olivier Moysan +Reviewed-by: Fabrice Gasnier +Link: https://lore.kernel.org/r/20220609095234.375925-1-olivier.moysan@foss.st.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/stm32-adc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -797,7 +797,7 @@ static const struct stm32_adc_priv_cfg s + static const struct stm32_adc_priv_cfg stm32mp1_adc_priv_cfg = { + .regs = &stm32h7_adc_common_regs, + .clk_sel = stm32h7_adc_clk_sel, +- .max_clk_rate_hz = 40000000, ++ .max_clk_rate_hz = 36000000, + .has_syscfg = HAS_VBOOSTER | HAS_ANASWVDD, + .num_irqs = 2, + }; diff --git a/queue-5.10/iio-chemical-ccs811-rearrange-iio-trigger-get-and-register.patch b/queue-5.10/iio-chemical-ccs811-rearrange-iio-trigger-get-and-register.patch new file mode 100644 index 00000000000..32a1e517186 --- /dev/null +++ b/queue-5.10/iio-chemical-ccs811-rearrange-iio-trigger-get-and-register.patch @@ -0,0 +1,45 @@ +From d710359c0b445e8c03e24f19ae2fb79ce7282260 Mon Sep 17 00:00:00 2001 +From: Dmitry Rokosov +Date: Tue, 24 May 2022 18:14:45 +0000 +Subject: iio:chemical:ccs811: rearrange iio trigger get and register + +From: Dmitry Rokosov + +commit d710359c0b445e8c03e24f19ae2fb79ce7282260 upstream. + +IIO trigger interface function iio_trigger_get() should be called after +iio_trigger_register() (or its devm analogue) strictly, because of +iio_trigger_get() acquires module refcnt based on the trigger->owner +pointer, which is initialized inside iio_trigger_register() to +THIS_MODULE. +If this call order is wrong, the next iio_trigger_put() (from sysfs +callback or "delete module" path) will dereference "default" module +refcnt, which is incorrect behaviour. + +Fixes: f1f065d7ac30 ("iio: chemical: ccs811: Add support for data ready trigger") +Signed-off-by: Dmitry Rokosov +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220524181150.9240-5-ddrokosov@sberdevices.ru +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/chemical/ccs811.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/chemical/ccs811.c ++++ b/drivers/iio/chemical/ccs811.c +@@ -500,11 +500,11 @@ static int ccs811_probe(struct i2c_clien + data->drdy_trig->dev.parent = &client->dev; + data->drdy_trig->ops = &ccs811_trigger_ops; + iio_trigger_set_drvdata(data->drdy_trig, indio_dev); +- indio_dev->trig = data->drdy_trig; +- iio_trigger_get(indio_dev->trig); + ret = iio_trigger_register(data->drdy_trig); + if (ret) + goto err_poweroff; ++ ++ indio_dev->trig = iio_trigger_get(data->drdy_trig); + } + + ret = iio_triggered_buffer_setup(indio_dev, NULL, diff --git a/queue-5.10/iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch b/queue-5.10/iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch new file mode 100644 index 00000000000..ad6ceeca98c --- /dev/null +++ b/queue-5.10/iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch @@ -0,0 +1,31 @@ +From b2f5ad97645e1deb5ca9bcb7090084b92cae35d2 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma +Date: Tue, 10 May 2022 17:24:31 +0800 +Subject: iio: gyro: mpu3050: Fix the error handling in mpu3050_power_up() + +From: Zheyu Ma + +commit b2f5ad97645e1deb5ca9bcb7090084b92cae35d2 upstream. + +The driver should disable regulators when fails at regmap_update_bits(). + +Signed-off-by: Zheyu Ma +Reviewed-by: Linus Walleij +Cc: +Link: https://lore.kernel.org/r/20220510092431.1711284-1-zheyuma97@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/mpu3050-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -872,6 +872,7 @@ static int mpu3050_power_up(struct mpu30 + ret = regmap_update_bits(mpu3050->map, MPU3050_PWR_MGM, + MPU3050_PWR_MGM_SLEEP, 0); + if (ret) { ++ regulator_bulk_disable(ARRAY_SIZE(mpu3050->regs), mpu3050->regs); + dev_err(mpu3050->dev, "error setting power mode\n"); + return ret; + } diff --git a/queue-5.10/iio-imu-inv_icm42600-fix-broken-icm42600-chip-id-0-value.patch b/queue-5.10/iio-imu-inv_icm42600-fix-broken-icm42600-chip-id-0-value.patch new file mode 100644 index 00000000000..78dc880a4ac --- /dev/null +++ b/queue-5.10/iio-imu-inv_icm42600-fix-broken-icm42600-chip-id-0-value.patch @@ -0,0 +1,47 @@ +From 106b391e1b859100a3f38f0ad874236e9be06bde Mon Sep 17 00:00:00 2001 +From: Jean-Baptiste Maneyrol +Date: Thu, 9 Jun 2022 12:23:01 +0200 +Subject: iio: imu: inv_icm42600: Fix broken icm42600 (chip id 0 value) + +From: Jean-Baptiste Maneyrol + +commit 106b391e1b859100a3f38f0ad874236e9be06bde upstream. + +The 0 value used for INV_CHIP_ICM42600 was not working since the +match in i2c/spi was checking against NULL value. + +To keep this check, add a first INV_CHIP_INVALID 0 value as safe +guard. + +Fixes: 31c24c1e93c3 ("iio: imu: inv_icm42600: add core of new inv_icm42600 driver") +Signed-off-by: Jean-Baptiste Maneyrol +Link: https://lore.kernel.org/r/20220609102301.4794-1-jmaneyrol@invensense.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 + + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600.h ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600.h +@@ -17,6 +17,7 @@ + #include "inv_icm42600_buffer.h" + + enum inv_icm42600_chip { ++ INV_CHIP_INVALID, + INV_CHIP_ICM42600, + INV_CHIP_ICM42602, + INV_CHIP_ICM42605, +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +@@ -565,7 +565,7 @@ int inv_icm42600_core_probe(struct regma + bool open_drain; + int ret; + +- if (chip < 0 || chip >= INV_CHIP_NB) { ++ if (chip <= INV_CHIP_INVALID || chip >= INV_CHIP_NB) { + dev_err(dev, "invalid chip = %d\n", chip); + return -ENODEV; + } diff --git a/queue-5.10/iio-trigger-sysfs-fix-use-after-free-on-remove.patch b/queue-5.10/iio-trigger-sysfs-fix-use-after-free-on-remove.patch new file mode 100644 index 00000000000..491c2cd62b6 --- /dev/null +++ b/queue-5.10/iio-trigger-sysfs-fix-use-after-free-on-remove.patch @@ -0,0 +1,69 @@ +From 78601726d4a59a291acc5a52da1d3a0a6831e4e8 Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Thu, 19 May 2022 11:19:25 +0200 +Subject: iio: trigger: sysfs: fix use-after-free on remove + +From: Vincent Whitchurch + +commit 78601726d4a59a291acc5a52da1d3a0a6831e4e8 upstream. + +Ensure that the irq_work has completed before the trigger is freed. + + ================================================================== + BUG: KASAN: use-after-free in irq_work_run_list + Read of size 8 at addr 0000000064702248 by task python3/25 + + Call Trace: + irq_work_run_list + irq_work_tick + update_process_times + tick_sched_handle + tick_sched_timer + __hrtimer_run_queues + hrtimer_interrupt + + Allocated by task 25: + kmem_cache_alloc_trace + iio_sysfs_trig_add + dev_attr_store + sysfs_kf_write + kernfs_fop_write_iter + new_sync_write + vfs_write + ksys_write + sys_write + + Freed by task 25: + kfree + iio_sysfs_trig_remove + dev_attr_store + sysfs_kf_write + kernfs_fop_write_iter + new_sync_write + vfs_write + ksys_write + sys_write + + ================================================================== + +Fixes: f38bc926d022 ("staging:iio:sysfs-trigger: Use irq_work to properly active trigger") +Signed-off-by: Vincent Whitchurch +Reviewed-by: Lars-Peter Clausen +Link: https://lore.kernel.org/r/20220519091925.1053897-1-vincent.whitchurch@axis.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/trigger/iio-trig-sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/trigger/iio-trig-sysfs.c ++++ b/drivers/iio/trigger/iio-trig-sysfs.c +@@ -196,6 +196,7 @@ static int iio_sysfs_trigger_remove(int + } + + iio_trigger_unregister(t->trig); ++ irq_work_sync(&t->work); + iio_trigger_free(t->trig); + + list_del(&t->l); diff --git a/queue-5.10/series b/queue-5.10/series index c18f9ace3e3..618202d33c8 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -70,3 +70,13 @@ usb-gadget-fix-non-unique-driver-names-in-raw-gadget-driver.patch usb-gadget-fix-double-free-bug-in-raw_gadget-driver.patch usb-chipidea-udc-check-request-status-before-setting-device-address.patch f2fs-attach-inline_data-after-setting-compression.patch +iio-chemical-ccs811-rearrange-iio-trigger-get-and-register.patch +iio-accel-bma180-rearrange-iio-trigger-get-and-register.patch +iio-accel-mxc4005-rearrange-iio-trigger-get-and-register.patch +iio-accel-mma8452-ignore-the-return-value-of-reset-operation.patch +iio-gyro-mpu3050-fix-the-error-handling-in-mpu3050_power_up.patch +iio-trigger-sysfs-fix-use-after-free-on-remove.patch +iio-adc-stm32-fix-maximum-clock-rate-for-stm32mp15x.patch +iio-imu-inv_icm42600-fix-broken-icm42600-chip-id-0-value.patch +iio-adc-stm32-fix-adcs-iteration-in-irq-handler.patch +iio-adc-stm32-fix-irqs-on-stm32f4-by-removing-custom-spurious-irqs-message.patch