git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From f2bf22dc9ea8ead180fc0221874bd556bf1d2685 Mon Sep 17 00:00:00 2001
   2 From: Hans de Goede <hdegoede@redhat.com>
   3 Date: Sun, 23 May 2021 19:00:55 +0200
   4 Subject: iio: accel: bmc150: Fix dereferencing the wrong pointer in bmc150_get/set_second_device
   5
   6 From: Hans de Goede <hdegoede@redhat.com>
   7
   8 commit f2bf22dc9ea8ead180fc0221874bd556bf1d2685 upstream.
   9
  10 The drvdata for iio-parent devices points to the struct iio_dev for
  11 the iio-device. So by directly casting the return from i2c_get_clientdata()
  12 to struct bmc150_accel_data * the code was ending up storing the second_dev
  13 pointer in (and retrieving it from) some semi-random offset inside
  14 struct iio_dev, rather then storing it in the second_dev member of the
  15 bmc150_accel_data struct.
  16
  17 Fix the code to get the struct bmc150_accel_data * pointer to call
  18 iio_priv() on the struct iio_dev * returned by i2c_get_clientdata(),
  19 so that the correct pointer gets dereferenced.
  20
  21 This fixes the following oops on rmmod, caused by trying to
  22 dereference the wrong return of bmc150_get_second_device():
  23
  24 [  238.980737] BUG: unable to handle page fault for address: 0000000000004710
  25 [  238.980755] #PF: supervisor read access in kernel mode
  26 [  238.980760] #PF: error_code(0x0000) - not-present page
  27 ...
  28 [  238.980841]  i2c_unregister_device.part.0+0x19/0x60
  29 [  238.980856]  0xffffffffc0815016
  30 [  238.980863]  i2c_device_remove+0x25/0xb0
  31 [  238.980869]  __device_release_driver+0x180/0x240
  32 [  238.980876]  driver_detach+0xd4/0x120
  33 [  238.980882]  bus_remove_driver+0x5b/0xd0
  34 [  238.980888]  i2c_del_driver+0x44/0x70
  35
  36 While at it also remove the now no longer sensible checks for data
  37 being NULL, iio_priv never returns NULL for an iio_dev with non 0
  38 sized private-data.
  39
  40 Fixes: 5bfb3a4bd8f6 ("iio: accel: bmc150: Check for a second ACPI device for BOSC0200")
  41 Cc: Jeremy Cline <jeremy@jcline.org>
  42 Signed-off-by: Hans de Goede <hdegoede@redhat.com>
  43 Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
  44 Cc: <Stable@vger.kernel.org>
  45 Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
  46 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  47
  48 ---
  49  drivers/iio/accel/bmc150-accel-core.c |   10 +++-------
  50  1 file changed, 3 insertions(+), 7 deletions(-)
  51
  52 --- a/drivers/iio/accel/bmc150-accel-core.c
  53 +++ b/drivers/iio/accel/bmc150-accel-core.c
  54 @@ -1810,10 +1810,7 @@ EXPORT_SYMBOL_GPL(bmc150_accel_core_prob
  55
  56  struct i2c_client *bmc150_get_second_device(struct i2c_client *client)
  57  {
  58 -       struct bmc150_accel_data *data = i2c_get_clientdata(client);
  59 -
  60 -       if (!data)
  61 -               return NULL;
  62 +       struct bmc150_accel_data *data = iio_priv(i2c_get_clientdata(client));
  63
  64         return data->second_device;
  65  }
  66 @@ -1821,10 +1818,9 @@ EXPORT_SYMBOL_GPL(bmc150_get_second_devi
  67
  68  void bmc150_set_second_device(struct i2c_client *client)
  69  {
  70 -       struct bmc150_accel_data *data = i2c_get_clientdata(client);
  71 +       struct bmc150_accel_data *data = iio_priv(i2c_get_clientdata(client));
  72
  73 -       if (data)
  74 -               data->second_device = client;
  75 +       data->second_device = client;
  76  }
  77  EXPORT_SYMBOL_GPL(bmc150_set_second_device);
  78