From: Greg Kroah-Hartman Date: Mon, 13 Jan 2025 10:44:18 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.1.125~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5f715f382b021e8f0f7386ce50bd8996790a827c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch iio-inkern-call-iio_device_put-only-on-mapped-devices.patch iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch --- diff --git a/queue-5.4/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch b/queue-5.4/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch new file mode 100644 index 00000000000..6f3c71c9240 --- /dev/null +++ b/queue-5.4/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch @@ -0,0 +1,35 @@ +From de6a73bad1743e9e81ea5a24c178c67429ff510b Mon Sep 17 00:00:00 2001 +From: Joe Hattori +Date: Sat, 7 Dec 2024 13:30:45 +0900 +Subject: iio: adc: at91: call input_free_device() on allocated iio_dev + +From: Joe Hattori + +commit de6a73bad1743e9e81ea5a24c178c67429ff510b upstream. + +Current implementation of at91_ts_register() calls input_free_deivce() +on st->ts_input, however, the err label can be reached before the +allocated iio_dev is stored to st->ts_input. Thus call +input_free_device() on input instead of st->ts_input. + +Fixes: 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens without TSMR") +Signed-off-by: Joe Hattori +Link: https://patch.msgid.link/20241207043045.1255409-1-joe@pf.is.s.u-tokyo.ac.jp +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91_adc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/at91_adc.c ++++ b/drivers/iio/adc/at91_adc.c +@@ -1139,7 +1139,7 @@ static int at91_ts_register(struct at91_ + return ret; + + err: +- input_free_device(st->ts_input); ++ input_free_device(input); + return ret; + } + diff --git a/queue-5.4/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch b/queue-5.4/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch new file mode 100644 index 00000000000..a7d39639e56 --- /dev/null +++ b/queue-5.4/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch @@ -0,0 +1,42 @@ +From 2a8e34096ec70d73ebb6d9920688ea312700cbd9 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 22 Nov 2024 13:43:08 -0300 +Subject: iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() + +From: Fabio Estevam + +commit 2a8e34096ec70d73ebb6d9920688ea312700cbd9 upstream. + +Using gpiod_set_value() to control the reset GPIO causes some verbose +warnings during boot when the reset GPIO is controlled by an I2C IO +expander. + +As the caller can sleep, use the gpiod_set_value_cansleep() variant to +fix the issue. + +Tested on a custom i.MX93 board with a ADS124S08 ADC. + +Cc: stable@kernel.org +Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") +Signed-off-by: Fabio Estevam +Link: https://patch.msgid.link/20241122164308.390340-1-festevam@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ti-ads124s08.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/ti-ads124s08.c ++++ b/drivers/iio/adc/ti-ads124s08.c +@@ -182,9 +182,9 @@ static int ads124s_reset(struct iio_dev + struct ads124s_private *priv = iio_priv(indio_dev); + + if (priv->reset_gpio) { +- gpiod_set_value(priv->reset_gpio, 0); ++ gpiod_set_value_cansleep(priv->reset_gpio, 0); + udelay(200); +- gpiod_set_value(priv->reset_gpio, 1); ++ gpiod_set_value_cansleep(priv->reset_gpio, 1); + } else { + return ads124s_write_cmd(indio_dev, ADS124S08_CMD_RESET); + } diff --git a/queue-5.4/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch b/queue-5.4/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch new file mode 100644 index 00000000000..c23f36186c8 --- /dev/null +++ b/queue-5.4/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch @@ -0,0 +1,37 @@ +From 2a7377ccfd940cd6e9201756aff1e7852c266e69 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Mon, 25 Nov 2024 22:16:16 +0100 +Subject: iio: adc: ti-ads8688: fix information leak in triggered buffer + +From: Javier Carrasco + +commit 2a7377ccfd940cd6e9201756aff1e7852c266e69 upstream. + +The 'buffer' local array is used to push data to user space from a +triggered buffer, but it does not set values for inactive channels, as +it only uses iio_for_each_active_channel() to assign new values. + +Initialize the array to zero before using it to avoid pushing +uninitialized information to userspace. + +Cc: stable@vger.kernel.org +Fixes: 61fa5dfa5f52 ("iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-8-0cb6e98d895c@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ti-ads8688.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ti-ads8688.c ++++ b/drivers/iio/adc/ti-ads8688.c +@@ -384,7 +384,7 @@ static irqreturn_t ads8688_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + /* Ensure naturally aligned timestamp */ +- u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8); ++ u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8) = { }; + int i, j = 0; + + for (i = 0; i < indio_dev->masklength; i++) { diff --git a/queue-5.4/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch b/queue-5.4/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch new file mode 100644 index 00000000000..557eb1c36a0 --- /dev/null +++ b/queue-5.4/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch @@ -0,0 +1,38 @@ +From 333be433ee908a53f283beb95585dfc14c8ffb46 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Mon, 25 Nov 2024 22:16:17 +0100 +Subject: iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer + +From: Javier Carrasco + +commit 333be433ee908a53f283beb95585dfc14c8ffb46 upstream. + +The 'data' array is allocated via kmalloc() and it is used to push data +to user space from a triggered buffer, but it does not set values for +inactive channels, as it only uses iio_for_each_active_channel() +to assign new values. + +Use kzalloc for the memory allocation to avoid pushing uninitialized +information to userspace. + +Cc: stable@vger.kernel.org +Fixes: 415f79244757 ("iio: Move IIO Dummy Driver out of staging") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-9-0cb6e98d895c@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/dummy/iio_simple_dummy_buffer.c ++++ b/drivers/iio/dummy/iio_simple_dummy_buffer.c +@@ -48,7 +48,7 @@ static irqreturn_t iio_simple_dummy_trig + int len = 0; + u16 *data; + +- data = kmalloc(indio_dev->scan_bytes, GFP_KERNEL); ++ data = kzalloc(indio_dev->scan_bytes, GFP_KERNEL); + if (!data) + goto done; + diff --git a/queue-5.4/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch b/queue-5.4/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch new file mode 100644 index 00000000000..a8b1d54c760 --- /dev/null +++ b/queue-5.4/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch @@ -0,0 +1,53 @@ +From fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 Mon Sep 17 00:00:00 2001 +From: Carlos Song +Date: Sat, 16 Nov 2024 10:29:45 -0500 +Subject: iio: gyro: fxas21002c: Fix missing data update in trigger handler + +From: Carlos Song + +commit fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 upstream. + +The fxas21002c_trigger_handler() may fail to acquire sample data because +the runtime PM enters the autosuspend state and sensor can not return +sample data in standby mode.. + +Resume the sensor before reading the sample data into the buffer within the +trigger handler. After the data is read, place the sensor back into the +autosuspend state. + +Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c") +Signed-off-by: Carlos Song +Signed-off-by: Frank Li +Link: https://patch.msgid.link/20241116152945.4006374-1-Frank.Li@nxp.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/fxas21002c_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/gyro/fxas21002c_core.c ++++ b/drivers/iio/gyro/fxas21002c_core.c +@@ -664,14 +664,21 @@ static irqreturn_t fxas21002c_trigger_ha + int ret; + + mutex_lock(&data->lock); ++ ret = fxas21002c_pm_get(data); ++ if (ret < 0) ++ goto out_unlock; ++ + ret = regmap_bulk_read(data->regmap, FXAS21002C_REG_OUT_X_MSB, + data->buffer, CHANNEL_SCAN_MAX * sizeof(s16)); + if (ret < 0) +- goto out_unlock; ++ goto out_pm_put; + + iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, + data->timestamp); + ++out_pm_put: ++ fxas21002c_pm_put(data); ++ + out_unlock: + mutex_unlock(&data->lock); + diff --git a/queue-5.4/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch b/queue-5.4/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch new file mode 100644 index 00000000000..9de7fa1d5be --- /dev/null +++ b/queue-5.4/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch @@ -0,0 +1,37 @@ +From 6ae053113f6a226a2303caa4936a4c37f3bfff7b Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Mon, 25 Nov 2024 22:16:13 +0100 +Subject: iio: imu: kmx61: fix information leak in triggered buffer + +From: Javier Carrasco + +commit 6ae053113f6a226a2303caa4936a4c37f3bfff7b upstream. + +The 'buffer' local array is used to push data to user space from a +triggered buffer, but it does not set values for inactive channels, as +it only uses iio_for_each_active_channel() to assign new values. + +Initialize the array to zero before using it to avoid pushing +uninitialized information to userspace. + +Cc: stable@vger.kernel.org +Fixes: c3a23ecc0901 ("iio: imu: kmx61: Add support for data ready triggers") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-5-0cb6e98d895c@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/kmx61.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/imu/kmx61.c ++++ b/drivers/iio/imu/kmx61.c +@@ -1198,7 +1198,7 @@ static irqreturn_t kmx61_trigger_handler + struct kmx61_data *data = kmx61_get_data(indio_dev); + int bit, ret, i = 0; + u8 base; +- s16 buffer[8]; ++ s16 buffer[8] = { }; + + if (indio_dev == data->acc_indio_dev) + base = KMX61_ACC_XOUT_L; diff --git a/queue-5.4/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch b/queue-5.4/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch new file mode 100644 index 00000000000..9d43d028b60 --- /dev/null +++ b/queue-5.4/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch @@ -0,0 +1,35 @@ +From 64f43895b4457532a3cc524ab250b7a30739a1b1 Mon Sep 17 00:00:00 2001 +From: Joe Hattori +Date: Wed, 4 Dec 2024 20:13:42 +0900 +Subject: iio: inkern: call iio_device_put() only on mapped devices + +From: Joe Hattori + +commit 64f43895b4457532a3cc524ab250b7a30739a1b1 upstream. + +In the error path of iio_channel_get_all(), iio_device_put() is called +on all IIO devices, which can cause a refcount imbalance. Fix this error +by calling iio_device_put() only on IIO devices whose refcounts were +previously incremented by iio_device_get(). + +Fixes: 314be14bb893 ("iio: Rename _st_ functions to loose the bit that meant the staging version.") +Signed-off-by: Joe Hattori +Link: https://patch.msgid.link/20241204111342.1246706-1-joe@pf.is.s.u-tokyo.ac.jp +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -466,7 +466,7 @@ struct iio_channel *iio_channel_get_all( + return chans; + + error_free_chans: +- for (i = 0; i < nummaps; i++) ++ for (i = 0; i < mapind; i++) + iio_device_put(chans[i].indio_dev); + kfree(chans); + error_ret: diff --git a/queue-5.4/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch b/queue-5.4/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch new file mode 100644 index 00000000000..f7bec42e124 --- /dev/null +++ b/queue-5.4/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch @@ -0,0 +1,39 @@ +From 47b43e53c0a0edf5578d5d12f5fc71c019649279 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Mon, 25 Nov 2024 22:16:14 +0100 +Subject: iio: light: vcnl4035: fix information leak in triggered buffer + +From: Javier Carrasco + +commit 47b43e53c0a0edf5578d5d12f5fc71c019649279 upstream. + +The 'buffer' local array is used to push data to userspace from a +triggered buffer, but it does not set an initial value for the single +data element, which is an u16 aligned to 8 bytes. That leaves at least +4 bytes uninitialized even after writing an integer value with +regmap_read(). + +Initialize the array to zero before using it to avoid pushing +uninitialized information to userspace. + +Cc: stable@vger.kernel.org +Fixes: ec90b52c07c0 ("iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-6-0cb6e98d895c@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/vcnl4035.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/vcnl4035.c ++++ b/drivers/iio/light/vcnl4035.c +@@ -105,7 +105,7 @@ static irqreturn_t vcnl4035_trigger_cons + struct iio_dev *indio_dev = pf->indio_dev; + struct vcnl4035_data *data = iio_priv(indio_dev); + /* Ensure naturally aligned timestamp */ +- u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)] __aligned(8); ++ u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)] __aligned(8) = { }; + int ret; + + ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, (int *)buffer); diff --git a/queue-5.4/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch b/queue-5.4/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch new file mode 100644 index 00000000000..1e29cabd000 --- /dev/null +++ b/queue-5.4/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch @@ -0,0 +1,38 @@ +From 6007d10c5262f6f71479627c1216899ea7f09073 Mon Sep 17 00:00:00 2001 +From: Javier Carrasco +Date: Mon, 25 Nov 2024 22:16:11 +0100 +Subject: iio: pressure: zpa2326: fix information leak in triggered buffer + +From: Javier Carrasco + +commit 6007d10c5262f6f71479627c1216899ea7f09073 upstream. + +The 'sample' local struct is used to push data to user space from a +triggered buffer, but it has a hole between the temperature and the +timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp). +This hole is never initialized. + +Initialize the struct to zero before using it to avoid pushing +uninitialized information to userspace. + +Cc: stable@vger.kernel.org +Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support") +Signed-off-by: Javier Carrasco +Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-3-0cb6e98d895c@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/zpa2326.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/pressure/zpa2326.c ++++ b/drivers/iio/pressure/zpa2326.c +@@ -585,6 +585,8 @@ static int zpa2326_fill_sample_buffer(st + } sample; + int err; + ++ memset(&sample, 0, sizeof(sample)); ++ + if (test_bit(0, indio_dev->active_scan_mask)) { + /* Get current pressure from hardware FIFO. */ + err = zpa2326_dequeue_pressure(indio_dev, &sample.pressure); diff --git a/queue-5.4/series b/queue-5.4/series index 9271f07d62d..7f04bb2b26b 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -26,3 +26,12 @@ usb-usblp-return-error-when-setting-unsupported-protocol.patch usb-core-disable-lpm-only-for-non-suspended-ports.patch usb-fix-reference-leak-in-usb_new_device.patch usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch +iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch +iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch +iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch +iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch +iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch +iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch +iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch +iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch +iio-inkern-call-iio_device_put-only-on-mapped-devices.patch