From: Greg Kroah-Hartman Date: Fri, 17 Jul 2020 15:10:31 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.231~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=615ab0fab78179b3f443c5d22ffa474386ff3c68;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: iio-health-afe4403-fix-timestamp-alignment-and-prevent-data-leak.patch iio-magnetometer-ak8974-fix-alignment-and-data-leak-issues.patch iio-magnetometer-ak8974-fix-runtime-pm-imbalance-on-error.patch iio-mma8452-add-missed-iio_device_unregister-call-in-mma8452_probe.patch iio-pressure-ms5611-fix-buffer-element-alignment.patch iio-pressure-zpa2326-handle-pm_runtime_get_sync-failure.patch --- diff --git a/queue-4.9/iio-health-afe4403-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-4.9/iio-health-afe4403-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..e102645f3ae --- /dev/null +++ b/queue-4.9/iio-health-afe4403-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,81 @@ +From 3f9c6d38797e9903937b007a341dad0c251765d6 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 17 May 2020 18:29:56 +0100 +Subject: iio:health:afe4403 Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit 3f9c6d38797e9903937b007a341dad0c251765d6 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses a 32 byte array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() data with alignment +explicitly requested. This data is allocated with kzalloc so no +data can leak appart from previous readings. + +Fixes: eec96d1e2d31 ("iio: health: Add driver for the TI AFE4403 heart monitor") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Acked-by: Andrew F. Davis +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/health/afe4403.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/iio/health/afe4403.c ++++ b/drivers/iio/health/afe4403.c +@@ -71,6 +71,7 @@ static const struct reg_field afe4403_re + * @regulator: Pointer to the regulator for the IC + * @trig: IIO trigger for this device + * @irq: ADC_RDY line interrupt number ++ * @buffer: Used to construct data layout to push into IIO buffer. + */ + struct afe4403_data { + struct device *dev; +@@ -80,6 +81,8 @@ struct afe4403_data { + struct regulator *regulator; + struct iio_trigger *trig; + int irq; ++ /* Ensure suitable alignment for timestamp */ ++ s32 buffer[8] __aligned(8); + }; + + enum afe4403_chan_id { +@@ -318,7 +321,6 @@ static irqreturn_t afe4403_trigger_handl + struct iio_dev *indio_dev = pf->indio_dev; + struct afe4403_data *afe = iio_priv(indio_dev); + int ret, bit, i = 0; +- s32 buffer[8]; + u8 tx[4] = {AFE440X_CONTROL0, 0x0, 0x0, AFE440X_CONTROL0_READ}; + u8 rx[3]; + +@@ -335,9 +337,9 @@ static irqreturn_t afe4403_trigger_handl + if (ret) + goto err; + +- buffer[i++] = (rx[0] << 16) | +- (rx[1] << 8) | +- (rx[2]); ++ afe->buffer[i++] = (rx[0] << 16) | ++ (rx[1] << 8) | ++ (rx[2]); + } + + /* Disable reading from the device */ +@@ -346,7 +348,8 @@ static irqreturn_t afe4403_trigger_handl + if (ret) + goto err; + +- iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); ++ iio_push_to_buffers_with_timestamp(indio_dev, afe->buffer, ++ pf->timestamp); + err: + iio_trigger_notify_done(indio_dev->trig); + diff --git a/queue-4.9/iio-magnetometer-ak8974-fix-alignment-and-data-leak-issues.patch b/queue-4.9/iio-magnetometer-ak8974-fix-alignment-and-data-leak-issues.patch new file mode 100644 index 00000000000..58eb6fe3ea2 --- /dev/null +++ b/queue-4.9/iio-magnetometer-ak8974-fix-alignment-and-data-leak-issues.patch @@ -0,0 +1,69 @@ +From 838e00b13bfd4cac8b24df25bfc58e2eb99bcc70 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 7 Jun 2020 16:53:49 +0100 +Subject: iio:magnetometer:ak8974: Fix alignment and data leak issues + +From: Jonathan Cameron + +commit 838e00b13bfd4cac8b24df25bfc58e2eb99bcc70 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() data. + +This data is allocated with kzalloc so no data can leak appart from +previous readings. + +Fixes: 7c94a8b2ee8cf ("iio: magn: add a driver for AK8974") +Reported-by: Lars-Peter Clausen +Reviewed-by: Linus Walleij +Signed-off-by: Jonathan Cameron +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/ak8974.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/iio/magnetometer/ak8974.c ++++ b/drivers/iio/magnetometer/ak8974.c +@@ -153,6 +153,11 @@ struct ak8974 { + bool drdy_irq; + struct completion drdy_complete; + bool drdy_active_low; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ __le16 channels[3]; ++ s64 ts __aligned(8); ++ } scan; + }; + + static const char ak8974_reg_avdd[] = "avdd"; +@@ -494,7 +499,6 @@ static void ak8974_fill_buffer(struct ii + { + struct ak8974 *ak8974 = iio_priv(indio_dev); + int ret; +- s16 hw_values[8]; /* Three axes + 64bit padding */ + + pm_runtime_get_sync(&ak8974->i2c->dev); + mutex_lock(&ak8974->lock); +@@ -504,13 +508,13 @@ static void ak8974_fill_buffer(struct ii + dev_err(&ak8974->i2c->dev, "error triggering measure\n"); + goto out_unlock; + } +- ret = ak8974_getresult(ak8974, hw_values); ++ ret = ak8974_getresult(ak8974, ak8974->scan.channels); + if (ret) { + dev_err(&ak8974->i2c->dev, "error getting measures\n"); + goto out_unlock; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, hw_values, ++ iio_push_to_buffers_with_timestamp(indio_dev, &ak8974->scan, + iio_get_time_ns(indio_dev)); + + out_unlock: diff --git a/queue-4.9/iio-magnetometer-ak8974-fix-runtime-pm-imbalance-on-error.patch b/queue-4.9/iio-magnetometer-ak8974-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..3cf5c4374b2 --- /dev/null +++ b/queue-4.9/iio-magnetometer-ak8974-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,90 @@ +From 0187294d227dfc42889e1da8f8ce1e44fc25f147 Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Tue, 26 May 2020 18:47:17 +0800 +Subject: iio: magnetometer: ak8974: Fix runtime PM imbalance on error + +From: Dinghao Liu + +commit 0187294d227dfc42889e1da8f8ce1e44fc25f147 upstream. + +When devm_regmap_init_i2c() returns an error code, a pairing +runtime PM usage counter decrement is needed to keep the +counter balanced. For error paths after ak8974_set_power(), +ak8974_detect() and ak8974_reset(), things are the same. + +However, When iio_triggered_buffer_setup() returns an error +code, there will be two PM usgae counter decrements. + +Signed-off-by: Dinghao Liu +Fixes: 7c94a8b2ee8c ("iio: magn: add a driver for AK8974") +Reviewed-by: Linus Walleij +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/ak8974.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/iio/magnetometer/ak8974.c ++++ b/drivers/iio/magnetometer/ak8974.c +@@ -675,19 +675,21 @@ static int ak8974_probe(struct i2c_clien + ak8974->map = devm_regmap_init_i2c(i2c, &ak8974_regmap_config); + if (IS_ERR(ak8974->map)) { + dev_err(&i2c->dev, "failed to allocate register map\n"); ++ pm_runtime_put_noidle(&i2c->dev); ++ pm_runtime_disable(&i2c->dev); + return PTR_ERR(ak8974->map); + } + + ret = ak8974_set_power(ak8974, AK8974_PWR_ON); + if (ret) { + dev_err(&i2c->dev, "could not power on\n"); +- goto power_off; ++ goto disable_pm; + } + + ret = ak8974_detect(ak8974); + if (ret) { + dev_err(&i2c->dev, "neither AK8974 nor AMI305 found\n"); +- goto power_off; ++ goto disable_pm; + } + + ret = ak8974_selftest(ak8974); +@@ -697,14 +699,9 @@ static int ak8974_probe(struct i2c_clien + ret = ak8974_reset(ak8974); + if (ret) { + dev_err(&i2c->dev, "AK8974 reset failed\n"); +- goto power_off; ++ goto disable_pm; + } + +- pm_runtime_set_autosuspend_delay(&i2c->dev, +- AK8974_AUTOSUSPEND_DELAY); +- pm_runtime_use_autosuspend(&i2c->dev); +- pm_runtime_put(&i2c->dev); +- + indio_dev->dev.parent = &i2c->dev; + indio_dev->channels = ak8974_channels; + indio_dev->num_channels = ARRAY_SIZE(ak8974_channels); +@@ -757,6 +754,11 @@ no_irq: + goto cleanup_buffer; + } + ++ pm_runtime_set_autosuspend_delay(&i2c->dev, ++ AK8974_AUTOSUSPEND_DELAY); ++ pm_runtime_use_autosuspend(&i2c->dev); ++ pm_runtime_put(&i2c->dev); ++ + return 0; + + cleanup_buffer: +@@ -765,7 +767,6 @@ disable_pm: + pm_runtime_put_noidle(&i2c->dev); + pm_runtime_disable(&i2c->dev); + ak8974_set_power(ak8974, AK8974_PWR_OFF); +-power_off: + regulator_bulk_disable(ARRAY_SIZE(ak8974->regs), ak8974->regs); + + return ret; diff --git a/queue-4.9/iio-mma8452-add-missed-iio_device_unregister-call-in-mma8452_probe.patch b/queue-4.9/iio-mma8452-add-missed-iio_device_unregister-call-in-mma8452_probe.patch new file mode 100644 index 00000000000..ccfe333ccd6 --- /dev/null +++ b/queue-4.9/iio-mma8452-add-missed-iio_device_unregister-call-in-mma8452_probe.patch @@ -0,0 +1,41 @@ +From d7369ae1f4d7cffa7574d15e1f787dcca184c49d Mon Sep 17 00:00:00 2001 +From: Chuhong Yuan +Date: Thu, 28 May 2020 14:41:21 +0800 +Subject: iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe() + +From: Chuhong Yuan + +commit d7369ae1f4d7cffa7574d15e1f787dcca184c49d upstream. + +The function iio_device_register() was called in mma8452_probe(). +But the function iio_device_unregister() was not called after +a call of the function mma8452_set_freefall_mode() failed. +Thus add the missed function call for one error case. + +Fixes: 1a965d405fc6 ("drivers:iio:accel:mma8452: added cleanup provision in case of failure.") +Signed-off-by: Chuhong Yuan +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/mma8452.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -1576,10 +1576,13 @@ static int mma8452_probe(struct i2c_clie + + ret = mma8452_set_freefall_mode(data, false); + if (ret < 0) +- goto buffer_cleanup; ++ goto unregister_device; + + return 0; + ++unregister_device: ++ iio_device_unregister(indio_dev); ++ + buffer_cleanup: + iio_triggered_buffer_cleanup(indio_dev); + diff --git a/queue-4.9/iio-pressure-ms5611-fix-buffer-element-alignment.patch b/queue-4.9/iio-pressure-ms5611-fix-buffer-element-alignment.patch new file mode 100644 index 00000000000..cf986fdd06a --- /dev/null +++ b/queue-4.9/iio-pressure-ms5611-fix-buffer-element-alignment.patch @@ -0,0 +1,59 @@ +From 8db4afe163bbdd93dca6fcefbb831ef12ecc6b4d Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 7 Jun 2020 16:53:57 +0100 +Subject: iio:pressure:ms5611 Fix buffer element alignment + +From: Jonathan Cameron + +commit 8db4afe163bbdd93dca6fcefbb831ef12ecc6b4d upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +Here there is no data leak possibility so use an explicit structure +on the stack to ensure alignment and nice readable fashion. + +The forced alignment of ts isn't strictly necessary in this driver +as the padding will be correct anyway (there isn't any). However +it is probably less fragile to have it there and it acts as +documentation of the requirement. + +Fixes: 713bbb4efb9dc ("iio: pressure: ms5611: Add triggered buffer support") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Acked-by: Tomasz Duszynski +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/pressure/ms5611_core.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/iio/pressure/ms5611_core.c ++++ b/drivers/iio/pressure/ms5611_core.c +@@ -215,16 +215,21 @@ static irqreturn_t ms5611_trigger_handle + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct ms5611_state *st = iio_priv(indio_dev); +- s32 buf[4]; /* s32 (pressure) + s32 (temp) + 2 * s32 (timestamp) */ ++ /* Ensure buffer elements are naturally aligned */ ++ struct { ++ s32 channels[2]; ++ s64 ts __aligned(8); ++ } scan; + int ret; + + mutex_lock(&st->lock); +- ret = ms5611_read_temp_and_pressure(indio_dev, &buf[1], &buf[0]); ++ ret = ms5611_read_temp_and_pressure(indio_dev, &scan.channels[1], ++ &scan.channels[0]); + mutex_unlock(&st->lock); + if (ret < 0) + goto err; + +- iio_push_to_buffers_with_timestamp(indio_dev, buf, ++ iio_push_to_buffers_with_timestamp(indio_dev, &scan, + iio_get_time_ns(indio_dev)); + + err: diff --git a/queue-4.9/iio-pressure-zpa2326-handle-pm_runtime_get_sync-failure.patch b/queue-4.9/iio-pressure-zpa2326-handle-pm_runtime_get_sync-failure.patch new file mode 100644 index 00000000000..3629eb2d89e --- /dev/null +++ b/queue-4.9/iio-pressure-zpa2326-handle-pm_runtime_get_sync-failure.patch @@ -0,0 +1,37 @@ +From d88de040e1df38414fc1e4380be9d0e997ab4d58 Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Thu, 4 Jun 2020 21:44:44 -0500 +Subject: iio: pressure: zpa2326: handle pm_runtime_get_sync failure + +From: Navid Emamdoost + +commit d88de040e1df38414fc1e4380be9d0e997ab4d58 upstream. + +Calling pm_runtime_get_sync increments the counter even in case of +failure, causing incorrect ref count. Call pm_runtime_put if +pm_runtime_get_sync fails. + +Signed-off-by: Navid Emamdoost +Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/pressure/zpa2326.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/pressure/zpa2326.c ++++ b/drivers/iio/pressure/zpa2326.c +@@ -676,8 +676,10 @@ static int zpa2326_resume(const struct i + int err; + + err = pm_runtime_get_sync(indio_dev->dev.parent); +- if (err < 0) ++ if (err < 0) { ++ pm_runtime_put(indio_dev->dev.parent); + return err; ++ } + + if (err > 0) { + /* diff --git a/queue-4.9/series b/queue-4.9/series index 4527ce7647c..655501a58f1 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -38,3 +38,9 @@ tcp-md5-allow-changing-md5-keys-in-all-socket-states.patch cgroup-fix-cgroup_sk_alloc-for-sk_clone_lock.patch cgroup-fix-sock_cgroup_data-on-big-endian.patch i2c-eg20t-load-module-automatically-if-id-matches.patch +iio-magnetometer-ak8974-fix-alignment-and-data-leak-issues.patch +iio-magnetometer-ak8974-fix-runtime-pm-imbalance-on-error.patch +iio-mma8452-add-missed-iio_device_unregister-call-in-mma8452_probe.patch +iio-pressure-zpa2326-handle-pm_runtime_get_sync-failure.patch +iio-pressure-ms5611-fix-buffer-element-alignment.patch +iio-health-afe4403-fix-timestamp-alignment-and-prevent-data-leak.patch