From: Greg Kroah-Hartman Date: Mon, 13 Jan 2025 10:45:25 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.1.125~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6361f08951b3e6964536fa8640356d1538bfa3fb;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: iio-adc-ad7124-disable-all-channels-at-probe-time.patch iio-adc-ad7173-fix-using-shared-static-info-struct.patch iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch iio-inkern-call-iio_device_put-only-on-mapped-devices.patch iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
---
diff --git a/queue-6.12/iio-adc-ad7124-disable-all-channels-at-probe-time.patch b/queue-6.12/iio-adc-ad7124-disable-all-channels-at-probe-time.patch
new file mode 100644
index 00000000000..ce04e2f2b62
--- /dev/null
+++ b/queue-6.12/iio-adc-ad7124-disable-all-channels-at-probe-time.patch
@@ -0,0 +1,46 @@
+From 4be339af334c283a1a1af3cb28e7e448a0aa8a7c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?=
+Date: Mon, 4 Nov 2024 11:19:04 +0100
+Subject: iio: adc: ad7124: Disable all channels at probe time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+commit 4be339af334c283a1a1af3cb28e7e448a0aa8a7c upstream.
+
+When during a measurement two channels are enabled, two measurements are
+done that are reported sequencially in the DATA register. As the code
+triggered by reading one of the sysfs properties expects that only one
+channel is enabled it only reads the first data set which might or might
+not belong to the intended channel.
+
+To prevent this situation disable all channels during probe. This fixes
+a problem in practise because the reset default for channel 0 is
+enabled. So all measurements before the first measurement on channel 0
+(which disables channel 0 at the end) might report wrong values.
+
+Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
+Reviewed-by: Nuno Sa
+Signed-off-by: Uwe Kleine-König
+Link: https://patch.msgid.link/20241104101905.845737-2-u.kleine-koenig@baylibre.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ad7124.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -917,6 +917,9 @@ static int ad7124_setup(struct ad7124_st
+ * set all channels to this default value.
+ */
+ ad7124_set_channel_odr(st, i, 10);
++
++ /* Disable all channels to prevent unintended conversions. */
++ ad_sd_write_reg(&st->sd, AD7124_CHANNEL(i), 2, 0);
+ }
+
+ ret = ad_sd_write_reg(&st->sd, AD7124_ADC_CONTROL, 2, st->adc_control);
diff --git a/queue-6.12/iio-adc-ad7173-fix-using-shared-static-info-struct.patch b/queue-6.12/iio-adc-ad7173-fix-using-shared-static-info-struct.patch
new file mode 100644
index 00000000000..c559caffe3d
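Review bot: The added `ad_sd_write_reg(&st->sd, AD7124_CHANNEL(i), 2, 0);` in ad7124_setup() discards its return value, although the AD7124_ADC_CONTROL write directly below it stores the result in `ret`. If the register write fails, the channel stays enabled and setup carries on in exactly the state this patch is meant to rule out, with nothing reported. Checking it, `ret = ad_sd_write_reg(&st->sd, AD7124_CHANNEL(i), 2, 0);` followed by `if (ret < 0)` and `return ret;`, would close that gap, assuming the loop holds nothing that needs unwinding. ad7124_setup() starts and ends outside the hunk, so that assumption has to be confirmed there.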
--- /dev/null
+++ b/queue-6.12/iio-adc-ad7173-fix-using-shared-static-info-struct.patch
@@ -0,0 +1,73 @@
+From 36a44e05cd807a54e5ffad4b96d0d67f68ad8576 Mon Sep 17 00:00:00 2001
+From: David Lechner
+Date: Wed, 27 Nov 2024 14:01:53 -0600
+Subject: iio: adc: ad7173: fix using shared static info struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner
+
+commit 36a44e05cd807a54e5ffad4b96d0d67f68ad8576 upstream.
+
+Fix a possible race condition during driver probe in the ad7173 driver
+due to using a shared static info struct. If more that one instance of
+the driver is probed at the same time, some of the info could be
+overwritten by the other instance, leading to incorrect operation.
+
+To fix this, make the static info struct const so that it is read-only
+and make a copy of the info struct for each instance of the driver that
+can be modified.
+
+Reported-by: Uwe Kleine-König
+Fixes: 76a1e6a42802 ("iio: adc: ad7173: add AD7173 driver")
+Signed-off-by: David Lechner
+Tested-by: Guillaume Ranquet
+Link: https://patch.msgid.link/20241127-iio-adc-ad7313-fix-non-const-info-struct-v2-1-b6d7022b7466@baylibre.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ad7173.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ad7173.c
++++ b/drivers/iio/adc/ad7173.c
+@@ -198,6 +198,7 @@ struct ad7173_channel {
+
+ struct ad7173_state {
+ struct ad_sigma_delta sd;
++ struct ad_sigma_delta_info sigma_delta_info;
+ const struct ad7173_device_info *info;
+ struct ad7173_channel *channels;
+ struct regulator_bulk_data regulators[3];
+@@ -733,7 +734,7 @@ static int ad7173_disable_one(struct ad_
+ return ad_sd_write_reg(sd, AD7173_REG_CH(chan), 2, 0);
+ }
+
+-static struct ad_sigma_delta_info ad7173_sigma_delta_info = {
++static const struct ad_sigma_delta_info ad7173_sigma_delta_info = {
+ .set_channel = ad7173_set_channel,
+ .append_status = ad7173_append_status,
+ .disable_all = ad7173_disable_all,
+@@ -1371,7 +1372,7 @@ static int ad7173_fw_parse_device_config
+ if (ret < 0)
+ return dev_err_probe(dev, ret, "Interrupt 'rdy' is required\n");
+
+- ad7173_sigma_delta_info.irq_line = ret;
++ st->sigma_delta_info.irq_line = ret;
+
+ return ad7173_fw_parse_channel_config(indio_dev);
+ }
+@@ -1404,8 +1405,9 @@ static int ad7173_probe(struct spi_devic
+ spi->mode = SPI_MODE_3;
+ spi_setup(spi);
+
+- ad7173_sigma_delta_info.num_slots = st->info->num_configs;
+- ret = ad_sd_init(&st->sd, indio_dev, spi, &ad7173_sigma_delta_info);
++ st->sigma_delta_info = ad7173_sigma_delta_info;
++ st->sigma_delta_info.num_slots = st->info->num_configs;
++ ret = ad_sd_init(&st->sd, indio_dev, spi, &st->sigma_delta_info);
+ if (ret)
+ return ret;
+
diff --git a/queue-6.12/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch b/queue-6.12/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
new file mode 100644
index 00000000000..c294dd0d8c4
--- /dev/null
+++ b/queue-6.12/iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
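Review bot: The whole-struct copy `st->sigma_delta_info = ad7173_sigma_delta_info;` in ad7173_probe() and the separate `st->sigma_delta_info.irq_line = ret;` in ad7173_fw_parse_device_config() depend on a call order that none of these hunks show. If the firmware parsing ever ran before the copy, irq_line would be silently replaced by the template's value. A comment at the copy would record the constraint, for example `/* Per-instance copy of the const template; must precede every write to st->sigma_delta_info (num_slots, irq_line). */`. Both functions start and end outside the hunks, so the actual order has to be checked in the full file.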
@@ -0,0 +1,35 @@
+From de6a73bad1743e9e81ea5a24c178c67429ff510b Mon Sep 17 00:00:00 2001
+From: Joe Hattori
+Date: Sat, 7 Dec 2024 13:30:45 +0900
+Subject: iio: adc: at91: call input_free_device() on allocated iio_dev
+
+From: Joe Hattori
+
+commit de6a73bad1743e9e81ea5a24c178c67429ff510b upstream.
+
+Current implementation of at91_ts_register() calls input_free_deivce()
+on st->ts_input, however, the err label can be reached before the
+allocated iio_dev is stored to st->ts_input. Thus call
+input_free_device() on input instead of st->ts_input.
+
+Fixes: 84882b060301 ("iio: adc: at91_adc: Add support for touchscreens without TSMR")
+Signed-off-by: Joe Hattori
+Link: https://patch.msgid.link/20241207043045.1255409-1-joe@pf.is.s.u-tokyo.ac.jp
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/at91_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/at91_adc.c
++++ b/drivers/iio/adc/at91_adc.c
+@@ -979,7 +979,7 @@ static int at91_ts_register(struct iio_d
+ return ret;
+
+ err:
+- input_free_device(st->ts_input);
++ input_free_device(input);
+ return ret;
+ }
+
diff --git a/queue-6.12/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..626027ac821
--- /dev/null
+++ b/queue-6.12/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From 38724591364e1e3b278b4053f102b49ea06ee17c Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:12 +0100
+Subject: iio: adc: rockchip_saradc: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 38724591364e1e3b278b4053f102b49ea06ee17c upstream.
+
+The 'data' local struct is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 4e130dc7b413 ("iio: adc: rockchip_saradc: Add support iio buffers")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-4-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/rockchip_saradc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -368,6 +368,8 @@ static irqreturn_t rockchip_saradc_trigg
+ int ret;
+ int i, j = 0;
+
++ memset(&data, 0, sizeof(data));
++
+ mutex_lock(&info->lock);
+
+ iio_for_each_active_channel(i_dev, i) {
diff --git a/queue-6.12/iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..77e5a67c364
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch
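Review bot: Nothing at `memset(&data, 0, sizeof(data));` says why the zeroing is there, so a later cleanup could drop it as redundant and reopen the leak of kernel stack contents to userspace. A one-line comment would pin the intent, for example `/* Zero the whole scan (inactive channels and padding): it is pushed to userspace as-is. */`. The same applies to the other information-leak fixes in this queue: the `memset()` calls in ti-ads1119, bh1745 and zpa2326, the `= { }` initialisers in ti-ads8688, kmx61 and vcnl4035, and the `kzalloc()` in iio_simple_dummy_buffer. For the struct cases it is worth stating that `memset()` is deliberate, since an initialiser is not guaranteed to clear padding bytes. The trigger handler starts and ends outside the hunk.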
@@ -0,0 +1,43 @@
+From 75f339d3ecd38cb1ce05357d647189d4a7f7ed08 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:10 +0100
+Subject: iio: adc: ti-ads1119: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 75f339d3ecd38cb1ce05357d647189d4a7f7ed08 upstream.
+
+The 'scan' local struct is used to push data to user space from a
+triggered buffer, but it has a hole between the sample (unsigned int)
+and the timestamp. This hole is never initialized.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Javier Carrasco
+Reviewed-by: Francesco Dolcini
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-2-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ti-ads1119.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/adc/ti-ads1119.c b/drivers/iio/adc/ti-ads1119.c
+index e9d9d4d46d38..2615a275acb3 100644
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -506,6 +506,8 @@ static irqreturn_t ads1119_trigger_handler(int irq, void *private)
+ unsigned int index;
+ int ret;
+
++ memset(&scan, 0, sizeof(scan));
++
+ if (!iio_trigger_using_own(indio_dev)) {
+ index = find_first_bit(indio_dev->active_scan_mask,
+ iio_get_masklength(indio_dev));
+--
+2.48.0
+
diff --git a/queue-6.12/iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch b/queue-6.12/iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch
new file mode 100644
index 00000000000..cfd32839b3a
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch
@@ -0,0 +1,45 @@
+From 54d394905c92b9ecc65c1f9b2692c8e10716d8e1 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 2 Dec 2024 20:18:44 +0100
+Subject: iio: adc: ti-ads1119: fix sample size in scan struct for triggered buffer
+
+From: Javier Carrasco
+
+commit 54d394905c92b9ecc65c1f9b2692c8e10716d8e1 upstream.
+
+This device returns signed, 16-bit samples as stated in its datasheet
+(see 8.5.2 Data Format). That is in line with the scan_type definition
+for the IIO_VOLTAGE channel, but 'unsigned int' is being used to read
+and push the data to userspace.
+
+Given that the size of that type depends on the architecture (at least
+2 bytes to store values up to 65535, but its actual size is often 4
+bytes), use the 's16' type to provide the same structure in all cases.
+
+Fixes: a9306887eba4 ("iio: adc: ti-ads1119: Add driver")
+Signed-off-by: Javier Carrasco
+Reviewed-by: Francesco Dolcini
+Link: https://patch.msgid.link/20241202-ti-ads1119_s16_chan-v1-1-fafe3136dc90@gmail.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ti-ads1119.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/ti-ads1119.c b/drivers/iio/adc/ti-ads1119.c
+index 2615a275acb3..c268e27eec12 100644
+--- a/drivers/iio/adc/ti-ads1119.c
++++ b/drivers/iio/adc/ti-ads1119.c
+@@ -500,7 +500,7 @@ static irqreturn_t ads1119_trigger_handler(int irq, void *private)
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct ads1119_state *st = iio_priv(indio_dev);
+ struct {
+- unsigned int sample;
++ s16 sample;
+ s64 timestamp __aligned(8);
+ } scan;
+ unsigned int index;
+--
+2.48.0
+
diff --git a/queue-6.12/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch b/queue-6.12/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
new file mode 100644
index 00000000000..54710358bf8
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
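Review bot: Shrinking `sample` to `s16` widens the gap before `s64 timestamp __aligned(8);` to six bytes, and this patch relies on the separate ti-ads1119 information-leak fix (`memset(&scan, 0, sizeof(scan));`) to keep that padding from reaching userspace. The series file queues the memset patch first, but the dependency is not written down anywhere in the code. A comment on the struct would make it explicit, for example `/* 6 bytes of padding follow sample; scan must be zeroed before it is pushed */`. The assignment to `scan.sample` is outside the hunk, so whether the stored value is now narrowed from a wider type should be checked there as well.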
@@ -0,0 +1,42 @@
+From 2a8e34096ec70d73ebb6d9920688ea312700cbd9 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Fri, 22 Nov 2024 13:43:08 -0300
+Subject: iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
+
+From: Fabio Estevam
+
+commit 2a8e34096ec70d73ebb6d9920688ea312700cbd9 upstream.
+
+Using gpiod_set_value() to control the reset GPIO causes some verbose
+warnings during boot when the reset GPIO is controlled by an I2C IO
+expander.
+
+As the caller can sleep, use the gpiod_set_value_cansleep() variant to
+fix the issue.
+
+Tested on a custom i.MX93 board with a ADS124S08 ADC.
+
+Cc: stable@kernel.org
+Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
+Signed-off-by: Fabio Estevam
+Link: https://patch.msgid.link/20241122164308.390340-1-festevam@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ti-ads124s08.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ti-ads124s08.c
++++ b/drivers/iio/adc/ti-ads124s08.c
+@@ -183,9 +183,9 @@ static int ads124s_reset(struct iio_dev
+ struct ads124s_private *priv = iio_priv(indio_dev);
+
+ if (priv->reset_gpio) {
+- gpiod_set_value(priv->reset_gpio, 0);
++ gpiod_set_value_cansleep(priv->reset_gpio, 0);
+ udelay(200);
+- gpiod_set_value(priv->reset_gpio, 1);
++ gpiod_set_value_cansleep(priv->reset_gpio, 1);
+ } else {
+ return ads124s_write_cmd(indio_dev, ADS124S08_CMD_RESET);
+ }
diff --git a/queue-6.12/iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch b/queue-6.12/iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch
new file mode 100644
index 00000000000..6e8d680204d
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch
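Review bot: `udelay(200);` still busy-waits between the two `gpiod_set_value_cansleep()` calls, even though the commit message states that the caller can sleep. In a sleepable context a sleeping delay such as `fsleep(200);` or `usleep_range(200, 300);` holds the reset pulse without spinning the CPU. ads124s_reset() starts and ends outside the hunk, so what the GPIO branch returns after the pulse is not visible here.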
@@ -0,0 +1,33 @@
+From bcb394bb28e55312cace75362b8e489eb0e02a30 Mon Sep 17 00:00:00 2001
+From: Charles Han
+Date: Mon, 18 Nov 2024 17:02:08 +0800
+Subject: iio: adc: ti-ads1298: Add NULL check in ads1298_init
+
+From: Charles Han
+
+commit bcb394bb28e55312cace75362b8e489eb0e02a30 upstream.
+
+devm_kasprintf() can return a NULL pointer on failure. A check on the
+return value of such a call in ads1298_init() is missing. Add it.
+
+Fixes: 00ef7708fa60 ("iio: adc: ti-ads1298: Add driver")
+Signed-off-by: Charles Han
+Link: https://patch.msgid.link/20241118090208.14586-1-hanchunchao@inspur.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ti-ads1298.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/ti-ads1298.c
++++ b/drivers/iio/adc/ti-ads1298.c
+@@ -613,6 +613,8 @@ static int ads1298_init(struct iio_dev *
+ }
+ indio_dev->name = devm_kasprintf(dev, GFP_KERNEL, "ads129%u%s",
+ indio_dev->num_channels, suffix);
++ if (!indio_dev->name)
++ return -ENOMEM;
+
+ /* Enable internal test signal, double amplitude, double frequency */
+ ret = regmap_write(priv->regmap, ADS1298_REG_CONFIG2,
diff --git a/queue-6.12/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..f0bb95a51cd
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From 2a7377ccfd940cd6e9201756aff1e7852c266e69 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:16 +0100
+Subject: iio: adc: ti-ads8688: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 2a7377ccfd940cd6e9201756aff1e7852c266e69 upstream.
+
+The 'buffer' local array is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 61fa5dfa5f52 ("iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-8-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ti-ads8688.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads8688.c
++++ b/drivers/iio/adc/ti-ads8688.c
+@@ -381,7 +381,7 @@ static irqreturn_t ads8688_trigger_handl
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ /* Ensure naturally aligned timestamp */
+- u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8);
++ u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8) = { };
+ int i, j = 0;
+
+ iio_for_each_active_channel(indio_dev, i) {
diff --git a/queue-6.12/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..4a27dd85c12
--- /dev/null
+++ b/queue-6.12/iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,38 @@
+From 333be433ee908a53f283beb95585dfc14c8ffb46 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:17 +0100
+Subject: iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 333be433ee908a53f283beb95585dfc14c8ffb46 upstream.
+
+The 'data' array is allocated via kmalloc() and it is used to push data
+to user space from a triggered buffer, but it does not set values for
+inactive channels, as it only uses iio_for_each_active_channel()
+to assign new values.
+
+Use kzalloc for the memory allocation to avoid pushing uninitialized
+information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 415f79244757 ("iio: Move IIO Dummy Driver out of staging")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-9-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/dummy/iio_simple_dummy_buffer.c
++++ b/drivers/iio/dummy/iio_simple_dummy_buffer.c
+@@ -48,7 +48,7 @@ static irqreturn_t iio_simple_dummy_trig
+ int i = 0, j;
+ u16 *data;
+
+- data = kmalloc(indio_dev->scan_bytes, GFP_KERNEL);
++ data = kzalloc(indio_dev->scan_bytes, GFP_KERNEL);
+ if (!data)
+ goto done;
+
diff --git a/queue-6.12/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch b/queue-6.12/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
new file mode 100644
index 00000000000..bacbc441f19
--- /dev/null
+++ b/queue-6.12/iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
@@ -0,0 +1,53 @@
+From fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 Mon Sep 17 00:00:00 2001
+From: Carlos Song
+Date: Sat, 16 Nov 2024 10:29:45 -0500
+Subject: iio: gyro: fxas21002c: Fix missing data update in trigger handler
+
+From: Carlos Song
+
+commit fa13ac6cdf9b6c358e7d77c29fb60145c7a87965 upstream.
+
+The fxas21002c_trigger_handler() may fail to acquire sample data because
+the runtime PM enters the autosuspend state and sensor can not return
+sample data in standby mode..
+
+Resume the sensor before reading the sample data into the buffer within the
+trigger handler. After the data is read, place the sensor back into the
+autosuspend state.
+
+Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c")
+Signed-off-by: Carlos Song
+Signed-off-by: Frank Li
+Link: https://patch.msgid.link/20241116152945.4006374-1-Frank.Li@nxp.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/gyro/fxas21002c_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/gyro/fxas21002c_core.c
++++ b/drivers/iio/gyro/fxas21002c_core.c
+@@ -730,14 +730,21 @@ static irqreturn_t fxas21002c_trigger_ha
+ int ret;
+
+ mutex_lock(&data->lock);
++ ret = fxas21002c_pm_get(data);
++ if (ret < 0)
++ goto out_unlock;
++
+ ret = regmap_bulk_read(data->regmap, FXAS21002C_REG_OUT_X_MSB,
+ data->buffer, CHANNEL_SCAN_MAX * sizeof(s16));
+ if (ret < 0)
+- goto out_unlock;
++ goto out_pm_put;
+
+ iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
+ data->timestamp);
+
++out_pm_put:
++ fxas21002c_pm_put(data);
++
+ out_unlock:
+ mutex_unlock(&data->lock);
+
diff --git a/queue-6.12/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch b/queue-6.12/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
new file mode 100644
index 00000000000..6021ad891f4
--- /dev/null
+++ b/queue-6.12/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
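Review bot: When `fxas21002c_pm_get(data)` fails, the handler jumps to `out_unlock` and skips `fxas21002c_pm_put(data)`, which is balanced only if the helper leaves no usage count behind on error. The helper is not in the hunk; if it wraps `pm_runtime_get_sync()` rather than `pm_runtime_resume_and_get()`, every failed sample would leak a runtime-PM reference and the sensor would stop autosuspending. Once confirmed, a comment at the branch would settle it for the reader, for example `/* fxas21002c_pm_get() drops its reference on failure, so no put on this path */`. The return value of `fxas21002c_pm_put(data)` is also ignored, and the handler body starts and ends outside the hunk.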
@@ -0,0 +1,48 @@
+From 65a60a590142c54a3f3be11ff162db2d5b0e1e06 Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol
+Date: Wed, 13 Nov 2024 21:25:45 +0100
+Subject: iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
+
+From: Jean-Baptiste Maneyrol
+
+commit 65a60a590142c54a3f3be11ff162db2d5b0e1e06 upstream.
+
+Currently suspending while sensors are one will result in timestamping
+continuing without gap at resume. It can work with monotonic clock but
+not with other clocks. Fix that by resetting timestamping.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jean-Baptiste Maneyrol
+Link: https://patch.msgid.link/20241113-inv_icm42600-fix-timestamps-after-suspend-v1-1-dfc77c394173@tdk.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+@@ -822,6 +822,8 @@ out_unlock:
+ static int inv_icm42600_resume(struct device *dev)
+ {
+ struct inv_icm42600_state *st = dev_get_drvdata(dev);
++ struct inv_icm42600_sensor_state *gyro_st = iio_priv(st->indio_gyro);
++ struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel);
+ int ret;
+
+ mutex_lock(&st->lock);
+@@ -842,9 +844,12 @@ static int inv_icm42600_resume(struct de
+ goto out_unlock;
+
+ /* restore FIFO data streaming */
+- if (st->fifo.on)
++ if (st->fifo.on) {
++ inv_sensors_timestamp_reset(&gyro_st->ts);
++ inv_sensors_timestamp_reset(&accel_st->ts);
+ ret = regmap_write(st->map, INV_ICM42600_REG_FIFO_CONFIG,
+ INV_ICM42600_FIFO_CONFIG_STREAM);
++ }
+
+ out_unlock:
+ mutex_unlock(&st->lock);
diff --git a/queue-6.12/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..1006454d0b7
--- /dev/null
+++ b/queue-6.12/iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From 6ae053113f6a226a2303caa4936a4c37f3bfff7b Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:13 +0100
+Subject: iio: imu: kmx61: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 6ae053113f6a226a2303caa4936a4c37f3bfff7b upstream.
+
+The 'buffer' local array is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: c3a23ecc0901 ("iio: imu: kmx61: Add support for data ready triggers")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-5-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/kmx61.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/kmx61.c
++++ b/drivers/iio/imu/kmx61.c
+@@ -1192,7 +1192,7 @@ static irqreturn_t kmx61_trigger_handler
+ struct kmx61_data *data = kmx61_get_data(indio_dev);
+ int bit, ret, i = 0;
+ u8 base;
+- s16 buffer[8];
++ s16 buffer[8] = { };
+
+ if (indio_dev == data->acc_indio_dev)
+ base = KMX61_ACC_XOUT_L;
diff --git a/queue-6.12/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch b/queue-6.12/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
new file mode 100644
index 00000000000..35b77b51378
--- /dev/null
+++ b/queue-6.12/iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
@@ -0,0 +1,35 @@
+From 64f43895b4457532a3cc524ab250b7a30739a1b1 Mon Sep 17 00:00:00 2001
+From: Joe Hattori
+Date: Wed, 4 Dec 2024 20:13:42 +0900
+Subject: iio: inkern: call iio_device_put() only on mapped devices
+
+From: Joe Hattori
+
+commit 64f43895b4457532a3cc524ab250b7a30739a1b1 upstream.
+
+In the error path of iio_channel_get_all(), iio_device_put() is called
+on all IIO devices, which can cause a refcount imbalance. Fix this error
+by calling iio_device_put() only on IIO devices whose refcounts were
+previously incremented by iio_device_get().
+
+Fixes: 314be14bb893 ("iio: Rename _st_ functions to loose the bit that meant the staging version.")
+Signed-off-by: Joe Hattori
+Link: https://patch.msgid.link/20241204111342.1246706-1-joe@pf.is.s.u-tokyo.ac.jp
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/inkern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -499,7 +499,7 @@ struct iio_channel *iio_channel_get_all(
+ return_ptr(chans);
+
+ error_free_chans:
+- for (i = 0; i < nummaps; i++)
++ for (i = 0; i < mapind; i++)
+ iio_device_put(chans[i].indio_dev);
+ return ERR_PTR(ret);
+ }
diff --git a/queue-6.12/iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..c3aa59b9d94
--- /dev/null
+++ b/queue-6.12/iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,37 @@
+From b62fbe3b8eedd3cf3c9ad0b7cb9f72c3f40815f0 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:15 +0100
+Subject: iio: light: bh1745: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit b62fbe3b8eedd3cf3c9ad0b7cb9f72c3f40815f0 upstream.
+
+The 'scan' local struct is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: eab35358aae7 ("iio: light: ROHM BH1745 colour sensor")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-7-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/bh1745.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/light/bh1745.c
++++ b/drivers/iio/light/bh1745.c
+@@ -750,6 +750,8 @@ static irqreturn_t bh1745_trigger_handle
+ int i;
+ int j = 0;
+
++ memset(&scan, 0, sizeof(scan));
++
+ iio_for_each_active_channel(indio_dev, i) {
+ ret = regmap_bulk_read(data->regmap, BH1745_RED_LSB + 2 * i,
+ &value, 2);
diff --git a/queue-6.12/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..f7bec42e124
--- /dev/null
+++ b/queue-6.12/iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,39 @@
+From 47b43e53c0a0edf5578d5d12f5fc71c019649279 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:14 +0100
+Subject: iio: light: vcnl4035: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 47b43e53c0a0edf5578d5d12f5fc71c019649279 upstream.
+
+The 'buffer' local array is used to push data to userspace from a
+triggered buffer, but it does not set an initial value for the single
+data element, which is an u16 aligned to 8 bytes. That leaves at least
+4 bytes uninitialized even after writing an integer value with
+regmap_read().
+
+Initialize the array to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: ec90b52c07c0 ("iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-6-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/vcnl4035.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/light/vcnl4035.c
++++ b/drivers/iio/light/vcnl4035.c
+@@ -105,7 +105,7 @@ static irqreturn_t vcnl4035_trigger_cons
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct vcnl4035_data *data = iio_priv(indio_dev);
+ /* Ensure naturally aligned timestamp */
+- u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)] __aligned(8);
++ u8 buffer[ALIGN(sizeof(u16), sizeof(s64)) + sizeof(s64)] __aligned(8) = { };
+ int ret;
+
+ ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, (int *)buffer);
diff --git a/queue-6.12/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch b/queue-6.12/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 00000000000..67a1d82f4b6
--- /dev/null
+++ b/queue-6.12/iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
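Review bot: The zero-initialised `buffer` is still written through `(int *)buffer` in the `regmap_read()` call on the last context line, so a full integer is stored where the commit message describes a single u16 element. The `= { }` closes the leak, but the cast hides the type mismatch and, if the channel is declared with a fixed byte order (not visible here), makes the position of the 16-bit sample depend on host endianness. Reading into a local, `unsigned int val;` with `ret = regmap_read(data->regmap, VCNL4035_ALS_DATA, &val);`, and then storing only the 16-bit value into the buffer would remove the cast. The handler continues outside the hunk, so how the buffer is consumed has to be checked there.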
@@ -0,0 +1,38 @@
+From 6007d10c5262f6f71479627c1216899ea7f09073 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:11 +0100
+Subject: iio: pressure: zpa2326: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 6007d10c5262f6f71479627c1216899ea7f09073 upstream.
+
+The 'sample' local struct is used to push data to user space from a
+triggered buffer, but it has a hole between the temperature and the
+timestamp (u32 pressure, u16 temperature, GAP, u64 timestamp).
+This hole is never initialized.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-3-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/pressure/zpa2326.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/pressure/zpa2326.c
++++ b/drivers/iio/pressure/zpa2326.c
+@@ -586,6 +586,8 @@ static int zpa2326_fill_sample_buffer(st
+ } sample;
+ int err;
+
++ memset(&sample, 0, sizeof(sample));
++
+ if (test_bit(0, indio_dev->active_scan_mask)) {
+ /* Get current pressure from hardware FIFO. */
+ err = zpa2326_dequeue_pressure(indio_dev, &sample.pressure);
diff --git a/queue-6.12/series b/queue-6.12/series
index 403d036dbc2..d4053c10408 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -154,3 +154,20 @@ usb-gadget-f_fs-remove-warn_on-in-functionfs_bind.patch
 usb-gadget-configfs-ignore-trailing-lf-for-user-strings-to-cdev.patch
 usb-host-xhci-plat-set-skip_phy_initialization-if-software-node-has-xhci_skip_phy_init-property.patch
 usb-typec-fix-pm-usage-counter-imbalance-in-ucsi_ccg_sync_control.patch
+iio-pressure-zpa2326-fix-information-leak-in-triggered-buffer.patch
+iio-dummy-iio_simply_dummy_buffer-fix-information-leak-in-triggered-buffer.patch
+iio-light-vcnl4035-fix-information-leak-in-triggered-buffer.patch
+iio-light-bh1745-fix-information-leak-in-triggered-buffer.patch
+iio-imu-kmx61-fix-information-leak-in-triggered-buffer.patch
+iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
+iio-adc-ti-ads8688-fix-information-leak-in-triggered-buffer.patch
+iio-adc-ti-ads1119-fix-information-leak-in-triggered-buffer.patch
+iio-adc-ti-ads1119-fix-sample-size-in-scan-struct-for-triggered-buffer.patch
+iio-gyro-fxas21002c-fix-missing-data-update-in-trigger-handler.patch
+iio-adc-ti-ads1298-add-null-check-in-ads1298_init.patch
+iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
+iio-adc-ti-ads124s08-use-gpiod_set_value_cansleep.patch
+iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
+iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
+iio-adc-ad7173-fix-using-shared-static-info-struct.patch
+iio-adc-ad7124-disable-all-channels-at-probe-time.patch