<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/iio/common, branch linux-6.5.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()</title>
<updated>2023-10-19T21:11:03+00:00</updated>
<author>
<name>Tzung-Bi Shih</name>
<email>tzungbi@kernel.org</email>
</author>
<published>2023-08-29T03:06:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=83342393005076d58410d30c8b4d56fd512afb31'/>
<id>83342393005076d58410d30c8b4d56fd512afb31</id>
<content type='text'>
commit 7771c8c80d62ad065637ef74ed2962983f6c5f6d upstream.

cros_ec_sensors_push_data() reads `indio_dev-&gt;active_scan_mask` and
calls iio_push_to_buffers_with_timestamp() without making sure the
`indio_dev` stays in buffer mode.  There is a race if `indio_dev` exits
buffer mode right before cros_ec_sensors_push_data() accesses them.

An use-after-free on `indio_dev-&gt;active_scan_mask` was observed.  The
call trace:
[...]
 _find_next_bit
 cros_ec_sensors_push_data
 cros_ec_sensorhub_event
 blocking_notifier_call_chain
 cros_ec_irq_thread

It was caused by a race condition: one thread just freed
`active_scan_mask` at [1]; while another thread tried to access the
memory at [2].

Fix it by calling iio_device_claim_buffer_mode() to ensure the
`indio_dev` can't exit buffer mode during cros_ec_sensors_push_data().

[1]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/industrialio-buffer.c#L1189
[2]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c#L198

Cc: stable@vger.kernel.org
Fixes: aa984f1ba4a4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO")
Signed-off-by: Tzung-Bi Shih &lt;tzungbi@kernel.org&gt;
Reviewed-by: Guenter Roeck &lt;groeck@chromium.org&gt;
Reviewed-by: Stephen Boyd &lt;swboyd@chromium.org&gt;
Link: https://lore.kernel.org/r/20230829030622.1571852-1-tzungbi@kernel.org
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7771c8c80d62ad065637ef74ed2962983f6c5f6d upstream.

cros_ec_sensors_push_data() reads `indio_dev-&gt;active_scan_mask` and
calls iio_push_to_buffers_with_timestamp() without making sure the
`indio_dev` stays in buffer mode.  There is a race if `indio_dev` exits
buffer mode right before cros_ec_sensors_push_data() accesses them.

An use-after-free on `indio_dev-&gt;active_scan_mask` was observed.  The
call trace:
[...]
 _find_next_bit
 cros_ec_sensors_push_data
 cros_ec_sensorhub_event
 blocking_notifier_call_chain
 cros_ec_irq_thread

It was caused by a race condition: one thread just freed
`active_scan_mask` at [1]; while another thread tried to access the
memory at [2].

Fix it by calling iio_device_claim_buffer_mode() to ensure the
`indio_dev` can't exit buffer mode during cros_ec_sensors_push_data().

[1]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/industrialio-buffer.c#L1189
[2]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c#L198

Cc: stable@vger.kernel.org
Fixes: aa984f1ba4a4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO")
Signed-off-by: Tzung-Bi Shih &lt;tzungbi@kernel.org&gt;
Reviewed-by: Guenter Roeck &lt;groeck@chromium.org&gt;
Reviewed-by: Stephen Boyd &lt;swboyd@chromium.org&gt;
Link: https://lore.kernel.org/r/20230829030622.1571852-1-tzungbi@kernel.org
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: cros_ec: Fix the allocation size for cros_ec_command</title>
<updated>2023-07-29T11:21:21+00:00</updated>
<author>
<name>Yiyuan Guo</name>
<email>yguoaz@gmail.com</email>
</author>
<published>2023-06-30T14:37:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a4629055ef55177b5b63dab1ecce676bd8cccdd'/>
<id>8a4629055ef55177b5b63dab1ecce676bd8cccdd</id>
<content type='text'>
The struct cros_ec_command contains several integer fields and a
trailing array. An allocation size neglecting the integer fields can
lead to buffer overrun.

Reviewed-by: Tzung-Bi Shih &lt;tzungbi@kernel.org&gt;
Signed-off-by: Yiyuan Guo &lt;yguoaz@gmail.com&gt;
Fixes: 974e6f02e27e ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.")
Link: https://lore.kernel.org/r/20230630143719.1513906-1-yguoaz@gmail.com
Cc: &lt;Stable@vger.kerenl.org&gt;
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The struct cros_ec_command contains several integer fields and a
trailing array. An allocation size neglecting the integer fields can
lead to buffer overrun.

Reviewed-by: Tzung-Bi Shih &lt;tzungbi@kernel.org&gt;
Signed-off-by: Yiyuan Guo &lt;yguoaz@gmail.com&gt;
Fixes: 974e6f02e27e ("iio: cros_ec_sensors_core: Add common functions for the ChromeOS EC Sensor Hub.")
Link: https://lore.kernel.org/r/20230630143719.1513906-1-yguoaz@gmail.com
Cc: &lt;Stable@vger.kerenl.org&gt;
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: Rename iio_trigger_poll_chained and add kernel-doc</title>
<updated>2023-03-11T12:18:29+00:00</updated>
<author>
<name>Mehdi Djait</name>
<email>mehdi.djait.k@gmail.com</email>
</author>
<published>2023-03-02T13:04:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f700e55ef6ef9ec723164659ed4385900981c872'/>
<id>f700e55ef6ef9ec723164659ed4385900981c872</id>
<content type='text'>
Rename the function to iio_trigger_poll_nested. Add kernel-doc with
a note on the context where the function is expected to be called.

Signed-off-by: Mehdi Djait &lt;mehdi.djait.k@gmail.com&gt;
Link: https://lore.kernel.org/r/841b533cba28ca25a8e87280c44e45979166e8e2.1677761379.git.mehdi.djait.k@gmail.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Rename the function to iio_trigger_poll_nested. Add kernel-doc with
a note on the context where the function is expected to be called.

Signed-off-by: Mehdi Djait &lt;mehdi.djait.k@gmail.com&gt;
Link: https://lore.kernel.org/r/841b533cba28ca25a8e87280c44e45979166e8e2.1677761379.git.mehdi.djait.k@gmail.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: common: scmi_iio: use sysfs_emit() to instead of scnprintf()</title>
<updated>2022-12-28T17:19:45+00:00</updated>
<author>
<name>ye xingchen</name>
<email>ye.xingchen@zte.com.cn</email>
</author>
<published>2022-12-01T03:56:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f9e51aacc740935bd0201565e040fd7b36f645aa'/>
<id>f9e51aacc740935bd0201565e040fd7b36f645aa</id>
<content type='text'>
Replace the open-code with sysfs_emit() to simplify the code.

Signed-off-by: ye xingchen &lt;ye.xingchen@zte.com.cn&gt;
Link: https://lore.kernel.org/r/202212011156314630626@zte.com.cn
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace the open-code with sysfs_emit() to simplify the code.

Signed-off-by: ye xingchen &lt;ye.xingchen@zte.com.cn&gt;
Link: https://lore.kernel.org/r/202212011156314630626@zte.com.cn
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: Don't silently expect attribute types</title>
<updated>2022-11-23T19:44:04+00:00</updated>
<author>
<name>Matti Vaittinen</name>
<email>mazziesaccount@gmail.com</email>
</author>
<published>2022-10-03T08:13:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0a33755c4b01ed62a6d025cb585928304f9653d7'/>
<id>0a33755c4b01ed62a6d025cb585928304f9653d7</id>
<content type='text'>
The iio_triggered_buffer_setup_ext() and the
devm_iio_kfifo_buffer_setup_ext() were changed by
commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
to silently expect that all attributes given in buffer_attrs array are
device-attributes. This expectation was not forced by the API - and some
drivers did register attributes created by IIO_CONST_ATTR().

When using IIO_CONST_ATTRs the added attribute "wrapping" does not copy
the pointer to stored string constant and when the sysfs file is read the
kernel will access to invalid location.

Change the function signatures to expect an array of iio_dev_attrs to
avoid similar errors in the future.

Merge conflict resolved whilst applying due to patch crossing with
two new drivers (kx022a accelerometer and ad4130 ADC).

Signed-off-by: Matti Vaittinen &lt;mazziesaccount@gmail.com&gt;
Tested-by: Claudiu Beznea &lt;claudiu.beznea@microchip.com&gt;
Link: https://lore.kernel.org/r/63f54787a684eb1232f1c5d275a09c786987fe4a.1664782676.git.mazziesaccount@gmail.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The iio_triggered_buffer_setup_ext() and the
devm_iio_kfifo_buffer_setup_ext() were changed by
commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
to silently expect that all attributes given in buffer_attrs array are
device-attributes. This expectation was not forced by the API - and some
drivers did register attributes created by IIO_CONST_ATTR().

When using IIO_CONST_ATTRs the added attribute "wrapping" does not copy
the pointer to stored string constant and when the sysfs file is read the
kernel will access to invalid location.

Change the function signatures to expect an array of iio_dev_attrs to
avoid similar errors in the future.

Merge conflict resolved whilst applying due to patch crossing with
two new drivers (kx022a accelerometer and ad4130 ADC).

Signed-off-by: Matti Vaittinen &lt;mazziesaccount@gmail.com&gt;
Tested-by: Claudiu Beznea &lt;claudiu.beznea@microchip.com&gt;
Link: https://lore.kernel.org/r/63f54787a684eb1232f1c5d275a09c786987fe4a.1664782676.git.mazziesaccount@gmail.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: st_sensors: core and lsm9ds0 switch to devm_regulator_bulk_get_enable()</title>
<updated>2022-11-23T19:44:01+00:00</updated>
<author>
<name>Jonathan Cameron</name>
<email>Jonathan.Cameron@huawei.com</email>
</author>
<published>2022-10-16T16:34:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9e855d77b1ec57704d23e25761a97e6e64abed66'/>
<id>9e855d77b1ec57704d23e25761a97e6e64abed66</id>
<content type='text'>
These drivers only turns the power on at probe and off via a custom
devm_add_action_or_reset() callback. The two regulators were handled
separately so also switch to bulk registration.
The new devm_regulator_bulk_get_enable() replaces all this boilerplate
code.

Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
Cc: Linus Walleij &lt;linus.walleij@linaro.org&gt;
Cc: Andy Shevchenko &lt;andriy.shevchenko@linux.intel.com&gt;
Reviewed-by: Matti Vaittinen &lt;mazziesaccount@gmail.com&gt;
Reviewed-by: Nuno Sá &lt;nuno.sa@analog.com&gt;
Link: https://lore.kernel.org/r/20221016163409.320197-8-jic23@kernel.org
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
These drivers only turns the power on at probe and off via a custom
devm_add_action_or_reset() callback. The two regulators were handled
separately so also switch to bulk registration.
The new devm_regulator_bulk_get_enable() replaces all this boilerplate
code.

Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
Cc: Linus Walleij &lt;linus.walleij@linaro.org&gt;
Cc: Andy Shevchenko &lt;andriy.shevchenko@linux.intel.com&gt;
Reviewed-by: Matti Vaittinen &lt;mazziesaccount@gmail.com&gt;
Reviewed-by: Nuno Sá &lt;nuno.sa@analog.com&gt;
Link: https://lore.kernel.org/r/20221016163409.320197-8-jic23@kernel.org
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: common: scmi_iio: do not use internal iio_dev lock</title>
<updated>2022-11-23T19:43:58+00:00</updated>
<author>
<name>Nuno Sá</name>
<email>nuno.sa@analog.com</email>
</author>
<published>2022-10-04T13:49:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d711a5a7eff4855deb0e2c2663e679dc205e2d9f'/>
<id>d711a5a7eff4855deb0e2c2663e679dc205e2d9f</id>
<content type='text'>
The iio_device lock is only meant for internal use. Hence define a
device local lock to protect against concurrent accesses.

While at it, properly include "mutex.h" for mutex related APIs.

Signed-off-by: Nuno Sá &lt;nuno.sa@analog.com&gt;
Link: https://lore.kernel.org/r/20221004134909.1692021-12-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The iio_device lock is only meant for internal use. Hence define a
device local lock to protect against concurrent accesses.

While at it, properly include "mutex.h" for mutex related APIs.

Signed-off-by: Nuno Sá &lt;nuno.sa@analog.com&gt;
Link: https://lore.kernel.org/r/20221004134909.1692021-12-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: common: scmi_sensors: use HZ macro from units.h</title>
<updated>2022-08-28T15:57:56+00:00</updated>
<author>
<name>Dmitry Rokosov</name>
<email>DDRokosov@sberdevices.ru</email>
</author>
<published>2022-08-12T16:52:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c05c3e5d4e563ac84624c093addee644194984eb'/>
<id>c05c3e5d4e563ac84624c093addee644194984eb</id>
<content type='text'>
Remove duplicated definition of UHZ_PER_HZ, because it's available in
the units.h as MICROHZ_PER_HZ.

Signed-off-by: Dmitry Rokosov &lt;ddrokosov@sberdevices.ru&gt;
Reviewed-by: Andy Shevchenko &lt;andy.shevchenko@gmail.com&gt;
Link: https://lore.kernel.org/r/20220812165243.22177-5-ddrokosov@sberdevices.ru
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Remove duplicated definition of UHZ_PER_HZ, because it's available in
the units.h as MICROHZ_PER_HZ.

Signed-off-by: Dmitry Rokosov &lt;ddrokosov@sberdevices.ru&gt;
Reviewed-by: Andy Shevchenko &lt;andy.shevchenko@gmail.com&gt;
Link: https://lore.kernel.org/r/20220812165243.22177-5-ddrokosov@sberdevices.ru
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: st_sensors: move from strlcpy with unused retval to strscpy</title>
<updated>2022-08-19T17:23:14+00:00</updated>
<author>
<name>Wolfram Sang</name>
<email>wsa+renesas@sang-engineering.com</email>
</author>
<published>2022-08-18T21:00:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ae2c9cf14c1ee451cd2215584b21619f1568d9e1'/>
<id>ae2c9cf14c1ee451cd2215584b21619f1568d9e1</id>
<content type='text'>
Follow the advice of the below link and prefer 'strscpy' in this
subsystem. Conversion is 1:1 because the return value is not used.
Generated by a coccinelle script.

Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
Signed-off-by: Wolfram Sang &lt;wsa+renesas@sang-engineering.com&gt;
Link: https://lore.kernel.org/r/20220818210017.6817-1-wsa+renesas@sang-engineering.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Follow the advice of the below link and prefer 'strscpy' in this
subsystem. Conversion is 1:1 because the return value is not used.
Generated by a coccinelle script.

Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
Signed-off-by: Wolfram Sang &lt;wsa+renesas@sang-engineering.com&gt;
Link: https://lore.kernel.org/r/20220818210017.6817-1-wsa+renesas@sang-engineering.com
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>iio: cros: Register FIFO callback after sensor is registered</title>
<updated>2022-07-18T17:29:13+00:00</updated>
<author>
<name>Gwendal Grignou</name>
<email>gwendal@chromium.org</email>
</author>
<published>2022-07-11T14:47:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0b4ae3f6d1210c11f9baf159009c7227eacf90f2'/>
<id>0b4ae3f6d1210c11f9baf159009c7227eacf90f2</id>
<content type='text'>
Instead of registering callback to process sensor events right at
initialization time, wait for the sensor to be register in the iio
subsystem.

Events can come at probe time (in case the kernel rebooted abruptly
without switching the sensor off for  instance), and be sent to IIO core
before the sensor is fully registered.

Fixes: aa984f1ba4a4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO")
Reported-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Signed-off-by: Gwendal Grignou &lt;gwendal@chromium.org&gt;
Reviewed-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Link: https://lore.kernel.org/r/20220711144716.642617-1-gwendal@chromium.org
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Instead of registering callback to process sensor events right at
initialization time, wait for the sensor to be register in the iio
subsystem.

Events can come at probe time (in case the kernel rebooted abruptly
without switching the sensor off for  instance), and be sent to IIO core
before the sensor is fully registered.

Fixes: aa984f1ba4a4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO")
Reported-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Signed-off-by: Gwendal Grignou &lt;gwendal@chromium.org&gt;
Reviewed-by: Douglas Anderson &lt;dianders@chromium.org&gt;
Link: https://lore.kernel.org/r/20220711144716.642617-1-gwendal@chromium.org
Signed-off-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
