Merge tag 'char-misc-6.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc driver fixes from Greg KH:
"Here are some small char/misc/other driver fixes for 6.11-rc7. It's
nothing huge, just a bunch of small fixes of reported problems,
including:

- lots of tiny iio driver fixes

- nvmem driver fixes

- binder UAF bugfix

- uio driver crash fix

- other small fixes

All of these have been in linux-next this week with no reported
problems"

* tag 'char-misc-6.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (21 commits)
VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
misc: keba: Fix sysfs group creation
dt-bindings: nvmem: Use soc-nvmem node name instead of nvmem
nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
nvmem: u-boot-env: error if NVMEM device is too small
misc: fastrpc: Fix double free of 'buf' in error path
binder: fix UAF caused by offsets overwrite
iio: imu: inv_mpu6050: fix interrupt status read for old buggy chips
iio: adc: ad7173: fix GPIO device info
iio: adc: ad7124: fix DT configuration parsing
iio: adc: ad_sigma_delta: fix irq_flags on irq request
iio: adc: ads1119: Fix IRQ flags
iio: fix scale application in iio_convert_raw_to_processed_unlocked
iio: adc: ad7124: fix config comparison
iio: adc: ad7124: fix chip ID mismatch
iio: adc: ad7173: Fix incorrect compatible string
iio: buffer-dmaengine: fix releasing dma channel on error
iio: adc: ad7606: remove frstdata check for serial mode
...

+122 -78
+1 -1
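--- a/Documentation/devicetree/bindings/nvmem/xlnx,zynqmp-nvmem.yaml
+++ b/Documentation/devicetree/bindings/nvmem/xlnx,zynqmp-nvmem.yaml
@@ -28,7 +28,7 @@
 
 examples:
 - |
-nvmem {
+soc-nvmem {
 compatible = "xlnx,zynqmp-nvmem-fw";
 nvmem-layout {
 compatible = "fixed-layout";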
+1
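--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3422,6 +3422,7 @@
 */
 copy_size = object_offset - user_offset;
 if (copy_size && (user_offset > object_offset ||
+object_offset > tr->data_size ||
 binder_alloc_copy_user_to_buffer(
 &target_proc->alloc,
 t->buffer, user_offset,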
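Review bot: The added `object_offset > tr->data_size` bound is only evaluated when `copy_size` is non-zero, because the whole parenthesised group is short-circuited by `copy_size &&`; when `object_offset == user_offset` the offset is not range-checked at this point. That case presumably relies on a later validation outside this hunk, which should be confirmed. Given that the commit title ties this bound to a use-after-free, the test deserves a one-line comment above it, for example `/* reject object offsets that point past tr->data_size */`. The enclosing `if` continues beyond the visible lines.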
+1
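--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -1952,6 +1952,7 @@
 */
 device_unregister(&device_obj->device);
 }
+EXPORT_SYMBOL_GPL(vmbus_device_unregister);
 
 #ifdef CONFIG_ACPI
 /*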
+17 -13
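--- a/drivers/iio/adc/ad7124.c
+++ b/drivers/iio/adc/ad7124.c
@@ -147,15 +147,18 @@
 struct ad7124_channel_config {
 bool live;
 unsigned int cfg_slot;
-enum ad7124_ref_sel refsel;
-bool bipolar;
-bool buf_positive;
-bool buf_negative;
-unsigned int vref_mv;
-unsigned int pga_bits;
-unsigned int odr;
-unsigned int odr_sel_bits;
-unsigned int filter_type;
+/* Following fields are used to compare equality. */
+struct_group(config_props,
+enum ad7124_ref_sel refsel;
+bool bipolar;
+bool buf_positive;
+bool buf_negative;
+unsigned int vref_mv;
+unsigned int pga_bits;
+unsigned int odr;
+unsigned int odr_sel_bits;
+unsigned int filter_type;
+);
 };
 
 struct ad7124_channel {
@@ -334,11 +337,12 @@
 ptrdiff_t cmp_size;
 int i;
 
-cmp_size = (u8 *)&cfg->live - (u8 *)cfg;
+cmp_size = sizeof_field(struct ad7124_channel_config, config_props);
 for (i = 0; i < st->num_channels; i++) {
 cfg_aux = &st->channels[i].cfg;
 
-if (cfg_aux->live && !memcmp(cfg, cfg_aux, cmp_size))
+if (cfg_aux->live &&
+!memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size))
 return cfg_aux;
 }
 
@@ -764,6 +768,7 @@
 if (ret < 0)
 return ret;
 
+fsleep(200);
 timeout = 100;
 do {
 ret = ad_sd_read_reg(&st->sd, AD7124_STATUS, 1, &readval);
@@ -839,8 +844,6 @@
 st->channels = channels;
 
 device_for_each_child_node_scoped(dev, child) {
-cfg = &st->channels[channel].cfg;
-
 ret = fwnode_property_read_u32(child, "reg", &channel);
 if (ret)
 return ret;
@@ -858,6 +861,7 @@
 st->channels[channel].ain = AD7124_CHANNEL_AINP(ain[0]) |
 AD7124_CHANNEL_AINM(ain[1]);
 
+cfg = &st->channels[channel].cfg;
 cfg->bipolar = fwnode_property_read_bool(child, "bipolar");
 
 ret = fwnode_property_read_u32(child, "adi,reference-select", &tmp);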
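Review bot: The `memcmp()` over `config_props` in the second hunk also compares any padding bytes inside the group, and the group places three `bool` members ahead of an `unsigned int`, so padding there is likely. Two equal configurations then compare equal only if every `ad7124_channel_config` is zero-initialised before its fields are set; the allocation is outside the visible hunks, so this should be confirmed and recorded next to the struct, for example `/* compared with memcmp(): instances must be zero-allocated */`. Separately, `cmp_size` is still declared `ptrdiff_t` although it now holds a `sizeof_field()` result, so `size_t` would match better. The `fsleep(200);` added in the third hunk has no comment saying what the delay waits for.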
+5 -8
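--- a/drivers/iio/adc/ad7173.c
+++ b/drivers/iio/adc/ad7173.c
@@ -302,7 +302,6 @@
 .num_configs = 8,
 .num_voltage_in = 16,
 .num_gpios = 4,
-.higher_gpio_bits = true,
 .has_vincom_input = true,
 .has_temp = true,
 .has_input_buf = true,
@@ -320,7 +319,6 @@
 .num_configs = 8,
 .num_voltage_in = 16,
 .num_gpios = 4,
-.higher_gpio_bits = true,
 .has_vincom_input = true,
 .has_temp = true,
 .has_input_buf = true,
@@ -338,7 +336,6 @@
 .num_configs = 8,
 .num_voltage_in = 16,
 .num_gpios = 4,
-.higher_gpio_bits = true,
 .has_vincom_input = true,
 .has_temp = true,
 .has_input_buf = true,
@@ -1435,11 +1432,11 @@
 }
 
 static const struct of_device_id ad7173_of_match[] = {
-{ .compatible = "ad4111", .data = &ad4111_device_info },
-{ .compatible = "ad4112", .data = &ad4112_device_info },
-{ .compatible = "ad4114", .data = &ad4114_device_info },
-{ .compatible = "ad4115", .data = &ad4115_device_info },
-{ .compatible = "ad4116", .data = &ad4116_device_info },
+{ .compatible = "adi,ad4111", .data = &ad4111_device_info },
+{ .compatible = "adi,ad4112", .data = &ad4112_device_info },
+{ .compatible = "adi,ad4114", .data = &ad4114_device_info },
+{ .compatible = "adi,ad4115", .data = &ad4115_device_info },
+{ .compatible = "adi,ad4116", .data = &ad4116_device_info },
 { .compatible = "adi,ad7172-2", .data = &ad7172_2_device_info },
 { .compatible = "adi,ad7172-4", .data = &ad7172_4_device_info },
 { .compatible = "adi,ad7173-8", .data = &ad7173_8_device_info },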
+2 -26
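--- a/drivers/iio/adc/ad7606.c
+++ b/drivers/iio/adc/ad7606.c
@@ -49,7 +49,7 @@
 1, 2, 4, 8, 16, 32, 64, 128,
 };
 
-static int ad7606_reset(struct ad7606_state *st)
+int ad7606_reset(struct ad7606_state *st)
 {
 if (st->gpio_reset) {
 gpiod_set_value(st->gpio_reset, 1);
@@ -60,6 +60,7 @@
 
 return -ENODEV;
 }
+EXPORT_SYMBOL_NS_GPL(ad7606_reset, IIO_AD7606);
 
 static int ad7606_reg_access(struct iio_dev *indio_dev,
 unsigned int reg,
@@ -88,31 +89,6 @@
 {
 unsigned int num = st->chip_info->num_channels - 1;
 u16 *data = st->data;
-int ret;
-
-/*
-* The frstdata signal is set to high while and after reading the sample
-* of the first channel and low for all other channels. This can be used
-* to check that the incoming data is correctly aligned. During normal
-* operation the data should never become unaligned, but some glitch or
-* electrostatic discharge might cause an extra read or clock cycle.
-* Monitoring the frstdata signal allows to recover from such failure
-* situations.
-*/
-
-if (st->gpio_frstdata) {
-ret = st->bops->read_block(st->dev, 1, data);
-if (ret)
-return ret;
-
-if (!gpiod_get_value(st->gpio_frstdata)) {
-ad7606_reset(st);
-return -EIO;
-}
-
-data++;
-num--;
-}
 
 return st->bops->read_block(st->dev, num, data);
 }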
+2
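--- a/drivers/iio/adc/ad7606.h
+++ b/drivers/iio/adc/ad7606.h
@@ -151,6 +151,8 @@
 const char *name, unsigned int id,
 const struct ad7606_bus_ops *bops);
 
+int ad7606_reset(struct ad7606_state *st);
+
 enum ad7606_supported_device_ids {
 ID_AD7605_4,
 ID_AD7606_8,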
+44 -2
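--- a/drivers/iio/adc/ad7606_par.c
+++ b/drivers/iio/adc/ad7606_par.c
@@ -7,6 +7,7 @@
 
 #include <linux/mod_devicetable.h>
 #include <linux/module.h>
+#include <linux/gpio/consumer.h>
 #include <linux/platform_device.h>
 #include <linux/types.h>
 #include <linux/err.h>
@@ -21,8 +22,29 @@
 struct iio_dev *indio_dev = dev_get_drvdata(dev);
 struct ad7606_state *st = iio_priv(indio_dev);
 
-insw((unsigned long)st->base_address, buf, count);
 
+/*
+* On the parallel interface, the frstdata signal is set to high while
+* and after reading the sample of the first channel and low for all
+* other channels. This can be used to check that the incoming data is
+* correctly aligned. During normal operation the data should never
+* become unaligned, but some glitch or electrostatic discharge might
+* cause an extra read or clock cycle. Monitoring the frstdata signal
+* allows to recover from such failure situations.
+*/
+int num = count;
+u16 *_buf = buf;
+
+if (st->gpio_frstdata) {
+insw((unsigned long)st->base_address, _buf, 1);
+if (!gpiod_get_value(st->gpio_frstdata)) {
+ad7606_reset(st);
+return -EIO;
+}
+_buf++;
+num--;
+}
+insw((unsigned long)st->base_address, _buf, num);
 return 0;
 }
 
@@ -35,8 +57,28 @@
 {
 struct iio_dev *indio_dev = dev_get_drvdata(dev);
 struct ad7606_state *st = iio_priv(indio_dev);
+/*
+* On the parallel interface, the frstdata signal is set to high while
+* and after reading the sample of the first channel and low for all
+* other channels. This can be used to check that the incoming data is
+* correctly aligned. During normal operation the data should never
+* become unaligned, but some glitch or electrostatic discharge might
+* cause an extra read or clock cycle. Monitoring the frstdata signal
+* allows to recover from such failure situations.
+*/
+int num = count;
+u16 *_buf = buf;
 
-insb((unsigned long)st->base_address, buf, count * 2);
+if (st->gpio_frstdata) {
+insb((unsigned long)st->base_address, _buf, 2);
+if (!gpiod_get_value(st->gpio_frstdata)) {
+ad7606_reset(st);
+return -EIO;
+}
+_buf++;
+num--;
+}
+insb((unsigned long)st->base_address, _buf, num * 2);
 
 return 0;
 }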
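Review bot: Both read helpers decrement `num` after the first-sample read without looking at `count`, so with `gpio_frstdata` present a `count` of 0 would reach the final `insw()`/`insb()` as a negative length. The callers are outside these hunks, so either confirm they always pass at least 1 or restrict the branch with `if (st->gpio_frstdata && count > 0) {`. The return value of `ad7606_reset(st)` is also dropped, and the `ad7606.c` section shows it returning `-ENODEV` on one path, so `-EIO` may be returned without the device having been re-aligned. The alignment comment and check are duplicated verbatim in the two functions and could live in one static helper.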
+1 -1
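--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -569,7 +569,7 @@
 static int devm_ad_sd_probe_trigger(struct device *dev, struct iio_dev *indio_dev)
 {
 struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev);
-unsigned long irq_flags = irq_get_trigger_type(sigma_delta->spi->irq);
+unsigned long irq_flags = irq_get_trigger_type(sigma_delta->irq_line);
 int ret;
 
 if (dev != &sigma_delta->spi->dev) {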
+1 -1
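--- a/drivers/iio/adc/ti-ads1119.c
+++ b/drivers/iio/adc/ti-ads1119.c
@@ -735,7 +735,7 @@
 if (client->irq > 0) {
 ret = devm_request_threaded_irq(dev, client->irq,
 ads1119_irq_handler,
-NULL, IRQF_TRIGGER_FALLING,
+NULL, IRQF_ONESHOT,
 "ads1119", indio_dev);
 if (ret)
 return dev_err_probe(dev, ret,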
+3 -1
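--- a/drivers/iio/buffer/industrialio-buffer-dmaengine.c
+++ b/drivers/iio/buffer/industrialio-buffer-dmaengine.c
@@ -237,7 +237,7 @@
 
 ret = dma_get_slave_caps(chan, &caps);
 if (ret < 0)
-goto err_free;
+goto err_release;
 
 /* Needs to be aligned to the maximum of the minimums */
 if (caps.src_addr_widths)
@@ -263,6 +263,8 @@
 
 return &dmaengine_buffer->queue.buffer;
 
+err_release:
+dma_release_channel(chan);
 err_free:
 kfree(dmaengine_buffer);
 return ERR_PTR(ret);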
+11 -2
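--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c
@@ -248,12 +248,20 @@
 int result;
 
 switch (st->chip_type) {
+case INV_MPU6000:
 case INV_MPU6050:
+case INV_MPU9150:
+/*
+* WoM is not supported and interrupt status read seems to be broken for
+* some chips. Since data ready is the only interrupt, bypass interrupt
+* status read and always assert data ready bit.
+*/
+wom_bits = 0;
+int_status = INV_MPU6050_BIT_RAW_DATA_RDY_INT;
+goto data_ready_interrupt;
 case INV_MPU6500:
 case INV_MPU6515:
 case INV_MPU6880:
-case INV_MPU6000:
-case INV_MPU9150:
 case INV_MPU9250:
 case INV_MPU9255:
 wom_bits = INV_MPU6500_BIT_WOM_INT;
@@ -279,6 +287,7 @@
 }
 }
 
+data_ready_interrupt:
 /* handle raw data interrupt */
 if (int_status & INV_MPU6050_BIT_RAW_DATA_RDY_INT) {
 indio_dev->pollfunc->timestamp = st->it_timestamp;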
+4 -4
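--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -647,17 +647,17 @@
 break;
 case IIO_VAL_INT_PLUS_MICRO:
 if (scale_val2 < 0)
-*processed = -raw64 * scale_val;
+*processed = -raw64 * scale_val * scale;
 else
-*processed = raw64 * scale_val;
+*processed = raw64 * scale_val * scale;
 *processed += div_s64(raw64 * (s64)scale_val2 * scale,
 1000000LL);
 break;
 case IIO_VAL_INT_PLUS_NANO:
 if (scale_val2 < 0)
-*processed = -raw64 * scale_val;
+*processed = -raw64 * scale_val * scale;
 else
-*processed = raw64 * scale_val;
+*processed = raw64 * scale_val * scale;
 *processed += div_s64(raw64 * (s64)scale_val2 * scale,
 1000000000LL);
 break;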
+2 -3
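--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -1910,7 +1910,8 @@
 &args[0]);
 if (err) {
 dev_err(dev, "mmap error (len 0x%08llx)\n", buf->size);
-goto err_invoke;
+fastrpc_buf_free(buf);
+return err;
 }
 
 /* update the buffer to be able to deallocate the memory on the DSP */
@@ -1948,8 +1949,6 @@
 
 err_assign:
 fastrpc_req_munmap_impl(fl, buf);
-err_invoke:
-fastrpc_buf_free(buf);
 
 return err;
 }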
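Review bot: After this change the `err_assign` path depends entirely on `fastrpc_req_munmap_impl(fl, buf)` to release `buf`, and that call's return value is discarded. Its body is not visible here, so if it can fail without freeing, `buf` would be leaked silently on this path; that should be checked against the helper. Recording the ownership rule at the label would keep the double free from being reintroduced, for example `/* fastrpc_req_munmap_impl() releases buf; do not free it again here */`. The function starts outside the first hunk.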
+4 -10
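--- a/drivers/misc/keba/cp500.c
+++ b/drivers/misc/keba/cp500.c
@@ -212,12 +212,12 @@
 }
 static DEVICE_ATTR_RW(keep_cfg);
 
-static struct attribute *attrs[] = {
+static struct attribute *cp500_attrs[] = {
 &dev_attr_version.attr,
 &dev_attr_keep_cfg.attr,
 NULL
 };
-static const struct attribute_group attrs_group = { .attrs = attrs };
+ATTRIBUTE_GROUPS(cp500);
 
 static void cp500_i2c_release(struct device *dev)
 {
@@ -396,20 +396,15 @@
 
 pci_set_drvdata(pci_dev, cp500);
 
-ret = sysfs_create_group(&pci_dev->dev.kobj, &attrs_group);
-if (ret != 0)
-goto out_free_irq;
 
 ret = cp500_enable(cp500);
 if (ret != 0)
-goto out_remove_group;
+goto out_free_irq;
 
 cp500_register_auxiliary_devs(cp500);
 
 return 0;
 
-out_remove_group:
-sysfs_remove_group(&pci_dev->dev.kobj, &attrs_group);
 out_free_irq:
 pci_free_irq_vectors(pci_dev);
 out_disable:
@@ -426,8 +421,6 @@
 cp500_unregister_auxiliary_devs(cp500);
 
 cp500_disable(cp500);
-
-sysfs_remove_group(&pci_dev->dev.kobj, &attrs_group);
 
 pci_set_drvdata(pci_dev, 0);
 
@@ -450,6 +443,7 @@
 .id_table = cp500_ids,
 .probe = cp500_probe,
 .remove = cp500_remove,
+.dev_groups = cp500_groups,
 };
 module_pci_driver(cp500_driver);
 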
+2 -1
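--- a/drivers/misc/vmw_vmci/vmci_resource.c
+++ b/drivers/misc/vmw_vmci/vmci_resource.c
@@ -144,7 +144,8 @@
 spin_lock(&vmci_resource_table.lock);
 
 hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
-if (vmci_handle_is_equal(r->handle, resource->handle)) {
+if (vmci_handle_is_equal(r->handle, resource->handle) &&
+resource->type == r->type) {
 hlist_del_init_rcu(&r->node);
 break;
 }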
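Review bot: The loop still selects the entry to unlink by value (`handle`, and now `type`) rather than by identity, so the node removed is `r`, which is only assumed to be `resource`. If the table can never hold two entries with the same handle and type, a comment should say so, since the insert path is outside this hunk. Otherwise an identity test makes the removal exact and drops the field comparison: `if (r == resource) {`. The function body continues outside the hunk.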
+3 -3
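--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -1276,13 +1276,13 @@
 EXPORT_SYMBOL_GPL(nvmem_device_put);
 
 /**
-* devm_nvmem_device_get() - Get nvmem cell of device form a given id
+* devm_nvmem_device_get() - Get nvmem device of device form a given id
 *
 * @dev: Device that requests the nvmem device.
 * @id: name id for the requested nvmem device.
 *
-* Return: ERR_PTR() on error or a valid pointer to a struct nvmem_cell
-* on success. The nvmem_cell will be freed by the automatically once the
+* Return: ERR_PTR() on error or a valid pointer to a struct nvmem_device
+* on success. The nvmem_device will be freed by the automatically once the
 * device is freed.
 */
 struct nvmem_device *devm_nvmem_device_get(struct device *dev, const char *id)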
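Review bot: The rewritten kerneldoc lines still carry two wording slips from the old text: `form a given id` should read `from a given id`, and `will be freed by the automatically` has a stray `by the`. Since the commit already touches both lines, they could be corrected in the same pass: `* devm_nvmem_device_get() - Get nvmem device of device from a given id` and `* on success. The nvmem_device will be freed automatically once the`.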
+7
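--- a/drivers/nvmem/u-boot-env.c
+++ b/drivers/nvmem/u-boot-env.c
@@ -176,6 +176,13 @@
 data_offset = offsetof(struct u_boot_env_image_broadcom, data);
 break;
 }
+
+if (dev_size < data_offset) {
+dev_err(dev, "Device too small for u-boot-env\n");
+err = -EIO;
+goto err_kfree;
+}
+
 crc32_addr = (__le32 *)(buf + crc32_offset);
 crc32 = le32_to_cpu(*crc32_addr);
 crc32_data_len = dev_size - crc32_data_offset;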
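Review bot: The new guard bounds `dev_size` by `data_offset`, but the lines directly after it dereference `buf + crc32_offset` and compute `dev_size - crc32_data_offset`. The guard protects them only if `data_offset` is at least `crc32_offset + sizeof(__le32)` and at least `crc32_data_offset` for every image format. The switch that assigns these offsets is mostly outside the hunk, so that invariant should be confirmed and written above the check, for example `/* data_offset is the largest header offset for every format */`. The function continues outside the hunk.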
+1 -1
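--- a/drivers/staging/iio/frequency/ad9834.c
+++ b/drivers/staging/iio/frequency/ad9834.c
@@ -114,7 +114,7 @@
 
 clk_freq = clk_get_rate(st->mclk);
 
-if (fout > (clk_freq / 2))
+if (!clk_freq || fout > (clk_freq / 2))
 return -EINVAL;
 
 regval = ad9834_calc_freqreg(clk_freq, fout);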
+10 -1
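--- a/drivers/uio/uio_hv_generic.c
+++ b/drivers/uio/uio_hv_generic.c
@@ -106,10 +106,11 @@
 
 /*
 * Callback from vmbus_event when channel is rescinded.
+* It is meant for rescind of primary channels only.
 */
 static void hv_uio_rescind(struct vmbus_channel *channel)
 {
-struct hv_device *hv_dev = channel->primary_channel->device_obj;
+struct hv_device *hv_dev = channel->device_obj;
 struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
 
 /*
@@ -120,6 +121,14 @@
 
 /* Wake up reader */
 uio_event_notify(&pdata->info);
+
+/*
+* With rescind callback registered, rescind path will not unregister the device
+* from vmbus when the primary channel is rescinded.
+* Without it, rescind handling is incomplete and next onoffer msg does not come.
+* Unregister the device from vmbus here.
+*/
+vmbus_device_unregister(channel->device_obj);
 }
 
 /* Sysfs API to allow mmap of the ring buffers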
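Review bot: The comment now states that `hv_uio_rescind()` is for primary channels only, but nothing in the function enforces that. `hv_dev` is taken from `channel->device_obj`, passed straight to `hv_get_drvdata()`, and `pdata` is then dereferenced. Whether the callback can run for a channel whose `device_obj` is unset cannot be told from this hunk; if it can, this is another NULL dereference, and a guard before the `hv_get_drvdata()` call would close it, for example `if (!hv_dev) return;`. It is also worth confirming that the context this callback runs in allows `vmbus_device_unregister()`, because the call sites are outside the visible lines.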