Jonathan writes:
First set of IIO fixes for the 5.16 cycle
As these are very late in the 5.15 cycle and non are particularly urgent,
they can wait for the merge window.
Key element in this set is Yang Yingliang has identified a number of
issues in error paths introduced recently when we added multiple
buffer support.
Other fixes:
* adi,ad5662
- Fix handling of i2c_master_send() return value.
* adi,ad5766
- Fix a wrong dt-property name that indicated wrong units and
did not mach the bindings.
- Associated 'fix' of the bindings example to have a possible scale.
* st,pressure-spi
- Add some missing entries to the spi_device_id table to ensure
auto-loading works.
* ti,tsc2046
- Fix a backwards comparison leading to a false dev_warn
* tag 'iio-fixes-for-5.16a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio:
iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask()
iio: adc: tsc2046: fix scan interval warning
iio: core: fix double free in iio_device_unregister_sysfs()
iio: core: check return value when calling dev_set_name()
iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups()
iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()
iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask()
iio: buffer: check return value of kstrdup_const()
iio: dac: ad5446: Fix ad5622_write() return value
Documentation:devicetree:bindings:iio:dac: Fix val
drivers: iio: dac: ad5766: Fix dt property name
iio: st_pressure_spi: Add missing entries SPI to device ID table
Georgi writes:
interconnect changes for 5.16
Here are the changes for the 5.16-rc1 merge window consisting of just
driver updates. The highlight is the refactoring of some existing drivers
into common code and expanding some macros that will make adding QoS
support much easier.
Driver changes:
- icc-rpm: move bus clocks handling into qnoc_probe
- sdm660: expand DEFINE_QNODE macros
- sdm660: drop default/unused values
- sdm660: merge common code into icc-rpm
- icc-rpm: add support for QoS reg offset
- msm8916: expand DEFINE_QNODE macros
- msm8916: add support for AP-owned nodes
- msm8939: expand DEFINE_QNODE macros
- msm8939: add support for AP-owned nodes
- qcs404: expand DEFINE_QNODE macros
- qcom: drop DEFINE_QNODE macro
- samsung: describe drivers in KConfig
Signed-off-by: Georgi Djakov <djakov@kernel.org>
* tag 'icc-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/djakov/icc:
interconnect: samsung: describe drivers in KConfig
interconnect: qcom: drop DEFINE_QNODE macro
interconnect: qcs404: expand DEFINE_QNODE macros
interconnect: msm8939: add support for AP-owned nodes
interconnect: msm8939: expand DEFINE_QNODE macros
interconnect: msm8916: add support for AP-owned nodes
interconnect: msm8916: expand DEFINE_QNODE macros
interconnect: icc-rpm: add support for QoS reg offset
interconnect: sdm660: merge common code into icc-rpm
interconnect: sdm660: drop default/unused values
interconnect: sdm660: expand DEFINE_QNODE macros
interconnect: icc-rpm: move bus clocks handling into qnoc_probe
Joel writes:
FSI changes for v5.16
- SBEFIFO usersapce interfaces to perform FFDC (First Failure
Data Capture) and detect timeouts
- A fix to handle multiple messages in flight
* tag 'fsi-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/joel/fsi:
fsi: sbefifo: Use interruptible mutex locking
fsi: sbefifo: Add sysfs file indicating a timeout error
docs: ABI: testing: Document the SBEFIFO timeout interface
hwmon: (occ) Provide the SBEFIFO FFDC in binary sysfs
docs: ABI: testing: Document the OCC hwmon FFDC binary interface
fsi: occ: Store the SBEFIFO FFDC in the user response buffer
fsi: occ: Use a large buffer for responses
hwmon: (occ) Remove sequence numbering and checksum calculation
fsi: occ: Force sequence numbering per OCC
Some SBE operations have extremely large responses and can require
several minutes to process the response. During this time, the device
lock must be held. If another process attempts an operation, it will
wait for the mutex for longer than the kernel hung task watchdog
allows. Therefore, use the interruptible function to lock the mutex.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Link: https://lore.kernel.org/r/20210803213016.44739-1-eajames@linux.ibm.com
Signed-off-by: Joel Stanley <joel@jms.id.au>
If the SBEFIFO response indicates an error, store the response in the
user buffer and return an error. Previously, the user had no way of
obtaining the SBEFIFO FFDC.
The user's buffer now contains data in the event of a failure. No change
in the event of a successful transfer.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20211019205307.36946-3-eajames@linux.ibm.com
Signed-off-by: Joel Stanley <joel@jms.id.au>
Allocate a large buffer for each OCC to handle response data. This
removes memory allocation during an operation, and also allows for
the maximum amount of SBE FFDC.
Previously for the putsram and attn commands, only 32 words would have
been available, and for getsram, only up to the size of the transfer.
SBE FFDC might be up to 8Kb.
The SBE interface expects data to be specified in units of words (4
bytes), defined as OCC_MAX_RESP_WORDS.
This change allows the full FFDC capture to be implemented, where before
it was not available.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20211019205307.36946-2-eajames@linux.ibm.com
Signed-off-by: Joel Stanley <joel@jms.id.au>
A race condition is possible when writing to events_queue_size where the
events kfifo is freed during the execution of a kfifo_in(), resulting in
a use-after-free. This patch prevents such a scenario by protecting the
events queue in operation with a spinlock and locking before performing
the events queue size adjustment.
The existing events_lock mutex is renamed to events_out_lock to reflect
that it only protects events queue out operations. Because the events
queue in operations can occur in an interrupt context, a new
events_in_lock spinlock is introduced and utilized.
Fixes: feff17a550 ("counter: Implement events_queue_size sysfs attribute")
Cc: David Lechner <david@lechnology.com>
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Link: https://lore.kernel.org/r/20211021103540.955639-1-vilhelm.gray@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When 'iio_dev_opaque->buffer_ioctl_handler' alloc fails in
iio_buffers_alloc_sysfs_and_mask(), the 'attrs' allocated in
iio_buffer_register_legacy_sysfs_groups() will be leaked:
unreferenced object 0xffff888108568d00 (size 128):
comm "88", pid 2014, jiffies 4294963294 (age 26.920s)
hex dump (first 32 bytes):
80 3e da 02 80 88 ff ff 00 3a da 02 80 88 ff ff .>.......:......
00 35 da 02 80 88 ff ff 00 38 da 02 80 88 ff ff .5.......8......
backtrace:
[<0000000095a9e51e>] __kmalloc+0x1a3/0x2f0
[<00000000faa3735e>] iio_buffers_alloc_sysfs_and_mask+0xfa3/0x1480 [industrialio]
[<00000000a46384dc>] __iio_device_register+0x52e/0x1b40 [industrialio]
[<00000000210af05e>] __devm_iio_device_register+0x22/0x80 [industrialio]
[<00000000730d7b41>] adjd_s311_probe+0x195/0x200 [adjd_s311]
[<00000000c0f70eb9>] i2c_device_probe+0xa07/0xbb0
The iio_buffer_register_legacy_sysfs_groups() is
called in __iio_buffer_alloc_sysfs_and_mask(),
so move the iio_buffer_unregister_legacy_sysfs_groups()
into __iio_buffer_free_sysfs_and_mask(), then the memory
will be freed.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: d9a625744e ("iio: core: merge buffer/ & scan_elements/ attributes")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211018063718.1971240-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Jonathan writes:
First set of IIO new device and feature support for the 5.16 cycle
Counter subsystem changes now sent separately.
This has been a busy cycle, so lots here and a few more stragglers to
come next week.
Big new feature in this cycle is probably output buffer support.
This has been in the works for a very long time so it's great to see
Mihail pick up the challenge and build upon his predecessors work to finally
bring this feature to mainline.
New device support
------------------
* adi,adxl313
- New driver and dt bindings for this low power accelerometer.
* adi,adxl355
- New driver and dt bindings for this accelerometer.
- Later series adds buffer support.
* asahi-kasei,ak8975
- Minor additions to driver to support ak09916
* aspeed,aspeed-adc
- Substantial rework plus feature additions to add support for the
ast2600 including a new dt bindings doc.
* atmel,at91_sama5d2
- Rework and support introduced for the sama7g5 parts.
* maxim,max31865
- New driver and bindings for this RTD temperature sensor chip.
* nxp,imx8qxp
- New driver and bindings for the ADC found on the i.MX 8QuadXPlus Soc.
* senseair,sunrise
- New driver and bindings for this family of carbon dioxide gas sensors.
* sensiron,scd4x
- New driver and bindings for this carbon dioxide gas sensor.
New features
------------
* Output buffer support. Works in a similar fashion to input buffers, but
in this case userspace pushes data into the kfifo which is then drained
to the device when a trigger occurs. Support added to the ad5766 DAC
driver.
* Core, devm_iio_map_array_register() to avoid need for
devm_add_action_or_reset() based cleanup in fully managed allocation
drivers.
* Core iio_push_to_buffers_with_ts_unaligned() function to safely handle a
few drivers where it really hard to ensure the correct data alignment in
an iio_push_to_buffers_with_timestamp() call. Note this uses a bounce
buffer so should be avoided whenever possible. Used in the ti,adc108s102,
invense,mpu3050 and adi,adis16400. This closes the last known set
of drivers with alignment issues at this interface.
* maxim,max1027
- Substantial rework to this driver main target of which was supporting
use of other triggers than it's own EOC interrupt.
- Transfer optimization.
* nxp,fxls8962af
- Threshold even support including using it as a wakeup source.
Cleanups, minor fixes etc
-------------------------
Chances of a common type to multiple drivers:
* devm_ conversion and drop of .remove() callbacks in:
- adi,ad5064
- adi,ad7291
- adi,ad7303
- adi,ad7746
- adi,ad9832
- adi,adis16080
- dialog,da9150-gpadc
- intel,mrfld_adc
- marvell,berlin2
- maxim,max1363
- maxim,max44000
- nuvoton,nau7802
- st_sensors (includes a lot of rework!)
- ti,ads8344
- ti,lp8788
* devm_platform_ioremap_resource() used to reduce boilerplate
- cirrus,ep93xx
- rockchip,saradc
- stm,stm32-dac
* Use dev_err_probe() in more places to both not print on deferred probe and
ensure a reason for the deferral is available for debug purposes.
- adi,ad8801
- capella,cm36651
- linear,ltc1660
- maxim,ds4424
- maxim,max5821
- microchip,mcp4922
- nxp,lpc18xx
- onnn,noa1305
- st,lsm9ds0
- st,st_sensors
- st,stm32-dac
- ti,afe4403
- ti,afe4404
- ti,dac7311
* Drop error returns in SPI and I2C remove() functions as they are ignored and
long term plan is to change these all over to returning void. In some cases
these patches just make it 'obvious' they always return 0 where it was the
case before but not easy to tell.
- adi,ad5380
- adi,ad5446
- adi,ad5686
- adi,ad5592r
- bosch,bma400
- bosch,bmc150
- fsl,mma7455
- honeywell,hmc5843
- kionix,kxsd9
- maxim,max5487
- meas,ms5611
- ti,afe4403
Driver specific changes
* adi,ad5770r
- Bring driver inline with documented bindings.
* adi,ad7746
- Trivial style fix
* adi,ad7949
- Express some magic values as the underlying parts via new #defines.
- Make it work with SPI controllers that don't support 14 or 16 bit messages
- Support selection of voltage reference from dt including expanding the
dt-bindings to cover this new functionality.
* adi,ad799x
- Implement selection of external reference voltage on AD7991, AD7995 and
AD7999.
- Add missing dt-bindings doc for devices supported by this driver.
* adi,adislib
- Move interrupt startup to better location in startup flow.
- Handle devices that cannot mask/unmask the drdy pin and must instead mask
at the interrupt controller. Applies to the adis16460 and adis16475 from
which we then drop equivalent code.
* adi,ltc2983
- Add support for optional reset pin.
- Fail to probe if no channels specified in dt binding.
* asahi-kasei,ak8975
- dt-binding additions of missing vid-supply regulator.
* aspeed,aspeed-adc
- Typo fix.
* fsl,mma7660
- Mark acpi_device_id table __maybe_unused to avoid build warning.
* fsl,imx25-gcq
- Avoid initializing regulators that aren't used.
* invensense,mpu3050
- Drop a dead protection against a clash with the old input driver.
* invensense,mpu6050
- Rework code to not use strcpy() and hence avoid possibility of wrong sized
buffers. Note this wasn't a bug, but the new code is a lot more readable.
- Mark acpi_device_id table __maybe_unused to avoid build warning.
* kionix,kxcjk1013
- dt-binding addition to note it supports interrupts.
* marvell,berlin2-adc
- Enable COMPILE_TEST building.
* maxim,max1027
- Avoid returning success in an error path.
* nxp,imx8qxp
- Fix warning when runtime pm not enabled via __maybe_unused.
* ricoh,rn5t618
- Use the new devm_iio_map_array_register() instead of open coding the same.
* samsung,exynos_adc
- Improve kconfig help text.
* st,lsm6dsx
- Move max_fifo_size into the fifo_ops structure where the other configuration
parameters are found.
* st,st_sensors:
- Reorder to ensure we turn the power off after removing userspace interfaces.
* senseair,sunrise
- Add missing I2C dependency.
* ti,twl6030
- Small code tidy up.
* tag 'iio-for-5.16a-split-take4' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio: (148 commits)
iio: imx8qxp-adc: mark PM functions as __maybe_unused
iio: pressure: ms5611: Make ms5611_remove() return void
iio: potentiometer: max5487: Don't return an error in .remove()
iio: magn: hmc5843: Make hmc5843_common_remove() return void
iio: health: afe4403: Don't return an error in .remove()
iio: dac: ad5686: Make ad5686_remove() return void
iio: dac: ad5592r: Make ad5592r_remove() return void
iio: dac: ad5446: Make ad5446_remove() return void
iio: dac: ad5380: Make ad5380_remove() return void
iio: accel: mma7455: Make mma7455_core_remove() return void
iio: accel: kxsd9: Make kxsd9_common_remove() return void
iio: accel: bmi088: Make bmi088_accel_core_remove() return void
iio: accel: bmc150: Make bmc150_accel_core_remove() return void
iio: accel: bma400: Make bma400_remove() return void
drivers:iio:dac:ad5766.c: Add trigger buffer
iio: triggered-buffer: extend support to configure output buffers
iio: kfifo-buffer: Add output buffer support
iio: Add output buffer support
iio: documentation: Document scd4x calibration use
drivers: iio: chemical: Add support for Sensirion SCD4x CO2 sensor
...
When endpoint_alloc() return failed in xillyusb_setup_base_eps(),
'xdev->msg_ep' will be freed but not set to NULL. That lets program
enter fail handling to cleanup_dev() in xillyusb_probe(). Check for
'xdev->msg_ep' is invalid in cleanup_dev() because 'xdev->msg_ep' did
not set to NULL when was freed. So the UAF problem for 'xdev->msg_ep'
is triggered.
==================================================================
BUG: KASAN: use-after-free in fifo_mem_release+0x1f4/0x210
CPU: 0 PID: 166 Comm: kworker/0:2 Not tainted 5.15.0-rc5+ #19
Call Trace:
dump_stack_lvl+0xe2/0x152
print_address_description.constprop.0+0x21/0x140
? fifo_mem_release+0x1f4/0x210
kasan_report.cold+0x7f/0x11b
? xillyusb_probe+0x530/0x700
? fifo_mem_release+0x1f4/0x210
fifo_mem_release+0x1f4/0x210
? __sanitizer_cov_trace_pc+0x1d/0x50
endpoint_dealloc+0x35/0x2b0
cleanup_dev+0x90/0x120
xillyusb_probe+0x59a/0x700
...
Freed by task 166:
kasan_save_stack+0x1b/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x109/0x140
kfree+0x117/0x4c0
xillyusb_probe+0x606/0x700
Set 'xdev->msg_ep' to NULL after being freed in xillyusb_setup_base_eps()
to fix the UAF problem.
Fixes: a53d1202ae ("char: xillybus: Add driver for XillyUSB (Xillybus variant for USB)")
Cc: stable <stable@vger.kernel.org>
Acked-by: Eli Billauer <eli.billauer@gmail.com>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Link: https://lore.kernel.org/r/20211016052047.1611983-1-william.xuanziyang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When freeing txn buffers, binder_transaction_buffer_release()
attempts to detect whether the current context is the target by
comparing current->group_leader to proc->tsk. This is an unreliable
test. Instead explicitly pass an 'is_failure' boolean.
Detecting the sender was being used as a way to tell if the
transaction failed to be sent. When cleaning up after
failing to send a transaction, there is no need to close
the fds associated with a BINDER_TYPE_FDA object. Now
'is_failure' can be used to accurately detect this case.
Fixes: 44d8047f1d ("binder: use standard functions to allocate fds")
Cc: stable <stable@vger.kernel.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20211015233811.3532235-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Oded writes:
This tag contains habanalabs driver changes for v5.16:
- Add a new uAPI (under the memory ioctl) to request from the driver
to export a DMA-BUF object that represents a memory region on
the device's DRAM. This is needed to enable peer-to-peer over PCIe
between habana device and an RDMA adapter (e.g. mlnx5 or efa
rdma adapter).
- Add debugfs node to dynamically configure CS timeout. Up until now,
it was only configurable through kernel module parameter.
- Fetch more comprehensive power information from the firmware.
- Always take timestamp when waiting for user interrupt, as the user
needs that information to optimize the graph runtime compilation.
- Modify user interrupt to look on 64-bit user value as fence, instead
of 32-bit.
- Bypass reset in case of repeated h/w error event after device reset.
This is to prevent endless loop of resets to the device.
- Fix several bugs in multi CS completion code.
- Fix race condition in fd close/open.
- Update to latest firmware headers
- Add select CRC32 in kconfig
- Small fixes, cosmetics
* tag 'misc-habanalabs-next-2021-10-18' of https://git.kernel.org/pub/scm/linux/kernel/git/ogabbay/linux: (25 commits)
habanalabs: refactor fence handling in hl_cs_poll_fences
habanalabs: context cleanup cosmetics
habanalabs: simplify wait for interrupt with timestamp flow
habanalabs: initialize hpriv fields before adding new node
habanalabs: Unify frequency set/get functionality
habanalabs: select CRC32
habanalabs: add support for dma-buf exporter
habanalabs: define uAPI to export FD for DMA-BUF
habanalabs: fix NULL pointer dereference
habanalabs: fix race condition in multi CS completion
habanalabs: use only u32
habanalabs: update firmware files
habanalabs: bypass reset for continuous h/w error event
habanalabs: take timestamp on wait for interrupt
habanalabs: prevent race between fd close/open
habanalabs: refactor reset log message
habanalabs: define soft-reset as inference op
habanalabs: fix debugfs device memory MMU VA translation
habanalabs: add support for a long interrupt target value
habanalabs: remove redundant cs validity checks
...
Without CONFIG_PM_SLEEP, the runtime suspend/resume functions
are unused, producing a warning:
drivers/iio/adc/imx8qxp-adc.c:433:12: error: 'imx8qxp_adc_runtime_resume' defined but not used [-Werror=unused-function]
433 | static int imx8qxp_adc_runtime_resume(struct device *dev)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/iio/adc/imx8qxp-adc.c:419:12: error: 'imx8qxp_adc_runtime_suspend' defined but not used [-Werror=unused-function]
419 | static int imx8qxp_adc_runtime_suspend(struct device *dev)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark them as __maybe_unused to shut up the compiler.
Fixes: 1e23dcaa1a ("iio: imx8qxp-adc: Add driver support for NXP IMX8QXP ADC")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Cai Huoqing <caihuoqing@baidu.com>
Link: https://lore.kernel.org/r/20211013144338.2261316-1-arnd@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Now that output (kfifo) buffers are supported, we need to extend the
{devm_}iio_triggered_buffer_setup_ext() parameter list to take a direction
parameter.
This allows us to attach an output triggered buffer to a DAC device.
Unfortunately it's a bit difficult to add another macro to avoid changing 5
drivers where {devm_}iio_triggered_buffer_setup_ext() is used.
Well, it's doable, but may not be worth the trouble vs just updating all
these 5 drivers.
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Mihail Chindris <mihail.chindris@analog.com>
Link: https://lore.kernel.org/r/20211007080035.2531-4-mihail.chindris@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Currently IIO only supports buffer mode for capture devices like ADCs. Add
support for buffered mode for output devices like DACs.
The output buffer implementation is analogous to the input buffer
implementation. Instead of using read() to get data from the buffer write()
is used to copy data into the buffer.
poll() with POLLOUT will wakeup if there is space available.
Drivers can remove data from a buffer using iio_pop_from_buffer(), the
function can e.g. called from a trigger handler to write the data to
hardware.
A buffer can only be either a output buffer or an input, but not both. So,
for a device that has an ADC and DAC path, this will mean 2 IIO buffers
(one for each direction).
The direction of the buffer is decided by the new direction field of the
iio_buffer struct and should be set after allocating and before registering
it.
Co-developed-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Co-developed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Mihail Chindris <mihail.chindris@analog.com>
Link: https://lore.kernel.org/r/20211007080035.2531-2-mihail.chindris@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
This is a driver for the SCD4x CO2 sensor from Sensirion. The sensor is
able to measure CO2 concentration, temperature and relative humdity.
The sensor uses a photoacoustic principle for measuring CO2 concentration.
An I2C interface is supported by this driver in order to communicate with
the sensor.
Signed-off-by: Roan van Dijk <roan@protonic.nl>
Link: https://lore.kernel.org/r/20211008101706.755942-4-roan@protonic.nl
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
