Jonathan writes:
4th set of IIO fixes for 6.1
Single patch fixing a memory leak in an error path.
Fine to queue either for 6.2 if too late for 6.1
* tag 'iio-fixes-for-6.1d' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio:
iio: fix memory leak in iio_device_register_eventset()
dt-bindings: iio: adc: Remove the property "aspeed,trim-data-valid"
iio: adc: aspeed: Remove the trim valid dts property.
iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails
iio: accel: bma400: Fix memory leak in bma400_get_steps_reg()
iio: light: rpr0521: add missing Kconfig dependencies
iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
iio: health: afe4403: Fix oob read in afe4403_read_raw
iio: light: apds9960: fix wrong register for gesture gain
The pattern used in this device does not quite fit in the
iio_device_claim_direct_mode() typical usage. In this case, we want to
know if we are in buffered mode or not to know if the device is powered
(buffer mode) or not. And depending on that max30102_get_temp() will
power on the device if needed. Hence, in order to keep the same
functionality, we try to:
1. Claim Buffered mode;
2: If 1) succeeds call max30102_get_temp() without powering on the
device;
3: Release Buffered mode;
4: If 1) fails, Claim Direct mode;
5: If 4) succeeds call max30102_get_temp() with powering on the device;
6: Release Direct mode;
7: If 4) fails, goto to 1) and try again.
This dance between buffered and direct mode is not particularly pretty
(as well as the loop introduced by the goto statement) but it does allow
us to get rid of the mlock usage while keeping the same behavior.
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20221012151620.1725215-4-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
The pattern used in this device does not quite fit in the
iio_device_claim_direct_mode() typical usage. In this case,
iio_buffer_enabled() was being used not to prevent the raw
access but to allow it. Hence, let's make use of the new
iio_device_claim_buffer_mode() API to make sure we stay in
buffered mode during the complete read.
Note that we are shadowing the error code returned by
iio_device_claim_buffer_mode() so that we keep the original one
(-EAGAIN). The reason is that some userspace stack might already be
relying on this particular code so that we are not taking chances and
leave it alone.
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20221012151620.1725215-3-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
KASAN report out-of-bounds read as follows:
BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
Read of size 4 at addr ffffffffc00e4658 by task cat/278
Call Trace:
afe4404_read_raw
iio_read_channel_info
dev_attr_show
The buggy address belongs to the variable:
afe4404_channel_leds+0x18/0xffffffffffffe9c0
This issue can be reproduce by singe command:
$ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw
The array size of afe4404_channel_leds and afe4404_channel_offdacs
are less than channels, so access with chan->address cause OOB read
in afe4404_[read|write]_raw. Fix it by moving access before use them.
Fixes: b36e825764 ("iio: health/afe440x: Use regmap fields")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Andrew Davis <afd@ti.com>
Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
KASAN report out-of-bounds read as follows:
BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
Read of size 4 at addr ffffffffc02ac638 by task cat/279
Call Trace:
afe4403_read_raw
iio_read_channel_info
dev_attr_show
The buggy address belongs to the variable:
afe4403_channel_leds+0x18/0xffffffffffffe9e0
This issue can be reproduced by singe command:
$ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw
The array size of afe4403_channel_leds is less than channels, so access
with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
access before use it.
Fixes: b36e825764 ("iio: health/afe440x: Use regmap fields")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Andrew Davis <afd@ti.com>
Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Returning an error value in an i2c remove callback results in an error
message being emitted by the i2c core, but otherwise it doesn't make a
difference.
As afe4404_remove() already emits an error message on failure and the
additional error message by the i2c core doesn't add any useful
information, change the return value to zero to suppress this message.
This patch is a preparation for making i2c remove callbacks return void.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20220514130432.304674-1-u.kleine-koenig@pengutronix.de
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
The IIO core handles a trigger ops with all NULL callbacks the
same as if the trigger ops itself was NULL.
Remove the empty trigger ops from the interrupt trigger driver to slightly
reduce the boilerplate code. Object size of the driver module is also
slightly reduced.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20211031142130.20791-5-lars@metafoo.de
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
The IIO core handles a trigger ops with all NULL callbacks the
same as if the trigger ops itself was NULL.
Remove the empty trigger ops from the interrupt trigger driver to slightly
reduce the boilerplate code. Object size of the driver module is also
slightly reduced.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20211031142130.20791-4-lars@metafoo.de
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Continuing from Alexandru Ardelean's introduction of the split between
driver modifiable fields and those that should only be set by the core.
This could have been done in two steps to make the actual move after
introducing iio_device_id() but there seemed limited point to that
given how mechanical the majority of the patch is.
Includes fixup from Alex for missing mxs-lradc-adc conversion.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Link: https://lore.kernel.org/r/20210426174911.397061-2-jic23@kernel.org
All drivers that already call devm_iio_kfifo_allocate() &
iio_device_attach_buffer() are simple to convert to
iio_device_attach_kfifo_buffer() in a single go.
This change does that; the unwind order is preserved.
What is important, is that the devm_iio_kfifo_buffer_setup() be called
after the indio_dev->modes is assigned, to make sure that
INDIO_BUFFER_SOFTWARE flag is set and not overridden by the assignment to
indio_dev->modes.
Also, the INDIO_BUFFER_SOFTWARE has been removed from the assignments of
'indio_dev->modes' because it is set by devm_iio_kfifo_buffer_setup().
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-by: Matt Ranostay <matt.ranostay@konsulko.com>x
Link: https://lore.kernel.org/r/20210215104043.91251-4-alexandru.ardelean@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Jonathan writes:
Second set of features and cleanups for IIO in 5.10
We have a couple of changes that apply to large sets of drivers, so
I have grouped those to keep this short.
There are a few late breaking fixes in here that can wait for the
merge window.
dt yaml conversions
-------------------
* adi,ad7768-1
* adi,ad7949
* aspeed,ast2400
* cosmic,10001-adc
* dlg,da9150-gpadc
* fsl,imx25-gcq
* fsl,imx7d-adc
* fsl,vf610
* holt,hi8435
* marvell,berlin2-adc
* motorola,cpcap-adc
* nuvoton,nau7802
* nuvoton,npcm750-adc
* nxp,lpc1850-adc
* nxp,lpc3220
* sprd,sc2720-adc
* st,stmpe-adc
* ti,adc12138
* ti,ads1015
* ti,ads7950
* ti,twl4030-madc
Features
--------
* adxrs290
- Add triggered buffer support and expose data ready signal as a possible
trigger. Includes updating bindings.
- Add debugfs hooks for register access.
* mlx90632
- Add a clear user interface to override the measured ambient temperature.
* vl53l0x
- Add IRQ support including dt bindings.
Cleanups and minor fixes
------------------------
(groups)
Replace mlock with local lock:
* adf4350
* exynos-adc
* fls-imx25-gcq
* stm32-dac
devm use to simplify probe error handling and remove functions.
* adis16201
* adis16203
* adis16209
* adis16240
* adis16136
* adis16260
* adis16400
* adis16460
* adis16480
* adis library - drop unused adis_setup_buffer_and_trigger()
of_match_ptr removal and incorrect ACPI binding removal
of_match_ptr() rarely makes sense in an IIO driver as space saving
is trivial and it breaks ACPI PRP0001 based instantiation.
Mostly this series is about removing examples that get copied into new
drivers.
* ad2s1200
* ad5272
* ad5446
* ad5592r
* ad5593r
* ad5703
* ak8974
* ak8975
* ams-iaq-core
* as3935
* atlas-sensor
* ds1803
* hdc100x
* htu21
* icp10100
* lmp91000
* pulsedlight
* max30102
* max5432
* max5481
* mcp4018
* mcp4131
* mcp4531
* mcp4725
* ms5611
* ms5637
* si7020
* sgp30
* ti-dac082s085
* ti-dac5571
* tmp007
* tsys01
* vz89x
* zpa2326
kernel-doc fixes
* iio-core
* ad7303
* ad7947
* adis16080
* adis16400
* iio_dummy_evgen
* sgp30
Fixes for buffer alignment when passed to iio_push_to_buffers_with_timestamp()
This is a long running effort. There are a few more drivers to come.
* inv_mpu6050
* itg3200
* si1145
* st_lsm6dsx
* ti-adc0832
* ti-adc12138
(not driver focused)
* MAINTAINERS
- Consolidate Analog Device IIO entries whilst removing Beniamin Bia.
- Remove Hartmut Knaack as a listed IIO maintainer as he hasn't been
active for a long time and people are getting intermitted bounces.
* Add __printf() markings to a few functions that were missing them.
* drop some rotted documentation from staging.
* rework buffer sysfs file creation (precursor to multiple buffer support)
(individual drivers)
* ad5592r
- Fix use of true for IIO_SHARED_BY_TYPE
- Tidy up locking and indentation.
* ad9467
- Improve error message on chip-id missmatch.
- Use more appropriate error value if chip-id not recognised.
* adis-library
- Simplify burst mode handling.
* adxrs290
- Make sure to switch device to standby mode during remove.
* as73211
- Increase measurement timeout as seems some devices are slower.
* bma180
- Fix use of true fo IIO_SHARED_BY_TYPE
* exynos_adc
- Update binding to require second interrut with touch screen.
- Update binding to not require syscon on S5Pv210
* hmc5843
- Fix use of true for IIO_SHARED_BY_TYPE
* inv_mpu6050
- Use regmap_noinc_read() for fifo reading.
* palmas_gpadc
- Use module_platform_driver() to remove boilerplate.
* meson-saradc
- style consistency fixes
* rockchip_saradc
- Allow compile testing with !ARM.
* st_lsm6dsx
- Changing scaling factor to use IIO_VAL_INT_PLUS_NANO to improve precision.
- Fix an issue with unchecked return value.
* stm32-adc
- Fix a missing return introduced in dev_err_probe() patch earlier in
cycle.
* sx9310
- Prefer async mode for probe as paticularly slow startup.
* vcnl4000
- Add missing interrupt property to dt binding.
* tag 'iio-for-5.10b-take2' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio: (126 commits)
dt-bindings: iio: vishay,vcnl4000: add interrupts property
iio:imu:inv_mpu6050: Use regmap_noinc_read for fifo reads.
iio:imu:inv_mpu6050 Fix dma and ts alignment and data leak issues.
iio:adc:ti-adc12138 Fix alignment issue with timestamp
iio:adc:ti-adc0832 Fix alignment issue with timestamp
iio:imu:st_lsm6dsx Fix alignment and data leak issues
iio:light:si1145: Fix timestamp alignment and prevent data leak.
iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
iio:imu:st_lsm6dsx: check st_lsm6dsx_shub_read_output return
iio: adc: exynos_adc: Replace indio_dev->mlock with own device lock
dt-bindings:iio:adc:holt,hi8435 yaml conversion
dt-bindings:iio:adc:adi,ad7768-1 yaml conversion
dt-bindings:iio:adc:adi,ad7949 yaml conversion
dt-bindings:iio:adc:dlg,da9150-gpadc yaml conversion
dt-bindings:iio:adc:motorola,cpcap-adc yaml conversion
dt-bindings:iio:adc:nxp,lpc3220-adc yaml conversion
dt-bindings:iio:adc:nxp,lpc1850-adc yaml conversion
dt-bindings:iio:adc:fsl,imx25-gcq yaml conversion
dt-bindings:iio:adc:fsl,imx7d-adc yaml conversion
dt-bindings:iio:adc:ti,ads1015 yaml conversion
...
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.
Deterministic algorithm:
For each file:
If not .svg:
For each line:
If doesn't contain `\bxmlns\b`:
For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
If both the HTTP and HTTPS versions
return 200 OK and serve the same content:
Replace HTTP with HTTPS.
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses a 40 byte array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv() data with alignment
explicitly requested. This data is allocated with kzalloc so no
data can leak appart from previous readings.
Fixes: 87aec56e27 ("iio: health: Add driver for the TI AFE4404 heart monitor")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Acked-by: Andrew F. Davis <afd@ti.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses a 32 byte array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv() data with alignment
explicitly requested. This data is allocated with kzalloc so no
data can leak appart from previous readings.
Fixes: eec96d1e2d ("iio: health: Add driver for the TI AFE4403 heart monitor")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Acked-by: Andrew F. Davis <afd@ti.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
These were found by doing some shell magic:
------------
for file in $(git grep -w devm_iio_device_alloc | cut -d: -f1 | sort | uniq) ; do
if grep 'parent =' $file | grep -v trig | grep -vq devm_; then
echo "$file -> $(grep "parent =" $file)"
fi
done
-----------
The output is bearable [after the semantic patch is applied].
There is a mix of trigger assignments with some iio device parent
assignments that are removed via this patch.
JC: A few more added via inspection of all parent =
statements in drivers/iio. Some of these may just have crossed with this
series, others were less obvious to scripting due to some cross
file / module boundary calls.
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
This patch applies the semantic patch:
@@
expression I, P, SP;
@@
I = devm_iio_device_alloc(P, SP);
...
- I->dev.parent = P;
It updates 302 files and does 307 deletions.
This semantic patch also removes some comments like
'/* Establish that the iio_dev is a child of the i2c device */'
But this is is only done in case where the block is left empty.
The patch does not seem to cover all cases. It looks like in some cases a
different variable is used in some cases to assign the parent, but it
points to the same reference.
In other cases, the block covered by ... may be just too big to be covered
by the semantic patch.
However, this looks pretty good as well, as it does cover a big bulk of the
drivers that should remove the parent assignment.
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Instead of of_property_read_xxx use device_property_read_xxx as it is
compatible with ACPI too as opposed to only device tree.
Signed-off-by: Rohit Sarkar <rohitsarkar5398@gmail.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation this program is
distributed in the hope that it will be useful but without any
warranty without even the implied warranty of merchantability or
fitness for a particular purpose see the gnu general public license
for more details
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 655 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070034.575739538@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Based on 3 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version this program is distributed in the
hope that it will be useful but without any warranty without even
the implied warranty of merchantability or fitness for a particular
purpose see the gnu general public license for more details
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version [author] [kishon] [vijay] [abraham]
[i] [kishon]@[ti] [com] this program is distributed in the hope that
it will be useful but without any warranty without even the implied
warranty of merchantability or fitness for a particular purpose see
the gnu general public license for more details
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version [author] [graeme] [gregory]
[gg]@[slimlogic] [co] [uk] [author] [kishon] [vijay] [abraham] [i]
[kishon]@[ti] [com] [based] [on] [twl6030]_[usb] [c] [author] [hema]
[hk] [hemahk]@[ti] [com] this program is distributed in the hope
that it will be useful but without any warranty without even the
implied warranty of merchantability or fitness for a particular
purpose see the gnu general public license for more details
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 1105 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.202006027@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Add SPDX license identifiers to all Make/Kconfig files which:
- Have no license information of any form
These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:
GPL-2.0-only
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.
Notice that in this particular case, I placed the "fall through"
annotation at the bottom of the case, which is what GCC is expecting
to find.
Addresses-Coverity-ID: 1458342 ("Missing break in switch")
Addresses-Coverity-ID: 1458345 ("Missing break in switch")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
This resolves the merge issue pointed out by Stephen in
drivers/iio/adc/meson_saradc.c.
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The Maxim MAX30105 part adds a third LED (green) and uses a multi-LED
measuring mode producing three measurements
Signed-off-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Move the programming of the mode setting from init() to
buffer_postenable()
Split out a separate function to
only update the power/shutdown bit
This changes permits to more easily implement different
modes of measurements in further patches
Signed-off-by: Peter Meerwald-Stadler <pmeerw@pmeerw.net>
Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
