USB bulk and interrupt message timeouts are specified in milliseconds
and should specifically not vary with CONFIG_HZ.
Note that the bulk-out transfer timeout was set to the endpoint
bInterval value, which should be ignored for bulk endpoints and is
typically set to zero. This meant that a failing bulk-out transfer
would never time out.
Assume that the 10 second timeout used for all other transfers is more
than enough also for the bulk-out endpoint.
Fixes: 985cafccbf ("Staging: Comedi: vmk80xx: Add k8061 support")
Fixes: 951348b377 ("staging: comedi: vmk80xx: wait for URBs to complete")
Cc: stable@vger.kernel.org # 2.6.31
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211025114532.4599-6-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The driver uses endpoint-sized USB transfer buffers but up until
recently had no sanity checks on the sizes.
Commit e1f13c879a ("staging: comedi: check validity of wMaxPacketSize
of usb endpoints found") inadvertently fixed NULL-pointer dereferences
when accessing the transfer buffers in case a malicious device has a
zero wMaxPacketSize.
Make sure to allocate buffers large enough to handle also the other
accesses that are done without a size check (e.g. byte 18 in
vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond
the buffers, for example, when doing descriptor fuzzing.
The original driver was for a low-speed device with 8-byte buffers.
Support was later added for a device that uses bulk transfers and is
presumably a full-speed device with a maximum 64-byte wMaxPacketSize.
Fixes: 985cafccbf ("Staging: Comedi: vmk80xx: Add k8061 support")
Cc: stable@vger.kernel.org # 2.6.31
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211025114532.4599-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Some LKDTM tests need to be run more than once (usually to setup and
then later trigger). Until now, the only case was the SOFT_LOCKUP test,
which wasn't useful to run in the bulk selftests. The coming stack canary
checking needs to run twice, so support this with a new test output prefix
"repeat".
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20211022223826.330653-2-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Vinod writes:
soundwire updates for 5.16-rc1
- Update on sysfs wildcard documentation
- debugfs update for core and qcom driver
- invalid slave pointer fix for bus
* tag 'soundwire-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
soundwire: qcom: add debugfs entry for soundwire register dump
soundwire: bus: stop dereferencing invalid slave pointer
ABI: sysfs-bus-soundwire-slave: use wildcards on What definitions
ABI: sysfs-bus-soundwire-master: use wildcards on What definitions
soundwire: debugfs: use controller id and link_id for debugfs
Jonathan writes:
2nd set of IIO new driver, cleanups and features for the 5.16 cycle
New device support
* adrf6780 microwave upconverter.
- New driver for this interesting device including bindings.
Features
* lite-on ltr501
- Add dt-bindings including vendor ID and of_device_id table.
- Add regulator support.
* sensiron,scd4x
- Add reporting of channel scale.
Cleanups including fixes for things in this cycle
* Tree wide: Another set of dev_err_probe() introductions to reduce
noise in logs when deferred probing is needed and provide more debug
info. Devices included this time:
- amlogic,meson_saradc
- capella,cm3605
- fsl,imx7d
- maxim,max1118
- maxim,max1241
- nxp,lpc18xx
- qcom,pm8xxxx-xoadc
- rockchip,saradc
- sharp,gp2ap002
- sterricson,ab8500
- ti,ads7950
* core - iio:buffer
- Fix a path where a ret value is not intialized.
* channel-mux
- Add support to mux core subsystem for a settling delay and use
it in the iio-channel-mux driver.
- Fix a few dt binding warnings.
* nxp,lpc18xx
- Convert to devm_ functions for all of probe and drop remove()
* st,lsm6dsx
- Suppress a warning due to lack of handling of an enum *_MAX entry
that is just there to get the size.
* st,stm32-adc
- Add generic channel binding, deprecating the old approach.
- Add nvmem support to get calibration data for the vrefint channel and
use it to perform such calibration.
- Add a binding for sample-time to the generic channel description as it
can be per channel.
* ti,adc128s052
- Use devm_ managed functions and drop remove()
* vti,sca3000
- Use sign_extend32() rather than opencoding.
* xilinx,xadc
- Drop irq field from state structure as now just used in probe.
* tag 'iio-for-5.16b' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio: (36 commits)
dt-bindings: iio: frequency: add adrf6780 doc
iio: frequency: adrf6780: add support for ADRF6780
iio: chemical: scd4x: Add a scale for the co2 concentration reading
dt-bindings: iio: io-channel-mux: allow duplicate channel, labels
dt-bindings: iio: io-channel-mux: add optional #io-channel-cells
iio: adc: adc128s052: Simplify adc128_probe()
iio: multiplexer: iio-mux: Support settle-time-us property
dt-bindings: iio: io-channel-mux: Add property for settle time
mux: add support for delay after muxing
iio: adc: stm32-adc: use generic binding for sample-time
iio: adc: stm32-adc: add vrefint calibration support
iio: adc: stm32-adc: add support of internal channels
iio: adc: stm32-adc: add support of generic channels binding
iio: adc: stm32-adc: split channel init into several routines
dt-bindings: iio: stm32-adc: add nvmem support for vrefint internal channel
dt-bindings: iio: stm32-adc: add generic channel binding
iio: accel: sca3000: Use sign_extend32() instead of opencoding sign extension.
iio: xilinx-xadc: Remove `irq` field from state struct
iio: imu: st_lsm6dsx: Avoid potential array overflow in st_lsm6dsx_set_odr()
iio: light: gp2ap002: Make use of the helper function dev_err_probe()
...
Jonathan writes:
First set of IIO fixes for the 5.16 cycle
As these are very late in the 5.15 cycle and non are particularly urgent,
they can wait for the merge window.
Key element in this set is Yang Yingliang has identified a number of
issues in error paths introduced recently when we added multiple
buffer support.
Other fixes:
* adi,ad5662
- Fix handling of i2c_master_send() return value.
* adi,ad5766
- Fix a wrong dt-property name that indicated wrong units and
did not mach the bindings.
- Associated 'fix' of the bindings example to have a possible scale.
* st,pressure-spi
- Add some missing entries to the spi_device_id table to ensure
auto-loading works.
* ti,tsc2046
- Fix a backwards comparison leading to a false dev_warn
* tag 'iio-fixes-for-5.16a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio:
iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask()
iio: adc: tsc2046: fix scan interval warning
iio: core: fix double free in iio_device_unregister_sysfs()
iio: core: check return value when calling dev_set_name()
iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups()
iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()
iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask()
iio: buffer: check return value of kstrdup_const()
iio: dac: ad5446: Fix ad5622_write() return value
Documentation:devicetree:bindings:iio:dac: Fix val
drivers: iio: dac: ad5766: Fix dt property name
iio: st_pressure_spi: Add missing entries SPI to device ID table
Georgi writes:
interconnect changes for 5.16
Here are the changes for the 5.16-rc1 merge window consisting of just
driver updates. The highlight is the refactoring of some existing drivers
into common code and expanding some macros that will make adding QoS
support much easier.
Driver changes:
- icc-rpm: move bus clocks handling into qnoc_probe
- sdm660: expand DEFINE_QNODE macros
- sdm660: drop default/unused values
- sdm660: merge common code into icc-rpm
- icc-rpm: add support for QoS reg offset
- msm8916: expand DEFINE_QNODE macros
- msm8916: add support for AP-owned nodes
- msm8939: expand DEFINE_QNODE macros
- msm8939: add support for AP-owned nodes
- qcs404: expand DEFINE_QNODE macros
- qcom: drop DEFINE_QNODE macro
- samsung: describe drivers in KConfig
Signed-off-by: Georgi Djakov <djakov@kernel.org>
* tag 'icc-5.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/djakov/icc:
interconnect: samsung: describe drivers in KConfig
interconnect: qcom: drop DEFINE_QNODE macro
interconnect: qcs404: expand DEFINE_QNODE macros
interconnect: msm8939: add support for AP-owned nodes
interconnect: msm8939: expand DEFINE_QNODE macros
interconnect: msm8916: add support for AP-owned nodes
interconnect: msm8916: expand DEFINE_QNODE macros
interconnect: icc-rpm: add support for QoS reg offset
interconnect: sdm660: merge common code into icc-rpm
interconnect: sdm660: drop default/unused values
interconnect: sdm660: expand DEFINE_QNODE macros
interconnect: icc-rpm: move bus clocks handling into qnoc_probe
Joel writes:
FSI changes for v5.16
- SBEFIFO usersapce interfaces to perform FFDC (First Failure
Data Capture) and detect timeouts
- A fix to handle multiple messages in flight
* tag 'fsi-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/joel/fsi:
fsi: sbefifo: Use interruptible mutex locking
fsi: sbefifo: Add sysfs file indicating a timeout error
docs: ABI: testing: Document the SBEFIFO timeout interface
hwmon: (occ) Provide the SBEFIFO FFDC in binary sysfs
docs: ABI: testing: Document the OCC hwmon FFDC binary interface
fsi: occ: Store the SBEFIFO FFDC in the user response buffer
fsi: occ: Use a large buffer for responses
hwmon: (occ) Remove sequence numbering and checksum calculation
fsi: occ: Force sequence numbering per OCC
Some SBE operations have extremely large responses and can require
several minutes to process the response. During this time, the device
lock must be held. If another process attempts an operation, it will
wait for the mutex for longer than the kernel hung task watchdog
allows. Therefore, use the interruptible function to lock the mutex.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Link: https://lore.kernel.org/r/20210803213016.44739-1-eajames@linux.ibm.com
Signed-off-by: Joel Stanley <joel@jms.id.au>
If the SBEFIFO response indicates an error, store the response in the
user buffer and return an error. Previously, the user had no way of
obtaining the SBEFIFO FFDC.
The user's buffer now contains data in the event of a failure. No change
in the event of a successful transfer.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20211019205307.36946-3-eajames@linux.ibm.com
Signed-off-by: Joel Stanley <joel@jms.id.au>
Allocate a large buffer for each OCC to handle response data. This
removes memory allocation during an operation, and also allows for
the maximum amount of SBE FFDC.
Previously for the putsram and attn commands, only 32 words would have
been available, and for getsram, only up to the size of the transfer.
SBE FFDC might be up to 8Kb.
The SBE interface expects data to be specified in units of words (4
bytes), defined as OCC_MAX_RESP_WORDS.
This change allows the full FFDC capture to be implemented, where before
it was not available.
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20211019205307.36946-2-eajames@linux.ibm.com
Signed-off-by: Joel Stanley <joel@jms.id.au>
This is needed since an empty channel label is used to indicate an
unused channel, and there can be more that one of those.
Fixes the following problem reported by dtbs_check:
envelope-detector-mux: channels: ['', '', 'sync-1', 'in', 'out', 'sync-2', 'sys-reg', 'ana-reg'] has non-unique elements
arch/arm/boot/dts/at91-tse850-3.dt.yaml
Suggested-by: Rob Herring <robh@kernel.org>
Signed-off-by: Peter Rosin <peda@axentia.se>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Needed for in-kernel use of the child channels of the mux.
Fixes problems like this, reported by dtbs_check:
adc0mux: '#io-channel-cells' does not match any of the regexes: 'pinctrl-[0-9]+'
arch/arm/boot/dts/aspeed-bmc-ampere-mtjade.dt.yaml
Suggested-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Peter Rosin <peda@axentia.se>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
A race condition is possible when writing to events_queue_size where the
events kfifo is freed during the execution of a kfifo_in(), resulting in
a use-after-free. This patch prevents such a scenario by protecting the
events queue in operation with a spinlock and locking before performing
the events queue size adjustment.
The existing events_lock mutex is renamed to events_out_lock to reflect
that it only protects events queue out operations. Because the events
queue in operations can occur in an interrupt context, a new
events_in_lock spinlock is introduced and utilized.
Fixes: feff17a550 ("counter: Implement events_queue_size sysfs attribute")
Cc: David Lechner <david@lechnology.com>
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com>
Link: https://lore.kernel.org/r/20211021103540.955639-1-vilhelm.gray@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
When 'iio_dev_opaque->buffer_ioctl_handler' alloc fails in
iio_buffers_alloc_sysfs_and_mask(), the 'attrs' allocated in
iio_buffer_register_legacy_sysfs_groups() will be leaked:
unreferenced object 0xffff888108568d00 (size 128):
comm "88", pid 2014, jiffies 4294963294 (age 26.920s)
hex dump (first 32 bytes):
80 3e da 02 80 88 ff ff 00 3a da 02 80 88 ff ff .>.......:......
00 35 da 02 80 88 ff ff 00 38 da 02 80 88 ff ff .5.......8......
backtrace:
[<0000000095a9e51e>] __kmalloc+0x1a3/0x2f0
[<00000000faa3735e>] iio_buffers_alloc_sysfs_and_mask+0xfa3/0x1480 [industrialio]
[<00000000a46384dc>] __iio_device_register+0x52e/0x1b40 [industrialio]
[<00000000210af05e>] __devm_iio_device_register+0x22/0x80 [industrialio]
[<00000000730d7b41>] adjd_s311_probe+0x195/0x200 [adjd_s311]
[<00000000c0f70eb9>] i2c_device_probe+0xa07/0xbb0
The iio_buffer_register_legacy_sysfs_groups() is
called in __iio_buffer_alloc_sysfs_and_mask(),
so move the iio_buffer_unregister_legacy_sysfs_groups()
into __iio_buffer_free_sysfs_and_mask(), then the memory
will be freed.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: d9a625744e ("iio: core: merge buffer/ & scan_elements/ attributes")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211018063718.1971240-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Slave pointer is invalid after end of list iteration, using this
would result in below Memory abort.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
...
Call trace:
__dev_printk+0x34/0x7c
_dev_warn+0x6c/0x90
sdw_bus_exit_clk_stop+0x194/0x1d0
swrm_runtime_resume+0x13c/0x238
pm_generic_runtime_resume+0x2c/0x48
__rpm_callback+0x44/0x150
rpm_callback+0x6c/0x78
rpm_resume+0x314/0x558
rpm_resume+0x378/0x558
rpm_resume+0x378/0x558
__pm_runtime_resume+0x3c/0x88
Use bus->dev instead to print this error message.
Fixes: b50bb8ba36 ("soundwire: bus: handle -ENODATA errors in clock stop/start sequences")
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20211012101521.32087-1-srinivas.kandagatla@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Add support of vrefint calibration.
If a channel is labeled as vrefint, get vrefint calibration
from non volatile memory for this channel.
vrefint channel is exposed as a processed channel returning
the actual value of vrefp:
vrefp = 3.3 x vrefint_cal / vrefint_data
A conversion on vrefint channel allows to update scale
factor according to vrefint deviation, compared to vrefint
calibration value.
Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
Reviewed-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Link: https://lore.kernel.org/r/20211014131228.4692-7-olivier.moysan@foss.st.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Since commit 2a9685d1a3 ("iio: adc: xilinx: use more devres helpers and
remove remove()") the `irq` field from XADC driver state struct is only
used in the `probe()` function.
Use the local `irq` variable throughout the `probe()` function and remove
the now unused field from the state struct.
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20211017121551.24063-1-lars@metafoo.de
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
The length of hw->settings->odr_table is 2 and ref_sensor->id is an enum
variable whose value is between 0 and 5.
However, the value ST_LSM6DSX_ID_MAX (i.e. 5) is not caught properly in
switch (sensor->id) {
If ref_sensor->id is ST_LSM6DSX_ID_MAX, an array overflow will ocurrs in
function st_lsm6dsx_check_odr():
odr_table = &sensor->hw->settings->odr_table[sensor->id];
and in function st_lsm6dsx_set_odr():
reg = &hw->settings->odr_table[ref_sensor->id].reg;
To avoid this array overflow, handle ST_LSM6DSX_ID_GYRO explicitly and
return -EINVAL for the default case.
The enum value ST_LSM6DSX_ID_MAX is only present as an easy way to check
the limit and as such is never used, however this is not locally obvious.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/20211011114003.976221-1-starmiku1207184332@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
When possible use dev_err_probe help to properly deal with the
PROBE_DEFER error, the benefit is that DEFER issue will be logged
in the devices_deferred debugfs file.
Using dev_err_probe() can reduce code size, and the error value
gets printed.
BTW, change the return value from 'ENXIO' to 'ENODEV',
perfer ENODEV which means no such device.
Signed-off-by: Cai Huoqing <caihuoqing@baidu.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20211008092858.495-7-caihuoqing@baidu.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
