Commit ffb384c2 authored by Linus Torvalds's avatar Linus Torvalds
Pull char/misc driver fixes from Greg KH:
 "Here are some small char/misc and other driver fixes for 6.0-rc4.

  Included in here are:

   - binder fixes for previous fixes, and a few more fixes uncovered by
     them.

   - iio driver fixes

   - soundwire driver fixes

   - fastrpc driver fixes for memory corruption on some hardware

   - peci driver fix

   - mhi driver fix

  All of these have been in linux-next with no reported problems"

* tag 'char-misc-6.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  binder: fix alloc->vma_vm_mm null-ptr dereference
  misc: fastrpc: increase maximum session count
  misc: fastrpc: fix memory corruption on open
  misc: fastrpc: fix memory corruption on probe
  soundwire: qcom: fix device status array range
  bus: mhi: host: Fix up null pointer access in mhi_irq_handler
  soundwire: qcom: remove duplicate reset control get
  iio: light: cm32181: make cm32181_pm_ops static
  iio: ad7292: Prevent regulator double disable
  dt-bindings: iio: gyroscope: bosch,bmg160: correct number of pins
  iio: adc: mcp3911: use correct formula for AD conversion
  iio: adc: mcp3911: correct "microchip,device-addr" property
  Revert "binder_alloc: Add missing mmap_lock calls when using the VMA"
  binder_alloc: Add missing mmap_lock calls when using the VMA
  binder: fix UAF of ref->proc caused by race condition
  iio: light: cm3605: Fix an error handling path in cm3605_probe()
  iio: adc: mcp3911: make use of the sign bit
  peci: cpu: Fix use-after-free in adev_release()
  peci: aspeed: fix error check return value of platform_get_irq()
parents fd59585c 0f022aaa
+2 −0
@@ -24,8 +24,10 @@ properties:

  interrupts:
    minItems: 1
    maxItems: 2
    description:
      Should be configured with type IRQ_TYPE_EDGE_RISING.
      If two interrupts are provided, expected order is INT1 and INT2.

required:
  - compatible
+12 −0
@@ -1385,6 +1385,18 @@ static int binder_inc_ref_for_node(struct binder_proc *proc,
	}
	ret = binder_inc_ref_olocked(ref, strong, target_list);
	*rdata = ref->data;
	if (ret && ref == new_ref) {
		/*
		 * Cleanup the failed reference here as the target
		 * could now be dead and have already released its
		 * references by now. Calling on the new reference
		 * with strong=0 and a tmp_refs will not decrement
		 * the node. The new_ref gets kfree'd below.
		 */
		binder_cleanup_ref_olocked(new_ref);
		ref = NULL;
	}

	binder_proc_unlock(proc);
	if (new_ref && ref != new_ref)
		/*
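Review bot: The new failure branch runs after `*rdata = ref->data;` has already executed, so on error the caller's rdata holds a copy of the data of a reference that `binder_cleanup_ref_olocked(new_ref)` has just torn down. Whether every caller ignores rdata when ret is non-zero cannot be seen here, because binder_inc_ref_for_node() starts and ends outside the hunk. I would record the contract next to the copy with a comment such as `/* *rdata is only meaningful when ret == 0 */`, so that a later caller does not act on a stale descriptor or count after a failed increment.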
+2 −2
@@ -322,7 +322,6 @@ static inline void binder_alloc_set_vma(struct binder_alloc *alloc,
	 */
	if (vma) {
		vm_start = vma->vm_start;
		alloc->vma_vm_mm = vma->vm_mm;
		mmap_assert_write_locked(alloc->vma_vm_mm);
	} else {
		mmap_assert_locked(alloc->vma_vm_mm);
@@ -795,7 +794,6 @@ int binder_alloc_mmap_handler(struct binder_alloc *alloc,
	binder_insert_free_buffer(alloc, buffer);
	alloc->free_async_space = alloc->buffer_size / 2;
	binder_alloc_set_vma(alloc, vma);
	mmgrab(alloc->vma_vm_mm);

	return 0;

@@ -1091,6 +1089,8 @@ static struct shrinker binder_shrinker = {
void binder_alloc_init(struct binder_alloc *alloc)
{
	alloc->pid = current->group_leader->pid;
	alloc->vma_vm_mm = current->mm;
	mmgrab(alloc->vma_vm_mm);
	mutex_init(&alloc->mutex);
	INIT_LIST_HEAD(&alloc->buffers);
}
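Review bot: With `alloc->vma_vm_mm = current->mm` now recorded once in `binder_alloc_init()` and the assignment from `vma->vm_mm` dropped in `binder_alloc_set_vma()`, nothing in these hunks checks that a later mmap arrives on the same mm that was cached at init. If the two can ever differ, `mmap_assert_write_locked(alloc->vma_vm_mm)` would assert on the wrong mm and later lookups through the cached pointer would use a stale address space. I would add a guard early in `binder_alloc_mmap_handler()`, along the lines of `if (vma->vm_mm != alloc->vma_vm_mm) return -EINVAL;`, routed through whatever unwinding the handler already uses, since its body starts outside the hunk. The `mmgrab()` in init also needs a matching `mmdrop()` on release even when mmap is never called; that path is not shown here and is worth confirming.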
+16 −3
@@ -430,12 +430,25 @@ irqreturn_t mhi_irq_handler(int irq_number, void *dev)
{
	struct mhi_event *mhi_event = dev;
	struct mhi_controller *mhi_cntrl = mhi_event->mhi_cntrl;
	struct mhi_event_ctxt *er_ctxt =
		&mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index];
	struct mhi_event_ctxt *er_ctxt;
	struct mhi_ring *ev_ring = &mhi_event->ring;
	dma_addr_t ptr = le64_to_cpu(er_ctxt->rp);
	dma_addr_t ptr;
	void *dev_rp;

	/*
	 * If CONFIG_DEBUG_SHIRQ is set, the IRQ handler will get invoked during __free_irq()
	 * and by that time mhi_ctxt() would've freed. So check for the existence of mhi_ctxt
	 * before handling the IRQs.
	 */
	if (!mhi_cntrl->mhi_ctxt) {
		dev_dbg(&mhi_cntrl->mhi_dev->dev,
			"mhi_ctxt has been freed\n");
		return IRQ_HANDLED;
	}

	er_ctxt = &mhi_cntrl->mhi_ctxt->er_ctxt[mhi_event->er_index];
	ptr = le64_to_cpu(er_ctxt->rp);

	if (!is_valid_ring_ptr(ev_ring, ptr)) {
		dev_err(&mhi_cntrl->mhi_dev->dev,
			"Event ring rp points outside of the event ring\n");
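Review bot: The guard `if (!mhi_cntrl->mhi_ctxt)` only helps if teardown sets `mhi_cntrl->mhi_ctxt` to NULL before the context memory is released and before the IRQ is freed. The handler reads the pointer at the check and again when computing `er_ctxt`, with no lock or `READ_ONCE()` visible in the hunk. That ordering is not shown here, so I would state it in the comment and tidy its wording at the same time, e.g. `... by that time mhi_ctxt would already have been freed and set to NULL`. If teardown can run concurrently with a real interrupt, reading the pointer once into a local with `READ_ONCE(mhi_cntrl->mhi_ctxt)` and using that local for both the check and the `er_ctxt` lookup would be safer. The rest of mhi_irq_handler() lies outside the hunk.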
+1 −3
@@ -287,10 +287,8 @@ static int ad7292_probe(struct spi_device *spi)

		ret = devm_add_action_or_reset(&spi->dev,
					       ad7292_regulator_disable, st);
		if (ret) {
			regulator_disable(st->reg);
		if (ret)
			return ret;
		}

		ret = regulator_get_voltage(st->reg);
		if (ret < 0)
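Review bot: The reason no explicit `regulator_disable(st->reg)` appears in the `if (ret)` branch is not recorded in the code, which makes the double disable easy to reintroduce. A one-line comment above the check would help, e.g. `/* on failure devm_add_action_or_reset() has already run ad7292_regulator_disable() */`. ad7292_probe() starts and ends outside the hunk.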