
[v2] iio: imu: st_lsm6dsx: fix possible lockup during FIFO read

Message ID 20250310142501.29535-1-s.seva@4sigma.it (mailing list archive)
State Changes Requested

Commit Message

Silvano Seva March 10, 2025, 2:19 p.m. UTC
Prevent st_lsm6dsx_read_fifo and st_lsm6dsx_read_tagged_fifo functions
from falling in an infinite loop in case pattern_len is equal to zero and
the device FIFO is not empty.

Fixes: 290a6ce11d93 ("iio: imu: add support to lsm6dsx driver")
Fixes: 801a6e0af0c6 ("iio: imu: st_lsm6dsx: add support to LSM6DSO")
Signed-off-by: Silvano Seva <s.seva@4sigma.it>
---

Changes since v1:
* st_lsm6dsx_read_fifo: moved check for zero pattern_len before fifo_len assignment
* st_lsm6dsx_read_fifo: dropped check for zero fifo_len
* added Fixes tags in commit message

 drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Jonathan Cameron March 10, 2025, 8:06 p.m. UTC | #1
On Mon, 10 Mar 2025 15:19:17 +0100
Silvano Seva <s.seva@4sigma.it> wrote:

> Prevent st_lsm6dsx_read_fifo and st_lsm6dsx_read_tagged_fifo functions
> from falling in an infinite loop in case pattern_len is equal to zero and
> the device FIFO is not empty.
> 
> Fixes: 290a6ce11d93 ("iio: imu: add support to lsm6dsx driver")
> Fixes: 801a6e0af0c6 ("iio: imu: st_lsm6dsx: add support to LSM6DSO")

That's going to make a messy backport.  I assume each fixes
tag refers to one instance below?  If so would you mind splitting the
patch into two parts, with appropriate single fix tag for each?

That would hopefully remove need for manual backporting to older kernels.

Thanks,

Jonathan

> Signed-off-by: Silvano Seva <s.seva@4sigma.it>
> ---
> 
> Changes since v1:
> * st_lsm6dsx_read_fifo: moved check for zero pattern_len before fifo_len assignment
> * st_lsm6dsx_read_fifo: dropped check for zero fifo_len
> * added Fixes tags in commit message
> 
>  drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> index 0a7cd8c1aa33..8a9d2593576a 100644
> --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> @@ -392,6 +392,9 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw)
>  	if (fifo_status & cpu_to_le16(ST_LSM6DSX_FIFO_EMPTY_MASK))
>  		return 0;
>  
> +	if (!pattern_len)
> +		pattern_len = ST_LSM6DSX_SAMPLE_SIZE;
> +
>  	fifo_len = (le16_to_cpu(fifo_status) & fifo_diff_mask) *
>  		   ST_LSM6DSX_CHAN_SIZE;
>  	fifo_len = (fifo_len / pattern_len) * pattern_len;
> @@ -623,6 +626,9 @@ int st_lsm6dsx_read_tagged_fifo(struct st_lsm6dsx_hw *hw)
>  	if (!fifo_len)
>  		return 0;
>  
> +	if (!pattern_len)
> +		pattern_len = ST_LSM6DSX_TAGGED_SAMPLE_SIZE;
> +
>  	for (read_len = 0; read_len < fifo_len; read_len += pattern_len) {
>  		err = st_lsm6dsx_read_block(hw,
>  					    ST_LSM6DSX_REG_FIFO_OUT_TAG_ADDR,

Patch

diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
index 0a7cd8c1aa33..8a9d2593576a 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
@@ -392,6 +392,9 @@  int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw)
 	if (fifo_status & cpu_to_le16(ST_LSM6DSX_FIFO_EMPTY_MASK))
 		return 0;
 
+	if (!pattern_len)
+		pattern_len = ST_LSM6DSX_SAMPLE_SIZE;
+
 	fifo_len = (le16_to_cpu(fifo_status) & fifo_diff_mask) *
 		   ST_LSM6DSX_CHAN_SIZE;
 	fifo_len = (fifo_len / pattern_len) * pattern_len;
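
Review bot: The `if (!pattern_len)` fallback in st_lsm6dsx_read_fifo has no comment saying when pattern_len can be zero while the FIFO is not empty, and it recovers silently. The context line right after it, `fifo_len = (fifo_len / pattern_len) * pattern_len;`, divides by pattern_len, so in this function a zero value also means a division by zero, which the commit message (infinite loop only) does not mention. Suggest a one-line comment above the check stating the condition it covers, and consider logging once when the fallback is taken so the unexpected state is visible.
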
@@ -623,6 +626,9 @@  int st_lsm6dsx_read_tagged_fifo(struct st_lsm6dsx_hw *hw)
 	if (!fifo_len)
 		return 0;
 
+	if (!pattern_len)
+		pattern_len = ST_LSM6DSX_TAGGED_SAMPLE_SIZE;
+
 	for (read_len = 0; read_len < fifo_len; read_len += pattern_len) {
 		err = st_lsm6dsx_read_block(hw,
 					    ST_LSM6DSX_REG_FIFO_OUT_TAG_ADDR,
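
Review bot: In st_lsm6dsx_read_tagged_fifo the fallback to ST_LSM6DSX_TAGGED_SAMPLE_SIZE sits after the `if (!fifo_len)` early return and right before the loop whose step is `read_len += pattern_len`, which is the statement that stops advancing when pattern_len is zero, yet the check carries no comment tying it to that loop. Suggest a short comment stating that the loop step must be non-zero. Since this is the same guard as in st_lsm6dsx_read_fifo with a different constant, it is also worth checking whether the value can be fixed where pattern_len is computed (not visible in this hunk) instead of at each use.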