This is a note to let you know that I've just added the patch titled iio: inv_mpu6050: Fully validate gyro and accel scale writes to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: iio-inv_mpu6050-fully-validate-gyro-and-accel-scale-writes.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From e09fe9135399807b8397798a53160e055dc6c29f Mon Sep 17 00:00:00 2001 From: Lars-Peter Clausen <lars@xxxxxxxxxx> Date: Mon, 5 Apr 2021 13:44:41 +0200 Subject: iio: inv_mpu6050: Fully validate gyro and accel scale writes From: Lars-Peter Clausen <lars@xxxxxxxxxx> commit e09fe9135399807b8397798a53160e055dc6c29f upstream. When setting the gyro or accelerometer scale the inv_mpu6050 driver ignores the integer part of the value. As a result e.g. all of 0.13309, 1.13309, 12345.13309, ... are accepted as a valid gyro scale and 0.13309 is the scale that gets set in all those cases. Make sure to check that the integer part of the scale value is 0 and reject it otherwise. Fixes: 09a642b78523 ("Invensense MPU6050 Device Driver.") Signed-off-by: Lars-Peter Clausen <lars@xxxxxxxxxx> Acked-by: Jean-Baptiste Maneyrol <jmaneyrol@xxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20210405114441.24167-1-lars@xxxxxxxxxx Cc: <Stable@xxxxxxxxxxxxxxx> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) --- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c @@ -723,12 +723,16 @@ inv_mpu6050_read_raw(struct iio_dev *ind } } -static int inv_mpu6050_write_gyro_scale(struct inv_mpu6050_state *st, int val) +static int inv_mpu6050_write_gyro_scale(struct inv_mpu6050_state *st, int val, + int val2) { int result, i; + if (val != 0) + return -EINVAL; + for (i = 0; i < ARRAY_SIZE(gyro_scale_6050); ++i) { - if (gyro_scale_6050[i] == val) { + if (gyro_scale_6050[i] == val2) { result = inv_mpu6050_set_gyro_fsr(st, i); if (result) return result; @@ -759,13 +763,17 @@ static int inv_write_raw_get_fmt(struct return -EINVAL; } -static int inv_mpu6050_write_accel_scale(struct inv_mpu6050_state *st, int val) +static int inv_mpu6050_write_accel_scale(struct inv_mpu6050_state *st, int val, + int val2) { int result, i; u8 d; + if (val != 0) + return -EINVAL; + for (i = 0; i < ARRAY_SIZE(accel_scale); ++i) { - if (accel_scale[i] == val) { + if (accel_scale[i] == val2) { d = (i << INV_MPU6050_ACCL_CONFIG_FSR_SHIFT); result = regmap_write(st->map, st->reg->accl_config, d); if (result) @@ -806,10 +814,10 @@ static int inv_mpu6050_write_raw(struct case IIO_CHAN_INFO_SCALE: switch (chan->type) { case IIO_ANGL_VEL: - result = inv_mpu6050_write_gyro_scale(st, val2); + result = inv_mpu6050_write_gyro_scale(st, val, val2); break; case IIO_ACCEL: - result = inv_mpu6050_write_accel_scale(st, val2); + result = inv_mpu6050_write_accel_scale(st, val, val2); break; default: result = -EINVAL; Patches currently in stable-queue which might be from lars@xxxxxxxxxx are queue-5.10/iio-inv_mpu6050-fully-validate-gyro-and-accel-scale-writes.patch