4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 6 Jan 2021 18:16:37 +0000 (19:16 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 6 Jan 2021 18:16:37 +0000 (19:16 +0100)
added patches:
iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch

queue-4.19/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch [new file with mode: 0644]
queue-4.19/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch b/queue-4.19/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
new file mode 100644 (file)
index 0000000..faa512d
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Wed Jan  6 07:09:58 PM CET 2021
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:39 +0100
+Subject: iio:imu:bmi160: Fix alignment and data leak issues
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit 7b6b51234df6cd8b04fe736b0b89c25612d896b8 upstream
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
+to the size of the timestamp (8 bytes).  This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here.  We close both issues by
+moving to a suitable array in the iio_priv() data with alignment
+explicitly requested.  This data is allocated with kzalloc() so no
+data can leak apart from previous readings.
+
+In this driver, depending on which channels are enabled, the timestamp
+can be in a number of locations.  Hence we cannot use a structure
+to specify the data layout without it being misleading.
+
+Fixes: 77c4ad2d6a9b ("iio: imu: Add initial support for Bosch BMI160")
+Reported-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: Daniel Baluta  <daniel.baluta@gmail.com>
+Cc: Daniel Baluta <daniel.baluta@oss.nxp.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-6-jic23@kernel.org
+[sudip: adjust context and use bmi160_data in old location]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/bmi160/bmi160_core.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/imu/bmi160/bmi160_core.c
++++ b/drivers/iio/imu/bmi160/bmi160_core.c
+@@ -110,6 +110,13 @@ enum bmi160_sensor_type {
+ struct bmi160_data {
+       struct regmap *regmap;
++      /*
++       * Ensure natural alignment for timestamp if present.
++       * Max length needed: 2 * 3 channels + 4 bytes padding + 8 byte ts.
++       * If fewer channels are enabled, less space may be needed, as
++       * long as the timestamp is still aligned to 8 bytes.
++       */
++      __le16 buf[12] __aligned(8);
+ };
+ const struct regmap_config bmi160_regmap_config = {
+@@ -385,8 +392,6 @@ static irqreturn_t bmi160_trigger_handle
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct bmi160_data *data = iio_priv(indio_dev);
+-      __le16 buf[12];
+-      /* 2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp */
+       int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L;
+       __le16 sample;
+@@ -396,10 +401,10 @@ static irqreturn_t bmi160_trigger_handle
+                                      &sample, sizeof(sample));
+               if (ret < 0)
+                       goto done;
+-              buf[j++] = sample;
++              data->buf[j++] = sample;
+       }
+-      iio_push_to_buffers_with_timestamp(indio_dev, buf,
++      iio_push_to_buffers_with_timestamp(indio_dev, data->buf,
+                                          iio_get_time_ns(indio_dev));
+ done:
+       iio_trigger_notify_done(indio_dev->trig);
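Review bot: The struct comment added above `__le16 buf[12] __aligned(8)` counts in bytes ("2 * 3 channels + 4 bytes padding + 8 byte ts") but omits the 2-byte width of each sample and never relates the total to the 12-entry `__le16` array, so a reader has to redo the arithmetic that the removed in-function comment (`2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp`) spelled out. Suggest `* Max length needed: 2 sensors * 3 axes * 2 bytes + 4 bytes padding + 8 byte ts = 24 bytes (12 __le16).` Since the array now lives in iio_priv() memory, entries past the last enabled channel hold the previous scan's values rather than stack contents, which is the "apart from previous readings" caveat in the commit message; that is worth stating next to the declaration rather than only in the changelog. bmi160_trigger_handler starts before and continues after the quoted hunk.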
diff --git a/queue-4.19/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch b/queue-4.19/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
new file mode 100644 (file)
index 0000000..d53e7d6
--- /dev/null
@@ -0,0 +1,75 @@
+From foo@baz Wed Jan  6 07:11:37 PM CET 2021
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:37 +0100
+Subject: iio:magnetometer:mag3110: Fix alignment and data leak issues.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit 89deb1334252ea4a8491d47654811e28b0790364 upstream
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned
+to the size of the timestamp (8 bytes).  This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here.  We close both issues by
+moving to a suitable structure in the iio_priv() data.
+This data is allocated with kzalloc() so no data can leak apart from
+previous readings.
+
+The explicit alignment of ts is not necessary in this case but
+does make the code slightly less fragile so I have included it.
+
+Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver")
+Reported-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-4-jic23@kernel.org
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/magnetometer/mag3110.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/magnetometer/mag3110.c
++++ b/drivers/iio/magnetometer/mag3110.c
+@@ -56,6 +56,12 @@ struct mag3110_data {
+       struct mutex lock;
+       u8 ctrl_reg1;
+       int sleep_val;
++      /* Ensure natural alignment of timestamp */
++      struct {
++              __be16 channels[3];
++              u8 temperature;
++              s64 ts __aligned(8);
++      } scan;
+ };
+ static int mag3110_request(struct mag3110_data *data)
+@@ -387,10 +393,9 @@ static irqreturn_t mag3110_trigger_handl
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct mag3110_data *data = iio_priv(indio_dev);
+-      u8 buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */
+       int ret;
+-      ret = mag3110_read(data, (__be16 *) buffer);
++      ret = mag3110_read(data, data->scan.channels);
+       if (ret < 0)
+               goto done;
+@@ -399,10 +404,10 @@ static irqreturn_t mag3110_trigger_handl
+                       MAG3110_DIE_TEMP);
+               if (ret < 0)
+                       goto done;
+-              buffer[6] = ret;
++              data->scan.temperature = ret;
+       }
+-      iio_push_to_buffers_with_timestamp(indio_dev, buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+               iio_get_time_ns(indio_dev));
+ done:
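Review bot: The new `scan` struct has one byte of implicit padding between `temperature` and the 8-byte-aligned `ts`, and that byte now reaches userspace in place of the old `buffer[7]`; it is only clean because iio_priv() memory comes from kzalloc() and nothing in the handler writes it, so that dependency should be documented on the struct instead of left to the commit message, e.g. `/* Ensure natural alignment of timestamp; implicit padding is zeroed by kzalloc() and must not be written */`. The `data->scan.temperature = ret;` store also sits inside a conditional block (its closing brace is visible in the hunk, the condition is not), so when it is skipped the field presumably carries the previous scan's temperature, which is the "previous readings" exposure the commit accepts; a one-line note there would save the next reader the same analysis. mag3110_trigger_handler starts before and continues after the quoted hunk.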
index 7272174bfbc54cf6ab251fe84ead7316a689d48c..4b69e73ba13246c4dbdf73c36d099d3442aea6be 100644 (file)
@@ -3,3 +3,5 @@ dmaengine-at_hdmac-substitute-kzalloc-with-kmalloc.patch
 dmaengine-at_hdmac-add-missing-put_device-call-in-at_dma_xlate.patch
 dmaengine-at_hdmac-add-missing-kfree-call-in-at_dma_xlate.patch
 kdev_t-always-inline-major-minor-helper-functions.patch
+iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
+iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch