5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 6 Jan 2021 18:16:51 +0000 (19:16 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 6 Jan 2021 18:16:51 +0000 (19:16 +0100)
added patches:
iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch

queue-5.4/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch b/queue-5.4/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
new file mode 100644 (file)
index 0000000..d01814b
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Wed Jan  6 07:09:39 PM CET 2021
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:39 +0100
+Subject: iio:imu:bmi160: Fix alignment and data leak issues
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit 7b6b51234df6cd8b04fe736b0b89c25612d896b8 upstream
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
+to the size of the timestamp (8 bytes).  This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here.  We close both issues by
+moving to a suitable array in the iio_priv() data with alignment
+explicitly requested.  This data is allocated with kzalloc() so no
+data can leak apart from previous readings.
+
+In this driver, depending on which channels are enabled, the timestamp
+can be in a number of locations.  Hence we cannot use a structure
+to specify the data layout without it being misleading.
+
+Fixes: 77c4ad2d6a9b ("iio: imu: Add initial support for Bosch BMI160")
+Reported-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: Daniel Baluta  <daniel.baluta@gmail.com>
+Cc: Daniel Baluta <daniel.baluta@oss.nxp.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-6-jic23@kernel.org
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/bmi160/bmi160.h      |    7 +++++++
+ drivers/iio/imu/bmi160/bmi160_core.c |    6 ++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/imu/bmi160/bmi160.h
++++ b/drivers/iio/imu/bmi160/bmi160.h
+@@ -7,6 +7,13 @@
+ struct bmi160_data {
+       struct regmap *regmap;
+       struct iio_trigger *trig;
++      /*
++       * Ensure natural alignment for timestamp if present.
++       * Max length needed: 2 * 3 channels + 4 bytes padding + 8 byte ts.
++       * If fewer channels are enabled, less space may be needed, as
++       * long as the timestamp is still aligned to 8 bytes.
++       */
++      __le16 buf[12] __aligned(8);
+ };
+ extern const struct regmap_config bmi160_regmap_config;
+--- a/drivers/iio/imu/bmi160/bmi160_core.c
++++ b/drivers/iio/imu/bmi160/bmi160_core.c
+@@ -411,8 +411,6 @@ static irqreturn_t bmi160_trigger_handle
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct bmi160_data *data = iio_priv(indio_dev);
+-      __le16 buf[12];
+-      /* 2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp */
+       int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L;
+       __le16 sample;
+@@ -422,10 +420,10 @@ static irqreturn_t bmi160_trigger_handle
+                                      &sample, sizeof(sample));
+               if (ret)
+                       goto done;
+-              buf[j++] = sample;
++              data->buf[j++] = sample;
+       }
+-      iio_push_to_buffers_with_timestamp(indio_dev, buf, pf->timestamp);
++      iio_push_to_buffers_with_timestamp(indio_dev, data->buf, pf->timestamp);
+ done:
+       iio_trigger_notify_done(indio_dev->trig);
+       return IRQ_HANDLED;
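Review bot: The new `data->buf` is zeroed only once by kzalloc(), and bmi160_trigger_handler fills just the `j` slots of enabled channels before pushing, so the slots between the last enabled channel and the 8-byte timestamp still hold whatever the previous reading left there, possibly taken under a different channel mask; the description accepts this, but it is cheap to remove. A `memset(data->buf, 0, sizeof(data->buf));` before the read loop in bmi160_trigger_handler would clear the residual samples on every push and make the "no data can leak" claim hold without the "apart from previous readings" caveat. Moving the buffer from the stack into iio_priv also means correctness now relies on the handler never running concurrently for the same device; the IIO poll-func path appears to serialize this, but a one-line comment on `buf` in bmi160.h noting that it is owned by the trigger handler would record the assumption. The signature of bmi160_trigger_handler and the start of its read loop lie outside the quoted hunks.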
index 99880e6df6d2a9278468cdba8f35fd289ca82625..48948f0a675ca33c5a40399c720c4969f8d5fddf 100644 (file)
@@ -4,3 +4,4 @@ dmaengine-at_hdmac-substitute-kzalloc-with-kmalloc.patch
 dmaengine-at_hdmac-add-missing-put_device-call-in-at_dma_xlate.patch
 dmaengine-at_hdmac-add-missing-kfree-call-in-at_dma_xlate.patch
 kdev_t-always-inline-major-minor-helper-functions.patch
+iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch