4.4-stable patches

added patches:
	iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch

diff --git a/queue-4.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch b/queue-4.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
new file mode 100644 (file)
index 0000000..78eb789
--- /dev/null
+++ b/queue-4.4/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
@@ -0,0 +1,75 @@
+From foo@baz Wed Jan  6 07:12:53 PM CET 2021
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 20 Sep 2020 12:27:37 +0100
+Subject: iio:magnetometer:mag3110: Fix alignment and data leak issues.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit 89deb1334252ea4a8491d47654811e28b0790364 upstream
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned
+to the size of the timestamp (8 bytes).  This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here.  We close both issues by
+moving to a suitable structure in the iio_priv() data.
+This data is allocated with kzalloc() so no data can leak apart from
+previous readings.
+
+The explicit alignment of ts is not necessary in this case but
+does make the code slightly less fragile so I have included it.
+
+Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver")
+Reported-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200920112742.170751-4-jic23@kernel.org
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/magnetometer/mag3110.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/magnetometer/mag3110.c
++++ b/drivers/iio/magnetometer/mag3110.c
+@@ -52,6 +52,12 @@ struct mag3110_data {
+       struct i2c_client *client;
+       struct mutex lock;
+       u8 ctrl_reg1;
++      /* Ensure natural alignment of timestamp */
++      struct {
++              __be16 channels[3];
++              u8 temperature;
++              s64 ts __aligned(8);
++      } scan;
+ };
+ 
+ static int mag3110_request(struct mag3110_data *data)
+@@ -245,10 +251,9 @@ static irqreturn_t mag3110_trigger_handl
+       struct iio_poll_func *pf = p;
+       struct iio_dev *indio_dev = pf->indio_dev;
+       struct mag3110_data *data = iio_priv(indio_dev);
+-      u8 buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */
+       int ret;
+ 
+-      ret = mag3110_read(data, (__be16 *) buffer);
++      ret = mag3110_read(data, data->scan.channels);
+       if (ret < 0)
+               goto done;
+ 
+@@ -257,10 +262,10 @@ static irqreturn_t mag3110_trigger_handl
+                       MAG3110_DIE_TEMP);
+               if (ret < 0)
+                       goto done;
+-              buffer[6] = ret;
++              data->scan.temperature = ret;
+       }
+ 
+-      iio_push_to_buffers_with_timestamp(indio_dev, buffer,
++      iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+               iio_get_time_ns());
+ 
+ done:

diff --git a/queue-4.4/series b/queue-4.4/series
index f6ac951963207de731b9ef77807239ae0026f6f4..88deca66e833b46f9787d81e11c5fb824fa108d9 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -18,3 +18,4 @@ module-set-module_state_going-state-when-a-module-fa.patch
 quota-don-t-overflow-quota-file-offsets.patch
 powerpc-sysdev-add-missing-iounmap-on-error-in-mpic_.patch
 module-delay-kobject-uevent-until-after-module-init-.patch
+iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch