From: Greg Kroah-Hartman Date: Mon, 14 Sep 2020 11:55:24 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.19.146~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=024885118ef3752dbdf31825ac88f53ee71cc9eb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: iio-accel-bmc150-accel-fix-timestamp-alignment-and-prevent-data-leak.patch iio-adc-ina2xx-fix-timestamp-alignment-issue.patch iio-adc-mcp3422-fix-locking-scope.patch iio-adc-ti-ads1015-fix-conversion-when-config_pm-is-not-set.patch iio-light-ltr501-fix-timestamp-alignment-issue.patch
---
diff --git a/queue-4.9/iio-accel-bmc150-accel-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-4.9/iio-accel-bmc150-accel-fix-timestamp-alignment-and-prevent-data-leak.patch
new file mode 100644
index 00000000000..43844ed9c26
--- /dev/null
+++ b/queue-4.9/iio-accel-bmc150-accel-fix-timestamp-alignment-and-prevent-data-leak.patch
@@ -0,0 +1,74 @@
+From a6f86f724394de3629da63fe5e1b7a4ab3396efe Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron
+Date: Wed, 22 Jul 2020 16:50:39 +0100
+Subject: iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak.
+
+From: Jonathan Cameron
+
+commit a6f86f724394de3629da63fe5e1b7a4ab3396efe upstream.
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses a 16 byte array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here. We close both issues by moving
+to a suitable structure in the iio_priv() data with alignment
+ensured by use of an explicit c structure. This data is allocated
+with kzalloc so no data can leak appart from previous readings.
+
+Fixes tag is beyond some major refactoring so likely manual backporting
+would be needed to get that far back.
+
+Whilst the force alignment of the ts is not strictly necessary, it
+does make the code less fragile.
+
+Fixes: 3bbec9773389 ("iio: bmc150_accel: add support for hardware fifo")
+Reported-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Acked-by: Srinivas Pandruvada
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/accel/bmc150-accel-core.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/accel/bmc150-accel-core.c
++++ b/drivers/iio/accel/bmc150-accel-core.c
+@@ -197,6 +197,14 @@ struct bmc150_accel_data {
+ struct mutex mutex;
+ u8 fifo_mode, watermark;
+ s16 buffer[8];
++ /*
++ * Ensure there is sufficient space and correct alignment for
++ * the timestamp if enabled
++ */
++ struct {
++ __le16 channels[3];
++ s64 ts __aligned(8);
++ } scan;
+ u8 bw_bits;
+ u32 slope_dur;
+ u32 slope_thres;
+@@ -933,15 +941,16 @@ static int __bmc150_accel_fifo_flush(str
+ * now.
+ */
+ for (i = 0; i < count; i++) {
+- u16 sample[8];
+ int j, bit;
+
+ j = 0;
+ for_each_set_bit(bit, indio_dev->active_scan_mask,
+ indio_dev->masklength)
+- memcpy(&sample[j++], &buffer[i * 3 + bit], 2);
++ memcpy(&data->scan.channels[j++], &buffer[i * 3 + bit],
++ sizeof(data->scan.channels[0]));
+
+- iio_push_to_buffers_with_timestamp(indio_dev, sample, tstamp);
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
++ tstamp);
+
+ tstamp += sample_period;
+ }
diff --git a/queue-4.9/iio-adc-ina2xx-fix-timestamp-alignment-issue.patch b/queue-4.9/iio-adc-ina2xx-fix-timestamp-alignment-issue.patch
new file mode 100644
index 00000000000..c7dded8dae7
--- /dev/null
+++ b/queue-4.9/iio-adc-ina2xx-fix-timestamp-alignment-issue.patch
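Review bot: The comment added above `scan` in `struct bmc150_accel_data` records only the space and alignment requirement, not the second reason the buffer left the stack: the commit message says the old on-stack `u16 sample[8]` could leak data to userspace and that the fix relies on the private data being allocated with kzalloc. I would extend the comment with a line such as `* Kept in iio_priv() (zeroed at allocation) rather than on the stack so unused slots and padding never expose stack contents.` so that a later cleanup does not move it back. The neighbouring `s16 buffer[8]` carries no alignment annotation; if code outside these hunks also passes it to `iio_push_to_buffers_with_timestamp()`, it rests on the same 8-byte assumption and deserves the same treatment. Both hunks cut through their enclosing struct and function, so the locking around `data->scan` cannot be judged from here.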
@@ -0,0 +1,78 @@
+From f8cd222feb82ecd82dcf610fcc15186f55f9c2b5 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron
+Date: Wed, 22 Jul 2020 16:51:02 +0100
+Subject: iio:adc:ina2xx Fix timestamp alignment issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron
+
+commit f8cd222feb82ecd82dcf610fcc15186f55f9c2b5 upstream.
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses a 32 byte array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here. We close both issues by
+moving to a suitable structure in the iio_priv() data with alignment
+explicitly requested. This data is allocated with kzalloc so no
+data can leak apart from previous readings. The explicit alignment
+isn't technically needed here, but it reduced fragility and avoids
+cut and paste into drivers where it will be needed.
+
+If we want this in older stables will need manual backport due to
+driver reworks.
+
+Fixes: c43a102e67db ("iio: ina2xx: add support for TI INA2xx Power Monitors")
+Reported-by: Lars-Peter Clausen
+Cc: Stefan Brüns
+Cc: Marc Titinger
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ina2xx-adc.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/ina2xx-adc.c
++++ b/drivers/iio/adc/ina2xx-adc.c
+@@ -117,6 +117,11 @@ struct ina2xx_chip_info {
+ int int_time_vbus; /* Bus voltage integration time uS */
+ int int_time_vshunt; /* Shunt voltage integration time uS */
+ bool allow_async_readout;
++ /* data buffer needs space for channel data and timestamp */
++ struct {
++ u16 chan[4];
++ u64 ts __aligned(8);
++ } scan;
+ };
+
+ static const struct ina2xx_config ina2xx_config[] = {
+@@ -459,7 +464,6 @@ static const struct iio_chan_spec ina2xx
+ static int ina2xx_work_buffer(struct iio_dev *indio_dev)
+ {
+ struct ina2xx_chip_info *chip = iio_priv(indio_dev);
+- unsigned short data[8];
+ int bit, ret, i = 0;
+ s64 time_a, time_b;
+ unsigned int alert;
+@@ -500,13 +504,12 @@ static int ina2xx_work_buffer(struct iio
+ if (ret < 0)
+ return ret;
+
+- data[i++] = val;
++ chip->scan.chan[i++] = val;
+ }
+
+ time_b = iio_get_time_ns(indio_dev);
+
+- iio_push_to_buffers_with_timestamp(indio_dev,
+- (unsigned int *)data, time_a);
++ iio_push_to_buffers_with_timestamp(indio_dev, &chip->scan, time_a);
+
+ return (unsigned long)(time_b - time_a) / 1000;
+ };
diff --git a/queue-4.9/iio-adc-mcp3422-fix-locking-scope.patch b/queue-4.9/iio-adc-mcp3422-fix-locking-scope.patch
new file mode 100644
index 00000000000..72274558d61
--- /dev/null
+++ b/queue-4.9/iio-adc-mcp3422-fix-locking-scope.patch
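Review bot: `chip->scan.chan[i++] = val;` in the `@@ -500` hunk now writes into a four-entry array where the old on-stack buffer had eight, and nothing in the visible lines bounds `i`. The loop that advances it starts outside the hunk, so the size presumably matches the number of data channels, but that coupling is not written down. I would make it explicit on the member, e.g. `/* chan[] holds one entry per data channel; the timestamp goes in ts */`, so that adding a channel later cannot silently overrun into `ts` and whatever follows in the shared `struct ina2xx_chip_info`. Separately, `ts` is declared `u64` here while the value pushed is the `s64 time_a` and the sibling fixes in this series use `s64 ts`; `s64 ts __aligned(8);` would keep the drivers consistent.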
@@ -0,0 +1,67 @@
+From 3f1093d83d7164e4705e4232ccf76da54adfda85 Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci
+Date: Wed, 19 Aug 2020 09:55:25 +0200
+Subject: iio: adc: mcp3422: fix locking scope
+
+From: Angelo Compagnucci
+
+commit 3f1093d83d7164e4705e4232ccf76da54adfda85 upstream.
+
+Locking should be held for the entire reading sequence involving setting
+the channel, waiting for the channel switch and reading from the
+channel.
+If not, reading from a channel can result mixing with the reading from
+another channel.
+
+Fixes: 07914c84ba30 ("iio: adc: Add driver for Microchip MCP3422/3/4 high resolution ADC")
+Signed-off-by: Angelo Compagnucci
+Link: https://lore.kernel.org/r/20200819075525.1395248-1-angelo.compagnucci@gmail.com
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/mcp3422.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/adc/mcp3422.c
++++ b/drivers/iio/adc/mcp3422.c
+@@ -99,16 +99,12 @@ static int mcp3422_update_config(struct
+ {
+ int ret;
+
+- mutex_lock(&adc->lock);
+-
+ ret = i2c_master_send(adc->i2c, &newconfig, 1);
+ if (ret > 0) {
+ adc->config = newconfig;
+ ret = 0;
+ }
+
+- mutex_unlock(&adc->lock);
+-
+ return ret;
+ }
+
+@@ -141,6 +137,8 @@ static int mcp3422_read_channel(struct m
+ u8 config;
+ u8 req_channel = channel->channel;
+
++ mutex_lock(&adc->lock);
++
+ if (req_channel != MCP3422_CHANNEL(adc->config)) {
+ config = adc->config;
+ config &= ~MCP3422_CHANNEL_MASK;
+@@ -155,7 +153,11 @@ static int mcp3422_read_channel(struct m
+ msleep(mcp3422_read_times[MCP3422_SAMPLE_RATE(adc->config)]);
+ }
+
+- return mcp3422_read(adc, value, &config);
++ ret = mcp3422_read(adc, value, &config);
++
++ mutex_unlock(&adc->lock);
++
++ return ret;
+ }
+
+ static int mcp3422_read_raw(struct iio_dev *iio,
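Review bot: `mcp3422_read_channel()` now takes `adc->lock` at the top, but the only `mutex_unlock()` visible is on the final path, so any early return in the lines elided between the `@@ -141` and `@@ -155` hunks would leave the function with the mutex held and block every later reader. A failed `mcp3422_update_config()` inside the channel-switch branch is the likely candidate, though that code is not shown here. Each such exit needs `mutex_unlock(&adc->lock);` before its `return ret;`, or a single unlock label that all paths jump to. `mcp3422_update_config()` also no longer locks for itself, so any other caller outside these hunks now updates `adc->config` unprotected unless it takes the lock; a comment on it such as `/* Caller must hold adc->lock. */` would record the new contract.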
diff --git a/queue-4.9/iio-adc-ti-ads1015-fix-conversion-when-config_pm-is-not-set.patch b/queue-4.9/iio-adc-ti-ads1015-fix-conversion-when-config_pm-is-not-set.patch
new file mode 100644
index 00000000000..cea352d3362
--- /dev/null
+++ b/queue-4.9/iio-adc-ti-ads1015-fix-conversion-when-config_pm-is-not-set.patch
@@ -0,0 +1,57 @@
+From e71e6dbe96ac80ac2aebe71a6a942e7bd60e7596 Mon Sep 17 00:00:00 2001
+From: Maxim Kochetkov
+Date: Mon, 3 Aug 2020 08:04:05 +0300
+Subject: iio: adc: ti-ads1015: fix conversion when CONFIG_PM is not set
+
+From: Maxim Kochetkov
+
+commit e71e6dbe96ac80ac2aebe71a6a942e7bd60e7596 upstream.
+
+To stop conversion ads1015_set_power_state() function call unimplemented
+function __pm_runtime_suspend() from pm_runtime_put_autosuspend()
+if CONFIG_PM is not set.
+In case of CONFIG_PM is not set: __pm_runtime_suspend() returns -ENOSYS,
+so ads1015_read_raw() failed because ads1015_set_power_state() returns an
+error.
+
+If CONFIG_PM is disabled, there is no need to start/stop conversion.
+Fix it by adding return 0 function variant if CONFIG_PM is not set.
+
+Signed-off-by: Maxim Kochetkov
+Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
+Tested-by: Maxim Kiselev
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/ti-ads1015.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -220,6 +220,7 @@ static const struct iio_chan_spec ads111
+ IIO_CHAN_SOFT_TIMESTAMP(ADS1015_TIMESTAMP),
+ };
+
++#ifdef CONFIG_PM
+ static int ads1015_set_power_state(struct ads1015_data *data, bool on)
+ {
+ int ret;
+@@ -237,6 +238,15 @@ static int ads1015_set_power_state(struc
+ return ret < 0 ? ret : 0;
+ }
+
++#else /* !CONFIG_PM */
++
++static int ads1015_set_power_state(struct ads1015_data *data, bool on)
++{
++ return 0;
++}
++
++#endif /* !CONFIG_PM */
++
+ static
+ int ads1015_get_adc_result(struct ads1015_data *data, int chan, int *val)
+ {
diff --git a/queue-4.9/iio-light-ltr501-fix-timestamp-alignment-issue.patch b/queue-4.9/iio-light-ltr501-fix-timestamp-alignment-issue.patch
new file mode 100644
index 00000000000..9e56ccfc2c6
--- /dev/null
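Review bot: The `!CONFIG_PM` variant of `ads1015_set_power_state()` returns 0 and ignores both arguments with no comment, so the reason this is safe lives only in the commit message. A one-line comment above the stub, e.g. `/* Without CONFIG_PM there is no need to start/stop conversion. */`, would keep that reasoning next to the code and stop the stub from reading as an unfinished placeholder. The `CONFIG_PM` variant's body is split across the two hunks and is not fully visible here.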
+++ b/queue-4.9/iio-light-ltr501-fix-timestamp-alignment-issue.patch 
@@ -0,0 +1,79 @@
+From 2684d5003490df5398aeafe2592ba9d4a4653998 Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron
+Date: Wed, 22 Jul 2020 16:50:48 +0100
+Subject: iio:light:ltr501 Fix timestamp alignment issue.
+
+From: Jonathan Cameron
+
+commit 2684d5003490df5398aeafe2592ba9d4a4653998 upstream.
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+Here we use a structure on the stack. The driver already did an
+explicit memset so no data leak was possible.
+
+Forced alignment of ts is not strictly necessary but probably makes
+the code slightly less fragile.
+
+Note there has been some rework in this driver of the years, so no
+way this will apply cleanly all the way back.
+
+Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
+Reported-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Andy Shevchenko
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/light/ltr501.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/iio/light/ltr501.c
++++ b/drivers/iio/light/ltr501.c
+@@ -1218,13 +1218,16 @@ static irqreturn_t ltr501_trigger_handle
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct ltr501_data *data = iio_priv(indio_dev);
+- u16 buf[8];
++ struct {
++ u16 channels[3];
++ s64 ts __aligned(8);
++ } scan;
+ __le16 als_buf[2];
+ u8 mask = 0;
+ int j = 0;
+ int ret, psdata;
+
+- memset(buf, 0, sizeof(buf));
++ memset(&scan, 0, sizeof(scan));
+
+ /* figure out which data needs to be ready */
+ if (test_bit(0, indio_dev->active_scan_mask) ||
+@@ -1243,9 +1246,9 @@ static irqreturn_t ltr501_trigger_handle
+ if (ret < 0)
+ return ret;
+ if (test_bit(0, indio_dev->active_scan_mask))
+- buf[j++] = le16_to_cpu(als_buf[1]);
++ scan.channels[j++] = le16_to_cpu(als_buf[1]);
+ if (test_bit(1, indio_dev->active_scan_mask))
+- buf[j++] = le16_to_cpu(als_buf[0]);
++ scan.channels[j++] = le16_to_cpu(als_buf[0]);
+ }
+
+ if (mask & LTR501_STATUS_PS_RDY) {
+@@ -1253,10 +1256,10 @@ static irqreturn_t ltr501_trigger_handle
+ &psdata, 2);
+ if (ret < 0)
+ goto done;
+- buf[j++] = psdata & LTR501_PS_DATA_MASK;
++ scan.channels[j++] = psdata & LTR501_PS_DATA_MASK;
+ }
+
+- iio_push_to_buffers_with_timestamp(indio_dev, buf,
++ iio_push_to_buffers_with_timestamp(indio_dev, &scan,
+ iio_get_time_ns(indio_dev));
+
+ done:
diff --git a/queue-4.9/series b/queue-4.9/series
index 030f214ce74..e7720bcb397 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -13,3 +13,8 @@ irqchip-eznps-fix-build-error-for-arc700-builds.patch
 drivers-net-wan-hdlc_cisco-add-hard_header_len.patch
 alsa-hda-fix-a-runtime-pm-issue-in-sof-when-integrat.patch
 gcov-disable-gcov-build-with-gcc-10.patch
+iio-adc-mcp3422-fix-locking-scope.patch
+iio-adc-ti-ads1015-fix-conversion-when-config_pm-is-not-set.patch
+iio-light-ltr501-fix-timestamp-alignment-issue.patch
+iio-accel-bmc150-accel-fix-timestamp-alignment-and-prevent-data-leak.patch
+iio-adc-ina2xx-fix-timestamp-alignment-issue.patch
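Review bot: In the `@@ -1243` hunk the ALS read failure path still does `return ret;` while the PS failure path in the `@@ -1253` hunk uses `goto done;`, so on an ALS read error this `irqreturn_t` handler returns a negative errno and skips whatever follows the `done:` label (its body is outside the hunk). That line is unchanged context rather than something this patch introduces, but the two sites would be consistent as `if (ret < 0) goto done;`. On the new code, `memset(&scan, 0, sizeof(scan));` is what keeps the two padding bytes between `channels[3]` and `ts`, and any unused channel slots, from carrying stack contents into the pushed scan. A short comment on it, e.g. `/* clear padding and unused slots: scan is copied to userspace */`, would stop it being dropped as redundant later.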