From: Greg Kroah-Hartman
Date: Wed, 6 Jan 2021 18:16:37 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.4.250~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=564c223a7265de3e9156d3f4fc350e4f11f6b12f;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
---
diff --git a/queue-4.19/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch b/queue-4.19/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
new file mode 100644
index 00000000000..faa512d2166
--- /dev/null
+++ b/queue-4.19/iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
@@ -0,0 +1,76 @@
+From foo@baz Wed Jan 6 07:09:58 PM CET 2021
+From: Jonathan Cameron
+Date: Sun, 20 Sep 2020 12:27:39 +0100
+Subject: iio:imu:bmi160: Fix alignment and data leak issues
+
+From: Jonathan Cameron
+
+commit 7b6b51234df6cd8b04fe736b0b89c25612d896b8 upstream
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here. We close both issues by
+moving to a suitable array in the iio_priv() data with alignment
+explicitly requested. This data is allocated with kzalloc() so no
+data can leak apart from previous readings.
+
+In this driver, depending on which channels are enabled, the timestamp
+can be in a number of locations. Hence we cannot use a structure
+to specify the data layout without it being misleading.
+
+Fixes: 77c4ad2d6a9b ("iio: imu: Add initial support for Bosch BMI160")
+Reported-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Alexandru Ardelean
+Cc: Daniel Baluta
+Cc: Daniel Baluta
+Cc:
+Link: https://lore.kernel.org/r/20200920112742.170751-6-jic23@kernel.org
+[sudip: adjust context and use bmi160_data in old location]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/bmi160/bmi160_core.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/imu/bmi160/bmi160_core.c
++++ b/drivers/iio/imu/bmi160/bmi160_core.c
+@@ -110,6 +110,13 @@ enum bmi160_sensor_type {
+ 
+ struct bmi160_data {
+ struct regmap *regmap;
++ /*
++ * Ensure natural alignment for timestamp if present.
++ * Max length needed: 2 * 3 channels + 4 bytes padding + 8 byte ts.
++ * If fewer channels are enabled, less space may be needed, as
++ * long as the timestamp is still aligned to 8 bytes.
++ */
++ __le16 buf[12] __aligned(8);
+ };
+ 
+ const struct regmap_config bmi160_regmap_config = {
+@@ -385,8 +392,6 @@ static irqreturn_t bmi160_trigger_handle
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct bmi160_data *data = iio_priv(indio_dev);
+- __le16 buf[12];
+- /* 2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp */
+ int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L;
+ __le16 sample;
+ 
+@@ -396,10 +401,10 @@ static irqreturn_t bmi160_trigger_handle
+ &sample, sizeof(sample));
+ if (ret < 0)
+ goto done;
+- buf[j++] = sample;
++ data->buf[j++] = sample;
+ }
+ 
+- iio_push_to_buffers_with_timestamp(indio_dev, buf,
++ iio_push_to_buffers_with_timestamp(indio_dev, data->buf,
+ iio_get_time_ns(indio_dev));
+ done:
+ iio_trigger_notify_done(indio_dev->trig);
diff --git a/queue-4.19/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch b/queue-4.19/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
new file mode 100644
index 00000000000..d53e7d6973f
--- /dev/null
+++ b/queue-4.19/iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
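Review bot: The comment on the new `buf` member is ambiguous about units: `Max length needed: 2 * 3 channels + 4 bytes padding + 8 byte ts` can be read as 2 bytes x 3 channels (6 bytes), and the sum as written does not visibly arrive at the 24 bytes that `__le16 buf[12]` provides, whereas the comment removed from the handler (`2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp`) was unambiguous. Suggest `* Max length needed: 2 sensors x 3 axes x 2 bytes + 4 bytes padding + 8 byte ts = 24 bytes.` Worth noting in the same comment that, because `data->buf` now persists in iio_priv() across invocations, any slot not rewritten in the current pass (the pad before the timestamp, or the tail when fewer channels are enabled) holds bytes from an earlier reading rather than stack contents; the commit message accepts this, but the struct comment is where the next reader will look for it. The loop in bmi160_trigger_handler that advances `j` starts before the second hunk, so the bound of `j` against the 12 entries cannot be checked from here.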
@@ -0,0 +1,75 @@
+From foo@baz Wed Jan 6 07:11:37 PM CET 2021
+From: Jonathan Cameron
+Date: Sun, 20 Sep 2020 12:27:37 +0100
+Subject: iio:magnetometer:mag3110: Fix alignment and data leak issues.
+
+From: Jonathan Cameron
+
+commit 89deb1334252ea4a8491d47654811e28b0790364 upstream
+
+One of a class of bugs pointed out by Lars in a recent review.
+iio_push_to_buffers_with_timestamp() assumes the buffer used is aligned
+to the size of the timestamp (8 bytes). This is not guaranteed in
+this driver which uses an array of smaller elements on the stack.
+As Lars also noted this anti pattern can involve a leak of data to
+userspace and that indeed can happen here. We close both issues by
+moving to a suitable structure in the iio_priv() data.
+This data is allocated with kzalloc() so no data can leak apart from
+previous readings.
+
+The explicit alignment of ts is not necessary in this case but
+does make the code slightly less fragile so I have included it.
+
+Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver")
+Reported-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Alexandru Ardelean
+Cc:
+Link: https://lore.kernel.org/r/20200920112742.170751-4-jic23@kernel.org
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/magnetometer/mag3110.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/magnetometer/mag3110.c
++++ b/drivers/iio/magnetometer/mag3110.c
+@@ -56,6 +56,12 @@ struct mag3110_data {
+ struct mutex lock;
+ u8 ctrl_reg1;
+ int sleep_val;
++ /* Ensure natural alignment of timestamp */
++ struct {
++ __be16 channels[3];
++ u8 temperature;
++ s64 ts __aligned(8);
++ } scan;
+ };
+ 
+ static int mag3110_request(struct mag3110_data *data)
+@@ -387,10 +393,9 @@ static irqreturn_t mag3110_trigger_handl
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct mag3110_data *data = iio_priv(indio_dev);
+- u8 buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */
+ int ret;
+ 
+- ret = mag3110_read(data, (__be16 *) buffer);
++ ret = mag3110_read(data, data->scan.channels);
+ if (ret < 0)
+ goto done;
+ 
+@@ -399,10 +404,10 @@ static irqreturn_t mag3110_trigger_handl
+ MAG3110_DIE_TEMP);
+ if (ret < 0)
+ goto done;
+- buffer[6] = ret;
++ data->scan.temperature = ret;
+ }
+ 
+- iio_push_to_buffers_with_timestamp(indio_dev, buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ iio_get_time_ns(indio_dev));
+ 
+ done:
diff --git a/queue-4.19/series b/queue-4.19/series
index 7272174bfbc..4b69e73ba13 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -3,3 +3,5 @@ dmaengine-at_hdmac-substitute-kzalloc-with-kmalloc.patch
 dmaengine-at_hdmac-add-missing-put_device-call-in-at_dma_xlate.patch
 dmaengine-at_hdmac-add-missing-kfree-call-in-at_dma_xlate.patch
 kdev_t-always-inline-major-minor-helper-functions.patch
+iio-imu-bmi160-fix-alignment-and-data-leak-issues.patch
+iio-magnetometer-mag3110-fix-alignment-and-data-leak-issues.patch
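Review bot: The comment on the new `scan` member only says `Ensure natural alignment of timestamp`, and the layout contract that the removed stack-buffer comment carried (`3 16-bit channels + 1 byte temp + padding + ts`, 16 bytes) is lost. Because `&data->scan` is now what iio_push_to_buffers_with_timestamp() copies out as the scan, the field order and sizes must keep matching the scan indices and storage widths declared in the driver's iio_chan_spec table, which is not in the hunk; suggest `/* Ensure natural alignment of timestamp; layout must match the scan indices of the channel table: 3 x __be16 axes, u8 temp, 1 pad byte, s64 ts (16 bytes) */`. It is also worth stating that the pad byte between `temperature` and `ts` is never written by the handler, so it stays at the zero the commit message attributes to kzalloc() — that is what closes the stack-residue leak here. `data->scan.temperature` is only assigned inside a conditional block whose condition sits outside the hunk, so when that branch is skipped the field keeps its previous reading; the commit message accepts that, but a one-line comment at the assignment would make it explicit. mag3110_trigger_handler begins before the hunk.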