From 4ec11ff7dfde59a44be283b7d9048d26b42e37e5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 14 Sep 2020 14:19:10 +0200 Subject: [PATCH] 5.4-stable patches added patches: iio-accel-kxsd9-fix-alignment-of-local-buffer.patch iio-accel-mma7455-fix-timestamp-alignment-and-prevent-data-leak.patch iio-accel-mma8452-fix-timestamp-alignment-and-prevent-data-leak.patch iio-adc-ti-adc081c-fix-alignment-and-data-leak-issues.patch iio-chemical-ccs811-fix-timestamp-alignment-and-prevent-data-leak.patch iio-light-max44000-fix-timestamp-alignment-and-prevent-data-leak.patch iio-magnetometer-ak8975-fix-alignment-and-data-leak-issues.patch staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_probe_usb.patch --- ...-kxsd9-fix-alignment-of-local-buffer.patch | 64 ++++++++++++++ ...tamp-alignment-and-prevent-data-leak.patch | 74 ++++++++++++++++ ...tamp-alignment-and-prevent-data-leak.patch | 67 +++++++++++++++ ...c-fix-alignment-and-data-leak-issues.patch | 66 +++++++++++++++ ...tamp-alignment-and-prevent-data-leak.patch | 70 ++++++++++++++++ ...tamp-alignment-and-prevent-data-leak.patch | 77 +++++++++++++++++ ...5-fix-alignment-and-data-leak-issues.patch | 78 +++++++++++++++++ queue-5.4/series | 8 ++ ...f-bounds-read-in-prism2sta_probe_usb.patch | 84 +++++++++++++++++++ 9 files changed, 588 insertions(+) create mode 100644 queue-5.4/iio-accel-kxsd9-fix-alignment-of-local-buffer.patch create mode 100644 queue-5.4/iio-accel-mma7455-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-5.4/iio-accel-mma8452-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-5.4/iio-adc-ti-adc081c-fix-alignment-and-data-leak-issues.patch create mode 100644 queue-5.4/iio-chemical-ccs811-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-5.4/iio-light-max44000-fix-timestamp-alignment-and-prevent-data-leak.patch create mode 100644 queue-5.4/iio-magnetometer-ak8975-fix-alignment-and-data-leak-issues.patch create mode 100644 queue-5.4/staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_probe_usb.patch diff --git a/queue-5.4/iio-accel-kxsd9-fix-alignment-of-local-buffer.patch b/queue-5.4/iio-accel-kxsd9-fix-alignment-of-local-buffer.patch new file mode 100644 index 00000000000..6f414840885 --- /dev/null +++ b/queue-5.4/iio-accel-kxsd9-fix-alignment-of-local-buffer.patch @@ -0,0 +1,64 @@ +From 95ad67577de4ea08eb8e441394e698aa4addcc0b Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:37 +0100 +Subject: iio: accel: kxsd9: Fix alignment of local buffer. + +From: Jonathan Cameron + +commit 95ad67577de4ea08eb8e441394e698aa4addcc0b upstream. + +iio_push_to_buffers_with_timestamp assumes 8 byte alignment which +is not guaranteed by an array of smaller elements. + +Note that whilst in this particular case the alignment forcing +of the ts element is not strictly necessary it acts as good +documentation. Doing this where not necessary should cut +down on the number of cut and paste introduced errors elsewhere. + +Fixes: 0427a106a98a ("iio: accel: kxsd9: Add triggered buffer handling") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/kxsd9.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/iio/accel/kxsd9.c ++++ b/drivers/iio/accel/kxsd9.c +@@ -209,14 +209,20 @@ static irqreturn_t kxsd9_trigger_handler + const struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct kxsd9_state *st = iio_priv(indio_dev); ++ /* ++ * Ensure correct positioning and alignment of timestamp. ++ * No need to zero initialize as all elements written. ++ */ ++ struct { ++ __be16 chan[4]; ++ s64 ts __aligned(8); ++ } hw_values; + int ret; +- /* 4 * 16bit values AND timestamp */ +- __be16 hw_values[8]; + + ret = regmap_bulk_read(st->map, + KXSD9_REG_X, +- &hw_values, +- 8); ++ hw_values.chan, ++ sizeof(hw_values.chan)); + if (ret) { + dev_err(st->dev, + "error reading data\n"); +@@ -224,7 +230,7 @@ static irqreturn_t kxsd9_trigger_handler + } + + iio_push_to_buffers_with_timestamp(indio_dev, +- hw_values, ++ &hw_values, + iio_get_time_ns(indio_dev)); + iio_trigger_notify_done(indio_dev->trig); + diff --git a/queue-5.4/iio-accel-mma7455-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-5.4/iio-accel-mma7455-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..d5e97f7317d --- /dev/null +++ b/queue-5.4/iio-accel-mma7455-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,74 @@ +From 7e5ac1f2206eda414f90c698fe1820dee873394d Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:40 +0100 +Subject: iio:accel:mma7455: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit 7e5ac1f2206eda414f90c698fe1820dee873394d upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses a 16 byte u8 array on the stack As Lars also noted +this anti pattern can involve a leak of data to userspace and that +indeed can happen here. We close both issues by moving to +a suitable structure in the iio_priv() data with alignment +ensured by use of an explicit c structure. This data is allocated +with kzalloc so no data can leak appart from previous readings. + +The force alignment of ts is not strictly necessary in this particularly +case but does make the code less fragile. + +Fixes: a84ef0d181d9 ("iio: accel: add Freescale MMA7455L/MMA7456L 3-axis accelerometer driver") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Cc: +Reviewed-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/mma7455_core.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/iio/accel/mma7455_core.c ++++ b/drivers/iio/accel/mma7455_core.c +@@ -52,6 +52,14 @@ + + struct mma7455_data { + struct regmap *regmap; ++ /* ++ * Used to reorganize data. Will ensure correct alignment of ++ * the timestamp if present ++ */ ++ struct { ++ __le16 channels[3]; ++ s64 ts __aligned(8); ++ } scan; + }; + + static int mma7455_drdy(struct mma7455_data *mma7455) +@@ -82,19 +90,19 @@ static irqreturn_t mma7455_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct mma7455_data *mma7455 = iio_priv(indio_dev); +- u8 buf[16]; /* 3 x 16-bit channels + padding + ts */ + int ret; + + ret = mma7455_drdy(mma7455); + if (ret) + goto done; + +- ret = regmap_bulk_read(mma7455->regmap, MMA7455_REG_XOUTL, buf, +- sizeof(__le16) * 3); ++ ret = regmap_bulk_read(mma7455->regmap, MMA7455_REG_XOUTL, ++ mma7455->scan.channels, ++ sizeof(mma7455->scan.channels)); + if (ret) + goto done; + +- iio_push_to_buffers_with_timestamp(indio_dev, buf, ++ iio_push_to_buffers_with_timestamp(indio_dev, &mma7455->scan, + iio_get_time_ns(indio_dev)); + + done: diff --git a/queue-5.4/iio-accel-mma8452-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-5.4/iio-accel-mma8452-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..19eb43ace93 --- /dev/null +++ b/queue-5.4/iio-accel-mma8452-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,67 @@ +From 89226a296d816727405d3fea684ef69e7d388bd8 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:38 +0100 +Subject: iio:accel:mma8452: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit 89226a296d816727405d3fea684ef69e7d388bd8 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses a 16 byte u8 array on the stack. As Lars also noted +this anti pattern can involve a leak of data to userspace and that +indeed can happen here. We close both issues by moving to +a suitable structure in the iio_priv() data with alignment +ensured by use of an explicit c structure. This data is allocated +with kzalloc so no data can leak appart from previous readings. + +The additional forcing of the 8 byte alignment of the timestamp +is not strictly necessary but makes the code less fragile by +making this explicit. + +Fixes: c7eeea93ac60 ("iio: Add Freescale MMA8452Q 3-axis accelerometer driver") +Reported-by: Lars-Peter Clausen +Cc: Peter Meerwald +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/mma8452.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -110,6 +110,12 @@ struct mma8452_data { + int sleep_val; + struct regulator *vdd_reg; + struct regulator *vddio_reg; ++ ++ /* Ensure correct alignment of time stamp when present */ ++ struct { ++ __be16 channels[3]; ++ s64 ts __aligned(8); ++ } buffer; + }; + + /** +@@ -1091,14 +1097,13 @@ static irqreturn_t mma8452_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct mma8452_data *data = iio_priv(indio_dev); +- u8 buffer[16]; /* 3 16-bit channels + padding + ts */ + int ret; + +- ret = mma8452_read(data, (__be16 *)buffer); ++ ret = mma8452_read(data, data->buffer.channels); + if (ret < 0) + goto done; + +- iio_push_to_buffers_with_timestamp(indio_dev, buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->buffer, + iio_get_time_ns(indio_dev)); + + done: diff --git a/queue-5.4/iio-adc-ti-adc081c-fix-alignment-and-data-leak-issues.patch b/queue-5.4/iio-adc-ti-adc081c-fix-alignment-and-data-leak-issues.patch new file mode 100644 index 00000000000..1486a0eac20 --- /dev/null +++ b/queue-5.4/iio-adc-ti-adc081c-fix-alignment-and-data-leak-issues.patch @@ -0,0 +1,66 @@ +From 54f82df2ba86e2a8e9cbf4036d192366e3905c89 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:56 +0100 +Subject: iio:adc:ti-adc081c Fix alignment and data leak issues + +From: Jonathan Cameron + +commit 54f82df2ba86e2a8e9cbf4036d192366e3905c89 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv(). + +This data is allocated with kzalloc so no data can leak apart +from previous readings. + +The eplicit alignment of ts is necessary to ensure correct padding +on x86_32 where s64 is only aligned to 4 bytes. + +Fixes: 08e05d1fce5c ("ti-adc081c: Initial triggered buffer support") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/ti-adc081c.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/iio/adc/ti-adc081c.c ++++ b/drivers/iio/adc/ti-adc081c.c +@@ -33,6 +33,12 @@ struct adc081c { + + /* 8, 10 or 12 */ + int bits; ++ ++ /* Ensure natural alignment of buffer elements */ ++ struct { ++ u16 channel; ++ s64 ts __aligned(8); ++ } scan; + }; + + #define REG_CONV_RES 0x00 +@@ -128,14 +134,13 @@ static irqreturn_t adc081c_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct adc081c *data = iio_priv(indio_dev); +- u16 buf[8]; /* 2 bytes data + 6 bytes padding + 8 bytes timestamp */ + int ret; + + ret = i2c_smbus_read_word_swapped(data->i2c, REG_CONV_RES); + if (ret < 0) + goto out; +- buf[0] = ret; +- iio_push_to_buffers_with_timestamp(indio_dev, buf, ++ data->scan.channel = ret; ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + out: + iio_trigger_notify_done(indio_dev->trig); diff --git a/queue-5.4/iio-chemical-ccs811-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-5.4/iio-chemical-ccs811-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..7aebb1e38a0 --- /dev/null +++ b/queue-5.4/iio-chemical-ccs811-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,70 @@ +From eb1a148ef41d8ae8d9201efc3f1b145976290331 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:43 +0100 +Subject: iio:chemical:ccs811: Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit eb1a148ef41d8ae8d9201efc3f1b145976290331 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() data with alignment +explicitly requested. This data is allocated with kzalloc so no +data can leak appart from previous readings. + +The explicit alignment of ts is necessary to ensure consistent +padding for x86_32 in which the ts would otherwise be 4 byte aligned. + +Fixes: 283d26917ad6 ("iio: chemical: ccs811: Add triggered buffer support") +Reported-by: Lars-Peter Clausen +Cc: Narcisa Ana Maria Vasile +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/chemical/ccs811.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/iio/chemical/ccs811.c ++++ b/drivers/iio/chemical/ccs811.c +@@ -75,6 +75,11 @@ struct ccs811_data { + struct ccs811_reading buffer; + struct iio_trigger *drdy_trig; + bool drdy_trig_on; ++ /* Ensures correct alignment of timestamp if present */ ++ struct { ++ s16 channels[2]; ++ s64 ts __aligned(8); ++ } scan; + }; + + static const struct iio_chan_spec ccs811_channels[] = { +@@ -306,17 +311,17 @@ static irqreturn_t ccs811_trigger_handle + struct iio_dev *indio_dev = pf->indio_dev; + struct ccs811_data *data = iio_priv(indio_dev); + struct i2c_client *client = data->client; +- s16 buf[8]; /* s16 eCO2 + s16 TVOC + padding + 8 byte timestamp */ + int ret; + +- ret = i2c_smbus_read_i2c_block_data(client, CCS811_ALG_RESULT_DATA, 4, +- (u8 *)&buf); ++ ret = i2c_smbus_read_i2c_block_data(client, CCS811_ALG_RESULT_DATA, ++ sizeof(data->scan.channels), ++ (u8 *)data->scan.channels); + if (ret != 4) { + dev_err(&client->dev, "cannot read sensor data\n"); + goto err; + } + +- iio_push_to_buffers_with_timestamp(indio_dev, buf, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + + err: diff --git a/queue-5.4/iio-light-max44000-fix-timestamp-alignment-and-prevent-data-leak.patch b/queue-5.4/iio-light-max44000-fix-timestamp-alignment-and-prevent-data-leak.patch new file mode 100644 index 00000000000..e12479942a5 --- /dev/null +++ b/queue-5.4/iio-light-max44000-fix-timestamp-alignment-and-prevent-data-leak.patch @@ -0,0 +1,77 @@ +From 523628852a5f5f34a15252b2634d0498d3cfb347 Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:45 +0100 +Subject: iio:light:max44000 Fix timestamp alignment and prevent data leak. + +From: Jonathan Cameron + +commit 523628852a5f5f34a15252b2634d0498d3cfb347 upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses a 16 byte array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv(). +This data is allocated with kzalloc so no data can leak appart +from previous readings. + +It is necessary to force the alignment of ts to avoid the padding +on x86_32 being different from 64 bit platorms (it alows for +4 bytes aligned 8 byte types. + +Fixes: 06ad7ea10e2b ("max44000: Initial triggered buffer support") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/light/max44000.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/iio/light/max44000.c ++++ b/drivers/iio/light/max44000.c +@@ -75,6 +75,11 @@ + struct max44000_data { + struct mutex lock; + struct regmap *regmap; ++ /* Ensure naturally aligned timestamp */ ++ struct { ++ u16 channels[2]; ++ s64 ts __aligned(8); ++ } scan; + }; + + /* Default scale is set to the minimum of 0.03125 or 1 / (1 << 5) lux */ +@@ -488,7 +493,6 @@ static irqreturn_t max44000_trigger_hand + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct max44000_data *data = iio_priv(indio_dev); +- u16 buf[8]; /* 2x u16 + padding + 8 bytes timestamp */ + int index = 0; + unsigned int regval; + int ret; +@@ -498,17 +502,17 @@ static irqreturn_t max44000_trigger_hand + ret = max44000_read_alsval(data); + if (ret < 0) + goto out_unlock; +- buf[index++] = ret; ++ data->scan.channels[index++] = ret; + } + if (test_bit(MAX44000_SCAN_INDEX_PRX, indio_dev->active_scan_mask)) { + ret = regmap_read(data->regmap, MAX44000_REG_PRX_DATA, ®val); + if (ret < 0) + goto out_unlock; +- buf[index] = regval; ++ data->scan.channels[index] = regval; + } + mutex_unlock(&data->lock); + +- iio_push_to_buffers_with_timestamp(indio_dev, buf, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); + iio_trigger_notify_done(indio_dev->trig); + return IRQ_HANDLED; diff --git a/queue-5.4/iio-magnetometer-ak8975-fix-alignment-and-data-leak-issues.patch b/queue-5.4/iio-magnetometer-ak8975-fix-alignment-and-data-leak-issues.patch new file mode 100644 index 00000000000..5b418eb453c --- /dev/null +++ b/queue-5.4/iio-magnetometer-ak8975-fix-alignment-and-data-leak-issues.patch @@ -0,0 +1,78 @@ +From 02ad21cefbac4d89ac443866f25b90449527737b Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Wed, 22 Jul 2020 16:50:49 +0100 +Subject: iio:magnetometer:ak8975 Fix alignment and data leak issues. + +From: Jonathan Cameron + +commit 02ad21cefbac4d89ac443866f25b90449527737b upstream. + +One of a class of bugs pointed out by Lars in a recent review. +iio_push_to_buffers_with_timestamp assumes the buffer used is aligned +to the size of the timestamp (8 bytes). This is not guaranteed in +this driver which uses an array of smaller elements on the stack. +As Lars also noted this anti pattern can involve a leak of data to +userspace and that indeed can happen here. We close both issues by +moving to a suitable structure in the iio_priv() data. + +This data is allocated with kzalloc so no data can leak apart from +previous readings. + +The explicit alignment of ts is not necessary in this case as by +coincidence the padding will end up the same, however I consider +it to make the code less fragile and have included it. + +Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support") +Reported-by: Lars-Peter Clausen +Cc: Gregor Boirie +Cc: Linus Walleij +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/magnetometer/ak8975.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/iio/magnetometer/ak8975.c ++++ b/drivers/iio/magnetometer/ak8975.c +@@ -368,6 +368,12 @@ struct ak8975_data { + struct iio_mount_matrix orientation; + struct regulator *vdd; + struct regulator *vid; ++ ++ /* Ensure natural alignment of timestamp */ ++ struct { ++ s16 channels[3]; ++ s64 ts __aligned(8); ++ } scan; + }; + + /* Enable attached power regulator if any. */ +@@ -805,7 +811,6 @@ static void ak8975_fill_buffer(struct ii + const struct i2c_client *client = data->client; + const struct ak_def *def = data->def; + int ret; +- s16 buff[8]; /* 3 x 16 bits axis values + 1 aligned 64 bits timestamp */ + __le16 fval[3]; + + mutex_lock(&data->lock); +@@ -828,12 +833,13 @@ static void ak8975_fill_buffer(struct ii + mutex_unlock(&data->lock); + + /* Clamp to valid range. */ +- buff[0] = clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range); +- buff[1] = clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range); +- buff[2] = clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range); ++ data->scan.channels[0] = clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range); ++ data->scan.channels[1] = clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range); ++ data->scan.channels[2] = clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range); + +- iio_push_to_buffers_with_timestamp(indio_dev, buff, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + iio_get_time_ns(indio_dev)); ++ + return; + + unlock: diff --git a/queue-5.4/series b/queue-5.4/series index ddec7cd00d2..9225d97921a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -80,3 +80,11 @@ iio-accel-bmc150-accel-fix-timestamp-alignment-and-prevent-data-leak.patch iio-adc-ti-adc084s021-fix-alignment-and-data-leak-issues.patch iio-adc-ina2xx-fix-timestamp-alignment-issue.patch iio-adc-max1118-fix-alignment-of-timestamp-and-data-leak-issues.patch +iio-adc-ti-adc081c-fix-alignment-and-data-leak-issues.patch +iio-magnetometer-ak8975-fix-alignment-and-data-leak-issues.patch +iio-light-max44000-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-chemical-ccs811-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-accel-kxsd9-fix-alignment-of-local-buffer.patch +iio-accel-mma7455-fix-timestamp-alignment-and-prevent-data-leak.patch +iio-accel-mma8452-fix-timestamp-alignment-and-prevent-data-leak.patch +staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_probe_usb.patch diff --git a/queue-5.4/staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_probe_usb.patch b/queue-5.4/staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_probe_usb.patch new file mode 100644 index 00000000000..5bbb098be02 --- /dev/null +++ b/queue-5.4/staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_probe_usb.patch @@ -0,0 +1,84 @@ +From fea22e159d51c766ba70473f473a0ec914cc7e92 Mon Sep 17 00:00:00 2001 +From: Rustam Kovhaev +Date: Tue, 4 Aug 2020 07:56:14 -0700 +Subject: staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() + +From: Rustam Kovhaev + +commit fea22e159d51c766ba70473f473a0ec914cc7e92 upstream. + +let's use usb_find_common_endpoints() to discover endpoints, it does all +necessary checks for type and xfer direction + +remove memset() in hfa384x_create(), because we now assign endpoints in +prism2sta_probe_usb() and because create_wlan() uses kzalloc() to +allocate hfa384x struct before calling hfa384x_create() + +Fixes: faaff9765664 ("staging: wlan-ng: properly check endpoint types") +Reported-and-tested-by: syzbot+22794221ab96b0bab53a@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=22794221ab96b0bab53a +Signed-off-by: Rustam Kovhaev +Cc: stable +Link: https://lore.kernel.org/r/20200804145614.104320-1-rkovhaev@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/hfa384x_usb.c | 5 ----- + drivers/staging/wlan-ng/prism2usb.c | 19 ++++++------------- + 2 files changed, 6 insertions(+), 18 deletions(-) + +--- a/drivers/staging/wlan-ng/hfa384x_usb.c ++++ b/drivers/staging/wlan-ng/hfa384x_usb.c +@@ -526,13 +526,8 @@ static void hfa384x_usb_defer(struct wor + */ + void hfa384x_create(struct hfa384x *hw, struct usb_device *usb) + { +- memset(hw, 0, sizeof(*hw)); + hw->usb = usb; + +- /* set up the endpoints */ +- hw->endp_in = usb_rcvbulkpipe(usb, 1); +- hw->endp_out = usb_sndbulkpipe(usb, 2); +- + /* Set up the waitq */ + init_waitqueue_head(&hw->cmdq); + +--- a/drivers/staging/wlan-ng/prism2usb.c ++++ b/drivers/staging/wlan-ng/prism2usb.c +@@ -61,23 +61,14 @@ static int prism2sta_probe_usb(struct us + const struct usb_device_id *id) + { + struct usb_device *dev; +- const struct usb_endpoint_descriptor *epd; +- const struct usb_host_interface *iface_desc = interface->cur_altsetting; ++ struct usb_endpoint_descriptor *bulk_in, *bulk_out; ++ struct usb_host_interface *iface_desc = interface->cur_altsetting; + struct wlandevice *wlandev = NULL; + struct hfa384x *hw = NULL; + int result = 0; + +- if (iface_desc->desc.bNumEndpoints != 2) { +- result = -ENODEV; +- goto failed; +- } +- +- result = -EINVAL; +- epd = &iface_desc->endpoint[1].desc; +- if (!usb_endpoint_is_bulk_in(epd)) +- goto failed; +- epd = &iface_desc->endpoint[2].desc; +- if (!usb_endpoint_is_bulk_out(epd)) ++ result = usb_find_common_endpoints(iface_desc, &bulk_in, &bulk_out, NULL, NULL); ++ if (result) + goto failed; + + dev = interface_to_usbdev(interface); +@@ -96,6 +87,8 @@ static int prism2sta_probe_usb(struct us + } + + /* Initialize the hw data */ ++ hw->endp_in = usb_rcvbulkpipe(dev, bulk_in->bEndpointAddress); ++ hw->endp_out = usb_sndbulkpipe(dev, bulk_out->bEndpointAddress); + hfa384x_create(hw, dev); + hw->wlandev = wlandev; + -- 2.47.3