From patchwork Thu Jan 7 14:33:26 2021
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 358242
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lars-Peter Clausen, Jonathan Cameron, Alexandru Ardelean, Daniel Baluta, Daniel Baluta, Stable@vger.kernel.org, Sudip Mukherjee
Subject: [PATCH 5.4 07/13] iio:imu:bmi160: Fix alignment and data leak issues
Date: Thu, 7 Jan 2021 15:33:26 +0100
Message-Id: <20210107143050.898156644@linuxfoundation.org>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20210107143049.929352526@linuxfoundation.org>
References: <20210107143049.929352526@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Jonathan Cameron

commit 7b6b51234df6cd8b04fe736b0b89c25612d896b8 upstream

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.

As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable array in the iio_priv() data with alignment
explicitly requested. This data is allocated with kzalloc() so no
data can leak apart from previous readings.

In this driver, depending on which channels are enabled, the timestamp
can be in a number of locations. Hence we cannot use a structure
to specify the data layout without it being misleading.

Fixes: 77c4ad2d6a9b ("iio: imu: Add initial support for Bosch BMI160")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Reviewed-by: Alexandru Ardelean
Cc: Daniel Baluta
Cc: Daniel Baluta
Cc:
Link: https://lore.kernel.org/r/20200920112742.170751-6-jic23@kernel.org
[sudip: adjust context]
Signed-off-by: Sudip Mukherjee
Signed-off-by: Greg Kroah-Hartman --- drivers/iio/imu/bmi160/bmi160.h | 7 +++++++ drivers/iio/imu/bmi160/bmi160_core.c | 6 ++---- 2 files changed, 9 insertions(+), 4 deletions(-) --- a/drivers/iio/imu/bmi160/bmi160.h +++ b/drivers/iio/imu/bmi160/bmi160.h @@ -7,6 +7,13 @@ struct bmi160_data { struct regmap *regmap; struct iio_trigger *trig; + /* + * Ensure natural alignment for timestamp if present. + * Max length needed: 2 * 3 channels + 4 bytes padding + 8 byte ts. + * If fewer channels are enabled, less space may be needed, as + * long as the timestamp is still aligned to 8 bytes. + */ + __le16 buf[12] __aligned(8); }; extern const struct regmap_config bmi160_regmap_config; --- a/drivers/iio/imu/bmi160/bmi160_core.c +++ b/drivers/iio/imu/bmi160/bmi160_core.c @@ -411,8 +411,6 @@ static irqreturn_t bmi160_trigger_handle struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct bmi160_data *data = iio_priv(indio_dev); - __le16 buf[12]; - /* 2 sens x 3 axis x __le16 + 2 x __le16 pad + 4 x __le16 tstamp */ int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L; __le16 sample; @@ -422,10 +420,10 @@ static irqreturn_t bmi160_trigger_handle &sample, sizeof(sample)); if (ret) goto done; - buf[j++] = sample; + data->buf[j++] = sample; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, data->buf, pf->timestamp); done: iio_trigger_notify_done(indio_dev->trig); return IRQ_HANDLED;
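Review bot: In the bmi160.h hunk, the new comment above `__le16 buf[12] __aligned(8);` mixes units: "2 * 3 channels" is a channel count while the padding and timestamp terms are in bytes, so the sum does not visibly lead to 12 elements. The comment removed from bmi160_core.c spelled the layout out in `__le16` units; consider keeping that precision here, for example "2 sensors * 3 axes * 2 bytes + 4 bytes padding + 8 byte timestamp = 24 bytes", so the relation to `buf[12]` can be checked at a glance.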
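Review bot: In the first bmi160_core.c hunk (@@ -411), dropping the local `__le16 buf[12];` turns a per-invocation stack buffer into per-device state in struct bmi160_data, and nothing in the visible lines says what keeps two runs of bmi160_trigger_handler for the same device from writing `data->buf` at once. A sentence in the new struct comment stating what serializes access to the buffer would make that assumption reviewable.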
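Review bot: In the second bmi160_core.c hunk (@@ -422), `data->buf[j++] = sample;` overwrites only the slots for the channels that were read, so the bytes between the last sample and the timestamp keep whatever an earlier scan left there. The commit message accepts this ("no data can leak apart from previous readings"), but the code does not say so; either note next to the `buf` declaration that stale samples may sit in the padding, or clear the buffer before filling it if that is not wanted. The visible lines also show no bound on `j` against the 12-element array, so a short remark on why `j` cannot exceed the six sample slots would help.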