From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lars-Peter Clausen, Linus Walleij, Jonathan Cameron, Stable@vger.kernel.org
Subject: [PATCH 4.19 029/133] iio:magnetometer:ak8974: Fix alignment and data leak issues
Date: Mon, 20 Jul 2020 17:36:16 +0200
Message-Id: <20200720152805.143300701@linuxfoundation.org>
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>

From: Jonathan Cameron

commit 838e00b13bfd4cac8b24df25bfc58e2eb99bcc70 upstream.

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: 7c94a8b2ee8cf ("iio: magn: add a driver for AK8974")
Reported-by: Lars-Peter Clausen
Reviewed-by: Linus Walleij
Signed-off-by: Jonathan Cameron
Cc:
Signed-off-by: Greg Kroah-Hartman
---
drivers/iio/magnetometer/ak8974.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/iio/magnetometer/ak8974.c +++ b/drivers/iio/magnetometer/ak8974.c @@ -184,6 +184,11 @@ struct ak8974 { bool drdy_irq; struct completion drdy_complete; bool drdy_active_low; + /* Ensure timestamp is naturally aligned */ + struct { + __le16 channels[3]; + s64 ts __aligned(8); + } scan; }; static const char ak8974_reg_avdd[] = "avdd"; 
@@ -580,7 +585,6 @@ static void ak8974_fill_buffer(struct ii { struct ak8974 *ak8974 = iio_priv(indio_dev); int ret; - __le16 hw_values[8]; /* Three axes + 64bit padding */ pm_runtime_get_sync(&ak8974->i2c->dev); mutex_lock(&ak8974->lock); 
@@ -590,13 +594,13 @@ static void ak8974_fill_buffer(struct ii dev_err(&ak8974->i2c->dev, "error triggering measure\n"); goto out_unlock; } - ret = ak8974_getresult(ak8974, hw_values); + ret = ak8974_getresult(ak8974, ak8974->scan.channels); if (ret) { dev_err(&ak8974->i2c->dev, "error getting measures\n"); goto out_unlock; } - iio_push_to_buffers_with_timestamp(indio_dev, hw_values, + iio_push_to_buffers_with_timestamp(indio_dev, &ak8974->scan, iio_get_time_ns(indio_dev)); out_unlock:
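
Review bot: In the ak8974_fill_buffer hunk, ak8974_getresult(ak8974, ak8974->scan.channels) now writes into an array of exactly three __le16 values, where the old hw_values[8] had spare room behind the readings. Please confirm that ak8974_getresult() never writes more than sizeof(ak8974->scan.channels), because anything past six bytes now lands in the padding and in ts; passing the length explicitly, or a comment on channels[3] stating the expected read size, would make that visible. The two padding bytes between channels and ts are pushed to userspace and rely on the kzalloc zeroing the commit message mentions, which deserves a word in the struct comment as well.
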
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lars-Peter Clausen, Matt Ranostay, Alison Schofield, Jonathan Cameron, Stable@vger.kernel.org
Subject: [PATCH 4.19 030/133] iio:humidity:hdc100x Fix alignment and data leak issues
Date: Mon, 20 Jul 2020 17:36:17 +0200
Message-Id: <20200720152805.191228617@linuxfoundation.org>
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>

From: Jonathan Cameron

commit ea5e7a7bb6205d24371373cd80325db1bc15eded upstream.

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: 16bf793f86b2 ("iio: humidity: hdc100x: add triggered buffer support for HDC100X")
Reported-by: Lars-Peter Clausen
Acked-by: Matt Ranostay
Cc: Alison Schofield
Signed-off-by: Jonathan Cameron
Cc:
Signed-off-by: Greg Kroah-Hartman
---
drivers/iio/humidity/hdc100x.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/iio/humidity/hdc100x.c +++ b/drivers/iio/humidity/hdc100x.c @@ -38,6 +38,11 @@ struct hdc100x_data { /* integration time of the sensor */ int adc_int_us[2]; + /* Ensure natural alignment of timestamp */ + struct { + __be16 channels[2]; + s64 ts __aligned(8); + } scan; }; /* integration time in us */ 
@@ -319,7 +324,6 @@ static irqreturn_t hdc100x_trigger_handl struct i2c_client *client = data->client; int delay = data->adc_int_us[0] + data->adc_int_us[1]; int ret; - s16 buf[8]; /* 2x s16 + padding + 8 byte timestamp */ /* dual read starts at temp register */ mutex_lock(&data->lock); 
@@ -330,13 +334,13 @@ static irqreturn_t hdc100x_trigger_handl } usleep_range(delay, delay + 1000); - ret = i2c_master_recv(client, (u8 *)buf, 4); + ret = i2c_master_recv(client, (u8 *)data->scan.channels, 4); if (ret < 0) { dev_err(&client->dev, "cannot read sensor data\n"); goto err; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); err: mutex_unlock(&data->lock);
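
Review bot: The read length in the trigger handler hunk is still the literal 4 in i2c_master_recv(client, (u8 *)data->scan.channels, 4). Now that the destination is a typed array, sizeof(data->scan.channels) would keep the length tied to the two __be16 channels. The check that follows is only ret < 0, so a short read still pushes whatever the previous scan left in scan.channels; comparing ret against the expected length would close that.
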
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lars-Peter Clausen, Lorenzo Bianconi, Jonathan Cameron, Stable@vger.kernel.org
Subject: [PATCH 4.19 034/133] iio:humidity:hts221 Fix alignment and data leak issues
Date: Mon, 20 Jul 2020 17:36:21 +0200
Message-Id: <20200720152805.365344523@linuxfoundation.org>
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>

From: Jonathan Cameron

commit 5c49056ad9f3c786f7716da2dd47e4488fc6bd25 upstream.

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings.

Explicit alignment of ts needed to ensure consistent padding on all architectures (particularly x86_32 with its 4 byte alignment of s64)

Fixes: e4a70e3e7d84 ("iio: humidity: add support to hts221 rh/temp combo device")
Reported-by: Lars-Peter Clausen
Acked-by: Lorenzo Bianconi
Signed-off-by: Jonathan Cameron
Cc:
Signed-off-by: Greg Kroah-Hartman
---
drivers/iio/humidity/hts221.h | 7 +++++--
drivers/iio/humidity/hts221_buffer.c | 9 +++++----
2 files changed, 10 insertions(+), 6 deletions(-)

--- a/drivers/iio/humidity/hts221.h +++ b/drivers/iio/humidity/hts221.h @@ -15,8 +15,6 @@ #include -#define HTS221_DATA_SIZE 2 - enum hts221_sensor_type { HTS221_SENSOR_H, HTS221_SENSOR_T, 
@@ -40,6 +38,11 @@ struct hts221_hw { bool enabled; u8 odr; + /* Ensure natural alignment of timestamp */ + struct { + __le16 channels[2]; + s64 ts __aligned(8); + } scan; }; extern const struct dev_pm_ops hts221_pm_ops; --- a/drivers/iio/humidity/hts221_buffer.c +++ b/drivers/iio/humidity/hts221_buffer.c @@ -163,7 +163,6 @@ static const struct iio_buffer_setup_ops static irqreturn_t hts221_buffer_handler_thread(int irq, void *p) { - u8 buffer[ALIGN(2 * HTS221_DATA_SIZE, sizeof(s64)) + sizeof(s64)]; struct iio_poll_func *pf = p; struct iio_dev *iio_dev = pf->indio_dev; struct hts221_hw *hw = iio_priv(iio_dev); 
@@ -173,18 +172,20 @@ static irqreturn_t hts221_buffer_handler /* humidity data */ ch = &iio_dev->channels[HTS221_SENSOR_H]; err = regmap_bulk_read(hw->regmap, ch->address, - buffer, HTS221_DATA_SIZE); + &hw->scan.channels[0], + sizeof(hw->scan.channels[0])); if (err < 0) goto out; /* temperature data */ ch = &iio_dev->channels[HTS221_SENSOR_T]; err = regmap_bulk_read(hw->regmap, ch->address, - buffer + HTS221_DATA_SIZE, HTS221_DATA_SIZE); + &hw->scan.channels[1], + sizeof(hw->scan.channels[1])); if (err < 0) goto out; - iio_push_to_buffers_with_timestamp(iio_dev, buffer, + iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan, iio_get_time_ns(iio_dev)); out:
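
Review bot: The hts221.h hunk removes #define HTS221_DATA_SIZE 2, while the diffstat lists only hts221.h and hts221_buffer.c as changed. For the 4.19 backport, please confirm that no other file including hts221.h in this tree still uses the macro, otherwise the build breaks. In the hts221_buffer.c hunk, hw->scan is now shared device state written by hts221_buffer_handler_thread() with no lock visible; a short comment on the struct saying what serialises access would help the next reader.
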
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lars-Peter Clausen, Jonathan Cameron, Tomasz Duszynski, Stable@vger.kernel.org
Subject: [PATCH 4.19 035/133] iio:pressure:ms5611 Fix buffer element alignment
Date: Mon, 20 Jul 2020 17:36:22 +0200
Message-Id: <20200720152805.415751582@linuxfoundation.org>
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>

From: Jonathan Cameron

commit 8db4afe163bbdd93dca6fcefbb831ef12ecc6b4d upstream.

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Here there is no data leak possibility so use an explicit structure on the stack to ensure alignment and nice readable fashion.

The forced alignment of ts isn't strictly necessary in this driver as the padding will be correct anyway (there isn't any). However it is probably less fragile to have it there and it acts as documentation of the requirement.

Fixes: 713bbb4efb9dc ("iio: pressure: ms5611: Add triggered buffer support")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Acked-by: Tomasz Duszynski
Cc:
Signed-off-by: Greg Kroah-Hartman
---
drivers/iio/pressure/ms5611_core.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/iio/pressure/ms5611_core.c +++ b/drivers/iio/pressure/ms5611_core.c 
@@ -215,16 +215,21 @@ static irqreturn_t ms5611_trigger_handle struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ms5611_state *st = iio_priv(indio_dev); - s32 buf[4]; /* s32 (pressure) + s32 (temp) + 2 * s32 (timestamp) */ + /* Ensure buffer elements are naturally aligned */ + struct { + s32 channels[2]; + s64 ts __aligned(8); + } scan; int ret; mutex_lock(&st->lock); - ret = ms5611_read_temp_and_pressure(indio_dev, &buf[1], &buf[0]); + ret = ms5611_read_temp_and_pressure(indio_dev, &scan.channels[1], + &scan.channels[0]); mutex_unlock(&st->lock); if (ret < 0) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); err:
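
Review bot: The on-stack scan in ms5611_trigger_handler is pushed without being initialised, which is safe only because s32 channels[2] fills the eight bytes in front of ts and leaves no padding. The comment above the struct should say so, since adding or resizing a channel later would introduce uninitialised padding that goes to userspace; alternatively zero the struct with memset() before the read so the property no longer depends on the layout.
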
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lars-Peter Clausen, Jonathan Cameron, "Andrew F. Davis", Stable@vger.kernel.org
Subject: [PATCH 4.19 036/133] iio:health:afe4403 Fix timestamp alignment and prevent data leak.
Date: Mon, 20 Jul 2020 17:36:23 +0200
Message-Id: <20200720152805.462507150@linuxfoundation.org>
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>

From: Jonathan Cameron

commit 3f9c6d38797e9903937b007a341dad0c251765d6 upstream.

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 32 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: eec96d1e2d31 ("iio: health: Add driver for the TI AFE4403 heart monitor")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Acked-by: Andrew F. Davis
Cc:
Signed-off-by: Jonathan Cameron
Signed-off-by: Greg Kroah-Hartman
---
drivers/iio/health/afe4403.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/iio/health/afe4403.c 
+++ b/drivers/iio/health/afe4403.c @@ -71,6 +71,7 @@ static const struct reg_field afe4403_re * @regulator: Pointer to the regulator for the IC * @trig: IIO trigger for this device * @irq: ADC_RDY line interrupt number + * @buffer: Used to construct data layout to push into IIO buffer. */ struct afe4403_data { struct device *dev; @@ -80,6 +81,8 @@ struct afe4403_data { struct regulator *regulator; struct iio_trigger *trig; int irq; + /* Ensure suitable alignment for timestamp */ + s32 buffer[8] __aligned(8); }; enum afe4403_chan_id { @@ -317,7 +320,6 @@ static irqreturn_t afe4403_trigger_handl struct iio_dev *indio_dev = pf->indio_dev; struct afe4403_data *afe = iio_priv(indio_dev); int ret, bit, i = 0; - s32 buffer[8]; u8 tx[4] = {AFE440X_CONTROL0, 0x0, 0x0, AFE440X_CONTROL0_READ}; u8 rx[3]; @@ -334,9 +336,9 @@ static irqreturn_t afe4403_trigger_handl if (ret) goto err; - buffer[i++] = (rx[0] << 16) | - (rx[1] << 8) | - (rx[2]); + afe->buffer[i++] = (rx[0] << 16) | + (rx[1] << 8) | + (rx[2]); } /* Disable reading from the device */ 
@@ -345,7 +347,8 @@ static irqreturn_t afe4403_trigger_handl if (ret) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, afe->buffer, + pf->timestamp); err: iio_trigger_notify_done(indio_dev->trig);
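
Review bot: The new member in struct afe4403_data is s32 buffer[8] __aligned(8), a bare array rather than the channels-plus-ts struct used by the other patches in this series, so the position of the timestamp and the meaning of the 8 are implicit. A comment giving the breakdown (channel words plus the 64-bit timestamp), or a struct with an explicit s64 ts __aligned(8) member, would document the layout. Because afe->buffer now persists across triggers, entries not overwritten on a given trigger keep earlier readings; that matches the commit message, but it is worth stating in the @buffer kernel-doc line.
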
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lars-Peter Clausen, Jonathan Cameron, "Andrew F. Davis", Sasha Levin
Subject: [PATCH 4.19 058/133] iio:health:afe4404 Fix timestamp alignment and prevent data leak.
Date: Mon, 20 Jul 2020 17:36:45 +0200
Message-Id: <20200720152806.530074469@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Jonathan Cameron

[ Upstream commit f88ecccac4be348bbcc6d056bdbc622a8955c04d ]

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 40 byte array of smaller elements on the stack.

As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: 87aec56e27ef ("iio: health: Add driver for the TI AFE4404 heart monitor")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Acked-by: Andrew F. Davis
Signed-off-by: Jonathan Cameron
Signed-off-by: Sasha Levin
---
drivers/iio/health/afe4404.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--
2.25.1

diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c index 11910922e6556..23e1ac6501a1a 100644 --- a/drivers/iio/health/afe4404.c +++ b/drivers/iio/health/afe4404.c
@@ -91,6 +91,7 @@ static const struct reg_field afe4404_reg_fields[] = { * @regulator: Pointer to the regulator for the IC * @trig: IIO trigger for this device * @irq: ADC_RDY line interrupt number + * @buffer: Used to construct a scan to push to the iio buffer. */ struct afe4404_data { struct device *dev; @@ -99,6 +100,7 @@ struct afe4404_data { struct regulator *regulator; struct iio_trigger *trig; int irq; + s32 buffer[10] __aligned(8); }; enum afe4404_chan_id { 
@@ -336,17 +338,17 @@ static irqreturn_t afe4404_trigger_handler(int irq, void *private) struct iio_dev *indio_dev = pf->indio_dev; struct afe4404_data *afe = iio_priv(indio_dev); int ret, bit, i = 0; - s32 buffer[10]; for_each_set_bit(bit, indio_dev->active_scan_mask, indio_dev->masklength) { ret = regmap_read(afe->regmap, afe4404_channel_values[bit], - &buffer[i++]); + &afe->buffer[i++]); if (ret) goto err; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, afe->buffer, + pf->timestamp); err: iio_trigger_notify_done(indio_dev->trig);
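Review bot: The new member `s32 buffer[10] __aligned(8);` in struct afe4404_data has no inline comment saying why the alignment is requested, while the matching afe4403 change adds "Ensure suitable alignment for timestamp" above its buffer; the same comment here would keep the two drivers consistent and stop the attribute being dropped in a later cleanup. In the handler, `&afe->buffer[i++]` is bounded only by indio_dev->masklength and nothing visible ties that to the array length of 10, so a short comment on how the 10 is made up (channel words plus timestamp) would let a reader check the fit. The commit message already notes that earlier readings can remain in the buffer; repeating that in the @buffer kernel-doc line would put the caveat next to the code.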
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jerome Brunet, Kevin Hilman, Neil Armstrong, Sasha Levin
Subject: [PATCH 4.19 060/133] arm64: dts: meson: add missing gxl rng clock
Date: Mon, 20 Jul 2020 17:36:47 +0200
Message-Id: <20200720152806.628720493@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Jerome Brunet

[ Upstream commit 95ca6f06dd4827ff63be5154120c7a8511cd9a41 ]

The peripheral clock of the RNG is missing for gxl while it is present for gxbb.

Fixes: 1b3f6d148692 ("ARM64: dts: meson-gx: add clock CLKID_RNG0 to hwrng node")
Signed-off-by: Jerome Brunet
Signed-off-by: Kevin Hilman
Reviewed-by: Neil Armstrong
Link: https://lore.kernel.org/r/20200617125346.1163527-1-jbrunet@baylibre.com
Signed-off-by: Sasha Levin
---
arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 5 +++++
1 file changed, 5 insertions(+)
--
2.25.1

diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi index 8f0bb3c44bd6d..5d7724b3a6123 100644 --- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi
@@ -266,6 +266,11 @@ clkc: clock-controller { }; }; +&hwrng { + clocks = <&clkc CLKID_RNG0>; + clock-names = "core"; +}; + &i2c_A { clocks = <&clkc CLKID_I2C>; };
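Review bot: In the added `&hwrng` override, `clock-names = "core"` only helps if it is the same name the gxbb entry mentioned in the commit message uses, and the hunk gives no way to check that. Suggest pointing to the gxbb location in the commit message, or confirming the string against it before merging. The message also does not say what fails on gxl without the clock, which would help anyone deciding whether a given stable tree needs this backport.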
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vincent Guittot, "Peter Zijlstra (Intel)", Valentin Schneider, Dietmar Eggemann
Subject: [PATCH 4.19 128/133] sched/fair: handle case of task_h_load() returning 0
Date: Mon, 20 Jul 2020 17:37:55 +0200
Message-Id: <20200720152809.917993544@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200720152803.732195882@linuxfoundation.org>
References: <20200720152803.732195882@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

From: Vincent Guittot

commit 01cfcde9c26d8555f0e6e9aea9d6049f87683998 upstream.

task_h_load() can return 0 in some situations like running stress-ng mmapfork, which forks thousands of threads, in a sched group on a 224 cores system. The load balance doesn't handle this correctly because env->imbalance never decreases and it will stop pulling tasks only after reaching loop_max, which can be equal to the number of running tasks of the cfs. Make sure that imbalance will be decreased by at least 1.

misfit task is the other feature that doesn't handle correctly such situation although it's probably more difficult to face the problem because of the smaller number of CPUs and running tasks on heterogeneous system.

We can't simply ensure that task_h_load() returns at least one because it would imply to handle underflow in other places.

Signed-off-by: Vincent Guittot
Signed-off-by: Peter Zijlstra (Intel)
Reviewed-by: Valentin Schneider
Reviewed-by: Dietmar Eggemann
Tested-by: Dietmar Eggemann
Cc: # v4.4+
Link: https://lkml.kernel.org/r/20200710152426.16981-1-vincent.guittot@linaro.org
Signed-off-by: Greg Kroah-Hartman
---
kernel/sched/fair.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c
@@ -7337,7 +7337,15 @@ static int detach_tasks(struct lb_env *e if (!can_migrate_task(p, env)) goto next; - load = task_h_load(p); + /* + * Depending of the number of CPUs and tasks and the + * cgroup hierarchy, task_h_load() can return a null + * value. Make sure that env->imbalance decreases + * otherwise detach_tasks() will stop only after + * detaching up to loop_max tasks. + */ + load = max_t(unsigned long, task_h_load(p), 1); + if (sched_feat(LB_MIN) && load < 16 && !env->sd->nr_balance_failed) goto next;
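Review bot: The commit message says misfit task handling has the same problem, but the diffstat and this hunk change only the `load = task_h_load(p);` assignment in detach_tasks(), so it is unclear whether the misfit case is left open or does not apply to this tree; one sentence in the message saying which would settle it. In the added comment, "Depending of" should read "Depending on", and "a null value" would be clearer as "0" to match the subject line. The clamp to 1 sits before the `sched_feat(LB_MIN) && load < 16` test, so a task that reported 0 is still skipped by that test exactly as before, which is worth a word in the comment since the stated goal is that env->imbalance always decreases.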