[v3,12/27] iio:light:ltr501 Fix timestamp alignment issue.

Message ID	20200722155103.979802-13-jic23@kernel.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=Obq9=BB=vger.kernel.org=linux-iio-owner@kernel.org> From: Jonathan Cameron <jic23@kernel.org> To: linux-iio@vger.kernel.org Cc: Andy Shevchenko <andy.shevchenko@gmail.com>, Lars-Peter Clausen <lars@metafoo.de>, Peter Meerwald <pmeerw@pmeerw.net>, Jonathan Cameron <Jonathan.Cameron@huawei.com> Subject: [PATCH v3 12/27] iio:light:ltr501 Fix timestamp alignment issue. Date: Wed, 22 Jul 2020 16:50:48 +0100 Message-Id: <20200722155103.979802-13-jic23@kernel.org> In-Reply-To: <20200722155103.979802-1-jic23@kernel.org> References: <20200722155103.979802-1-jic23@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-iio-owner@vger.kernel.org Precedence: bulk
Series	IIO: Fused set 1 and 2 of timestamp alignment fixes \| expand [v3,00/27] IIO: Fused set 1 and 2 of timestamp alignment fixes [v3,01/27] iio: accel: kxsd9: Fix alignment of local buffer. [v3,02/27] iio:accel:mma8452: Fix timestamp alignment and prevent data leak. [v3,03/27] iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak. [v3,04/27] iio:accel:mma7455: Fix timestamp alignment and prevent data leak. [v3,05/27] iio:gyro:itg3200: Fix timestamp alignment and prevent data leak. [v3,06/27] iio:proximity:mb1232: Fix timestamp alignment and prevent data leak. [v3,07/27] iio:chemical:ccs811: Fix timestamp alignment and prevent data leak. [v3,08/27] iio:light:si1145: Fix timestamp alignment and prevent data leak. [v3,09/27] iio:light:max44000 Fix timestamp alignment and prevent data leak. [v3,10/27] iio:light:rpr0521 Fix timestamp alignment and prevent data leak. [v3,11/27] iio:light:st_uvis25 Fix timestamp alignment and prevent data leak. [v3,12/27] iio:light:ltr501 Fix timestamp alignment issue. [v3,13/27] iio:magnetometer:ak8975 Fix alignment and data leak issues. [v3,14/27] iio:magnetometer:mag3110 Fix alignment and data leak issues. [v3,15/27] iio:imu:bmi160 Fix alignment and data leak issues [v3,16/27] iio:imu:st_lsm6dsx Fix alignment and data leak issues [v3,17/27] iio:imu:inv_mpu6050 Fix dma and ts alignment and data leak issues. [v3,18/27] iio:imu:inv_mpu6050: Use regmap_noinc_read for fifo reads. [v3,19/27] iio:pressure:mpl3115 Force alignment of buffer [v3,20/27] iio:adc:ti-adc081c Fix alignment and data leak issues [v3,21/27] iio:adc:ti-adc084s021 Fix alignment and data leak issues. [v3,22/27] iio:adc:ti-adc084s021 Tidy up endian types [v3,23/27] iio:adc:ti-ads124s08 Fix alignment and data leak issues. [v3,24/27] iio:adc:ti-adc0832 Fix alignment issue with timestamp [v3,25/27] iio:adc:ti-adc12138 Fix alignment issue with timestamp [v3,26/27] iio:adc:ina2xx Fix timestamp alignment issue. [v3,27/27] iio:adc:max1118 Fix alignment of timestamp and data leak issues

Message ID

20200722155103.979802-13-jic23@kernel.org (mailing list archive)

State

New, archived

Headers

From: Jonathan Cameron <jic23@kernel.org>
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>,
        Lars-Peter Clausen <lars@metafoo.de>,
        Peter Meerwald <pmeerw@pmeerw.net>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>
Subject: [PATCH v3 12/27] iio:light:ltr501 Fix timestamp alignment issue.
Date: Wed, 22 Jul 2020 16:50:48 +0100
Message-Id: <20200722155103.979802-13-jic23@kernel.org>
In-Reply-To: <20200722155103.979802-1-jic23@kernel.org>
References: <20200722155103.979802-1-jic23@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-iio-owner@vger.kernel.org
Precedence: bulk

Series

IIO: Fused set 1 and 2 of timestamp alignment fixes | expand

Commit Message

Jonathan Cameron July 22, 2020, 3:50 p.m. UTC

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes).  This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
Here we use a structure on the stack.  The driver already did an
explicit memset so no data leak was possible.

Forced alignment of ts is not strictly necessary but probably makes
the code slightly less fragile.

Note there has been some rework in this driver of the years, so no
way this will apply cleanly all the way back.

Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
---
 drivers/iio/light/ltr501.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

Comments

Jonathan Cameron Aug. 9, 2020, 5:27 p.m. UTC | #1

On Wed, 22 Jul 2020 16:50:48 +0100
Jonathan Cameron <jic23@kernel.org> wrote:

> From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
> 
> One of a class of bugs pointed out by Lars in a recent review.
> iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
> to the size of the timestamp (8 bytes).  This is not guaranteed in
> this driver which uses an array of smaller elements on the stack.
> Here we use a structure on the stack.  The driver already did an
> explicit memset so no data leak was possible.
> 
> Forced alignment of ts is not strictly necessary but probably makes
> the code slightly less fragile.
> 
> Note there has been some rework in this driver of the years, so no
> way this will apply cleanly all the way back.
> 
> Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
> Reported-by: Lars-Peter Clausen <lars@metafoo.de>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Applied and marked for stable.

Thanks,

Jonathan

> ---
>  drivers/iio/light/ltr501.c | 15 +++++++++------
>  1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/iio/light/ltr501.c b/drivers/iio/light/ltr501.c
> index 4bac0646398d..b4323d2db0b1 100644
> --- a/drivers/iio/light/ltr501.c
> +++ b/drivers/iio/light/ltr501.c
> @@ -1243,13 +1243,16 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p)
>  	struct iio_poll_func *pf = p;
>  	struct iio_dev *indio_dev = pf->indio_dev;
>  	struct ltr501_data *data = iio_priv(indio_dev);
> -	u16 buf[8];
> +	struct {
> +		u16 channels[3];
> +		s64 ts __aligned(8);
> +	} scan;
>  	__le16 als_buf[2];
>  	u8 mask = 0;
>  	int j = 0;
>  	int ret, psdata;
>  
> -	memset(buf, 0, sizeof(buf));
> +	memset(&scan, 0, sizeof(scan));
>  
>  	/* figure out which data needs to be ready */
>  	if (test_bit(0, indio_dev->active_scan_mask) ||
> @@ -1268,9 +1271,9 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p)
>  		if (ret < 0)
>  			return ret;
>  		if (test_bit(0, indio_dev->active_scan_mask))
> -			buf[j++] = le16_to_cpu(als_buf[1]);
> +			scan.channels[j++] = le16_to_cpu(als_buf[1]);
>  		if (test_bit(1, indio_dev->active_scan_mask))
> -			buf[j++] = le16_to_cpu(als_buf[0]);
> +			scan.channels[j++] = le16_to_cpu(als_buf[0]);
>  	}
>  
>  	if (mask & LTR501_STATUS_PS_RDY) {
> @@ -1278,10 +1281,10 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p)
>  				       &psdata, 2);
>  		if (ret < 0)
>  			goto done;
> -		buf[j++] = psdata & LTR501_PS_DATA_MASK;
> +		scan.channels[j++] = psdata & LTR501_PS_DATA_MASK;
>  	}
>  
> -	iio_push_to_buffers_with_timestamp(indio_dev, buf,
> +	iio_push_to_buffers_with_timestamp(indio_dev, &scan,
>  					   iio_get_time_ns(indio_dev));
>  
>  done:

diff --git a/drivers/iio/light/ltr501.c b/drivers/iio/light/ltr501.c
index 4bac0646398d..b4323d2db0b1 100644
--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1243,13 +1243,16 @@  static irqreturn_t ltr501_trigger_handler(int irq, void *p)
 	struct iio_poll_func *pf = p;
 	struct iio_dev *indio_dev = pf->indio_dev;
 	struct ltr501_data *data = iio_priv(indio_dev);
-	u16 buf[8];
+	struct {
+		u16 channels[3];
+		s64 ts __aligned(8);
+	} scan;
 	__le16 als_buf[2];
 	u8 mask = 0;
 	int j = 0;
 	int ret, psdata;
 
-	memset(buf, 0, sizeof(buf));
+	memset(&scan, 0, sizeof(scan));
 
 	/* figure out which data needs to be ready */
 	if (test_bit(0, indio_dev->active_scan_mask) ||
@@ -1268,9 +1271,9 @@  static irqreturn_t ltr501_trigger_handler(int irq, void *p)
 		if (ret < 0)
 			return ret;
 		if (test_bit(0, indio_dev->active_scan_mask))
-			buf[j++] = le16_to_cpu(als_buf[1]);
+			scan.channels[j++] = le16_to_cpu(als_buf[1]);
 		if (test_bit(1, indio_dev->active_scan_mask))
-			buf[j++] = le16_to_cpu(als_buf[0]);
+			scan.channels[j++] = le16_to_cpu(als_buf[0]);
 	}
 
 	if (mask & LTR501_STATUS_PS_RDY) {
@@ -1278,10 +1281,10 @@  static irqreturn_t ltr501_trigger_handler(int irq, void *p)
 				       &psdata, 2);
 		if (ret < 0)
 			goto done;
-		buf[j++] = psdata & LTR501_PS_DATA_MASK;
+		scan.channels[j++] = psdata & LTR501_PS_DATA_MASK;
 	}
 
-	iio_push_to_buffers_with_timestamp(indio_dev, buf,
+	iio_push_to_buffers_with_timestamp(indio_dev, &scan,
 					   iio_get_time_ns(indio_dev));
 
 done:

[v3,12/27] iio:light:ltr501 Fix timestamp alignment issue.

Commit Message

Comments

Patch