From patchwork Sun Jun 7 15:53:37 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11591661
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 01/32] iio: accel: kxsd9: Fix alignment of local buffer.
Date: Sun, 7 Jun 2020 16:53:37 +0100
Message-Id: <20200607155408.958437-2-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

iio_push_to_buffers_with_timestamp assumes 8 byte alignment which is not guaranteed by an array of smaller elements.

Note that whilst in this particular case the alignment forcing of the ts element is not strictly necessary it acts as good documentation.

Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
--- drivers/iio/accel/kxsd9.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c index 63b1d8ee6c6f..85e3c46494d3 100644 --- a/drivers/iio/accel/kxsd9.c +++ b/drivers/iio/accel/kxsd9.c @@ -209,14 +209,20 @@ static irqreturn_t kxsd9_trigger_handler(int irq, void *p) const struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct kxsd9_state *st = iio_priv(indio_dev); + /* + * Ensure correct positioning and alignment of timestamp. + * No need to zero initialize as all elements written. + */ + struct { + __be16 chan[4]; + s64 ts __aligned(8); + } hw_values; int ret; - /* 4 * 16bit values AND timestamp */ - __be16 hw_values[8]; ret = regmap_bulk_read(st->map, KXSD9_REG_X, - &hw_values, - 8); + hw_values.chan, + sizeof(hw_values.chan)); if (ret) { dev_err(st->dev, "error reading data\n");
@@ -224,7 +230,7 @@ static irqreturn_t kxsd9_trigger_handler(int irq, void *p) } iio_push_to_buffers_with_timestamp(indio_dev, - hw_values, + &hw_values, iio_get_time_ns(indio_dev)); iio_trigger_notify_done(indio_dev->trig);

From patchwork Sun Jun 7 15:53:38 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11591663
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Peter Meerwald
Subject: [PATCH 02/32] iio:accel:mma8452: Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:38 +0100
Message-Id: <20200607155408.958437-3-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte u8 array on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

The additional forcing of the 8 byte alignment of the timestamp is not strictly necessary but makes the code less fragile by making this explicit.

Fixes: c7eeea93ac60 ("iio: Add Freescale MMA8452Q 3-axis accelerometer driver")
Reported-by: Lars-Peter Clausen
Cc: Peter Meerwald
Signed-off-by: Jonathan Cameron
--- drivers/iio/accel/mma8452.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c index ef3df402fc3c..e58fcc3741c4 100644 --- a/drivers/iio/accel/mma8452.c
+++ b/drivers/iio/accel/mma8452.c @@ -110,6 +110,12 @@ struct mma8452_data { int sleep_val; struct regulator *vdd_reg; struct regulator *vddio_reg; + + /* Ensure correct alignment of time stamp when present */ + struct { + __be16 channels[3]; + s64 ts __aligned(8); + } buffer; }; /** 
@@ -1091,14 +1097,13 @@ static irqreturn_t mma8452_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mma8452_data *data = iio_priv(indio_dev); - u8 buffer[16]; /* 3 16-bit channels + padding + ts */ int ret; - ret = mma8452_read(data, (__be16 *)buffer); + ret = mma8452_read(data, data->buffer.channels); if (ret < 0) goto done; - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, &data->buffer, iio_get_time_ns(indio_dev)); done:

From patchwork Sun Jun 7 15:53:39 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11591665
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Srinivas Pandruvada
Subject: [PATCH 03/32] iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:39 +0100
Message-Id: <20200607155408.958437-4-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes tag is beyond some major refactoring so likely manual backporting would be needed to get that far back.

Whilst the force alignment of the ts is not strictly necessary, it does make the code less fragile.

Fixes: 3bbec9773389 ("iio: bmc150_accel: add support for hardware fifo")
Reported-by: Lars-Peter Clausen
Cc: Srinivas Pandruvada
Signed-off-by: Jonathan Cameron
--- drivers/iio/accel/bmc150-accel-core.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/iio/accel/bmc150-accel-core.c b/drivers/iio/accel/bmc150-accel-core.c index 8f60d0727ee8..049f2632cf7a 100644 --- a/drivers/iio/accel/bmc150-accel-core.c +++ b/drivers/iio/accel/bmc150-accel-core.c @@ -189,6 +189,14 @@ struct bmc150_accel_data { struct mutex mutex; u8 fifo_mode, watermark; s16 buffer[8]; + /* + * Ensure there is sufficient space and correct alignment for + * the timestamp if enabled + */ + struct { + __le16 channels[3]; + s64 ts __aligned(8); + } scan; u8 bw_bits; u32 slope_dur; u32 slope_thres;
@@ -922,15 +930,16 @@ static int __bmc150_accel_fifo_flush(struct iio_dev *indio_dev, * now. */ for (i = 0; i < count; i++) { - u16 sample[8]; int j, bit; j = 0; for_each_set_bit(bit, indio_dev->active_scan_mask, indio_dev->masklength) - memcpy(&sample[j++], &buffer[i * 3 + bit], 2); + memcpy(&data->scan.channels[j++], &buffer[i * 3 + bit], + 2); - iio_push_to_buffers_with_timestamp(indio_dev, sample, tstamp); + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + tstamp); tstamp += sample_period; }

From patchwork Sun Jun 7 15:53:40 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11591667
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 04/32] iio:accel:mma7455: Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:40 +0100
Message-Id: <20200607155408.958437-5-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte u8 array on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

The force alignment of ts is not strictly necessary in this particular case but does make the code less fragile.

Fixes: a84ef0d181d9 ("iio: accel: add Freescale MMA7455L/MMA7456L 3-axis accelerometer driver")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
--- drivers/iio/accel/mma7455_core.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/iio/accel/mma7455_core.c b/drivers/iio/accel/mma7455_core.c index 7e99bcb3398d..922bd38ff6ea 100644 --- a/drivers/iio/accel/mma7455_core.c +++ b/drivers/iio/accel/mma7455_core.c @@ -52,6 +52,14 @@ struct mma7455_data { struct regmap *regmap; + /* + * Used to reorganize data. Will ensure correct alignment of + * the timestamp if present + */ + struct { + __le16 channels[3]; + s64 ts __aligned(8); + } scan; }; static int mma7455_drdy(struct mma7455_data *mma7455)
@@ -82,19 +90,19 @@ static irqreturn_t mma7455_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mma7455_data *mma7455 = iio_priv(indio_dev); - u8 buf[16]; /* 3 x 16-bit channels + padding + ts */ int ret; ret = mma7455_drdy(mma7455); if (ret) goto done; - ret = regmap_bulk_read(mma7455->regmap, MMA7455_REG_XOUTL, buf, - sizeof(__le16) * 3); + ret = regmap_bulk_read(mma7455->regmap, MMA7455_REG_XOUTL, + mma7455->scan.channels, + sizeof(mma7455->scan.channels)); if (ret) goto done; - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &mma7455->scan, iio_get_time_ns(indio_dev)); done:

From patchwork Sun Jun 7 15:53:41 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11591669
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 05/32] iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:41 +0100
Message-Id: <20200607155408.958437-6-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte array of smaller elements on the stack. This is fixed by using an explicit c structure. As there are no holes in the structure, there is no possibility of data leakage in this case.

The explicit alignment of ts is not strictly necessary but potentially makes the code slightly less fragile.

Fixes: 36e0371e7764 ("iio:itg3200: Use iio_push_to_buffers_with_timestamp()")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
--- drivers/iio/gyro/itg3200_buffer.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/iio/gyro/itg3200_buffer.c b/drivers/iio/gyro/itg3200_buffer.c index d3fbe9d86467..1c3c1bd53374 100644 --- a/drivers/iio/gyro/itg3200_buffer.c +++ b/drivers/iio/gyro/itg3200_buffer.c
@@ -46,13 +46,20 @@ static irqreturn_t itg3200_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct itg3200 *st = iio_priv(indio_dev); - __be16 buf[ITG3200_SCAN_ELEMENTS + sizeof(s64)/sizeof(u16)]; - - int ret = itg3200_read_all_channels(st->i2c, buf); + /* + * Ensure correct alignment and padding including for the + * timestamp that may be inserted. + */ + struct { + __be16 buf[ITG3200_SCAN_ELEMENTS]; + s64 ts __aligned(8); + } scan; + + int ret = itg3200_read_all_channels(st->i2c, scan.buf); if (ret < 0) goto error_ret; - iio_push_to_buffers_with_timestamp(indio_dev, buf, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, &scan, pf->timestamp); iio_trigger_notify_done(indio_dev->trig);

From patchwork Sun Jun 7 15:53:42 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11591671
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Andreas Klinger
Subject: [PATCH 06/32] iio:proximity:mb1232: Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:42 +0100
Message-Id: <20200607155408.958437-7-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte s16 array on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment ensured by use of an explicit c structure. This data is allocated with kzalloc so no data can leak apart from previous readings.

In this case the forced alignment of the ts is necessary to ensure correct padding on x86_32 where the s64 would only be 4 byte aligned.

Fixes: 16b05261537e ("mb1232.c: add distance iio sensor with i2c")
Reported-by: Lars-Peter Clausen
Cc: Andreas Klinger
Signed-off-by: Jonathan Cameron
--- drivers/iio/proximity/mb1232.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/drivers/iio/proximity/mb1232.c b/drivers/iio/proximity/mb1232.c index 654564c45248..ad4b1fb2607a 100644 --- a/drivers/iio/proximity/mb1232.c +++ b/drivers/iio/proximity/mb1232.c @@ -40,6 +40,11 @@ struct mb1232_data { */ struct completion ranging; int irqnr; + /* Ensure correct alignment of data to push to IIO buffer */ + struct { + s16 distance; + s64 ts __aligned(8); + } scan; }; static irqreturn_t mb1232_handle_irq(int irq, void *dev_id)
@@ -113,17 +118,13 @@ static irqreturn_t mb1232_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mb1232_data *data = iio_priv(indio_dev); - /* - * triggered buffer - * 16-bit channel + 48-bit padding + 64-bit timestamp - */ - s16 buffer[8] = { 0 }; - buffer[0] = mb1232_read_distance(data); - if (buffer[0] < 0) + data->scan.distance = mb1232_read_distance(data); + if (data->scan.distance < 0) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, buffer, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); err: iio_trigger_notify_done(indio_dev->trig);

From patchwork Sun Jun 7 15:53:43 2020
X-Patchwork-Submitter: Jonathan Cameron
X-Patchwork-Id: 11591673
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Narcisa Ana Maria Vasile
Subject: [PATCH 07/32] iio:chemical:ccs811: Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:43 +0100
Message-Id: <20200607155408.958437-8-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings.

The explicit alignment of ts is necessary to ensure consistent padding for x86_32 in which the ts would otherwise be 4 byte aligned.

Fixes: 283d26917ad6 ("iio: chemical: ccs811: Add triggered buffer support")
Reported-by: Lars-Peter Clausen
Cc: Narcisa Ana Maria Vasile
Signed-off-by: Jonathan Cameron
--- drivers/iio/chemical/ccs811.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/iio/chemical/ccs811.c b/drivers/iio/chemical/ccs811.c index 2b007e7568b2..60dd87e96f5f 100644 --- a/drivers/iio/chemical/ccs811.c +++ b/drivers/iio/chemical/ccs811.c @@ -78,6 +78,11 @@ struct ccs811_data { struct iio_trigger *drdy_trig; struct gpio_desc *wakeup_gpio; bool drdy_trig_on; + /* Ensures correct alignment of timestamp if present */ + struct { + s16 channels[2]; + s64 ts __aligned(8); + } scan; }; static const struct iio_chan_spec ccs811_channels[] = {
@@ -327,17 +332,17 @@ static irqreturn_t ccs811_trigger_handler(int irq, void *p) struct iio_dev *indio_dev = pf->indio_dev; struct ccs811_data *data = iio_priv(indio_dev); struct i2c_client *client = data->client; - s16 buf[8]; /* s16 eCO2 + s16 TVOC + padding + 8 byte timestamp */ int ret; - ret = i2c_smbus_read_i2c_block_data(client, CCS811_ALG_RESULT_DATA, 4, - (u8 *)&buf); + ret = i2c_smbus_read_i2c_block_data(client, CCS811_ALG_RESULT_DATA, + sizeof(data->scan.channels), + (u8 *)data->scan.channels); if (ret != 4) { dev_err(&client->dev, "cannot read sensor data\n"); goto err; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); err: From patchwork Sun Jun 7 15:53:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591675 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E4175912 for ; Sun, 7 Jun 2020 15:56:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CD983207C3 for ; Sun, 7 Jun 2020 15:56:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545386; bh=Qa0PTvT+TZfKmIYSONfUAPX9vxxkYEnSVb1RnyUP/Zg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=yidlfnmdNaAVabedeUrndQHeIojaKGYENDn0BI8Oe64+/5LCZ7xFNPlm539n3NWpN 5Pcp9JlleMvAkqLHAyCVT36do5RLwl06mdXY7SiWDl7vMlLlsGeyThfBcoH3mrIvkc R9U+wH45Fp6BDEms9BRCvXbNEIe4h5pQzLsPOJio= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726692AbgFGP40 (ORCPT ); Sun, 7 Jun 2020 11:56:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:57304 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726631AbgFGP4Z (ORCPT ); Sun, 7 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Peter Meerwald-Stadler
Subject: [PATCH 08/32] iio:light:si1145: Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:44 +0100
Message-Id: <20200607155408.958437-9-jic23@kernel.org>
From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 24 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable array in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: ac45e57f1590 ("iio: light: Add driver for Silabs si1132, si1141/2/3 and si1145/6/7 ambient light, uv index and proximity sensors")
Reported-by: Lars-Peter Clausen
Cc: Peter Meerwald-Stadler
Signed-off-by: Jonathan Cameron
--- drivers/iio/light/si1145.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/iio/light/si1145.c b/drivers/iio/light/si1145.c index e1f989dd3a3d..16958160cf63 100644 --- a/drivers/iio/light/si1145.c +++ b/drivers/iio/light/si1145.c @@ -179,6 +179,8 @@ struct si1145_data { bool autonomous; struct iio_trigger *trig; int meas_rate; + /* Ensure timestamp will be naturally aligned if present */ + u8 buffer[24] __aligned(8); }; /** @@ -445,7 +447,6 @@ static irqreturn_t si1145_trigger_handler(int irq, void *private) * 6*2 bytes channels data + 4 bytes alignment + * 8 bytes timestamp */ - u8 buffer[24]; int i, j = 0; int ret; u8 irq_status = 0; @@ -478,7 +479,7 @@ static irqreturn_t si1145_trigger_handler(int irq, void *private) ret = i2c_smbus_read_i2c_block_data_or_emulated( data->client, indio_dev->channels[i].address, - sizeof(u16) * run, &buffer[j]); + sizeof(u16) * run, &data->buffer[j]); if (ret < 0) goto done; j += run * sizeof(u16);
@@ -493,7 +494,7 @@ static irqreturn_t si1145_trigger_handler(int irq, void *private) goto done; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, iio_get_time_ns(indio_dev)); done:
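Review bot: the second si1145 hunk removes "u8 buffer[24];" from si1145_trigger_handler but leaves the comment block that sized it ("6*2 bytes channels data + 4 bytes alignment + 8 bytes timestamp") behind in the handler, where it now describes nothing. Move that breakdown to the new u8 buffer[24] __aligned(8) member in struct si1145_data, which at the moment carries a bare 24 with no explanation.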
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 09/32] iio:light:max44000 Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:45 +0100
Message-Id: <20200607155408.958437-10-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc so no data can leak apart from previous readings. It is necessary to force the alignment of ts to avoid the padding on x86_32 being different from 64 bit platforms (it allows for 4 bytes aligned 8 byte types).

Fixes: 06ad7ea10e2b ("max44000: Initial triggered buffer support")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
--- drivers/iio/light/max44000.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/iio/light/max44000.c b/drivers/iio/light/max44000.c index aa8ed1e3e89a..b8e721bced5b 100644 --- a/drivers/iio/light/max44000.c +++ b/drivers/iio/light/max44000.c
@@ -75,6 +75,11 @@ struct max44000_data { struct mutex lock; struct regmap *regmap; + /* Ensure naturally aligned timestamp */ + struct { + u16 channels[2]; + s64 ts __aligned(8); + } scan; }; /* Default scale is set to the minimum of 0.03125 or 1 / (1 << 5) lux */ @@ -488,7 +493,6 @@ static irqreturn_t max44000_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct max44000_data *data = iio_priv(indio_dev); - u16 buf[8]; /* 2x u16 + padding + 8 bytes timestamp */ int index = 0; unsigned int regval; int ret; 
@@ -498,17 +502,17 @@ static irqreturn_t max44000_trigger_handler(int irq, void *p) ret = max44000_read_alsval(data); if (ret < 0) goto out_unlock; - buf[index++] = ret; + data->scan.channels[index++] = ret; } if (test_bit(MAX44000_SCAN_INDEX_PRX, indio_dev->active_scan_mask)) { ret = regmap_read(data->regmap, MAX44000_REG_PRX_DATA, ®val); if (ret < 0) goto out_unlock; - buf[index] = regval; + data->scan.channels[index] = regval; } mutex_unlock(&data->lock); - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); iio_trigger_notify_done(indio_dev->trig); return IRQ_HANDLED;
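Review bot: in the last max44000_trigger_handler hunk the channel values are stored into data->scan while data->lock is held, but iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, ...) runs after mutex_unlock(&data->lock). That ordering was harmless while buf was a stack local; now that the scan lives in shared iio_priv() data, either push before dropping the lock or state in the commit message why nothing else can write data->scan at that point.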
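The padding and leak argument made in the ccs811 and max44000 commit messages, as an added user-space C illustration (not code from the kernel or from this series). Assumptions: model_push is a hypothetical stand-in for a push helper that writes the timestamp into the last 8-byte slot of a 16-byte scan, the i386-like struct uses packed plus aligned(4) to imitate x86_32 layout on any host, and the 0xAA fill is a constructed stand-in for leftover stack contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_CHAN     2   /* two 16-bit channels, as in the ccs811 and max44000 structs */
#define SCAN_BYTES 16  /* assumed scan size: 4 data + 4 padding + 8 timestamp */
#define TS_OFF     ((SCAN_BYTES / sizeof(int64_t) - 1) * sizeof(int64_t))

/* Layout used by the patches: ts forced onto an 8-byte boundary. */
struct scan_forced {
	int16_t channels[N_CHAN];
	int64_t ts __attribute__((aligned(8)));
};

/* Imitates x86_32, where a 64-bit struct member only needs 4-byte alignment. */
struct scan_i386_like {
	int16_t channels[N_CHAN];
	int64_t ts __attribute__((packed, aligned(4)));
};

/*
 * Hypothetical push helper: the timestamp goes into the last 8-byte slot,
 * then the whole scan is copied out as a reader of the buffer would see it.
 */
static void model_push(void *scan, int64_t ts, uint8_t out[SCAN_BYTES])
{
	memcpy((uint8_t *)scan + TS_OFF, &ts, sizeof(ts));
	memcpy(out, scan, SCAN_BYTES);
}

/* Count non-zero bytes in the gap between channel data and timestamp. */
static int stale_padding(const uint8_t out[SCAN_BYTES])
{
	int n = 0;

	for (size_t i = N_CHAN * sizeof(int16_t); i < TS_OFF; i++)
		n += out[i] != 0;
	return n;
}

size_t forced_ts_offset(void)    { return offsetof(struct scan_forced, ts); }
size_t i386_like_ts_offset(void) { return offsetof(struct scan_i386_like, ts); }

/* Bytes the helper would write past the end of the i386-like struct. */
size_t i386_like_overrun(void)
{
	return TS_OFF + sizeof(int64_t) - sizeof(struct scan_i386_like);
}

/* Alignment the compiler guarantees for each kind of buffer. */
size_t old_buffer_alignment(void) { return _Alignof(int16_t[8]); }
size_t new_buffer_alignment(void) { return _Alignof(struct scan_forced); }

/* Old pattern: array of small elements, only the channel bytes are written. */
int stale_bytes_old_pattern(void)
{
	const int16_t sample[N_CHAN] = { 400, 12 };  /* constructed readings */
	uint8_t buf[SCAN_BYTES];
	uint8_t out[SCAN_BYTES];

	memset(buf, 0xAA, sizeof(buf));  /* constructed stand-in for stale stack */
	memcpy(buf, sample, sizeof(sample));
	model_push(buf, 1591545376, out);
	return stale_padding(out);
}

/* Fixed pattern: zeroed allocation (calloc stands in for kzalloc). */
int stale_bytes_fixed_pattern(void)
{
	const int16_t sample[N_CHAN] = { 400, 12 };  /* constructed readings */
	struct scan_forced *scan = calloc(1, sizeof(*scan));
	uint8_t out[SCAN_BYTES];
	int n;

	if (!scan)
		return -1;
	memcpy(scan->channels, sample, sizeof(sample));
	model_push(scan, 1591545376, out);
	n = stale_padding(out);
	free(scan);
	return n;
}

int main(void)
{
	printf("ts offset: forced=%zu i386-like=%zu (overrun %zu bytes)\n",
	       forced_ts_offset(), i386_like_ts_offset(), i386_like_overrun());
	printf("guaranteed alignment: old=%zu new=%zu\n",
	       old_buffer_alignment(), new_buffer_alignment());
	printf("stale padding bytes pushed: old=%d fixed=%d\n",
	       stale_bytes_old_pattern(), stale_bytes_fixed_pattern());
	return 0;
}
```

The i386-like struct is 12 bytes with ts at offset 4, so a helper that writes at offset 8 both misplaces the timestamp and runs 4 bytes past the object; that is the case the forced alignment removes.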
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Mikko Koivunen
Subject: [PATCH 10/32] iio:light:rpr0521 Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:46 +0100
Message-Id: <20200607155408.958437-11-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc so no data can leak apart from previous readings and in this case the status byte from the device. The forced alignment of ts is not necessary in this case but it potentially makes the code less fragile.

Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer")
Cc: Mikko Koivunen
Signed-off-by: Jonathan Cameron --- drivers/iio/light/rpr0521.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/iio/light/rpr0521.c b/drivers/iio/light/rpr0521.c index c20fbc730d65..66f22ea3d68a 100644 --- a/drivers/iio/light/rpr0521.c +++ b/drivers/iio/light/rpr0521.c @@ -194,6 +194,17 @@ struct rpr0521_data { bool pxs_need_dis; struct regmap *regmap; + + /* + * Ensure correct naturally aligned timestamp. + * Note that the read will put garbage data into + * the padding but this should not be a problem + */ + struct { + __le16 channels[3]; + u8 garbage; + s64 ts __aligned(8); + } scan; }; static IIO_CONST_ATTR(in_intensity_scale_available, RPR0521_ALS_SCALE_AVAIL); @@ -449,8 +460,6 @@ static irqreturn_t rpr0521_trigger_consumer_handler(int irq, void *p) struct rpr0521_data *data = iio_priv(indio_dev); int err; - u8 buffer[16]; /* 3 16-bit channels + padding + ts */ - /* Use irq timestamp when reasonable. */ if (iio_trigger_using_own(indio_dev) && data->irq_timestamp) { pf->timestamp = data->irq_timestamp; 
@@ -461,11 +470,11 @@ static irqreturn_t rpr0521_trigger_consumer_handler(int irq, void *p) pf->timestamp = iio_get_time_ns(indio_dev); err = regmap_bulk_read(data->regmap, RPR0521_REG_PXS_DATA, - &buffer, + data->scan.channels, (3 * 2) + 1); /* 3 * 16-bit + (discarded) int clear reg. */ if (!err) iio_push_to_buffers_with_timestamp(indio_dev, - buffer, pf->timestamp); + &data->scan, pf->timestamp); else dev_err(&data->client->dev, "Trigger consumer can't read from sensor.\n");
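Review bot: the comment on the scan struct added to struct rpr0521_data says the read puts garbage data "into the padding", but the struct declares an explicit u8 garbage member to receive that byte. Reword the comment to name the member and say what it holds (the commit message calls it the status byte from the device), so the comment and the layout agree.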
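Review bot: in the rpr0521_trigger_consumer_handler hunk the bulk read is handed data->scan.channels, a 6 byte array, together with a length of (3 * 2) + 1, so the seventh byte is written past the end of channels and only lands safely because garbage is laid out directly after it. Pass &data->scan as the destination and derive the length from the members, for example sizeof(data->scan.channels) + sizeof(data->scan.garbage), so the intent is explicit to readers and to bounds-checking tools.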
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Lorenzo Bianconi
Subject: [PATCH 11/32] iio:light:st_uvis25 Fix timestamp alignment and prevent data leak.
Date: Sun, 7 Jun 2020 16:53:47 +0100
Message-Id: <20200607155408.958437-12-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: 3025c8688c1e ("iio: light: add support for UVIS25 sensor")
Reported-by: Lars-Peter Clausen
Acked-by: Lorenzo Bianconi
Signed-off-by: Jonathan Cameron
--- drivers/iio/light/st_uvis25.h | 5 +++++ drivers/iio/light/st_uvis25_core.c | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/light/st_uvis25.h b/drivers/iio/light/st_uvis25.h index 78bc56aad129..283086887caf 100644
--- a/drivers/iio/light/st_uvis25.h +++ b/drivers/iio/light/st_uvis25.h @@ -27,6 +27,11 @@ struct st_uvis25_hw { struct iio_trigger *trig; bool enabled; int irq; + /* Ensure timestamp is naturally aligned */ + struct { + u8 chan; + s64 ts __aligned(8); + } scan; }; extern const struct dev_pm_ops st_uvis25_pm_ops; diff --git a/drivers/iio/light/st_uvis25_core.c b/drivers/iio/light/st_uvis25_core.c index 4d001d50e775..818b8faea73c 100644 --- a/drivers/iio/light/st_uvis25_core.c +++ b/drivers/iio/light/st_uvis25_core.c 
@@ -234,17 +234,17 @@ static const struct iio_buffer_setup_ops st_uvis25_buffer_ops = { static irqreturn_t st_uvis25_buffer_handler_thread(int irq, void *p) { - u8 buffer[ALIGN(sizeof(u8), sizeof(s64)) + sizeof(s64)]; struct iio_poll_func *pf = p; struct iio_dev *iio_dev = pf->indio_dev; struct st_uvis25_hw *hw = iio_priv(iio_dev); int err; - err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, (int *)buffer); + err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, + (unsigned int *)&hw->scan.chan); if (err < 0) goto out; - iio_push_to_buffers_with_timestamp(iio_dev, buffer, + iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan, iio_get_time_ns(iio_dev)); out:
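Review bot: in the st_uvis25_buffer_handler_thread hunk, regmap_read() stores a full unsigned int through its last argument, but the pointer passed is (unsigned int *)&hw->scan.chan, the address of a u8. The store spills into the padding in front of ts, and on a big-endian machine the value byte does not land in chan at all. Read into a local unsigned int and assign it to hw->scan.chan, which also gets rid of the cast.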
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 12/32] iio:light:ltr501 Fix timestamp alignment issue.
Date: Sun, 7 Jun 2020 16:53:48 +0100
Message-Id: <20200607155408.958437-13-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Here we use a structure on the stack. The driver already did an explicit memset so no data leak was possible. Forced alignment of ts is not strictly necessary but probably makes the code slightly less fragile. Note there has been some rework in this driver over the years, so no way this will apply cleanly all the way back.

Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron --- drivers/iio/light/ltr501.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/iio/light/ltr501.c b/drivers/iio/light/ltr501.c index 4bac0646398d..b4323d2db0b1 100644 --- a/drivers/iio/light/ltr501.c +++ b/drivers/iio/light/ltr501.c @@ -1243,13 +1243,16 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ltr501_data *data = iio_priv(indio_dev); - u16 buf[8]; + struct { + u16 channels[3]; + s64 ts __aligned(8); + } scan; __le16 als_buf[2]; u8 mask = 0; int j = 0; int ret, psdata; - memset(buf, 0, sizeof(buf)); + memset(&scan, 0, sizeof(scan)); /* figure out which data needs to be ready */ if (test_bit(0, indio_dev->active_scan_mask) || @@ -1268,9 +1271,9 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p) if (ret < 0) return ret; if (test_bit(0, indio_dev->active_scan_mask)) - buf[j++] = le16_to_cpu(als_buf[1]); + scan.channels[j++] = le16_to_cpu(als_buf[1]); if (test_bit(1, indio_dev->active_scan_mask)) - buf[j++] = le16_to_cpu(als_buf[0]); + scan.channels[j++] = le16_to_cpu(als_buf[0]); } if (mask & LTR501_STATUS_PS_RDY) { 
@@ -1278,10 +1281,10 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p) &psdata, 2); if (ret < 0) goto done; - buf[j++] = psdata & LTR501_PS_DATA_MASK; + scan.channels[j++] = psdata & LTR501_PS_DATA_MASK; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); done:
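Review bot: the context of the second ltr501_trigger_handler hunk still has "if (ret < 0) return ret;" on the ALS read, while the PS read in the following hunk uses "goto done;". The handler returns irqreturn_t, so handing back a negative errno is wrong there and it also bypasses the done: label. Since these lines are being touched anyway, switch the ALS path to goto done, in a separate patch if that keeps the backport simpler.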
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Linus Walleij
Subject: [PATCH 13/32] iio:magnetometer:ak8974: Fix alignment and data leak issues
Date: Sun, 7 Jun 2020 16:53:49 +0100
Message-Id: <20200607155408.958437-14-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings.

Fixes: 7c94a8b2ee8cf ("iio: magn: add a driver for AK8974")
Reported-by: Lars-Peter Clausen
Reviewed-by: Linus Walleij
Signed-off-by: Jonathan Cameron
--- drivers/iio/magnetometer/ak8974.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/magnetometer/ak8974.c b/drivers/iio/magnetometer/ak8974.c index c2260c84f7f1..ea09b549ec4e 100644 --- a/drivers/iio/magnetometer/ak8974.c +++ b/drivers/iio/magnetometer/ak8974.c
@@ -192,6 +192,11 @@ struct ak8974 { bool drdy_irq; struct completion drdy_complete; bool drdy_active_low; + /* Ensure timestamp is naturally aligned */ + struct { + __le16 channels[3]; + s64 ts __aligned(8); + } scan; }; static const char ak8974_reg_avdd[] = "avdd"; @@ -657,7 +662,6 @@ static void ak8974_fill_buffer(struct iio_dev *indio_dev) { struct ak8974 *ak8974 = iio_priv(indio_dev); int ret; - __le16 hw_values[8]; /* Three axes + 64bit padding */ pm_runtime_get_sync(&ak8974->i2c->dev); mutex_lock(&ak8974->lock); 
@@ -667,13 +671,13 @@ static void ak8974_fill_buffer(struct iio_dev *indio_dev) dev_err(&ak8974->i2c->dev, "error triggering measure\n"); goto out_unlock; } - ret = ak8974_getresult(ak8974, hw_values); + ret = ak8974_getresult(ak8974, ak8974->scan.channels); if (ret) { dev_err(&ak8974->i2c->dev, "error getting measures\n"); goto out_unlock; } - iio_push_to_buffers_with_timestamp(indio_dev, hw_values, + iio_push_to_buffers_with_timestamp(indio_dev, &ak8974->scan, iio_get_time_ns(indio_dev)); out_unlock:
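Review bot: the comment on the scan struct added to struct ak8974 mentions only alignment, but the data leak half of the fix depends on the struct living in the kzalloc'd iio_priv() area, so that the 2 bytes of padding between channels[3] and ts are never uninitialised stack. Say that in the comment as well, so the buffer is not later moved back onto the stack without a memset.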
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Gregor Boirie, Linus Walleij
Subject: [PATCH 14/32] iio:magnetometer:ak8975 Fix alignment and data leak issues.
Date: Sun, 7 Jun 2020 16:53:50 +0100
Message-Id: <20200607155408.958437-15-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. The explicit alignment of ts is not necessary in this case as by coincidence the padding will end up the same, however I consider it to make the code less fragile and have included it.

Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support")
Reported-by: Lars-Peter Clausen
Cc: Gregor Boirie
Cc: Andy Shevchenko
Cc: Linus Walleij
Signed-off-by: Jonathan Cameron --- drivers/iio/magnetometer/ak8975.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c index 03d71f796177..14d66fd11aa3 100644 --- a/drivers/iio/magnetometer/ak8975.c +++ b/drivers/iio/magnetometer/ak8975.c @@ -366,6 +366,12 @@ struct ak8975_data { struct iio_mount_matrix orientation; struct regulator *vdd; struct regulator *vid; + + /* Ensure natural alignment of timestamp */ + struct { + s16 channels[3]; + s64 ts __aligned(8); + } scan; }; /* Enable attached power regulator if any. */ @@ -793,7 +799,6 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev) const struct i2c_client *client = data->client; const struct ak_def *def = data->def; int ret; - s16 buff[8]; /* 3 x 16 bits axis values + 1 aligned 64 bits timestamp */ __le16 fval[3]; mutex_lock(&data->lock); 
@@ -816,11 +821,14 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev) mutex_unlock(&data->lock); /* Clamp to valid range. */ - buff[0] = clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range); - buff[1] = clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range); - buff[2] = clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range); - - iio_push_to_buffers_with_timestamp(indio_dev, buff, + data->scan.channels[0] = + clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range); + data->scan.channels[1] = + clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range); + data->scan.channels[2] = + clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range); + + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); return;
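Review bot: in the last ak8975_fill_buffer hunk the three clamp_t() results are written to data->scan.channels after mutex_unlock(&data->lock), and the push then reads data->scan unlocked too. With buff on the stack that was fine, but the destination is now shared iio_priv() state. Do the clamping and the push before the unlock, or explain in the commit message why ak8975_fill_buffer cannot run concurrently for one device.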
id S1726703AbgFGP4f (ORCPT ); Sun, 7 Jun 2020 11:56:35 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F1361207C3; Sun, 7 Jun 2020 15:56:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545394; bh=mMuKcBvTXiWZzJiaFG6JAmtS0d6Tu2YW0zZARGnklTY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XlmVDbbUtW8Q27lhucCqy+UcQylCiuARUbUa6TfWRVAwtefzBtJgb0TCYHPubvkmh SutjyAuBmm6thE9fKalEHMYMpBLUOTvN9BGnXdZn1mbE9tsBfQVYTUiDfYrFBtZHOU dyEFOLe5bpFQlXqDlEsE7dP46VbKqHgP4Op0HHJA= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen Subject: [PATCH 15/32] iio:magnetometer:mag3110 Fix alignment and data leak issues. Date: Sun, 7 Jun 2020 16:53:51 +0100 Message-Id: <20200607155408.958437-16-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org 
From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. The explicit alignment of ts is not necessary in this case but does make the code slightly less fragile so I have included it. Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/magnetometer/mag3110.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/iio/magnetometer/mag3110.c b/drivers/iio/magnetometer/mag3110.c index 4d305a21c379..e96113ca39bd 100644 --- a/drivers/iio/magnetometer/mag3110.c +++ b/drivers/iio/magnetometer/mag3110.c @@ -56,6 +56,12 @@ struct mag3110_data { int sleep_val; struct regulator *vdd_reg; struct regulator *vddio_reg; + /* Ensure natural alignment of timestamp */ + struct { + __be16 channels[3]; + u8 temp; + s64 ts __aligned(8); + } scan; }; static int mag3110_request(struct mag3110_data *data) @@ -387,10 +393,9 @@ static irqreturn_t mag3110_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mag3110_data *data = iio_priv(indio_dev); - u8 buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */ int ret; - ret = mag3110_read(data, (__be16 *) buffer); + ret = mag3110_read(data, data->scan.channels); if (ret < 0) goto done; 
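Review bot: the layout comment deleted with `u8 buffer[16]` in the @@ -387 hunk of mag3110_trigger_handler() was the only text that mentioned the padding, and the new `scan` struct in the @@ -56 hunk does not carry it over. `__be16 channels[3]` plus `u8 temp` occupy 7 bytes, so there is one padding byte before `ts` that the handler never writes; it is zero only because the iio_priv() data is kzalloc'ed, as the commit message says. Suggest extending the struct comment to state that the padding relies on the zeroed allocation, so a later move back to a stack buffer does not reintroduce the leak.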
@@ -399,10 +404,10 @@ static irqreturn_t mag3110_trigger_handler(int irq, void *p) MAG3110_DIE_TEMP); if (ret < 0) goto done; - buffer[6] = ret; + data->scan.temp = ret; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); done: From patchwork Sun Jun 7 15:53:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591691 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9E7D9913 for ; Sun, 7 Jun 2020 15:56:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 86D0B2076A for ; Sun, 7 Jun 2020 15:56:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545397; bh=HP6QiGsO6mZHJotBLGSvYQhGJVexxnVRqWQ+bd20rzA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=YQbXX98oyrxfIhruWmtgW72GZSSGlfIVXfypoNimR7SKiPQZar0cHp/YXTVtDMbTO VdsfBfNEEi93ki4J9PSTWt5XvyHXV8uF8CGLBHqVPvJ2Ms7DOd/lJCXhpDmk8tFOAB ANC2e/y9dPmfYzcuVics+dDz4++J10+sxRsrD1mU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726732AbgFGP4h (ORCPT ); Sun, 7 Jun 2020 11:56:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:57466 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4g (ORCPT ); Sun, 7 Jun 2020 11:56:36 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 338402075A; Sun, 7 Jun 2020 15:56:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545396; 
bh=HP6QiGsO6mZHJotBLGSvYQhGJVexxnVRqWQ+bd20rzA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=c7r+EwMLudIA5OV3n3KetK2rQ7qX3EBA4snowR3rNK8dqXdvqjmQff2xB+Obcqo7B 8uqcScypEGV4BRlJfuxMifEJ9vxXfYSd5pyeAaAi3II43w82DEzOqRg/Z2s/ObduRQ qjulse46bEXBFmPRFBVm8B7xMCx8UZh2hJ9R2k8c= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Matt Ranostay , Alison Schofield Subject: [PATCH 16/32] iio:humidity:hdc100x Fix alignment and data leak issues Date: Sun, 7 Jun 2020 16:53:52 +0100 Message-Id: <20200607155408.958437-17-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 16bf793f86b2 ("iio: humidity: hdc100x: add triggered buffer support for HDC100X") Reported-by: Lars-Peter Clausen Acked-by: Matt Ranostay Cc: Alison Schofield Signed-off-by: Jonathan Cameron --- drivers/iio/humidity/hdc100x.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/humidity/hdc100x.c b/drivers/iio/humidity/hdc100x.c index 3331141734c8..e64af35f5f6f 100644 --- a/drivers/iio/humidity/hdc100x.c +++ b/drivers/iio/humidity/hdc100x.c 
@@ -38,6 +38,11 @@ struct hdc100x_data { /* integration time of the sensor */ int adc_int_us[2]; + /* Ensure natural alignment of timestamp */ + struct { + __be16 channels[2]; + s64 ts __aligned(8); + } scan; }; /* integration time in us */ @@ -322,7 +327,6 @@ static irqreturn_t hdc100x_trigger_handler(int irq, void *p) struct i2c_client *client = data->client; int delay = data->adc_int_us[0] + data->adc_int_us[1]; int ret; - s16 buf[8]; /* 2x s16 + padding + 8 byte timestamp */ /* dual read starts at temp register */ mutex_lock(&data->lock); 
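Review bot: the `s16 buf[8]` removed in the @@ -322 hunk of hdc100x_trigger_handler() is replaced by `__be16 channels[2]` in the @@ -38 hunk, so the annotated element type changes from CPU-endian to big-endian in the same patch as the alignment fix. Nothing in the visible hunks shows the endianness the channels declare; please confirm it matches and mention the type change in the commit message, since the patch otherwise reads as a pure buffer move.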
@@ -333,13 +337,13 @@ static irqreturn_t hdc100x_trigger_handler(int irq, void *p) } usleep_range(delay, delay + 1000); - ret = i2c_master_recv(client, (u8 *)buf, 4); + ret = i2c_master_recv(client, (u8 *)data->scan.channels, 4); if (ret < 0) { dev_err(&client->dev, "cannot read sensor data\n"); goto err; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); err: mutex_unlock(&data->lock); From patchwork Sun Jun 7 15:53:53 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591693 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 097E7912 for ; Sun, 7 Jun 2020 15:56:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E758B2077D for ; Sun, 7 Jun 2020 15:56:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545398; bh=S2Jjnh0+tYrXK47pf9FbMkiy83Yzn3uSRUjW1h+pqAU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=p0XlozrakltLEL7YMCu87Bj4bCOgjTuo7wiSUEmDJ8VBQ1fwl4lhH3SUQzywUlyfG dhaL8YWt18FPFZ2EHLPGexgUvx+fJQfrGc0nRRaclCm7/u7rkD5nqUZC9FDjF3UIes 3BprODiJQvsE+XYnJ2WHfQgol/Ubg9HTQ++reptQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726738AbgFGP4i (ORCPT ); Sun, 7 Jun 2020 11:56:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:57486 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4h (ORCPT ); Sun, 7 Jun 2020 11:56:37 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org 
(Postfix) with ESMTPSA id B506C20659; Sun, 7 Jun 2020 15:56:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545397; bh=S2Jjnh0+tYrXK47pf9FbMkiy83Yzn3uSRUjW1h+pqAU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ze/nVNAwCfjpYsMGM7EnMAupXeEl0qJGKyI2S8myoovk+cOLGcLR0GE6qV4d5fAjb 2JbCCuQ+nfUMkZhVfkXAP+SXNm2EKBYPAc9WA+P7sRVjtXCoHgv0B4OFVsF8u1Vs5U 277CUWr0kGMNyVAMuzLVLtUixyWWw9nOZaO6MGWA= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Lorenzo Bianconi Subject: [PATCH 17/32] iio:humidity:hts221 Fix alignment and data leak issues Date: Sun, 7 Jun 2020 16:53:53 +0100 Message-Id: <20200607155408.958437-18-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Explicit alignment of ts needed to ensure consistent padding on all architectures (particularly x86_32 with its 4 byte alignment of s64) Fixes: e4a70e3e7d84 ("iio: humidity: add support to hts221 rh/temp combo device") Reported-by: Lars-Peter Clausen Acked-by: Lorenzo Bianconi 
Signed-off-by: Jonathan Cameron --- drivers/iio/humidity/hts221.h | 7 +++++-- drivers/iio/humidity/hts221_buffer.c | 9 +++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/iio/humidity/hts221.h b/drivers/iio/humidity/hts221.h index 7c650df77556..721359e226cb 100644 --- a/drivers/iio/humidity/hts221.h +++ b/drivers/iio/humidity/hts221.h @@ -14,8 +14,6 @@ #include -#define HTS221_DATA_SIZE 2 - enum hts221_sensor_type { HTS221_SENSOR_H, HTS221_SENSOR_T, @@ -39,6 +37,11 @@ struct hts221_hw { bool enabled; u8 odr; + /* Ensure natural alignment of timestamp */ + struct { + __le16 channels[2]; + s64 ts __aligned(8); + } scan; }; extern const struct dev_pm_ops hts221_pm_ops; diff --git a/drivers/iio/humidity/hts221_buffer.c b/drivers/iio/humidity/hts221_buffer.c index 21c6c160462d..59ede9860185 100644 --- a/drivers/iio/humidity/hts221_buffer.c +++ b/drivers/iio/humidity/hts221_buffer.c @@ -160,7 +160,6 @@ static const struct iio_buffer_setup_ops hts221_buffer_ops = { static irqreturn_t hts221_buffer_handler_thread(int irq, void *p) { - u8 buffer[ALIGN(2 * HTS221_DATA_SIZE, sizeof(s64)) + sizeof(s64)]; struct iio_poll_func *pf = p; struct iio_dev *iio_dev = pf->indio_dev; struct hts221_hw *hw = iio_priv(iio_dev); 
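Review bot: the comment on `scan` in the @@ -39 hunk of hts221.h says only "Ensure natural alignment of timestamp", while the commit message gives the actual reason `__aligned(8)` is required in this driver: on x86_32 an s64 is 4-byte aligned, which would place `ts` at offset 4, directly after `__le16 channels[2]`, instead of offset 8. Suggest putting that reason in the comment so the attribute is not later dropped as redundant, since the `ALIGN(2 * HTS221_DATA_SIZE, sizeof(s64))` expression removed in the @@ -160 hunk was the only other place the 8-byte offset was spelled out.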
@@ -170,18 +169,20 @@ static irqreturn_t hts221_buffer_handler_thread(int irq, void *p) /* humidity data */ ch = &iio_dev->channels[HTS221_SENSOR_H]; err = regmap_bulk_read(hw->regmap, ch->address, - buffer, HTS221_DATA_SIZE); + &hw->scan.channels[0], + sizeof(hw->scan.channels[0])); if (err < 0) goto out; /* temperature data */ ch = &iio_dev->channels[HTS221_SENSOR_T]; err = regmap_bulk_read(hw->regmap, ch->address, - buffer + HTS221_DATA_SIZE, HTS221_DATA_SIZE); + &hw->scan.channels[1], + sizeof(hw->scan.channels[1])); if (err < 0) goto out; - iio_push_to_buffers_with_timestamp(iio_dev, buffer, + iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan, iio_get_time_ns(iio_dev)); out: From patchwork Sun Jun 7 15:53:54 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591695 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8F4B9913 for ; Sun, 7 Jun 2020 15:56:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 793C72076A for ; Sun, 7 Jun 2020 15:56:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545400; bh=phINfUjXz2CIGUvz/IAoTkNjUthzAtgr7B+EcO0G7ms=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=KU/8wEnzdFu1EVdqO7X/9/TH9RIRkY9MqDXonGSazzqGJ0GUFnSTYYePr5bGw1pnq dZkDh2bvNIywofsR4jg/bP+VeP7WYgacjU6dP/QgZVIBuauBvB1L5Gayen+JTjc9wu S19kA0EbW5zfxVl0PgApAXQCdRoCFXYXKgJOSvI8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726742AbgFGP4j (ORCPT ); Sun, 7 Jun 2020 11:56:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:57500 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4j (ORCPT ); Sun, 7 Jun 2020 11:56:39 -0400 Received: from 
localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1CC1C20774; Sun, 7 Jun 2020 15:56:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545399; bh=phINfUjXz2CIGUvz/IAoTkNjUthzAtgr7B+EcO0G7ms=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YUk7n+QvBjZZ5mI2Btyzt0yDKsnnERsxb50aaewEJdZVx2xFr4sLvVtk7PFdWnMet 1Mk3xh8bUCsz2fhH5gwU+jQeUT1Benwpw8yAdPFsP5aU4P8msVm+BaMJM7TGQ95QLM IJzgZ6obFfdW6DmVP8hWy+0VYVUHFEa0KFbHGCLU= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Daniel Baluta Subject: [PATCH 18/32] iio:imu:bmi160 Fix alignment and data leak issues Date: Sun, 7 Jun 2020 16:53:54 +0100 Message-Id: <20200607155408.958437-19-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable array in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 77c4ad2d6a9b ("iio: imu: Add initial support for Bosch BMI160") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Daniel Baluta 
Signed-off-by: Jonathan Cameron --- drivers/iio/imu/bmi160/bmi160.h | 2 ++ drivers/iio/imu/bmi160/bmi160_core.c | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/iio/imu/bmi160/bmi160.h b/drivers/iio/imu/bmi160/bmi160.h index a82e040bd109..d29f1b5d1658 100644 --- a/drivers/iio/imu/bmi160/bmi160.h +++ b/drivers/iio/imu/bmi160/bmi160.h @@ -10,6 +10,8 @@ struct bmi160_data { struct iio_trigger *trig; struct regulator_bulk_data supplies[2]; struct iio_mount_matrix orientation; + /* Ensure natural alignment for timestamp if present */ + __le16 buf[16] __aligned(8); }; extern const struct regmap_config bmi160_regmap_config; diff --git a/drivers/iio/imu/bmi160/bmi160_core.c b/drivers/iio/imu/bmi160/bmi160_core.c index 222ebb26f013..86cfd75ea125 100644 --- a/drivers/iio/imu/bmi160/bmi160_core.c +++ b/drivers/iio/imu/bmi160/bmi160_core.c @@ -427,7 +427,6 @@ static irqreturn_t bmi160_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct bmi160_data *data = iio_priv(indio_dev); - __le16 buf[16]; /* 3 sens x 3 axis x __le16 + 3 x __le16 pad + 4 x __le16 tstamp */ int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L; __le16 sample; 
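Review bot: the sizing rationale for the 16-element buffer is lost in the @@ -427 hunk of bmi160_trigger_handler(), which deletes the comment "3 sens x 3 axis x __le16 + 3 x __le16 pad + 4 x __le16 tstamp" along with the stack array. The replacement comment on `__le16 buf[16] __aligned(8)` in bmi160.h covers alignment only. Suggest moving the old sizing comment to the struct member, so the bound on `data->buf[j++]` in the handler can still be checked against the declaration.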
@@ -438,10 +437,10 @@ static irqreturn_t bmi160_trigger_handler(int irq, void *p) &sample, sizeof(sample)); if (ret) goto done; - buf[j++] = sample; + data->buf[j++] = sample; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, data->buf, pf->timestamp); done: iio_trigger_notify_done(indio_dev->trig); return IRQ_HANDLED; From patchwork Sun Jun 7 15:53:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591697 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 16476913 for ; Sun, 7 Jun 2020 15:56:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F3A432077D for ; Sun, 7 Jun 2020 15:56:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545402; bh=1ProLWL3iF3ZlhoS+5Y3dYFaj2FebM+LgdJaSC3sAJk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=vLvVHyxyRXR/QEdWppGObJs0dBURUvAuCTujBrofFlXumJzewiUIMpiOAFWjKanTD mN68txG83GjaS5OedjKhbrxFYDyShaigXuGdhvDWJXyZNCavBVuL0eZsnmkt8gv/Jo dpX1KVtfVGr1fkTZy4sQloQfnTlbVKbBRZ3QSYl0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726745AbgFGP4l (ORCPT ); Sun, 7 Jun 2020 11:56:41 -0400 Received: from mail.kernel.org ([198.145.29.99]:57514 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4l (ORCPT ); Sun, 7 Jun 2020 11:56:41 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 79B28206F6; Sun, 7 Jun 2020 15:56:39 +0000 (UTC) DKIM-Signature: v=1; 
a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545400; bh=1ProLWL3iF3ZlhoS+5Y3dYFaj2FebM+LgdJaSC3sAJk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aW5hMztsvsquiRlppQJWKyKy4LtpaCCw3bFz+Hy4T0nMhDCt446sk3qfx/+Kq9cjG tZVRTVNzIfhXJQwuYH7t01r95SgVQhbUepZhF+y+1fPP08jKpL/+VRxn38OdClIEjx S0FdLoWxtHbpnPFg7oBe/hpyli6iaPd7n06JzToU= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Lorenzo Bianconi Subject: [PATCH 19/32] iio:imu:st_lsm6dsx Fix alignment and data leak issues Date: Sun, 7 Jun 2020 16:53:55 +0100 Message-Id: <20200607155408.958437-20-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a set of suitable structures in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. For the tagged path the data is aligned by using __aligned(8) for the buffer on the stack. There has been a lot of churn in this driver, so likely backports may be needed for stable. Fixes: 290a6ce11d93 ("iio: imu: add support to lsm6dsx driver") Reported-by: Lars-Peter Clausen Cc: Lorenzo Bianconi 
Signed-off-by: Jonathan Cameron Acked-by: Lorenzo Bianconi --- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 5 +++ .../iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 36 ++++++++++--------- 2 files changed, 25 insertions(+), 16 deletions(-) diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h index b56df409ed0f..5f821ef467da 100644 --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h @@ -411,6 +411,11 @@ struct st_lsm6dsx_hw { const struct st_lsm6dsx_settings *settings; struct iio_mount_matrix orientation; + /* Ensure natural alignment of buffer elements */ + struct { + __le16 channels[3]; + s64 ts __aligned(8); + } gyro_scan, acc_scan, ext_scan; }; static __maybe_unused const struct iio_event_spec st_lsm6dsx_event = { diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c index afd00daeefb2..bebbc2bb37f7 100644 --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c @@ -341,9 +341,6 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw) int err, sip, acc_sip, gyro_sip, ts_sip, ext_sip, read_len, offset; u16 fifo_len, pattern_len = hw->sip * ST_LSM6DSX_SAMPLE_SIZE; u16 fifo_diff_mask = hw->settings->fifo_ops.fifo_diff.mask; - u8 gyro_buff[ST_LSM6DSX_IIO_BUFF_SIZE]; - u8 acc_buff[ST_LSM6DSX_IIO_BUFF_SIZE]; - u8 ext_buff[ST_LSM6DSX_IIO_BUFF_SIZE]; bool reset_ts = false; __le16 fifo_status; s64 ts = 0; 
@@ -404,19 +401,22 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw) while (acc_sip > 0 || gyro_sip > 0 || ext_sip > 0) { if (gyro_sip > 0 && !(sip % gyro_sensor->decimator)) { - memcpy(gyro_buff, &hw->buff[offset], - ST_LSM6DSX_SAMPLE_SIZE); - offset += ST_LSM6DSX_SAMPLE_SIZE; + memcpy(hw->gyro_scan.channels, + &hw->buff[offset], + sizeof(hw->gyro_scan.channels)); + offset += sizeof(hw->gyro_scan.channels); } if (acc_sip > 0 && !(sip % acc_sensor->decimator)) { - memcpy(acc_buff, &hw->buff[offset], - ST_LSM6DSX_SAMPLE_SIZE); - offset += ST_LSM6DSX_SAMPLE_SIZE; + memcpy(hw->acc_scan.channels, + &hw->buff[offset], + sizeof(hw->acc_scan.channels)); + offset += sizeof(hw->acc_scan.channels); } if (ext_sip > 0 && !(sip % ext_sensor->decimator)) { - memcpy(ext_buff, &hw->buff[offset], - ST_LSM6DSX_SAMPLE_SIZE); - offset += ST_LSM6DSX_SAMPLE_SIZE; + memcpy(hw->ext_scan.channels, + &hw->buff[offset], + sizeof(hw->ext_scan.channels)); + offset += sizeof(hw->ext_scan.channels); } if (ts_sip-- > 0) { @@ -446,19 +446,22 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw) if (gyro_sip > 0 && !(sip % gyro_sensor->decimator)) { iio_push_to_buffers_with_timestamp( hw->iio_devs[ST_LSM6DSX_ID_GYRO], - gyro_buff, gyro_sensor->ts_ref + ts); + &hw->gyro_scan, + gyro_sensor->ts_ref + ts); gyro_sip--; } if (acc_sip > 0 && !(sip % acc_sensor->decimator)) { iio_push_to_buffers_with_timestamp( hw->iio_devs[ST_LSM6DSX_ID_ACC], - acc_buff, acc_sensor->ts_ref + ts); + &hw->acc_scan, + acc_sensor->ts_ref + ts); acc_sip--; } if (ext_sip > 0 && !(sip % ext_sensor->decimator)) { iio_push_to_buffers_with_timestamp( hw->iio_devs[ST_LSM6DSX_ID_EXT0], - ext_buff, ext_sensor->ts_ref + ts); + &hw->ext_scan, + ext_sensor->ts_ref + ts); ext_sip--; } sip++; 
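Review bot: in the @@ -404 hunk of st_lsm6dsx_read_fifo(), the FIFO read offset now advances by `sizeof(hw->gyro_scan.channels)` (and the acc/ext equivalents) instead of `ST_LSM6DSX_SAMPLE_SIZE`, so the stride through `hw->buff` is tied to the layout of the IIO scan struct rather than to the hardware sample size. Nothing visible enforces that the two are equal, and `pattern_len` in the same function is still computed from `ST_LSM6DSX_SAMPLE_SIZE`. Suggest keeping `offset += ST_LSM6DSX_SAMPLE_SIZE`, or adding a BUILD_BUG_ON that `sizeof(hw->gyro_scan.channels)` equals `ST_LSM6DSX_SAMPLE_SIZE`, so a change to `channels[3]` cannot silently desynchronise FIFO parsing.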
@@ -543,7 +546,8 @@ int st_lsm6dsx_read_tagged_fifo(struct st_lsm6dsx_hw *hw) { u16 pattern_len = hw->sip * ST_LSM6DSX_TAGGED_SAMPLE_SIZE; u16 fifo_len, fifo_diff_mask; - u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE], tag; + u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8); + u8 tag; bool reset_ts = false; int i, err, read_len; __le16 fifo_status; From patchwork Sun Jun 7 15:53:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591699 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7E229912 for ; Sun, 7 Jun 2020 15:56:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 66A1C20748 for ; Sun, 7 Jun 2020 15:56:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545403; bh=otkcmb0TXx88PkiLyOyxReINExJ5dBj+ADctCQ/EKl4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=QQSmTWfOD+uKGh3aEo9/tcCI9qCnddLCHDH5y4b0kGNbpGIEVYJHJHaZWtKfy9aVX 4f8rCnPqtvstHso4WJ9ZEPKcFVH4Q7I/LOpp6dZnjYBv+Z7kqIGkZRLIv+00RvZWuF kfD14iUdXouTgDljWaHQVepY0KEY1vFG9DSGRrNM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726752AbgFGP4m (ORCPT ); Sun, 7 Jun 2020 11:56:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:57528 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4m (ORCPT ); Sun, 7 Jun 2020 11:56:42 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D90E320723; Sun, 7 Jun 2020 15:56:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; 
s=default; t=1591545401; bh=otkcmb0TXx88PkiLyOyxReINExJ5dBj+ADctCQ/EKl4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vDeSOzQMsbcje8tbTl3d87TaD47MfWWnJjqV7fgRgx6JiBU31eZWh/02zQ6L3nEN2 nV5Hzk2zkiQjbPNNTxmFpW4Z/i1eu4QAgMljsMPcILv5O6UJYrYMNkGNEWx/Bv6in7 SdFs2WH7zZCYGohFUXIvB0632gi4mLKkhfk0xrgo= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Jean-Baptiste Maneyrol Subject: [PATCH 20/32] iio:imu:inv_mpu6050 Fix dma and ts alignment and data leak issues. Date: Sun, 7 Jun 2020 16:53:56 +0100 Message-Id: <20200607155408.958437-21-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron This case is a bit different to the rest of the series. The driver was doing a regmap_bulk_read into a buffer that wasn't dma safe as it was on the stack with no guarantee of it being in a cacheline on its own. Fixing that also dealt with the data leak and alignment issues that Lars-Peter pointed out. Also removed some unaligned handling as we are now aligned. Fixes tag is for the dma safe buffer issue. Potentially we would need to backport timestamp alignment further but that is a totally different patch. Fixes: fd64df16f40e ("iio: imu: inv_mpu6050: Add SPI support for MPU6000") Reported-by: Lars-Peter Clausen Cc: Jean-Baptiste Maneyrol Signed-off-by: Jonathan Cameron Reviewed-by: Jean-Baptiste Maneyrol Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 8 +++++--- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 12 ++++++------ 2 files changed, 11 insertions(+), 9 deletions(-) 
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h index cd38b3fccc7b..e4df2d51b689 100644 --- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h @@ -122,6 +122,9 @@ struct inv_mpu6050_chip_config { u8 user_ctrl; }; +/* 6 + 6 + 2 + 7 (for MPU9x50) = 21 round up to 24 and plus 8 */ +#define INV_MPU6050_OUTPUT_DATA_SIZE 32 + /** * struct inv_mpu6050_hw - Other important hardware information. * @whoami: Self identification byte from WHO_AM_I register @@ -165,6 +168,7 @@ struct inv_mpu6050_hw { * @magn_raw_to_gauss: coefficient to convert mag raw value to Gauss. * @magn_orient: magnetometer sensor chip orientation if available. * @suspended_sensors: sensors mask of sensors turned off for suspend + * @data: dma safe buffer used for bulk reads. */ struct inv_mpu6050_state { struct mutex lock; @@ -190,6 +194,7 @@ struct inv_mpu6050_state { s32 magn_raw_to_gauss[3]; struct iio_mount_matrix magn_orient; unsigned int suspended_sensors; + u8 data[INV_MPU6050_OUTPUT_DATA_SIZE] ____cacheline_aligned; }; /*register and associated bit definition*/ @@ -334,9 +339,6 @@ struct inv_mpu6050_state { #define INV_ICM20608_TEMP_OFFSET 8170 #define INV_ICM20608_TEMP_SCALE 3059976 -/* 6 + 6 + 2 + 7 (for MPU9x50) = 21 round up to 24 and plus 8 */ -#define INV_MPU6050_OUTPUT_DATA_SIZE 32 - #define INV_MPU6050_REG_INT_PIN_CFG 0x37 #define INV_MPU6050_ACTIVE_HIGH 0x00 #define INV_MPU6050_ACTIVE_LOW 0x80 diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c index 9511e4715e2c..554c16592d47 100644 --- a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c +++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c @@ -13,7 +13,6 @@ #include #include #include -#include #include "inv_mpu_iio.h" /** 
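Review bot: the kernel-doc line added in the @@ -165 hunk of inv_mpu_iio.h, `@data: dma safe buffer used for bulk reads.`, documents only half of what the buffer is now used for. The same `st->data` is passed to iio_push_to_buffers_with_timestamp(), so its `____cacheline_aligned` attribute is also what provides the 8-byte timestamp alignment. Suggest saying so in the kernel-doc, and noting that the member has to remain the last one in struct inv_mpu6050_state, as it is in the @@ -190 hunk, so that no other field shares its cacheline.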
@@ -121,7 +120,6 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) struct inv_mpu6050_state *st = iio_priv(indio_dev); size_t bytes_per_datum; int result; - u8 data[INV_MPU6050_OUTPUT_DATA_SIZE]; u16 fifo_count; s64 timestamp; int int_status; @@ -160,11 +158,12 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) * read fifo_count register to know how many bytes are inside the FIFO * right now */ - result = regmap_bulk_read(st->map, st->reg->fifo_count_h, data, + result = regmap_bulk_read(st->map, st->reg->fifo_count_h, + st->data, INV_MPU6050_FIFO_COUNT_BYTE); if (result) goto end_session; - fifo_count = get_unaligned_be16(&data[0]); + fifo_count = be16_to_cpup((__be16 *)&st->data[0]); /* * Handle fifo overflow by resetting fifo. @@ -182,7 +181,7 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) inv_mpu6050_update_period(st, pf->timestamp, nb); for (i = 0; i < nb; ++i) { result = regmap_bulk_read(st->map, st->reg->fifo_r_w, - data, bytes_per_datum); + st->data, bytes_per_datum); if (result) goto flush_fifo; /* skip first samples if needed */ 
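Review bot: in the @@ -160 hunk of inv_mpu6050_read_fifo(), `be16_to_cpup((__be16 *)&st->data[0])` replaces `get_unaligned_be16(&data[0])` and adds a cast from `u8 *` whose correctness depends on the `____cacheline_aligned` attribute declared in a different file. get_unaligned_be16() is correct whatever the alignment and needs no cast, so keeping it would make this hunk smaller and keep the accessor change separate from the DMA and alignment fix. If the switch stays, a short comment at the cast pointing at the alignment of `st->data` would help the next reader.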
@@ -191,7 +190,8 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) continue; } timestamp = inv_mpu6050_get_timestamp(st); - iio_push_to_buffers_with_timestamp(indio_dev, data, timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, st->data, + timestamp); } end_session: From patchwork Sun Jun 7 15:53:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591701 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 69C78913 for ; Sun, 7 Jun 2020 15:56:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5279520748 for ; Sun, 7 Jun 2020 15:56:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545404; bh=hZxyQtventa4kfzAWVTFXjuBvdlNLCQy46mZYQxIFfw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=RaPKRNPAO/de6Zkw2Xg1A2ye3cmYG+1vM95y7L0lxCWCA65MkutIZ3VsC8orgzCqj 2pjwMO6Yi1dKK9aN98kxxRS4fKL66r6BvF5QvjL9N0sLgw4i695Lc3BO3oVPZnrX+K qL+PGXYunefBIBhgUKAzg1pN26O3/gHe7+e3RyE8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726764AbgFGP4n (ORCPT ); Sun, 7 Jun 2020 11:56:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:57542 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4n (ORCPT ); Sun, 7 Jun 2020 11:56:43 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4620E2076A; Sun, 7 Jun 2020 15:56:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545403; 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 21/32] iio:pressure:ms5611 Fix buffer element alignment
Date: Sun, 7 Jun 2020 16:53:57 +0100
Message-Id: <20200607155408.958437-22-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
Here there is no data leak possibility so use an explicit structure
on the stack to ensure alignment and nice readable fashion.

The forced alignment of ts isn't strictly necessary in this driver
as the padding will be correct anyway (there isn't any). However
it is probably less fragile to have it there and it acts as
documentation of the requirement.

Fixes: 713bbb4efb9dc ("iio: pressure: ms5611: Add triggered buffer support")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Acked-by: Tomasz Duszynski
---
 drivers/iio/pressure/ms5611_core.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/pressure/ms5611_core.c b/drivers/iio/pressure/ms5611_core.c index d451bb9dffc8..214b0d25f598 100644 --- a/drivers/iio/pressure/ms5611_core.c +++ b/drivers/iio/pressure/ms5611_core.c
@@ -212,16 +212,21 @@ static irqreturn_t ms5611_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ms5611_state *st = iio_priv(indio_dev); - s32 buf[4]; /* s32 (pressure) + s32 (temp) + 2 * s32 (timestamp) */ + /* Ensure buffer elements are naturally aligned */ + struct { + s32 channels[2]; + s64 ts __aligned(8); + } scan; int ret; mutex_lock(&st->lock); - ret = ms5611_read_temp_and_pressure(indio_dev, &buf[1], &buf[0]); + ret = ms5611_read_temp_and_pressure(indio_dev, &scan.channels[1], + &scan.channels[0]); mutex_unlock(&st->lock); if (ret < 0) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); err: From patchwork Sun Jun 7 15:53:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591703 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D68DC913 for ; Sun, 7 Jun 2020 15:56:45 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B5D6A207D8 for ; Sun, 7 Jun 2020 15:56:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545405; bh=Xm+MlJ2SnfPeDcxMvvfWqhIChWvopZqJRFLMYpPAjEQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=V4xhc5SdYsl+r28lbl6wyMQ2F0Iz0Ig+tFW8X+SdptZd4JWEP7qJ0i8m2DbrudRpK WZfuBOex9QKSKdTmlxDIPevL0bsjGb3kXL3xA+xduYh/8HcUVwz/BicmhXb8ihWLH9 fJUmePyBll8d5WE20ibAHT67lcJd5H3u7HV9yxCo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726772AbgFGP4p (ORCPT ); Sun, 7 Jun 2020 11:56:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:57558 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Peter Meerwald
Subject: [PATCH 22/32] iio:pressure:mpl3115 Force alignment of buffer
Date: Sun, 7 Jun 2020 16:53:58 +0100
Message-Id: <20200607155408.958437-23-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

Whilst this is another case of the issue Lars reported with
an array of elements of smaller than 8 bytes being passed
to iio_push_to_buffers_with_timestamp, the solution here is
a bit different from the other cases and relies on __aligned
working on the stack (true since 4.6?)

This one is unusual. We have to do an explicit memset each time
as we are reading 3 bytes into a potential 4 byte channel which
may sometimes be a 2 byte channel depending on what is enabled.
As such, moving the buffer to the heap in the iio_priv structure
doesn't save us much. We can't use a nice explicit structure
on the stack either as the data channels have different storage
sizes and are all separately controlled.

Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver")
Reported-by: Lars-Peter Clausen
Cc: Peter Meerwald
Signed-off-by: Jonathan Cameron
---
 drivers/iio/pressure/mpl3115.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/pressure/mpl3115.c b/drivers/iio/pressure/mpl3115.c index ccdb0b70e48c..8a481dbe808c 100644 --- a/drivers/iio/pressure/mpl3115.c +++ b/drivers/iio/pressure/mpl3115.c
@@ -144,7 +144,8 @@ static irqreturn_t mpl3115_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mpl3115_data *data = iio_priv(indio_dev); - u8 buffer[16]; /* 32-bit channel + 16-bit channel + padding + ts */ + /* 32-bit channel + 16-bit channel + padding + ts */ + u8 buffer[16] __aligned(8); int ret, pos = 0; mutex_lock(&data->lock); From patchwork Sun Jun 7 15:53:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591705 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 37E42912 for ; Sun, 7 Jun 2020 15:56:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1EECA206C3 for ; Sun, 7 Jun 2020 15:56:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545407; bh=GCmZkmjy0OcVhpEfdQZSCkwWib7UM+f/q0mWXYVqYKQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=axkBDBlCjrvt0AFtKmILbJDIz919Xj1rBuq+7jnfy/bls57cl9A3ugmdCTk9p8f7H E6ROIj1G2mhLhB+BIa1oftYNIg6r+eZAPH17DdcMx3J9dVQKfszvVdT+wvAjVXAQe6 G/udDbWfmZl/OUUznv/Y91rRMQ4jm7kJ8NK3Uz3w= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726779AbgFGP4q (ORCPT ); Sun, 7 Jun 2020 11:56:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:57578 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4q (ORCPT ); Sun, 7 Jun 2020 11:56:46 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EBC5020748; Sun, 7 Jun 2020 15:56:44 +0000 (UTC) DKIM-Signature: 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 23/32] iio:adc:ti-adc081c Fix alignment and data leak issues
Date: Sun, 7 Jun 2020 16:53:59 +0100
Message-Id: <20200607155408.958437-24-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv().

This data is allocated with kzalloc so no data can leak apart
from previous readings.

The explicit alignment of ts is necessary to ensure correct padding
on x86_32 where s64 is only aligned to 4 bytes.

Fixes: 08e05d1fce5c (" ti-adc081c: Initial triggered buffer support")
Reported-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
---
 drivers/iio/adc/ti-adc081c.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/adc/ti-adc081c.c b/drivers/iio/adc/ti-adc081c.c index e44e7a40a36b..12b47dffeb3b 100644 --- a/drivers/iio/adc/ti-adc081c.c +++ b/drivers/iio/adc/ti-adc081c.c
@@ -33,6 +33,12 @@ struct adc081c { /* 8, 10 or 12 */ int bits; + + /* Ensure natural alignment of buffer elements */ + struct { + u16 channel; + s64 ts __aligned(8); + } scan; }; #define REG_CONV_RES 0x00 
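Review bot: the comment on the new `scan` member, "Ensure natural alignment of buffer elements", does not record why `s64 ts __aligned(8)` is required here, and the commit message says it is necessary for correct padding on x86_32 where s64 is only 4-byte aligned. Put that reason in the comment so the attribute is not later dropped as redundant. It would also help to note that the padding between `u16 channel` and `ts` is never written by the driver and stays zero only because the structure is allocated with kzalloc, as the commit message states.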
@@ -128,14 +134,13 @@ static irqreturn_t adc081c_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct adc081c *data = iio_priv(indio_dev); - u16 buf[8]; /* 2 bytes data + 6 bytes padding + 8 bytes timestamp */ int ret; ret = i2c_smbus_read_word_swapped(data->i2c, REG_CONV_RES); if (ret < 0) goto out; - buf[0] = ret; - iio_push_to_buffers_with_timestamp(indio_dev, buf, + data->scan.channel = ret; + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); out: iio_trigger_notify_done(indio_dev->trig); From patchwork Sun Jun 7 15:54:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591707 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AC8C2912 for ; Sun, 7 Jun 2020 15:56:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 938B520659 for ; Sun, 7 Jun 2020 15:56:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545408; bh=uM0FYKGVkIcOcvlbf1vGvmQSGOxaLshXHdVEW9i+wN0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=DCpOsbcxrEH9Gz/wFkPLhkfNHhs5mvO3JuFEtrNa15OOD5Y7AAWscpvS9ZgJ4qZ8G 6IR04CSLi7PMPW9SzaUustSfHRmwTK7htYx+cViGQZN4DbfXRBHjGoRYmYPNwk6xBs FTqLLaXUdwvxDx5M44t2pnAhq+2zq75SFpxOJ02Q= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726777AbgFGP4s (ORCPT ); Sun, 7 Jun 2020 11:56:48 -0400 Received: from mail.kernel.org ([198.145.29.99]:57592 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4r (ORCPT ); Sun, 7 Jun 2020 11:56:47 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Mårten Lindahl
Subject: [PATCH 24/32] iio:adc:ti-adc084s021 Fix alignment and data leak issues.
Date: Sun, 7 Jun 2020 16:54:00 +0100
Message-Id: <20200607155408.958437-25-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv().

This data is allocated with kzalloc so no data can leak apart from
previous readings.

The force alignment of ts is not strictly necessary in this case
but reduces the fragility of the code.

Fixes: 3691e5a69449 ("iio: adc: add driver for the ti-adc084s021 chip")
Reported-by: Lars-Peter Clausen
Cc: Mårten Lindahl
Signed-off-by: Jonathan Cameron --- drivers/iio/adc/ti-adc084s021.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ti-adc084s021.c b/drivers/iio/adc/ti-adc084s021.c index 376a0cf1f4ff..3ffbde379011 100644 --- a/drivers/iio/adc/ti-adc084s021.c +++ b/drivers/iio/adc/ti-adc084s021.c @@ -25,6 +25,11 @@ struct adc084s021 { struct spi_transfer spi_trans; struct regulator *reg; struct mutex lock; + /* Buffer used to align data */ + struct { + __be16 channels[4]; + s64 ts __aligned(8); + } scan; /* * DMA (thus cache coherency maintenance) requires the * transfer buffers to live in their own cache line. 
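Review bot: moving the scan into `struct adc084s021` changes what is pushed after a failed conversion, and the new comment "Buffer used to align data" does not mention it. The removed local was `__be16 data[8] = {0}`, zeroed on every call, while `adc->scan` keeps the previous sample, and the trigger handler only logs "Failed to read data" before calling iio_push_to_buffers_with_timestamp. Either skip the push when adc084s021_adc_conversion fails, or say in the comment that the member holds the last scan and that stale readings are pushed on error.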
@@ -140,14 +145,13 @@ static irqreturn_t adc084s021_buffer_trigger_handler(int irq, void *pollfunc) struct iio_poll_func *pf = pollfunc; struct iio_dev *indio_dev = pf->indio_dev; struct adc084s021 *adc = iio_priv(indio_dev); - __be16 data[8] = {0}; /* 4 * 16-bit words of data + 8 bytes timestamp */ mutex_lock(&adc->lock); - if (adc084s021_adc_conversion(adc, &data) < 0) + if (adc084s021_adc_conversion(adc, adc->scan.channels) < 0) dev_err(&adc->spi->dev, "Failed to read data\n"); - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, &adc->scan, iio_get_time_ns(indio_dev)); mutex_unlock(&adc->lock); iio_trigger_notify_done(indio_dev->trig); From patchwork Sun Jun 7 15:54:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591709 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DC745913 for ; Sun, 7 Jun 2020 15:56:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C580820774 for ; Sun, 7 Jun 2020 15:56:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545409; bh=dVfq5V3L0+vohzM0nMsJsSxCJIA/PiVCZdl8DTEhlYY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=r1fe2BCmxpiBRg0fTHn4Wc2QFtnvs1pi7j03Mbp9Oqn3b7bZeAPUIPCAhgtxH7bck kqboXUwGYVK1rbpmO46oio+TesZs/SJ56CF++6lSdiMDElqwUapB8x9iLfHV3qTqM7 7sirZ27ZQ1Eki2Uu2bDzRPv9mTEKcMufFu8ESezE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726781AbgFGP4t (ORCPT ); Sun, 7 Jun 2020 11:56:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:57604 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4s (ORCPT ); Sun, 7 Jun 2020 11:56:48 -0400 Received: from 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron
Subject: [PATCH 25/32] iio:adc:ti-adc084s021 Tidy up endian types
Date: Sun, 7 Jun 2020 16:54:01 +0100
Message-Id: <20200607155408.958437-26-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

By adding a few local variables and avoiding a void * for
a parameter we can easily make all the endian types explicit and
get rid of the warnings from sparse:

CHECK drivers/iio/adc/ti-adc084s021.c
drivers/iio/adc/ti-adc084s021.c:84:26: warning: incorrect type in assignment (different base types)
drivers/iio/adc/ti-adc084s021.c:84:26: expected unsigned short [usertype]
drivers/iio/adc/ti-adc084s021.c:84:26: got restricted __be16
drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16
drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16
drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16
drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16

Signed-off-by: Jonathan Cameron --- drivers/iio/adc/ti-adc084s021.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/iio/adc/ti-adc084s021.c b/drivers/iio/adc/ti-adc084s021.c index 3ffbde379011..b1448f49386b 100644 --- a/drivers/iio/adc/ti-adc084s021.c +++ b/drivers/iio/adc/ti-adc084s021.c @@ -69,11 +69,10 @@ static const struct iio_chan_spec adc084s021_channels[] = { * @adc: The ADC SPI data. * @data: Buffer for converted data. */ -static int adc084s021_adc_conversion(struct adc084s021 *adc, void *data) +static int adc084s021_adc_conversion(struct adc084s021 *adc, __be16 *data) { int n_words = (adc->spi_trans.len >> 1) - 1; /* Discard first word */ int ret, i = 0; - u16 *p = data; /* Do the transfer */ ret = spi_sync(adc->spi, &adc->message); @@ -81,7 +80,7 @@ static int adc084s021_adc_conversion(struct adc084s021 *adc, void *data) return ret; for (; i < n_words; i++) - *(p + i) = adc->rx_buf[i + 1]; + *(data + i) = adc->rx_buf[i + 1]; return ret; } @@ -92,6 +91,7 @@ static int adc084s021_read_raw(struct iio_dev *indio_dev, { struct adc084s021 *adc = iio_priv(indio_dev); int ret; + __be16 be_val; switch (mask) { case IIO_CHAN_INFO_RAW: 
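Review bot: with the parameter now `__be16 *data`, the copy loop `for (; i < n_words; i++) *(data + i) = adc->rx_buf[i + 1];` still writes `n_words` elements, where `n_words` is `(adc->spi_trans.len >> 1) - 1`, but the new `__be16 be_val` local in adc084s021_read_raw has room for exactly one. The previous call wrote through `val`, so the destination has shrunk, and nothing in the visible lines shows `spi_trans.len` being limited to a single sample for the direct read. Pass the destination length to adc084s021_adc_conversion and bound the loop by it, or document where the transfer length is set for this path. As a style point, `data[i]` reads better than `*(data + i)`.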
@@ -106,13 +106,13 @@ static int adc084s021_read_raw(struct iio_dev *indio_dev, } adc->tx_buf[0] = channel->channel << 3; - ret = adc084s021_adc_conversion(adc, val); + ret = adc084s021_adc_conversion(adc, &be_val); iio_device_release_direct_mode(indio_dev); regulator_disable(adc->reg); if (ret < 0) return ret; - *val = be16_to_cpu(*val); + *val = be16_to_cpu(be_val); *val = (*val >> channel->scan_type.shift) & 0xff; return IIO_VAL_INT; From patchwork Sun Jun 7 15:54:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591711 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3EAFF913 for ; Sun, 7 Jun 2020 15:56:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 20A302077D for ; Sun, 7 Jun 2020 15:56:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545411; bh=bEkx+kdm4FbF7v8rgFy3YdWHwD04eABMX6SAPjuSXqc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=or4eQp/SQ90BHmZ9T9uT4CMgTkhHSWlB1qavecc8sKObhcKdHqnMrescp/iG81igD Rk0BLJEH/CVpV1a9rBHnif3g3ubpyQf389FQqzdwy3ZgRFyKF1LeWpbgwxd646drfd vDDOyCjkccZtPX9FIQmDTiraCksmPMIdEU/Cif6o= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726788AbgFGP4u (ORCPT ); Sun, 7 Jun 2020 11:56:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:57616 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4u (ORCPT ); Sun, 7 Jun 2020 11:56:50 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AF89E2078C; Sun, 7 Jun 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen
Subject: [PATCH 26/32] iio:adc:ti-ads1015 Fix buffer element alignment
Date: Sun, 7 Jun 2020 16:54:02 +0100
Message-Id: <20200607155408.958437-27-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
Here we use an explicit structure and rely on that to enforce
alignment on the stack.

Note there was never a data leak here due to the explicit memset.

Explicit alignment of ts is needed to avoid incorrect padding on
architectures which only enforce 4 byte alignment for s64 such as
x86_32

Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
Reported-by: Lars-Peter Clausen
Cc: Andy Shevchenko
Signed-off-by: Jonathan Cameron
---
 drivers/iio/adc/ti-ads1015.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/iio/adc/ti-ads1015.c b/drivers/iio/adc/ti-ads1015.c index 629c631e8f5c..6f4b54b97c5c 100644 --- a/drivers/iio/adc/ti-ads1015.c +++ b/drivers/iio/adc/ti-ads1015.c
@@ -385,10 +385,14 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ads1015_data *data = iio_priv(indio_dev); - s16 buf[8]; /* 1x s16 ADC val + 3x s16 padding + 4x s16 timestamp */ + /* Ensure natural alignment for buffer elements */ + struct { + s16 channel; + s64 ts __aligned(8); + } scan; int chan, ret, res; - memset(buf, 0, sizeof(buf)); + memset(&scan, 0, sizeof(scan)); mutex_lock(&data->lock); chan = find_first_bit(indio_dev->active_scan_mask, 
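Review bot: the comment above the new on-stack `scan` structure only mentions alignment, yet `memset(&scan, 0, sizeof(scan))` is what keeps the padding between `s16 channel` and `s64 ts` from carrying stack contents to userspace; the commit message credits the explicit memset for there never having been a leak. Extend the comment to say the memset must stay because assigning `scan.channel` alone leaves that padding uninitialised, so a later cleanup does not swap it for a field-by-field initialisation.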
@@ -399,10 +403,10 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p) goto err; } - buf[0] = res; + scan.channel = res; mutex_unlock(&data->lock); - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); err: From patchwork Sun Jun 7 15:54:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591713 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 483CC912 for ; Sun, 7 Jun 2020 15:56:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3172420723 for ; Sun, 7 Jun 2020 15:56:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545412; bh=jkMvbLw7ydajY5LmRGSihqTbAlFJeMGs1LWyA2Q0XBc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=IjRSxzQUi7JK4BqEgCF0Hx5uTT/qGKPuB9t18x6qbyuNcQMf+0cO38jh/WJNR/2GO Pkswv+Zjh6RINsAp4Gprt76qc8RxS4bNs3ljQDlpaLEY5MZtA2WK5de6IoCqBqgtaP ttOmta8fmLv3okseVSEfi0BCabh7E8ho+Fd5MnhQ= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726806AbgFGP4v (ORCPT ); Sun, 7 Jun 2020 11:56:51 -0400 Received: from mail.kernel.org ([198.145.29.99]:57632 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4v (ORCPT ); Sun, 7 Jun 2020 11:56:51 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id EB32420774; Sun, 7 Jun 2020 15:56:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545411; 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Dan Murphy
Subject: [PATCH 27/32] iio:adc:ti-ads124s08 Fix alignment and data leak issues.
Date: Sun, 7 Jun 2020 16:54:03 +0100
Message-Id: <20200607155408.958437-28-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv() data with alignment
explicitly requested. This data is allocated with kzalloc so no
data can leak apart from previous readings.

Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code")
Reported-by: Lars-Peter Clausen
Cc: Dan Murphy
Signed-off-by: Jonathan Cameron
---
 drivers/iio/adc/ti-ads124s08.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/adc/ti-ads124s08.c b/drivers/iio/adc/ti-ads124s08.c index dacaa7255a3b..f9731e6a4260 100644 --- a/drivers/iio/adc/ti-ads124s08.c +++ b/drivers/iio/adc/ti-ads124s08.c
@@ -99,6 +99,11 @@ struct ads124s_private { struct gpio_desc *reset_gpio; struct spi_device *spi; struct mutex lock; + /* + * Used to correctly align data. + * Ensure timestamp is naturally aligned. + */ + u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8); u8 data[5] ____cacheline_aligned; }; @@ -269,7 +274,6 @@ static irqreturn_t ads124s_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ads124s_private *priv = iio_priv(indio_dev); - u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u16)]; int scan_index, j = 0; int ret; @@ -284,7 +288,7 @@ static irqreturn_t ads124s_trigger_handler(int irq, void *p) if (ret) dev_err(&priv->spi->dev, "Start ADC conversions failed\n"); - buffer[j] = ads124s_read(indio_dev, scan_index); + priv->buffer[j] = ads124s_read(indio_dev, scan_index); ret = ads124s_write_cmd(indio_dev, ADS124S08_STOP_CONV); if (ret) dev_err(&priv->spi->dev, "Stop ADC conversions failed\n"); 
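Review bot: the size expression in `u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8);` mixes element types: the array is u32 but the timestamp slots are counted in u16 units, so it reserves four u32 (16 bytes) for an 8-byte timestamp. This is carried over unchanged from the removed stack declaration. If the extra space is deliberate headroom for padding before the timestamp, say so in the new comment; otherwise size it from the actual layout, since the value of ADS124S08_MAX_CHANNELS is not visible here and the next reader cannot tell whether the slack is needed.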
@@ -292,7 +296,7 @@ static irqreturn_t ads124s_trigger_handler(int irq, void *p) j++; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, priv->buffer, pf->timestamp); iio_trigger_notify_done(indio_dev->trig); From patchwork Sun Jun 7 15:54:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591715 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BBCA0913 for ; Sun, 7 Jun 2020 15:56:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A377C20723 for ; Sun, 7 Jun 2020 15:56:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545413; bh=L+l90Dhc1qGI/ojNSpAaOaRIYuesV6sRi61GnzBQKHY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=DbYHSwvfRAzn55Ggk9R5EeckfbYuhmXEycA3Uux++UwHvf8Caa129KPg1W0QvEVIQ TwF/VafWHHlPlTXSE1O6UyzmQPXo8WZGrXv0Ped0GGj3sbZFnuOQwVdSMnyKo3Dl77 EGtfHz+fS5WRHHYxvaoefN4FvRwkvjGbRaruFQ28= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726784AbgFGP4x (ORCPT ); Sun, 7 Jun 2020 11:56:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:57654 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4w (ORCPT ); Sun, 7 Jun 2020 11:56:52 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 59DF320659; Sun, 7 Jun 2020 15:56:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545412; bh=L+l90Dhc1qGI/ojNSpAaOaRIYuesV6sRi61GnzBQKHY=; 
From: Jonathan Cameron
To: linux-iio@vger.kernel.org
Cc: Andy Shevchenko, Jonathan Cameron, Lars-Peter Clausen, Sean Nyekjaer
Subject: [PATCH 28/32] iio:adc:ti-ads8688 Fix alignment and potential data leak issue
Date: Sun, 7 Jun 2020 16:54:04 +0100
Message-Id: <20200607155408.958437-29-jic23@kernel.org>
In-Reply-To: <20200607155408.958437-1-jic23@kernel.org>
References: <20200607155408.958437-1-jic23@kernel.org>

From: Jonathan Cameron

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses a 32 byte array of smaller elements on the stack.
As Lars also noted this anti pattern can involve a leak of data to
userspace and that indeed can happen here. We close both issues by
moving to a suitable structure in the iio_priv() data with alignment
explicitly requested. This data is allocated with kzalloc so no
data can leak apart from previous readings.

Fixes: 2a86487786b5 ("iio: adc: ti-ads8688: add trigger and buffer support")
Reported-by: Lars-Peter Clausen
Cc: Sean Nyekjaer
Signed-off-by: Jonathan Cameron
---
 drivers/iio/adc/ti-ads8688.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/adc/ti-ads8688.c b/drivers/iio/adc/ti-ads8688.c index 011e5c8b5afd..2b4bce0cac17 100644 --- a/drivers/iio/adc/ti-ads8688.c +++ b/drivers/iio/adc/ti-ads8688.c
@@ -68,6 +68,12 @@ struct ads8688_state { struct regulator *reg; unsigned int vref_mv; enum ads8688_range range[8]; + /* + * Used to align data for pushing to IIO. + * Ensure natural alignment of timestamps + */ + u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8); + union { __be32 d32; u8 d8[4]; 
@@ -383,17 +389,17 @@ static irqreturn_t ads8688_trigger_handler(int irq, void *p) { struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; - u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)]; + struct ads8688_state *st = iio_priv(indio_dev); int i, j = 0; for (i = 0; i < indio_dev->masklength; i++) { if (!test_bit(i, indio_dev->active_scan_mask)) continue; - buffer[j] = ads8688_read(indio_dev, i); + st->buffer[j] = ads8688_read(indio_dev, i); j++; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, st->buffer, iio_get_time_ns(indio_dev)); iio_trigger_notify_done(indio_dev->trig); From patchwork Sun Jun 7 15:54:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591717 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0DE50913 for ; Sun, 7 Jun 2020 15:56:55 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EB2A12077D for ; Sun, 7 Jun 2020 15:56:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545415; bh=sPusuvgLxBsWeZb1ceB3MObWrWc5hwbleK/4UxFoGT8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Qr3D/S/5+ixxWmm/QC1K/xdI2lwCFFvChv+uu1sKrC06+mF5LNXL8Dr2LH6IPIQuZ oS4Pz1ggJina8lyZmhFCfbvfg1FBjfA0Bj/88Vg3UGt/p3F+WwGCTQDhJPBJlN8Llv Ts7mmGCRHsI2bgA9zb2MIihTsIszLI59RK2s7kSU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726815AbgFGP4y (ORCPT ); Sun, 7 Jun 2020 11:56:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:57668 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4y (ORCPT ); Sun, 7 Jun 2020 11:56:54 -0400 Received: from localhost.localdomain 
(cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B9919206C3; Sun, 7 Jun 2020 15:56:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545413; bh=sPusuvgLxBsWeZb1ceB3MObWrWc5hwbleK/4UxFoGT8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jiLKhtpALhRSEn8cWG6JOdu9ul10QOYmW6SjcTg4zXr2WEGBMN2kzMI3epUWGMFsO XLXMy340rlrteQp675PCvUK14DCNxiExcQp7x5WbaAsagmLBM9+MitwXPW7SyV8iF2 LpKzAkNgjtCN7Z9ma1ebgK50zaWuqhaUYZRqSN/I= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Akinobu Mita Subject: [PATCH 29/32] iio:adc:ti-adc0832 Fix alignment issue with timestamp Date: Sun, 7 Jun 2020 16:54:05 +0100 Message-Id: <20200607155408.958437-30-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. We fix this issue by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Note that previously no data could leak 'including' previous readings but I don't think it is an issue to potentially leak them like this now does. Fixes: 815bbc87462a ("iio: ti-adc0832: add triggered buffer support") Reported-by: Lars-Peter Clausen Cc: Akinobu Mita 
Signed-off-by: Jonathan Cameron --- drivers/iio/adc/ti-adc0832.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ti-adc0832.c b/drivers/iio/adc/ti-adc0832.c index 054db3425afa..a419c697272a 100644 --- a/drivers/iio/adc/ti-adc0832.c +++ b/drivers/iio/adc/ti-adc0832.c @@ -28,6 +28,8 @@ struct adc0832 { struct regulator *reg; struct mutex lock; u8 mux_bits; + /* 16x 1 byte ADC data + 8 bytes timestamp */ + u8 data[24] __aligned(8); u8 tx_buf[2] ____cacheline_aligned; u8 rx_buf[2]; @@ -199,7 +201,6 @@ static irqreturn_t adc0832_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct adc0832 *adc = iio_priv(indio_dev); - u8 data[24] = { }; /* 16x 1 byte ADC data + 8 bytes timestamp */ int scan_index; int i = 0; 
@@ -217,10 +218,10 @@ static irqreturn_t adc0832_trigger_handler(int irq, void *p) goto out; } - data[i] = ret; + adc->data[i] = ret; i++; } - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, adc->data, iio_get_time_ns(indio_dev)); out: mutex_unlock(&adc->lock); From patchwork Sun Jun 7 15:54:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591719 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 777D7912 for ; Sun, 7 Jun 2020 15:56:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 604F12077D for ; Sun, 7 Jun 2020 15:56:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545416; bh=VZXpzmPODQV0DwSJJDIe2LQy8VO+w/2CkuzP3X6CKa8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=0617sJ3D2QAQxCvOWNoroiqfBnR1E5aTGjiG4eq1QMebOURvbYtvhY6qYGHqpvq2i Kc7aezwlQ+MFTSNh3wmeQSLUn1fOEiRdsiV+jO6VuGsZcBSehKq+3e0RjM9l0CWr7k suKXAEOKF+q3Oa1vc4N8Fja4tRvpjSrjJ0rgTqh8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726818AbgFGP4z (ORCPT ); Sun, 7 Jun 2020 11:56:55 -0400 Received: from mail.kernel.org ([198.145.29.99]:57682 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP4z (ORCPT ); Sun, 7 Jun 2020 11:56:55 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 225A720723; Sun, 7 Jun 2020 15:56:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545415; 
bh=VZXpzmPODQV0DwSJJDIe2LQy8VO+w/2CkuzP3X6CKa8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BHdMa+sjkmdTQrXzrsBSDJfeClMkpBoaAHgGTTRGHbY2gF0TDVjSw2gJqJlSh5Jy0 IA25hm7LYcwatWON42l4xeQYGNYnjJpHKOeefWAHFWDg4ChprrO2fKrwuJh0h5YsMc fTbkwq3ElUEL2Z0W3FPLFaw2eHlP8L0XV24fsS6A= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Akinobu Mita Subject: [PATCH 30/32] iio:adc:ti-adc12138 Fix alignment issue with timestamp Date: Sun, 7 Jun 2020 16:54:06 +0100 Message-Id: <20200607155408.958437-31-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. We move to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Note that previously no leak at all could occur, but previous readings should never be a problem. Fixes: 50a6edb1b6e0 ("iio: adc: add ADC12130/ADC12132/ADC12138 ADC driver") Reported-by: Lars-Peter Clausen Cc: Akinobu Mita Signed-off-by: Jonathan Cameron --- drivers/iio/adc/ti-adc12138.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/ti-adc12138.c b/drivers/iio/adc/ti-adc12138.c index e485719cd2c4..16f4fd7a04d9 100644 --- a/drivers/iio/adc/ti-adc12138.c +++ b/drivers/iio/adc/ti-adc12138.c 
@@ -47,6 +47,8 @@ struct adc12138 { struct completion complete; /* The number of cclk periods for the S/H's acquisition time */ unsigned int acquisition_time; + /* 16x 2 bytes ADC data + 8 bytes timestamp */ + __be16 data[20] __aligned(8); u8 tx_buf[2] ____cacheline_aligned; u8 rx_buf[2]; @@ -329,7 +331,6 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct adc12138 *adc = iio_priv(indio_dev); - __be16 data[20] = { }; /* 16x 2 bytes ADC data + 8 bytes timestamp */ __be16 trash; int ret; int scan_index; @@ -345,7 +346,7 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) reinit_completion(&adc->complete); ret = adc12138_start_and_read_conv(adc, scan_chan, - i ? &data[i - 1] : &trash); + i ? &adc->data[i - 1] : &trash); if (ret) { dev_warn(&adc->spi->dev, "failed to start conversion\n"); @@ -362,7 +363,7 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) } if (i) { - ret = adc12138_read_conv_data(adc, &data[i - 1]); + ret = adc12138_read_conv_data(adc, &adc->data[i - 1]); if (ret) { dev_warn(&adc->spi->dev, "failed to get conversion data\n"); 
@@ -370,7 +371,7 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) } } - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, adc->data, iio_get_time_ns(indio_dev)); out: mutex_unlock(&adc->lock); From patchwork Sun Jun 7 15:54:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591721 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 687B9912 for ; Sun, 7 Jun 2020 15:56:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 51EAF207F9 for ; Sun, 7 Jun 2020 15:56:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545418; bh=du8yk3rKsbhTwjnvXwqDzbgB7MW9kseCaTDwmJK04LA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=QF3/IpRN+L5bZXtTJ/cnkRA9XLV8BCq3gwoR/ka/4vDG7DiZA4GaLY1HOKL3darYH SE9/U9c8JIiOPUVCuuW0cZqDrk/AsSSQ2T68CLzygnlMGoQ71EW5ECDy7EtWXBK59i ipf5Z6e5ytUD+ThX3C4AN2uV1cqTGWvaTkA+zAU4= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726823AbgFGP45 (ORCPT ); Sun, 7 Jun 2020 11:56:57 -0400 Received: from mail.kernel.org ([198.145.29.99]:57700 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP45 (ORCPT ); Sun, 7 Jun 2020 11:56:57 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7E2642076A; Sun, 7 Jun 2020 15:56:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545416; bh=du8yk3rKsbhTwjnvXwqDzbgB7MW9kseCaTDwmJK04LA=; 
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gyt8kpLbBDN3S9xZe4r05e0+O2ujVNNpvWHEGJZU3ycXW+5gxGSJgiZupoG6ytuES Vynp56sPlRQZSkhOL5AwJrB6MN4uwrbiZp9ExQtW5TYdPboS0qYp4hJAmWqdSVkBPR UE2z/XewUlr0aAkRpYgISp0+arBnXEEW2DrJuVEs= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , =?utf-8?q?Stefan_Br=C3=BCns?= , Marc Titinger Subject: [PATCH 31/32] iio:adc:ina2xx Fix timestamp alignment issue. Date: Sun, 7 Jun 2020 16:54:07 +0100 Message-Id: <20200607155408.958437-32-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 32 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. If we want this in older stables will need manual backport due to driver reworks. Fixes: c43a102e67db ("iio: ina2xx: add support for TI INA2xx Power Monitors") Reported-by: Lars-Peter Clausen Cc: Stefan Brüns Cc: Marc Titinger Signed-off-by: Jonathan Cameron --- drivers/iio/adc/ina2xx-adc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/ina2xx-adc.c b/drivers/iio/adc/ina2xx-adc.c index 467f48b6f451..6f466d42c520 100644 --- a/drivers/iio/adc/ina2xx-adc.c +++ b/drivers/iio/adc/ina2xx-adc.c 
@@ -146,6 +146,8 @@ struct ina2xx_chip_info { int range_vbus; /* Bus voltage maximum in V */ int pga_gain_vshunt; /* Shunt voltage PGA gain */ bool allow_async_readout; + /* data buffer needs space for channel data and timestap */ + unsigned short data[4 + sizeof(s64)/sizeof(short)] __aligned(8); }; static const struct ina2xx_config ina2xx_config[] = { @@ -738,8 +740,6 @@ static int ina2xx_conversion_ready(struct iio_dev *indio_dev) static int ina2xx_work_buffer(struct iio_dev *indio_dev) { struct ina2xx_chip_info *chip = iio_priv(indio_dev); - /* data buffer needs space for channel data and timestap */ - unsigned short data[4 + sizeof(s64)/sizeof(short)]; int bit, ret, i = 0; s64 time; 
@@ -758,10 +758,10 @@ static int ina2xx_work_buffer(struct iio_dev *indio_dev) if (ret < 0) return ret; - data[i++] = val; + chip->data[i++] = val; } - iio_push_to_buffers_with_timestamp(indio_dev, data, time); + iio_push_to_buffers_with_timestamp(indio_dev, chip->data, time); return 0; }; From patchwork Sun Jun 7 15:54:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11591723 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6AE56913 for ; Sun, 7 Jun 2020 15:56:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 49B24207D8 for ; Sun, 7 Jun 2020 15:56:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545419; bh=Jt2G0C25ddMVmJpl8LbsERNxLCJDO1grGNi1SJTVETA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=FxifLhSlAJwdcsWEzyP8bIMXEhxnC1332DdSeCnTHJatSucXjw53/nE03FFc/itZ8 D67MKFsgIIHztQtRsCcPtpgQTchfEihwJNZ6IqvgnucxW0stvQ51PNOGSFh6YYNNkG PREWrW5M1htrN8Ud/e00/+TdZghgNSqbbZreDoEI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726789AbgFGP46 (ORCPT ); Sun, 7 Jun 2020 11:56:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:57718 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726703AbgFGP46 (ORCPT ); Sun, 7 Jun 2020 11:56:58 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0E8612077D; Sun, 7 Jun 2020 15:56:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591545418; 
bh=Jt2G0C25ddMVmJpl8LbsERNxLCJDO1grGNi1SJTVETA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zW7qjx9qvMeGz9UyV2UEaT2+u4OU2i4+6sOzHuCVEvluaH7X8pkn219rlqkO++Nvq 6o/kaR8sHyfdn4db86rODAgk7krXKmaApXW5K48xqVeemAE/ZJMik/f+kK/qxxafVF fvBJcS3ryThf99b2Em3w86MoJWpXBmRx9S1VTFBk= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Andy Shevchenko , Jonathan Cameron , Lars-Peter Clausen , Akinobu Mita Subject: [PATCH 32/32] iio:adc:max1118 Fix alignment of timestamp and data leak issues Date: Sun, 7 Jun 2020 16:54:08 +0100 Message-Id: <20200607155408.958437-33-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200607155408.958437-1-jic23@kernel.org> References: <20200607155408.958437-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. The explicit alignment of ts is necessary to ensure correct padding on architectures where s64 is only 4 bytes aligned such as x86_32. Fixes: a9e9c7153e96 ("iio: adc: add max1117/max1118/max1119 ADC driver") Reported-by: Lars-Peter Clausen Cc: Akinobu Mita Signed-off-by: Jonathan Cameron --- drivers/iio/adc/max1118.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/max1118.c b/drivers/iio/adc/max1118.c index 273fbea2a515..af68d6165b68 100644 --- a/drivers/iio/adc/max1118.c +++ b/drivers/iio/adc/max1118.c 
@@ -35,6 +35,11 @@ struct max1118 { struct spi_device *spi; struct mutex lock; struct regulator *reg; + /* Ensure natural alignment of buffer elements */ + struct { + u8 channels[2]; + s64 ts __aligned(8); + } scan; u8 data ____cacheline_aligned; }; @@ -165,7 +170,6 @@ static irqreturn_t max1118_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct max1118 *adc = iio_priv(indio_dev); - u8 data[16] = { }; /* 2x 8-bit ADC data + padding + 8 bytes timestamp */ int scan_index; int i = 0; @@ -183,10 +187,10 @@ static irqreturn_t max1118_trigger_handler(int irq, void *p) goto out; } - data[i] = ret; + adc->scan.channels[i] = ret; i++; } - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, &adc->scan, iio_get_time_ns(indio_dev)); out: mutex_unlock(&adc->lock);
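Review bot: in [PATCH 28/32] ti-ads8688, hunk @@ -383,17 +389,17 @@ of ads8688_trigger_handler(), st->buffer is now shared state in iio_priv() but nothing visible in the hunk serialises the fill loop and the push against another user of the buffer, whereas the adc0832 and max1118 handlers in this series end with mutex_unlock(&adc->lock). If the trigger handler is the only code that touches the buffer, say so in the comment added above `u16 buffer[...]` in struct ads8688_state; otherwise the loop and the push need a lock around them.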
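Review bot: in [PATCH 29/32] ti-adc0832, hunk @@ -199,7 +201,6 @@, dropping `u8 data[24] = { };` removes the per-scan zeroing, so slots of adc->data that the current scan does not write keep readings from earlier scans and are pushed to userspace with the rest of the record. The commit message accepts this, but the new comment on `u8 data[24] __aligned(8);` only describes the size. It should also state that the buffer is deliberately not cleared between scans, or the handler should memset() it before the loop if old readings are not meant to be visible.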
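Review bot: in [PATCH 31/32] ina2xx, hunk @@ -146,6 +146,8 @@, the comment moved into struct ina2xx_chip_info still reads "timestap"; correct it to "timestamp" while moving it. The commit message also describes a 32 byte array, but `data[4 + sizeof(s64)/sizeof(short)]` is 8 shorts, which is 16 bytes with a 2-byte short, so the message should be corrected to match the declaration.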
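Review bot: in [PATCH 32/32] max1118, hunk @@ -35,6 +35,11 @@, the comment "Ensure natural alignment of buffer elements" does not say why `s64 ts __aligned(8);` is needed; the reason (s64 is only 4-byte aligned on x86_32, so the padding before ts would be wrong there) appears only in the commit message. Put that reason in the comment so the attribute is not later removed as redundant.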
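Review bot: in [PATCH 32/32] max1118, hunk @@ -165,7 +170,6 @@, the removed `u8 data[16] = { };` was zero-initialised on every call, so the commit message's statement that a leak to userspace "indeed can happen here" does not match the old code; the same initialiser in ti-adc0832 and ti-adc12138 is described in those patches as allowing no leak. Reword the message to say that the change fixes alignment and that previous readings can now remain in scan.channels[].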
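Review bot: in [PATCH 32/32] max1118, hunk @@ -183,10 +187,10 @@, `adc->scan.channels[i] = ret;` now indexes a two-element array where the old buffer had 16 bytes, and the bound on i lies outside the visible context. Confirm that the loop can never store more than two samples, since a third would land in the padding before ts instead of in spare buffer space.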
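The record layout and leak behaviour that the commit messages in this series describe, as an added userspace C model that is not part of the patches or of the kernel. `model_push`, `stale_bytes`, the 0xAA filler and the sample values are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the max1118 patch: two 8-bit channels, then the timestamp. */
struct scan {
	uint8_t channels[2];
	int64_t ts __attribute__((aligned(8)));	/* kernel: s64 ts __aligned(8) */
};

/* 8 on every ABI because of the attribute, including ABIs that would
 * otherwise align a 64-bit integer to 4 bytes. */
size_t scan_ts_offset(void) { return offsetof(struct scan, ts); }

/* Model of the push (assumption, not kernel code): the timestamp fills the
 * last 8 bytes, then all scan_bytes are handed to the reader via out. */
static void model_push(void *buf, size_t scan_bytes, int64_t ts, uint8_t *out)
{
	memcpy((uint8_t *)buf + scan_bytes - sizeof(ts), &ts, sizeof(ts));
	memcpy(out, buf, scan_bytes);
}

/* Non-zero bytes the reader sees between the written samples and the ts. */
static size_t stale_bytes(const uint8_t *rec, size_t n_written, size_t scan_bytes)
{
	size_t i, n = 0;

	for (i = n_written; i < scan_bytes - sizeof(int64_t); i++)
		n += (rec[i] != 0);
	return n;
}

/* Old pattern: a buffer that is never cleared; 0xAA stands in for stale stack. */
size_t leak_uninitialised(void)
{
	uint8_t buf[16], out[16];

	memset(buf, 0xAA, sizeof(buf));	/* constructed filler */
	buf[0] = 0x12;			/* one enabled channel */
	model_push(buf, sizeof(buf), 1000, out);
	return stale_bytes(out, 1, sizeof(buf));
}

/* Fixed pattern: storage zeroed once, as kzalloc does for iio_priv() data. */
size_t leak_zeroed_struct(void)
{
	static struct scan s;		/* static storage starts zeroed */
	uint8_t out[sizeof(s)];

	s.channels[0] = 0x12;
	model_push(&s, sizeof(s), 1000, out);
	return stale_bytes(out, 1, sizeof(s));
}

/* Fixed pattern after an earlier two-channel scan: an old reading remains. */
size_t leak_previous_reading(void)
{
	static struct scan s;
	uint8_t out[sizeof(s)];

	s.channels[0] = 0x34;
	s.channels[1] = 0x56;		/* earlier scan, both channels enabled */
	model_push(&s, sizeof(s), 1000, out);
	s.channels[0] = 0x12;		/* later scan, channel 0 only */
	model_push(&s, sizeof(s), 2000, out);
	return stale_bytes(out, 1, sizeof(s));
}

int main(void)
{
	printf("ts offset %zu, uninitialised %zu, zeroed %zu, previous %zu\n",
	       scan_ts_offset(), leak_uninitialised(), leak_zeroed_struct(),
	       leak_previous_reading());
	return 0;
}
```

The three counts separate the cases the commit messages distinguish: unrelated stale memory in the padding, nothing at all, and only an earlier reading from the same device.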