From patchwork Mon May 25 17:06:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569077 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A29941392 for ; Mon, 25 May 2020 17:09:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 81C9C207D8 for ; Mon, 25 May 2020 17:09:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426542; bh=CxYHx5n4rZeuGiT5E8ZQEM9kqOu7HPZ4zfAaZ1Sivc0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=hH24fX7dwZGTmykcIby6uINKwQFMtaoJ73+1N4j/kCuD/hu/1Hd4EoR0TzI/OaWRH IKrapv5gUxJ91bt3q+lwvih5BLuVYeF73nap6wz6bS8wbIX8YJ/H9Hdo6fIUGaGzum kKpXCzRSO9EIbXaf6DVp7tBOnSzCetlzqxzZmE2U= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389203AbgEYRJC (ORCPT ); Mon, 25 May 2020 13:09:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:42536 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJC (ORCPT ); Mon, 25 May 2020 13:09:02 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8FF4820723; Mon, 25 May 2020 17:09:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426541; bh=CxYHx5n4rZeuGiT5E8ZQEM9kqOu7HPZ4zfAaZ1Sivc0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=y3TJkDWJnJ206dnU47zAsyfh0NGPktZrQXW9/hM4WGCXYsky+7EV/0o+N6GMFVsGJ zp4+hDd0jISARg11OrbR0lzzMnbtCsZ8hIyLtoHC0KB23tk5iaP8RyzOn3sPXId7Gd z0Sn2k9TxJ/t7mYWKCt1rc+8QklVO0dI51FNbBoE= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Peter Meerwald-Stadler Subject: [PATCH 01/25] iio:light:si1145: Fix timestamp alignment and prevent data leak. Date: Mon, 25 May 2020 18:06:04 +0100 Message-Id: <20200525170628.503283-2-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 24 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable array in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: ac45e57f1590 ("iio: light: Add driver for Silabs si1132, si1141/2/3 and si1145/6/7 ambient light, uv index and proximity sensors") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Peter Meerwald-Stadler --- drivers/iio/light/si1145.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/iio/light/si1145.c b/drivers/iio/light/si1145.c index 0476c2bc8138..aa93c6d38043 100644 --- a/drivers/iio/light/si1145.c +++ b/drivers/iio/light/si1145.c @@ -179,6 +179,8 @@ struct si1145_data { bool autonomous; struct iio_trigger *trig; int meas_rate; + /* Ensure timestamp will be naturally aligned if present */ + u8 buffer[24] __aligned(8); }; /** @@ -445,7 +447,6 @@ static irqreturn_t si1145_trigger_handler(int irq, void *private) * 6*2 bytes channels data + 4 bytes alignment + * 8 bytes timestamp */ - u8 buffer[24]; int i, j = 0; int ret; u8 irq_status = 0; @@ -478,7 +479,7 @@ static irqreturn_t si1145_trigger_handler(int irq, void *private) ret = i2c_smbus_read_i2c_block_data_or_emulated( data->client, indio_dev->channels[i].address, - sizeof(u16) * run, &buffer[j]); + sizeof(u16) * run, &data->buffer[j]); if (ret < 0) goto done; j += run * sizeof(u16); @@ -493,7 +494,7 @@ static irqreturn_t si1145_trigger_handler(int irq, void *private) goto done; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, iio_get_time_ns(indio_dev)); done: From patchwork Mon May 25 17:06:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569079 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BAC2C1392 for ; Mon, 25 May 2020 17:09:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A3999207DA for ; Mon, 25 May 2020 17:09:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426543; bh=8VyojAOydO4gMx0fVEeQ9THwMx6ke3f/D4KfGqm/9rg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=gGt1F+ZzUYw/p5w17ErXEAX+A78AgDC20XJwkr3Q5FI2KmJV/rilz45zHw0mbdUB6 OQwMxG6pJWJ0lDvkO6FYWYZaWToxGFCHk2107hoTEr8sQK1hEnbgrvZtU/hnbheZC1 NW3oTqJe8HacpFlmjcGpqHsXiHhlXpeDorAqtLCo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389222AbgEYRJD (ORCPT ); Mon, 25 May 2020 13:09:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:42548 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJD (ORCPT ); Mon, 25 May 2020 13:09:03 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D887320776; Mon, 25 May 2020 17:09:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426542; bh=8VyojAOydO4gMx0fVEeQ9THwMx6ke3f/D4KfGqm/9rg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=N5VDneET9AZNpE1pHh++tKh2g859K30o+w4jagIi2B0IPKmgCxUZYZrECBhYkEFaJ Bj9GfjmX6FSX715HLWQL60FwwPimq3hzgM91v4PabOExxy5I7EMsUeSJDZRZj83UgI 3NZHt9Fk429hHTlXJXPnpvP+tKgLmwxG5tpV54QA= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen Subject: [PATCH 02/25] iio:light:max44000 Fix timestamp alignment and prevent data leak. Date: Mon, 25 May 2020 18:06:05 +0100 Message-Id: <20200525170628.503283-3-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 16 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: 06ad7ea10e2b ("max44000: Initial triggered buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/light/max44000.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/iio/light/max44000.c b/drivers/iio/light/max44000.c index d6d8007ba430..d27b6170792d 100644 --- a/drivers/iio/light/max44000.c +++ b/drivers/iio/light/max44000.c @@ -75,6 +75,11 @@ struct max44000_data { struct mutex lock; struct regmap *regmap; + /* Ensure naturally aligned timestamp */ + struct { + u16 channels[2]; + s64 ts; + } scan; }; /* Default scale is set to the minimum of 0.03125 or 1 / (1 << 5) lux */ @@ -488,7 +493,6 @@ static irqreturn_t max44000_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct max44000_data *data = iio_priv(indio_dev); - u16 buf[8]; /* 2x u16 + padding + 8 bytes timestamp */ int index = 0; unsigned int regval; int ret; @@ -498,17 +502,17 @@ static irqreturn_t max44000_trigger_handler(int irq, void *p) ret = max44000_read_alsval(data); if (ret < 0) goto out_unlock; - buf[index++] = ret; + data->scan.channels[index++] = ret; } if (test_bit(MAX44000_SCAN_INDEX_PRX, indio_dev->active_scan_mask)) { ret = regmap_read(data->regmap, MAX44000_REG_PRX_DATA, ®val); if (ret < 0) goto out_unlock; - buf[index] = regval; + data->scan.channels[index] = regval; } mutex_unlock(&data->lock); - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); iio_trigger_notify_done(indio_dev->trig); return IRQ_HANDLED; From patchwork Mon May 25 17:06:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569081 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D632C739 for ; Mon, 25 May 2020 17:09:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BEB2820849 for ; Mon, 25 May 2020 17:09:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426544; bh=m8RwHQtW52r/AFKN3Dy02ncCis7GXGs0Kb7gVGLAjRo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=nhTgJbpjpdLe35kXrPWlxSUjgcn1K1CNlyNSEbxsY7pE8X59qvOyLR0VOf+Wdr0ky rjH0zNFj/ypBAN5j3eBQyEzXbUpMuO3FYUYFlRjvSacEtDVOHJyXTZPERsB70FI9rW AiEuXoUpieUcyt/m7g0c2JU7VDg8SHrNYWxTs2U0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389275AbgEYRJE (ORCPT ); Mon, 25 May 2020 13:09:04 -0400 Received: from mail.kernel.org ([198.145.29.99]:42558 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJE (ORCPT ); Mon, 25 May 2020 13:09:04 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F12B62078B; Mon, 25 May 2020 17:09:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426543; bh=m8RwHQtW52r/AFKN3Dy02ncCis7GXGs0Kb7gVGLAjRo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Top3V7QSQNfAYMglMCaXMJ8piyOaHitaxaibLTG+gWzl4xqL9pM+u5O9n9X5agYSI XvnZKyhztS9jIdNMROZzQGId8dN0JuzqJZqQSnsfyW/EEJ7ozBRRzaUQG0p4uipphn XK5KpJWowpz8r+Yo3vk/lvDZyK+8adTdaPjU8e9M= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Mikko Koivunen Subject: [PATCH 03/25] iio:light:rpr0521 Fix timestamp alignment and prevent data leak. Date: Mon, 25 May 2020 18:06:06 +0100 Message-Id: <20200525170628.503283-4-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc so no data can leak appart from previous readings and in this case the status byte from the device. Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer") Signed-off-by: Jonathan Cameron Cc: Mikko Koivunen --- drivers/iio/light/rpr0521.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/iio/light/rpr0521.c b/drivers/iio/light/rpr0521.c index a0a7aeae5a82..a1fc8a91b2b6 100644 --- a/drivers/iio/light/rpr0521.c +++ b/drivers/iio/light/rpr0521.c @@ -194,6 +194,17 @@ struct rpr0521_data { bool pxs_need_dis; struct regmap *regmap; + + /* + * Ensure correct naturally aligned timestamp. + * Note that the read will put garbage data into + * the padding but this should not be a problem + */ + struct { + __le16 channels[3]; + u8 garbage; + s64 ts; + } scan; }; static IIO_CONST_ATTR(in_intensity_scale_available, RPR0521_ALS_SCALE_AVAIL); @@ -449,8 +460,6 @@ static irqreturn_t rpr0521_trigger_consumer_handler(int irq, void *p) struct rpr0521_data *data = iio_priv(indio_dev); int err; - u8 buffer[16]; /* 3 16-bit channels + padding + ts */ - /* Use irq timestamp when reasonable. */ if (iio_trigger_using_own(indio_dev) && data->irq_timestamp) { pf->timestamp = data->irq_timestamp; @@ -461,11 +470,11 @@ static irqreturn_t rpr0521_trigger_consumer_handler(int irq, void *p) pf->timestamp = iio_get_time_ns(indio_dev); err = regmap_bulk_read(data->regmap, RPR0521_REG_PXS_DATA, - &buffer, + data->scan.channels, (3 * 2) + 1); /* 3 * 16-bit + (discarded) int clear reg. */ if (!err) iio_push_to_buffers_with_timestamp(indio_dev, - buffer, pf->timestamp); + &data->scan, pf->timestamp); else dev_err(&data->client->dev, "Trigger consumer can't read from sensor.\n"); From patchwork Mon May 25 17:06:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569083 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 358E4739 for ; Mon, 25 May 2020 17:09:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1DE242084C for ; Mon, 25 May 2020 17:09:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426546; bh=ZMLNo4cvgQNjTdwR1tJWRA46HQutBLqmURBHlJy0faQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=S9fAww9Aq5pcZUX5iqczuNoEcxsDeH01a4HRTJIvMSIKDlso2Rco0ZDbgNX+oxasi itIYhLGHw4YttqksHfnm/Gze2m/5uzJ4cws2IiZK9I7o7UfHXfH2HX/wfItNAtaEOj k9S+WZyRksQW4i9VmAqh5Nv7zyG6cIW0R91LLEYY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391267AbgEYRJF (ORCPT ); Mon, 25 May 2020 13:09:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:42568 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJF (ORCPT ); Mon, 25 May 2020 13:09:05 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 16C80207D8; Mon, 25 May 2020 17:09:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426544; bh=ZMLNo4cvgQNjTdwR1tJWRA46HQutBLqmURBHlJy0faQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1Odz5GuBc6OGwNnpNnkmz/YsIcxn/Ml13CwV033oF/FZY5O9t/Vfl+wXpGiMy+cJ7 GKEcZcjmmZ8kN2hB493I3Hj2flA+hubp51ZlZcu7yL4Vca5pw79NWdHe9PC1wlWW8w LevHQekLnG9DLMC/plNEUq0oCK/s+Qyc/mI1F7ro= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Lorenzo Bianconi Subject: [PATCH 04/25] iio:light:st_uvis25 Fix timestamp alignment and prevent data leak. Date: Mon, 25 May 2020 18:06:07 +0100 Message-Id: <20200525170628.503283-5-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 3025c8688c1e ("iio: light: add support for UVIS25 sensor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Lorenzo Bianconi Acked-by: Lorenzo Bianconi --- drivers/iio/light/st_uvis25.h | 5 +++++ drivers/iio/light/st_uvis25_core.c | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/light/st_uvis25.h b/drivers/iio/light/st_uvis25.h index 78bc56aad129..f7027e4c4493 100644 --- a/drivers/iio/light/st_uvis25.h +++ b/drivers/iio/light/st_uvis25.h @@ -27,6 +27,11 @@ struct st_uvis25_hw { struct iio_trigger *trig; bool enabled; int irq; + /* Ensure timestamp is naturally aligned */ + struct { + u8 chan; + s64 ts; + } scan; }; extern const struct dev_pm_ops st_uvis25_pm_ops; diff --git a/drivers/iio/light/st_uvis25_core.c b/drivers/iio/light/st_uvis25_core.c index d262c254b895..fe1f2dc970c7 100644 --- a/drivers/iio/light/st_uvis25_core.c +++ b/drivers/iio/light/st_uvis25_core.c @@ -234,17 +234,17 @@ static const struct iio_buffer_setup_ops st_uvis25_buffer_ops = { static irqreturn_t st_uvis25_buffer_handler_thread(int irq, void *p) { - u8 buffer[ALIGN(sizeof(u8), sizeof(s64)) + sizeof(s64)]; struct iio_poll_func *pf = p; struct iio_dev *iio_dev = pf->indio_dev; struct st_uvis25_hw *hw = iio_priv(iio_dev); int err; - err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, (int *)buffer); + err = regmap_read(hw->regmap, ST_UVIS25_REG_OUT_ADDR, + (unsigned int *)&hw->scan.chan); if (err < 0) goto out; - iio_push_to_buffers_with_timestamp(iio_dev, buffer, + iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan, iio_get_time_ns(iio_dev)); out: From patchwork Mon May 25 17:06:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569085 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 160341392 for ; Mon, 25 May 2020 17:09:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F39382084C for ; Mon, 25 May 2020 17:09:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426547; bh=P/qsnxYPMV2FGwuWAhBl8kCLLFpLGH3XIqJL5xPeNHw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=nU1cMQfF64XA2uZjv+binhldJjTF2LlohyjzTq3ThDlCVekpmNpFxFGUuQCXDttpt RD4rVvemYjduH/WdDHzwK9gzaJ58M2AyDnDCRYc+AeeVDAwct2+9F65vVh2KvqQbfK ln4xq4q915tkifFwkEpSgbhuUH1JhjXVeuPfDkcM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391273AbgEYRJG (ORCPT ); Mon, 25 May 2020 13:09:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:42578 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJG (ORCPT ); Mon, 25 May 2020 13:09:06 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 534BF207DA; Mon, 25 May 2020 17:09:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426546; bh=P/qsnxYPMV2FGwuWAhBl8kCLLFpLGH3XIqJL5xPeNHw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=s54pUHyhJ6ZSEzNbmO6BthwYYQAF3KFtykCAHnzrpigezdWcQ5GS1lkU2L16KXjuD OVqrYjQPAtHyZfhc6MRGVRkFmBhcEzXqGqS2snkLdogdENr1kuFki7NYAeml9H2LFE Ez5MT2MnSzTM4hMdU+KAukRzzQv9sngf5lf1xU9k= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen Subject: [PATCH 05/25] iio:light:ltr501 Fix timestamp alignment issue. Date: Mon, 25 May 2020 18:06:08 +0100 Message-Id: <20200525170628.503283-6-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Here we use a structure on the stack. The driver already did an explicit memset so no data leak was possible. Note there has been some rework in this driver of the years, so no way this will apply cleanly all the way back. Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/light/ltr501.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/iio/light/ltr501.c b/drivers/iio/light/ltr501.c index 5a3fcb127cd2..c8b1ca13eb55 100644 --- a/drivers/iio/light/ltr501.c +++ b/drivers/iio/light/ltr501.c @@ -1243,13 +1243,16 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ltr501_data *data = iio_priv(indio_dev); - u16 buf[8]; + struct { + u16 channels[3]; + s64 ts; + } scan; __le16 als_buf[2]; u8 mask = 0; int j = 0; int ret, psdata; - memset(buf, 0, sizeof(buf)); + memset(&scan, 0, sizeof(scan)); /* figure out which data needs to be ready */ if (test_bit(0, indio_dev->active_scan_mask) || @@ -1268,9 +1271,9 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p) if (ret < 0) return ret; if (test_bit(0, indio_dev->active_scan_mask)) - buf[j++] = le16_to_cpu(als_buf[1]); + scan.channels[j++] = le16_to_cpu(als_buf[1]); if (test_bit(1, indio_dev->active_scan_mask)) - buf[j++] = le16_to_cpu(als_buf[0]); + scan.channels[j++] = le16_to_cpu(als_buf[0]); } if (mask & LTR501_STATUS_PS_RDY) { @@ -1278,10 +1281,10 @@ static irqreturn_t ltr501_trigger_handler(int irq, void *p) &psdata, 2); if (ret < 0) goto done; - buf[j++] = psdata & LTR501_PS_DATA_MASK; + scan.channels[j++] = psdata & LTR501_PS_DATA_MASK; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); done: From patchwork Mon May 25 17:06:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569087 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 89A151392 for ; Mon, 25 May 2020 17:09:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 68A8F2084C for ; Mon, 25 May 2020 17:09:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426548; bh=K9dQlLMfAWEdV+u98OYydkoKZfNrb/mofkqS3kOEybc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=P0r6SoT4m7VY0MF2lBxV4bxxipbGajvEPckM90BNei70XMIR0o0lr0bj5loL53JcM GSRqpCtyvm7FcAnN+oBtWB9qdf9JHyzO8K3FqyOKgdipYj5+/lXjIra8mCpbMyba53 5ovOVH/exlg0IylyecjlGWc8tnopjgOD3CCziX9U= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391274AbgEYRJI (ORCPT ); Mon, 25 May 2020 13:09:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:42590 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJH (ORCPT ); Mon, 25 May 2020 13:09:07 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6EA2020849; Mon, 25 May 2020 17:09:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426547; bh=K9dQlLMfAWEdV+u98OYydkoKZfNrb/mofkqS3kOEybc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZAq92k9Hu5yoNJi3gLdw35dsf6n2v5dHECOCjaFa2iHsEVssbvuzPW5VZYlXd+zKP 52BfZ3bZEZd2VWq7ZCuJ89+s0suYB3bs2DlhwCcvf+R11+02+ENB4OFTqKcZjrkWT9 HuH1OANLqwhO09G+WLhPQy+JIG5Q+NOEKv+pOLxk= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Linus Walleij Subject: [PATCH 06/25] iio:magnetometer:ak8974: Fix alignment and data leak issues Date: Mon, 25 May 2020 18:06:09 +0100 Message-Id: <20200525170628.503283-7-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: 7c94a8b2ee8cf ("iio: magn: add a driver for AK8974") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Linus Walleij Reviewed-by: Linus Walleij --- drivers/iio/magnetometer/ak8974.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/magnetometer/ak8974.c b/drivers/iio/magnetometer/ak8974.c index 810fdfd37c88..899795add957 100644 --- a/drivers/iio/magnetometer/ak8974.c +++ b/drivers/iio/magnetometer/ak8974.c @@ -192,6 +192,11 @@ struct ak8974 { bool drdy_irq; struct completion drdy_complete; bool drdy_active_low; + /* Ensure timestamp is naturally aligned */ + struct { + __le16 channels[3]; + s64 ts; + } scan; }; static const char ak8974_reg_avdd[] = "avdd"; @@ -657,7 +662,6 @@ static void ak8974_fill_buffer(struct iio_dev *indio_dev) { struct ak8974 *ak8974 = iio_priv(indio_dev); int ret; - __le16 hw_values[8]; /* Three axes + 64bit padding */ pm_runtime_get_sync(&ak8974->i2c->dev); mutex_lock(&ak8974->lock); @@ -667,13 +671,13 @@ static void ak8974_fill_buffer(struct iio_dev *indio_dev) dev_err(&ak8974->i2c->dev, "error triggering measure\n"); goto out_unlock; } - ret = ak8974_getresult(ak8974, hw_values); + ret = ak8974_getresult(ak8974, ak8974->scan.channels); if (ret) { dev_err(&ak8974->i2c->dev, "error getting measures\n"); goto out_unlock; } - iio_push_to_buffers_with_timestamp(indio_dev, hw_values, + iio_push_to_buffers_with_timestamp(indio_dev, &ak8974->scan, iio_get_time_ns(indio_dev)); out_unlock: From patchwork Mon May 25 17:06:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569089 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 48B36739 for ; Mon, 25 May 2020 17:09:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 30B1620870 for ; Mon, 25 May 2020 17:09:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426550; bh=2ZongO4r61nzcvxv3gVNk8l5fF2nHAYt8WrvrUHK6PI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=UXkDmutwIZyNC36IRaJj+k4tfUq2vRx98XXORbe1O1Y/jT18O/e53AX4tw8kkomfz mBQiM4JkzwHd8wgwCdfjHcOvYzNeRCOjmFzBCl6HcvSQQjndm9oC3x6W4n67iY/t0P 3/6FUTn2oDetjjq1mRjC20dd3vVR/6yDXCiaNPp0= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391275AbgEYRJJ (ORCPT ); Mon, 25 May 2020 13:09:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:42602 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJJ (ORCPT ); Mon, 25 May 2020 13:09:09 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A98532078B; Mon, 25 May 2020 17:09:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426548; bh=2ZongO4r61nzcvxv3gVNk8l5fF2nHAYt8WrvrUHK6PI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=tfW3fbN59Y81bT2okCVlNyvD44wESrnqEnmbu/fCvGkdUFLKCI0m1uNkMDwIEOZW0 L6K8oB6xH9eBPeOGhP9/fAbh2MtE1+6e9U4E07H8mTn+zqcZadviZTK41UlA8Yga5Q 8zalC3Z6s25Iqzy40MQ2p/i+teRjuqHGzGUWHD90= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Gregor Boirie , Andy Shevchenko , Linus Walleij Subject: [PATCH 07/25] iio:magnetometer:ak8975 Fix alignment and data leak issues. Date: Mon, 25 May 2020 18:06:10 +0100 Message-Id: <20200525170628.503283-8-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Gregor Boirie Cc: Andy Shevchenko Cc: Linus Walleij --- drivers/iio/magnetometer/ak8975.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c index 3c881541ae72..673ac70d014d 100644 --- a/drivers/iio/magnetometer/ak8975.c +++ b/drivers/iio/magnetometer/ak8975.c @@ -365,6 +365,12 @@ struct ak8975_data { struct iio_mount_matrix orientation; struct regulator *vdd; struct regulator *vid; + + /* Ensure natural alignment of timestamp */ + struct { + s16 channels[3]; + s64 ts; + } scan; }; /* Enable attached power regulator if any. */ @@ -787,7 +793,6 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev) const struct i2c_client *client = data->client; const struct ak_def *def = data->def; int ret; - s16 buff[8]; /* 3 x 16 bits axis values + 1 aligned 64 bits timestamp */ __le16 fval[3]; mutex_lock(&data->lock); @@ -810,11 +815,14 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev) mutex_unlock(&data->lock); /* Clamp to valid range. */ - buff[0] = clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range); - buff[1] = clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range); - buff[2] = clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range); - - iio_push_to_buffers_with_timestamp(indio_dev, buff, + data->scan.channels[0] = + clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range); + data->scan.channels[1] = + clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range); + data->scan.channels[2] = + clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range); + + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); return; From patchwork Mon May 25 17:06:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569091 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 14AA41392 for ; Mon, 25 May 2020 17:09:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E6ADE2087D for ; Mon, 25 May 2020 17:09:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426551; bh=HTUMhtM+zF/gn/xjq6pNSv4MEwxlibkASog742zOvog=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=FP6wk4VRr05CKXyHiXILDeyJ4AvHagCZgROfPlND0jAfrrJSzqCf042Tkaw5BQhkH GzStPXWRFCbNA9Gxwx5VF5rrL+jubWoz9WfvT7vRXf8E5Rn6r4h+a2TCPbu//9XcBL NDUESJUjVR+7mEux8lfluMUhTKx4s+QNL8BWbOBc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391276AbgEYRJK (ORCPT ); Mon, 25 May 2020 13:09:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:42610 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJK (ORCPT ); Mon, 25 May 2020 13:09:10 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3E9E02084C; Mon, 25 May 2020 17:09:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426550; bh=HTUMhtM+zF/gn/xjq6pNSv4MEwxlibkASog742zOvog=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=P+rwHn7uKhDQEdA1mtKe8h37qkhVMYPHJvFk4VuFKBQt0qsYvOnPGafIIPA0DYSsG D24zVRLS/3SQ23Gy7Wr4f6EesgxFfWKN29cpiyMhQw3geJFhX8HfiHedimdJA4c3WT xAbAsAQmkUHOP3ZkQmeMRneT/cvnOajI90MiBg4c= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen Subject: [PATCH 08/25] iio:magnetometer:mag3110 Fix alignment and data leak issues. Date: Mon, 25 May 2020 18:06:11 +0100 Message-Id: <20200525170628.503283-9-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 39631b5f9584 ("iio: Add Freescale mag3110 magnetometer driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/magnetometer/mag3110.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/iio/magnetometer/mag3110.c b/drivers/iio/magnetometer/mag3110.c index fb16cfdd6fa6..17cd613c21c9 100644 --- a/drivers/iio/magnetometer/mag3110.c +++ b/drivers/iio/magnetometer/mag3110.c @@ -56,6 +56,12 @@ struct mag3110_data { int sleep_val; struct regulator *vdd_reg; struct regulator *vddio_reg; + /* Ensure natural alignment of timestamp */ + struct { + __be16 channels[3]; + u8 temp; + s64 ts; + } scan; }; static int mag3110_request(struct mag3110_data *data) @@ -387,10 +393,9 @@ static irqreturn_t mag3110_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mag3110_data *data = iio_priv(indio_dev); - u8 buffer[16]; /* 3 16-bit channels + 1 byte temp + padding + ts */ int ret; - ret = mag3110_read(data, (__be16 *) buffer); + ret = mag3110_read(data, data->scan.channels); if (ret < 0) goto done; @@ -399,10 +404,10 @@ static irqreturn_t mag3110_trigger_handler(int irq, void *p) MAG3110_DIE_TEMP); if (ret < 0) goto done; - buffer[6] = ret; + data->scan.temp = ret; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); done: From patchwork Mon May 25 17:06:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569093 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9FF731392 for ; Mon, 25 May 2020 17:09:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 88EE620723 for ; Mon, 25 May 2020 17:09:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426552; bh=CvCCODs9v6cJ+sXq8doRK2RVNbHkTrQleIsyW0aZ3bg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=p1Sad4cHXM9qwRKW/lbroOfayLLqVLXv3EfNLhDFAbz0/zyLhD9EM9RQ8P9/XrSQc 8lwukatlXKzzppYmbQpeDxSi33YRz1ToRozD1k/1guerjo4U/h0gm+INroQWoTmd7c sVg63szQ881KkHnWlFYM/2WtL8q4zQv6b+FVIqlA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391277AbgEYRJM (ORCPT ); Mon, 25 May 2020 13:09:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:42624 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJL (ORCPT ); Mon, 25 May 2020 13:09:11 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5D52720870; Mon, 25 May 2020 17:09:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426551; bh=CvCCODs9v6cJ+sXq8doRK2RVNbHkTrQleIsyW0aZ3bg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BFgApHMvqKGJ4ngpQ8h8ZiWM9zDjFeKOWrDEf5/vqvCBBjISQ9EsNwMJvTqnIdmpE DdSwtwpZq80oxC2aTDSVFYEUWEmZk+OjO4AhzD4qkO+uVkOFze5QA5fIbZP2x6zdTw 8lGcuFETGbQH9S7M7ECju2je3fw9Ljn4J+8avdLA= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Alison Schofield , Matt Ranostay Subject: [PATCH 09/25] iio:humidity:hdc100x Fix alignment and data leak issues Date: Mon, 25 May 2020 18:06:12 +0100 Message-Id: <20200525170628.503283-10-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 16bf793f86b2 ("iio: humidity: hdc100x: add triggered buffer support for HDC100X") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Alison Schofield Cc: Matt Ranostay Acked-by: Matt Ranostay --- drivers/iio/humidity/hdc100x.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/humidity/hdc100x.c b/drivers/iio/humidity/hdc100x.c index 7ecd2ffa3132..fd825e281d4f 100644 --- a/drivers/iio/humidity/hdc100x.c +++ b/drivers/iio/humidity/hdc100x.c @@ -38,6 +38,11 @@ struct hdc100x_data { /* integration time of the sensor */ int adc_int_us[2]; + /* Ensure natural alignment of timestamp */ + struct { + __be16 channels[2]; + s64 ts; + } scan; }; /* integration time in us */ @@ -322,7 +327,6 @@ static irqreturn_t hdc100x_trigger_handler(int irq, void *p) struct i2c_client *client = data->client; int delay = data->adc_int_us[0] + data->adc_int_us[1]; int ret; - s16 buf[8]; /* 2x s16 + padding + 8 byte timestamp */ /* dual read starts at temp register */ mutex_lock(&data->lock); @@ -333,13 +337,13 @@ static irqreturn_t hdc100x_trigger_handler(int irq, void *p) } usleep_range(delay, delay + 1000); - ret = i2c_master_recv(client, (u8 *)buf, 4); + ret = i2c_master_recv(client, (u8 *)data->scan.channels, 4); if (ret < 0) { dev_err(&client->dev, "cannot read sensor data\n"); goto err; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); err: mutex_unlock(&data->lock); From patchwork Mon May 25 17:06:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569095 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6EBA2739 for ; Mon, 25 May 2020 17:09:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 50CE02089D for ; Mon, 25 May 2020 17:09:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426555; bh=/K37xNWkiux7nVbz0T1QufBrgwbjsyiaXp95wAoXfbA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=o/z30U3rI2g33GDe0OeWIwmD24xG9edcEhpkpO8Q4AkgCZ/zI0paVEiQoUYNNcTK5 gXJtxcNxyUuXqs31MX6ExgmekkteNUyd2rGCOUXjMEcDpIASBpLCitKunPhk+OXUvF n+6xbl41lJ+Qk2vMe/nb7UJoEuUjJ6EWPKgSUmxI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391280AbgEYRJO (ORCPT ); Mon, 25 May 2020 13:09:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:42642 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388812AbgEYRJN (ORCPT ); Mon, 25 May 2020 13:09:13 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C110920878; Mon, 25 May 2020 17:09:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426552; bh=/K37xNWkiux7nVbz0T1QufBrgwbjsyiaXp95wAoXfbA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=XugG6PSgghvXabF3xfQp+XgVwL1N+f3BXmkgCcYBCbHtXkRAGHGN+/xy/+Bt1xa5z ipAXG+lQP5q8SCpdtAjnpI0lIEd55ovdW0m0c7LIfhctUyn9PWEFcbjU0bSssxl0Aa U6xkrHB+1n5XPxCYjj1z9m+c1Xk337X9fkh6+KF8= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Lorenzo Bianconi Subject: [PATCH 10/25] iio:humidity:hts221 Fix alignment and data leak issues Date: Mon, 25 May 2020 18:06:13 +0100 Message-Id: <20200525170628.503283-11-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: e4a70e3e7d84 ("iio: humidity: add support to hts221 rh/temp combo device") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Lorenzo Bianconi Acked-by: Lorenzo Bianconi --- drivers/iio/humidity/hts221.h | 5 +++++ drivers/iio/humidity/hts221_buffer.c | 9 +++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/iio/humidity/hts221.h b/drivers/iio/humidity/hts221.h index 7c650df77556..6ad579ca9cef 100644 --- a/drivers/iio/humidity/hts221.h +++ b/drivers/iio/humidity/hts221.h @@ -39,6 +39,11 @@ struct hts221_hw { bool enabled; u8 odr; + /* Ensure natural alignment of timestamp */ + struct { + __le16 channels[2]; + s64 ts; + } scan; }; extern const struct dev_pm_ops hts221_pm_ops; diff --git a/drivers/iio/humidity/hts221_buffer.c b/drivers/iio/humidity/hts221_buffer.c index 21c6c160462d..59ede9860185 100644 --- a/drivers/iio/humidity/hts221_buffer.c +++ b/drivers/iio/humidity/hts221_buffer.c @@ -160,7 +160,6 @@ static const struct iio_buffer_setup_ops hts221_buffer_ops = { static irqreturn_t hts221_buffer_handler_thread(int irq, void *p) { - u8 buffer[ALIGN(2 * HTS221_DATA_SIZE, sizeof(s64)) + sizeof(s64)]; struct iio_poll_func *pf = p; struct iio_dev *iio_dev = pf->indio_dev; struct hts221_hw *hw = iio_priv(iio_dev); @@ -170,18 +169,20 @@ static irqreturn_t hts221_buffer_handler_thread(int irq, void *p) /* humidity data */ ch = &iio_dev->channels[HTS221_SENSOR_H]; err = regmap_bulk_read(hw->regmap, ch->address, - buffer, HTS221_DATA_SIZE); + &hw->scan.channels[0], + sizeof(hw->scan.channels[0])); if (err < 0) goto out; /* temperature data */ ch = &iio_dev->channels[HTS221_SENSOR_T]; err = regmap_bulk_read(hw->regmap, ch->address, - buffer + HTS221_DATA_SIZE, HTS221_DATA_SIZE); + &hw->scan.channels[1], + sizeof(hw->scan.channels[1])); if (err < 0) goto out; - iio_push_to_buffers_with_timestamp(iio_dev, buffer, + iio_push_to_buffers_with_timestamp(iio_dev, &hw->scan, iio_get_time_ns(iio_dev)); out: From patchwork Mon May 25 17:06:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569097 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 86004739 for ; Mon, 25 May 2020 17:09:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6F9EA20849 for ; Mon, 25 May 2020 17:09:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426558; bh=QiHTxdk/MwrRdHI4WdZKznL5IopXuhyAOipatDZDTg0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=2swOq1gnrrUuwExLSI7nvcwaJMNNn01pgE/UOD6cdAXNs7IIqm0vn3mX2Z8OAPeMi CamPRs57U94LV2LZy29rw52Q5RiWS8Fg6Y7YLbCD+TXIs4f/4KMrfFQm+r4VVy+/nW YPPmQe9EeoXLzsKiJc3jDw8zwR10wIVZoT2Zc6DA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391288AbgEYRJP (ORCPT ); Mon, 25 May 2020 13:09:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:42660 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391279AbgEYRJO (ORCPT ); Mon, 25 May 2020 13:09:14 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 09A1A20723; Mon, 25 May 2020 17:09:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426553; bh=QiHTxdk/MwrRdHI4WdZKznL5IopXuhyAOipatDZDTg0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Y6gd+0opL5Dzu0FhCf7tdStObZJddWb76eHboUOjFuBLWoKNSBomE8Pk20CWbrCKj sU48rvEpg9iwdkY/y/j7ACTkK1QnPFgGsQiAwl0I21ZM8tGRnySn2WgNAhWwVERkw1 K83g686WrJUeWChax57BYAOzEIpcDGV7axQdf8Lk= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Daniel Baluta Subject: [PATCH 11/25] iio:imu:bmi160 Fix alignment and data leak issues Date: Mon, 25 May 2020 18:06:14 +0100 Message-Id: <20200525170628.503283-12-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable array in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 77c4ad2d6a9b ("iio: imu: Add initial support for Bosch BMI160") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Daniel Baluta --- drivers/iio/imu/bmi160/bmi160.h | 2 ++ drivers/iio/imu/bmi160/bmi160_core.c | 5 ++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/iio/imu/bmi160/bmi160.h b/drivers/iio/imu/bmi160/bmi160.h index 621f5309d735..fa071d9230ec 100644 --- a/drivers/iio/imu/bmi160/bmi160.h +++ b/drivers/iio/imu/bmi160/bmi160.h @@ -7,6 +7,8 @@ struct bmi160_data { struct regmap *regmap; struct iio_trigger *trig; + /* Ensure natural alignment for timestamp if present */ + __le16 buf[16] __aligned(8); }; extern const struct regmap_config bmi160_regmap_config; diff --git a/drivers/iio/imu/bmi160/bmi160_core.c b/drivers/iio/imu/bmi160/bmi160_core.c index 6af65d6f1d28..81977d427687 100644 --- a/drivers/iio/imu/bmi160/bmi160_core.c +++ b/drivers/iio/imu/bmi160/bmi160_core.c @@ -411,7 +411,6 @@ static irqreturn_t bmi160_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct bmi160_data *data = iio_priv(indio_dev); - __le16 buf[16]; /* 3 sens x 3 axis x __le16 + 3 x __le16 pad + 4 x __le16 tstamp */ int i, ret, j = 0, base = BMI160_REG_DATA_MAGN_XOUT_L; __le16 sample; @@ -422,10 +421,10 @@ static irqreturn_t bmi160_trigger_handler(int irq, void *p) &sample, sizeof(sample)); if (ret) goto done; - buf[j++] = sample; + data->buf[j++] = sample; } - iio_push_to_buffers_with_timestamp(indio_dev, buf, pf->timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, data->buf, pf->timestamp); done: iio_trigger_notify_done(indio_dev->trig); return IRQ_HANDLED; From patchwork Mon May 25 17:06:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569099 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DD71F159A for ; Mon, 25 May 2020 17:09:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C6ECD208A7 for ; Mon, 25 May 2020 17:09:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426558; bh=i9veCVP76NNaz3ItuFgqknUChsXzi53dbAYJ5UM7laA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=e7Qcr4zEGVP5z7Bfnpz58EM4uNVL7BtFW5vaenMCvMdZbl1QFqUyN5beC1Rj/Cp55 dsPehsZp91IqU/Wj0dPfETtzp8Ms+aJ9XEppuA3JKX8WdpljUrmBJqm7sOH8/YncPq EapTO+waDe0h8x6BQB/GoJArd1LMlTo558sJKbFU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391299AbgEYRJS (ORCPT ); Mon, 25 May 2020 13:09:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:42680 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391278AbgEYRJP (ORCPT ); Mon, 25 May 2020 13:09:15 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 48E382087D; Mon, 25 May 2020 17:09:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426555; bh=i9veCVP76NNaz3ItuFgqknUChsXzi53dbAYJ5UM7laA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1Gx+MtQFr3M4QCPjt/s/olu2mNnkUskC0jaVIkRvNx8wmeXv922ZSV9MIVKs5lPqE qoF5y7Fm657sy2QLivYkzAn9wECPYFKhC5mx9K/PSuaK1F/4YueHNDHuCoU+gywEZO Dp/8cDU7wBQvJw14zGKxAlZmURB7sFVjgO/08upg= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Lorenzo Bianconi Subject: [PATCH 12/25] iio:imu:st_lsm6dsx Fix alignment and data leak issues Date: Mon, 25 May 2020 18:06:15 +0100 Message-Id: <20200525170628.503283-13-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a set of suitable structures in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. There has been a lot of churn in this driver, so likely backports may be needed for stable. Fixes: 290a6ce11d93 ("iio: imu: add support to lsm6dsx driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Lorenzo Bianconi --- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 5 ++++ .../iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 27 ++++++++++--------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h index b56df409ed0f..5bc724eadc83 100644 --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h @@ -411,6 +411,11 @@ struct st_lsm6dsx_hw { const struct st_lsm6dsx_settings *settings; struct iio_mount_matrix orientation; + /* Ensure natural alignment of buffer elements */ + struct { + __le16 channels[3]; + s64 ts; + } gyro_scan, acc_scan, ext_scan; }; static __maybe_unused const struct iio_event_spec st_lsm6dsx_event = { diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c index afd00daeefb2..9bcffbfac797 100644 --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c @@ -341,9 +341,6 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw) int err, sip, acc_sip, gyro_sip, ts_sip, ext_sip, read_len, offset; u16 fifo_len, pattern_len = hw->sip * ST_LSM6DSX_SAMPLE_SIZE; u16 fifo_diff_mask = hw->settings->fifo_ops.fifo_diff.mask; - u8 gyro_buff[ST_LSM6DSX_IIO_BUFF_SIZE]; - u8 acc_buff[ST_LSM6DSX_IIO_BUFF_SIZE]; - u8 ext_buff[ST_LSM6DSX_IIO_BUFF_SIZE]; bool reset_ts = false; __le16 fifo_status; s64 ts = 0; @@ -404,18 +401,21 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw) while (acc_sip > 0 || gyro_sip > 0 || ext_sip > 0) { if (gyro_sip > 0 && !(sip % gyro_sensor->decimator)) { - memcpy(gyro_buff, &hw->buff[offset], - ST_LSM6DSX_SAMPLE_SIZE); + memcpy(hw->gyro_scan.channels, + &hw->buff[offset], + sizeof(hw->gyro_scan.channels)); offset += ST_LSM6DSX_SAMPLE_SIZE; } if (acc_sip > 0 && !(sip % acc_sensor->decimator)) { - memcpy(acc_buff, &hw->buff[offset], - ST_LSM6DSX_SAMPLE_SIZE); + memcpy(hw->acc_scan.channels, + &hw->buff[offset], + sizeof(hw->acc_scan.channels)); offset += ST_LSM6DSX_SAMPLE_SIZE; } if (ext_sip > 0 && !(sip % ext_sensor->decimator)) { - memcpy(ext_buff, &hw->buff[offset], - ST_LSM6DSX_SAMPLE_SIZE); + memcpy(hw->ext_scan.channels, + &hw->buff[offset], + sizeof(hw->ext_scan.channels)); offset += ST_LSM6DSX_SAMPLE_SIZE; } @@ -446,19 +446,22 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw) if (gyro_sip > 0 && !(sip % gyro_sensor->decimator)) { iio_push_to_buffers_with_timestamp( hw->iio_devs[ST_LSM6DSX_ID_GYRO], - gyro_buff, gyro_sensor->ts_ref + ts); + &hw->gyro_scan, + gyro_sensor->ts_ref + ts); gyro_sip--; } if (acc_sip > 0 && !(sip % acc_sensor->decimator)) { iio_push_to_buffers_with_timestamp( hw->iio_devs[ST_LSM6DSX_ID_ACC], - acc_buff, acc_sensor->ts_ref + ts); + &hw->acc_scan, + acc_sensor->ts_ref + ts); acc_sip--; } if (ext_sip > 0 && !(sip % ext_sensor->decimator)) { iio_push_to_buffers_with_timestamp( hw->iio_devs[ST_LSM6DSX_ID_EXT0], - ext_buff, ext_sensor->ts_ref + ts); + &hw->ext_scan, + ext_sensor->ts_ref + ts); ext_sip--; } sip++; From patchwork Mon May 25 17:06:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569101 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3735E159A for ; Mon, 25 May 2020 17:09:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1F1C3208A9 for ; Mon, 25 May 2020 17:09:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426560; bh=0ufRuxJl/lRnXdoUBSaEpO75Gd2neFd+09jSJEB88JI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=15BmPjqt62E1KgxAQAbmCb7oNtUWls+dYH0SAIEgRs2YPRZSPlTZAFmO1qK9mPiG2 a2QuPvBC5eUNrT3V1kYKCZ9LYzQvwZ28DWCbHPls58NoApRAxIAU2dlPhBKdBpG6PG /ZO9pgXP8DNoZeT7ZbjnfkDegc7wO9mN6fXyt78Q= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391298AbgEYRJT (ORCPT ); Mon, 25 May 2020 13:09:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:42740 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391297AbgEYRJR (ORCPT ); Mon, 25 May 2020 13:09:17 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 885A92089D; Mon, 25 May 2020 17:09:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426556; bh=0ufRuxJl/lRnXdoUBSaEpO75Gd2neFd+09jSJEB88JI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kMFLyO2uXqeL6vUVHMI8e1xpxgTBlsWTstMx9G27b4gFywumWcUqwDrnhVYy/F17y G08U928epfIMI9VmxDiCyxuQfmUImKvbvyqyMwCgpkZhI13NC4rW+frBGC1FuyNQIR 4gam4LBzm0/wjMhh4+np10vWFCBbeYdyQT0af73w= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Jean-Baptiste Maneyrol Subject: [PATCH 13/25] iio:imu:inv_mpu6050 Fix dma and ts alignment and data leak issues. Date: Mon, 25 May 2020 18:06:16 +0100 Message-Id: <20200525170628.503283-14-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron This case is a bit different to the rest of the series. The driver was doing a regmap_bulk_read into a buffer that wasn't dma safe as it was on the stack with no guarantee of it being in a cacheline on it's own. Fixing that also dealt with the data leak and alignment issues that Lars-Peter pointed out. Also removed some unaligned handling as we are now aligned. Fixes tag is for the dma safe buffer issue. Potentially we would need to backport timestamp alignment futher but that is a totally different patch. Fixes: fd64df16f40e ("iio: imu: inv_mpu6050: Add SPI support for MPU6000") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Jean-Baptiste Maneyrol Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 8 +++++--- drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c | 12 ++++++------ 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h index cd38b3fccc7b..e4df2d51b689 100644 --- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h @@ -122,6 +122,9 @@ struct inv_mpu6050_chip_config { u8 user_ctrl; }; +/* 6 + 6 + 2 + 7 (for MPU9x50) = 21 round up to 24 and plus 8 */ +#define INV_MPU6050_OUTPUT_DATA_SIZE 32 + /** * struct inv_mpu6050_hw - Other important hardware information. * @whoami: Self identification byte from WHO_AM_I register @@ -165,6 +168,7 @@ struct inv_mpu6050_hw { * @magn_raw_to_gauss: coefficient to convert mag raw value to Gauss. * @magn_orient: magnetometer sensor chip orientation if available. * @suspended_sensors: sensors mask of sensors turned off for suspend + * @data: dma safe buffer used for bulk reads. */ struct inv_mpu6050_state { struct mutex lock; @@ -190,6 +194,7 @@ struct inv_mpu6050_state { s32 magn_raw_to_gauss[3]; struct iio_mount_matrix magn_orient; unsigned int suspended_sensors; + u8 data[INV_MPU6050_OUTPUT_DATA_SIZE] ____cacheline_aligned; }; /*register and associated bit definition*/ @@ -334,9 +339,6 @@ struct inv_mpu6050_state { #define INV_ICM20608_TEMP_OFFSET 8170 #define INV_ICM20608_TEMP_SCALE 3059976 -/* 6 + 6 + 2 + 7 (for MPU9x50) = 21 round up to 24 and plus 8 */ -#define INV_MPU6050_OUTPUT_DATA_SIZE 32 - #define INV_MPU6050_REG_INT_PIN_CFG 0x37 #define INV_MPU6050_ACTIVE_HIGH 0x00 #define INV_MPU6050_ACTIVE_LOW 0x80 diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c index 9511e4715e2c..554c16592d47 100644 --- a/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c +++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_ring.c @@ -13,7 +13,6 @@ #include #include #include -#include #include "inv_mpu_iio.h" /** @@ -121,7 +120,6 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) struct inv_mpu6050_state *st = iio_priv(indio_dev); size_t bytes_per_datum; int result; - u8 data[INV_MPU6050_OUTPUT_DATA_SIZE]; u16 fifo_count; s64 timestamp; int int_status; @@ -160,11 +158,12 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) * read fifo_count register to know how many bytes are inside the FIFO * right now */ - result = regmap_bulk_read(st->map, st->reg->fifo_count_h, data, + result = regmap_bulk_read(st->map, st->reg->fifo_count_h, + st->data, INV_MPU6050_FIFO_COUNT_BYTE); if (result) goto end_session; - fifo_count = get_unaligned_be16(&data[0]); + fifo_count = be16_to_cpup((__be16 *)&st->data[0]); /* * Handle fifo overflow by resetting fifo. @@ -182,7 +181,7 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) inv_mpu6050_update_period(st, pf->timestamp, nb); for (i = 0; i < nb; ++i) { result = regmap_bulk_read(st->map, st->reg->fifo_r_w, - data, bytes_per_datum); + st->data, bytes_per_datum); if (result) goto flush_fifo; /* skip first samples if needed */ @@ -191,7 +190,8 @@ irqreturn_t inv_mpu6050_read_fifo(int irq, void *p) continue; } timestamp = inv_mpu6050_get_timestamp(st); - iio_push_to_buffers_with_timestamp(indio_dev, data, timestamp); + iio_push_to_buffers_with_timestamp(indio_dev, st->data, + timestamp); } end_session: From patchwork Mon May 25 17:06:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569103 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9026B739 for ; Mon, 25 May 2020 17:09:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6FF7C208A7 for ; Mon, 25 May 2020 17:09:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426560; bh=rVZ8obXG9Z449L0E2sVrhNZGsbFafinP9wKcqaPwfjQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Wal4JMy7RgoqMPgYKgJzhEoDVXddb3V8f19AP5hAzRxY++ykznZiadEYB51MWNccE Ujkv21IS0NQQgygOardxOWD4tV14L/KnqR4Y0fHopc2rox6s0nQxrPZZcFIlr35VFp a0gGZtqwLaUAjm2GdO8FSfJGCW3lds/GUMOeBdYg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391278AbgEYRJS (ORCPT ); Mon, 25 May 2020 13:09:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:42760 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391298AbgEYRJS (ORCPT ); Mon, 25 May 2020 13:09:18 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C6492207DA; Mon, 25 May 2020 17:09:16 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426557; bh=rVZ8obXG9Z449L0E2sVrhNZGsbFafinP9wKcqaPwfjQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cyWJ6lv6uHTqWc+CJ/HQeQl7zccY/GGIZLMMOrjnsU/JLqoqpMoK4oRd7bjY/82lI /SkQB0jYETfFuZPDy3FstYcZPpzetdDV6bKxCZ0cV3ErB1XAm/hzlBRsD5/0esC81s GWbigP4wRl80F2GenQ+3KTEW5cpIDYwEuP4EUFdo= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen Subject: [PATCH 14/25] iio:pressure:ms5611 Fix buffer element alignment Date: Mon, 25 May 2020 18:06:17 +0100 Message-Id: <20200525170628.503283-15-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Here there is no data leak possibility so use an explicit structure on the stack to ensure alignment and nice readable fashion. Fixes: 713bbb4efb9dc ("iio: pressure: ms5611: Add triggered buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/pressure/ms5611_core.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/pressure/ms5611_core.c b/drivers/iio/pressure/ms5611_core.c index 2f598ad91621..ba9cf9d77a4a 100644 --- a/drivers/iio/pressure/ms5611_core.c +++ b/drivers/iio/pressure/ms5611_core.c @@ -212,16 +212,21 @@ static irqreturn_t ms5611_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ms5611_state *st = iio_priv(indio_dev); - s32 buf[4]; /* s32 (pressure) + s32 (temp) + 2 * s32 (timestamp) */ + /* Ensure buffer elements are naturally aligned */ + struct { + s32 channels[2]; + s64 ts; + } scan; int ret; mutex_lock(&st->lock); - ret = ms5611_read_temp_and_pressure(indio_dev, &buf[1], &buf[0]); + ret = ms5611_read_temp_and_pressure(indio_dev, &scan.channels[1], + &scan.channels[0]); mutex_unlock(&st->lock); if (ret < 0) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); err: From patchwork Mon May 25 17:06:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569105 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 57F13739 for ; Mon, 25 May 2020 17:09:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 350A420899 for ; Mon, 25 May 2020 17:09:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426561; bh=CNWGTwBeYGJWxxzCexMKu10P8TSjcAkE0sqNRE5lu/Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=RGXLNMVMN2ImGTRbIaoqvR2NeZITmHsjczOYu7EfckX87XDqlQWBy1qvLXDgxpbKL eD3Yq77v9lBzqRdCT5dwM1KbIhC7o5sk3EsX6wdENPfr8BB9+LGi2f+EVJnkdd4s/d Tqt8y0Ji8HHkyylomwVpQ4Bysw1baSU9yKjvZJQk= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391303AbgEYRJU (ORCPT ); Mon, 25 May 2020 13:09:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:42778 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391300AbgEYRJT (ORCPT ); Mon, 25 May 2020 13:09:19 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E0AEC207D8; Mon, 25 May 2020 17:09:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426558; bh=CNWGTwBeYGJWxxzCexMKu10P8TSjcAkE0sqNRE5lu/Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sizrp5LYo7GJMNudqMb88tGXDWwf8RTL1XxuJ6+vfGrOeSVGlt4HQD10AECzPHNgt 7Ta0An6fghqafHnbB/yeuXDXIUTL+61oEwbrXg7hwm/bxyJ9O306fw3Q1cfr2qP4pK pEK7/wwkChI5ifx9ZkAWfl2GCCZ4YDX9oVmeDJjA= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Peter Meerwald Subject: [PATCH 15/25] iio:pressure:mpl3115 Force alignment of buffer Date: Mon, 25 May 2020 18:06:18 +0100 Message-Id: <20200525170628.503283-16-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron Whilst this is another case of the issue Lars reported with an array of elements of smaller than 8 bytes being passed to iio_push_to_buffers_with_timestamp, the solution here is a bit different from the other cases and relies on __aligned working on the stack (true since 4.6?) This one is unusual. We have to do an explicit memset each time as we are reading 3 bytes into a potential 4 byte channel which may sometimes be a 2 byte channel depending on what is enabled. As such, moving the buffer to the heap in the iio_priv structure doesn't save us much. We can't use a nice explicit structure on the stack either as the data channels have different storage sizes and are all separately controlled. Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Peter Meerwald --- drivers/iio/pressure/mpl3115.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/iio/pressure/mpl3115.c b/drivers/iio/pressure/mpl3115.c index d066f3c5a8a6..1eb761befcbe 100644 --- a/drivers/iio/pressure/mpl3115.c +++ b/drivers/iio/pressure/mpl3115.c @@ -144,7 +144,8 @@ static irqreturn_t mpl3115_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct mpl3115_data *data = iio_priv(indio_dev); - u8 buffer[16]; /* 32-bit channel + 16-bit channel + padding + ts */ + /* 32-bit channel + 16-bit channel + padding + ts */ + u8 buffer[16] __aligned(8); int ret, pos = 0; mutex_lock(&data->lock); From patchwork Mon May 25 17:06:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569107 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 98515159A for ; Mon, 25 May 2020 17:09:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8086A208A7 for ; Mon, 25 May 2020 17:09:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426561; bh=f/Nc+hedZHg36KsmzFlx/ePuPCJOi0vgAcBQ6L23fr0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=tIxKeO7dsw5xvWG3Hgb06SsK/pkzIxqFUT5FOkccRSXC/YGywV5qHdQ12UU5LvHhG RommXCrmlHFzmAYKViOKMxaLQ83lEIbKa8Li4tsf7RoofT1+lgZ5DXePV69gQlW6SH 4Jer/wYO+3yCiD+yaLF2mHJEJdSJtKG1I1373L0M= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391300AbgEYRJV (ORCPT ); Mon, 25 May 2020 13:09:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:42806 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391297AbgEYRJU (ORCPT ); Mon, 25 May 2020 13:09:20 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2C67F20849; Mon, 25 May 2020 17:09:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426559; bh=f/Nc+hedZHg36KsmzFlx/ePuPCJOi0vgAcBQ6L23fr0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gMBwNncBiWiGqwGuZIOXEAW8hDbdPMLKL5ZZsGJKarLetA3w4dlZDnuD/WmJGBopv 9eBBdag2NcId3pMApdBede0f8w4A7HWr+puLYhtkcuMVSY0g1eDkYaTdPPn+e9Pn0f qYkYI4iYc+7WIYtuIcpeHtaw7iju8Vwe1+DU4K0I= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen Subject: [PATCH 16/25] iio:adc:ti-adc081c Fix alignment and data leak issues Date: Mon, 25 May 2020 18:06:19 +0100 Message-Id: <20200525170628.503283-17-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 08e05d1fce5c (" ti-adc081c: Initial triggered buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron --- drivers/iio/adc/ti-adc081c.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ti-adc081c.c b/drivers/iio/adc/ti-adc081c.c index 0235863ff77b..a5c1a438370d 100644 --- a/drivers/iio/adc/ti-adc081c.c +++ b/drivers/iio/adc/ti-adc081c.c @@ -33,6 +33,12 @@ struct adc081c { /* 8, 10 or 12 */ int bits; + + /* Ensure natural alignment of buffer elements */ + struct { + u16 channel; + s64 ts; + } scan; }; #define REG_CONV_RES 0x00 @@ -128,14 +134,13 @@ static irqreturn_t adc081c_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct adc081c *data = iio_priv(indio_dev); - u16 buf[8]; /* 2 bytes data + 6 bytes padding + 8 bytes timestamp */ int ret; ret = i2c_smbus_read_word_swapped(data->i2c, REG_CONV_RES); if (ret < 0) goto out; - buf[0] = ret; - iio_push_to_buffers_with_timestamp(indio_dev, buf, + data->scan.channel = ret; + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, iio_get_time_ns(indio_dev)); out: iio_trigger_notify_done(indio_dev->trig); From patchwork Mon May 25 17:06:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569109 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4CAAF1392 for ; Mon, 25 May 2020 17:09:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2BCE920870 for ; Mon, 25 May 2020 17:09:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426563; bh=+xpa65jymIGOxUbAyYqIQ5ig/I8NZrqJJOUJ32e7LxQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=r+6fFtWbXe3FT3eP9f9cnaTcvp8RbA4HEDZKt57VTvApzZF2eRwqmw5504gAnPLwQ +UwyHUaAADhdG7AVusdYcxAKW7i1ZWveWRuSIktMnxQOjWOMnHGCu3iZpgvl1+AFKM viHA23XvaVwt4IDjhO0fKLZy2ZwUqIgR1cbT6eVU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391302AbgEYRJW (ORCPT ); Mon, 25 May 2020 13:09:22 -0400 Received: from mail.kernel.org ([198.145.29.99]:42820 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391297AbgEYRJV (ORCPT ); Mon, 25 May 2020 13:09:21 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 42A02208A9; Mon, 25 May 2020 17:09:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426561; bh=+xpa65jymIGOxUbAyYqIQ5ig/I8NZrqJJOUJ32e7LxQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ci1G0Uh60xxyXvXaiSQcSZfcDnMiuzg3Sk2i5pa4XVffSXojcH2UkksYler848+oL tcFVwtFiE4gXuLByK3pgpHIYPZ6ouymWaeCBPrxhjw9XA5BQPlufhFwzu/msrEtLY5 5kfDaiKwdxlHeQyvPR9P/+stUda30Vw1DA1uLEt4= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , =?utf-8?q?M=C3=A5rten_Lindahl?= Subject: [PATCH 17/25] iio:adc:ti-adc084s021 Fix alignment and data leak issues. Date: Mon, 25 May 2020 18:06:20 +0100 Message-Id: <20200525170628.503283-18-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv(). This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 3691e5a69449 ("iio: adc: add driver for the ti-adc084s021 chip") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Mårten Lindahl --- drivers/iio/adc/ti-adc084s021.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ti-adc084s021.c b/drivers/iio/adc/ti-adc084s021.c index bdedf456ee05..36d874cced9d 100644 --- a/drivers/iio/adc/ti-adc084s021.c +++ b/drivers/iio/adc/ti-adc084s021.c @@ -25,6 +25,11 @@ struct adc084s021 { struct spi_transfer spi_trans; struct regulator *reg; struct mutex lock; + /* Buffer used to align data */ + struct { + __be16 channels[4]; + s64 ts; + } scan; /* * DMA (thus cache coherency maintenance) requires the * transfer buffers to live in their own cache line. @@ -140,14 +145,13 @@ static irqreturn_t adc084s021_buffer_trigger_handler(int irq, void *pollfunc) struct iio_poll_func *pf = pollfunc; struct iio_dev *indio_dev = pf->indio_dev; struct adc084s021 *adc = iio_priv(indio_dev); - __be16 data[8] = {0}; /* 4 * 16-bit words of data + 8 bytes timestamp */ mutex_lock(&adc->lock); - if (adc084s021_adc_conversion(adc, &data) < 0) + if (adc084s021_adc_conversion(adc, adc->scan.channels) < 0) dev_err(&adc->spi->dev, "Failed to read data\n"); - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, &adc->scan, iio_get_time_ns(indio_dev)); mutex_unlock(&adc->lock); iio_trigger_notify_done(indio_dev->trig); From patchwork Mon May 25 17:06:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569111 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C0486739 for ; Mon, 25 May 2020 17:09:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A9D2720870 for ; Mon, 25 May 2020 17:09:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426563; bh=nFosc3nmDM7l3/dxYkBECh+zB/K54jghac146JKe5J0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=HrZ6dpS5bsWtFsHRZJYPHrPv6Eormw2fCjXqKBlm2zF6zPgYNKj/faHWE/7xjspAK c3p0yozoRm88XcoTUCB4tqzDrg9Yaq3iJSogCE3BTVuOI9km8e9H56G1MV8DmhhOR4 gB4RSOLPo5S+CTI9KAWNsj88UECI4xsHBStC8Iu8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391297AbgEYRJW (ORCPT ); Mon, 25 May 2020 13:09:22 -0400 Received: from mail.kernel.org ([198.145.29.99]:42834 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJW (ORCPT ); Mon, 25 May 2020 13:09:22 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 810EB208B3; Mon, 25 May 2020 17:09:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426562; bh=nFosc3nmDM7l3/dxYkBECh+zB/K54jghac146JKe5J0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nRpTeJkK6cfOEUyE7uB52wrE4vfwvu0AqQVdvQucYEYuD8fppyutxLwBuinTKHoGD 30kqfuM2HPYpwRNZiL8oCyropVF01s6QEo2M/K5I76V29LCr0n81fPjobhOHITNoHo IMKSNtbJSRoBpWtFLi3EviX3VaR7yRsuO4m1mxis= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron Subject: [PATCH 18/25] iio:adc:ti-adc084s021 Tidy up endian types Date: Mon, 25 May 2020 18:06:21 +0100 Message-Id: <20200525170628.503283-19-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron By adding a few local variables and avoiding a void * for a parameter we can easily make all the endian types explicit and get rid of the warnings from sparse: CHECK drivers/iio/adc/ti-adc084s021.c drivers/iio/adc/ti-adc084s021.c:84:26: warning: incorrect type in assignment (different base types) drivers/iio/adc/ti-adc084s021.c:84:26: expected unsigned short [usertype] drivers/iio/adc/ti-adc084s021.c:84:26: got restricted __be16 drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16 drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16 drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16 drivers/iio/adc/ti-adc084s021.c:115:24: warning: cast to restricted __be16 Signed-off-by: Jonathan Cameron --- drivers/iio/adc/ti-adc084s021.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/iio/adc/ti-adc084s021.c b/drivers/iio/adc/ti-adc084s021.c index 36d874cced9d..4e393cb44caa 100644 --- a/drivers/iio/adc/ti-adc084s021.c +++ b/drivers/iio/adc/ti-adc084s021.c @@ -69,11 +69,10 @@ static const struct iio_chan_spec adc084s021_channels[] = { * @adc: The ADC SPI data. * @data: Buffer for converted data. */ -static int adc084s021_adc_conversion(struct adc084s021 *adc, void *data) +static int adc084s021_adc_conversion(struct adc084s021 *adc, __be16 *data) { int n_words = (adc->spi_trans.len >> 1) - 1; /* Discard first word */ int ret, i = 0; - u16 *p = data; /* Do the transfer */ ret = spi_sync(adc->spi, &adc->message); @@ -81,7 +80,7 @@ static int adc084s021_adc_conversion(struct adc084s021 *adc, void *data) return ret; for (; i < n_words; i++) - *(p + i) = adc->rx_buf[i + 1]; + *(data + i) = adc->rx_buf[i + 1]; return ret; } @@ -92,6 +91,7 @@ static int adc084s021_read_raw(struct iio_dev *indio_dev, { struct adc084s021 *adc = iio_priv(indio_dev); int ret; + __be16 be_val; switch (mask) { case IIO_CHAN_INFO_RAW: @@ -106,13 +106,13 @@ static int adc084s021_read_raw(struct iio_dev *indio_dev, } adc->tx_buf[0] = channel->channel << 3; - ret = adc084s021_adc_conversion(adc, val); + ret = adc084s021_adc_conversion(adc, &be_val); iio_device_release_direct_mode(indio_dev); regulator_disable(adc->reg); if (ret < 0) return ret; - *val = be16_to_cpu(*val); + *val = be16_to_cpu(be_val); *val = (*val >> channel->scan_type.shift) & 0xff; return IIO_VAL_INT; From patchwork Mon May 25 17:06:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569113 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C72CA739 for ; Mon, 25 May 2020 17:09:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A6AB620723 for ; Mon, 25 May 2020 17:09:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426564; bh=GIXYLtXq1Eg29sZPC/QkiQGfghod5tYMkm1NEimzBXk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=PXnDZA1MBLlidTQNGTjCXVPAO7dqik5XqqHw3+ppTz4PB9tB49CNO7+RXwc/NfIb+ ZbxLHS9mieC8zTXCnhXLUHSYviPt+0drIxBOeL/6ljDXJ+2hag2oi5t17R8uCNDd6T UjsJzri3IHXw0RHTzK/M8PeZsBa7bZ0qTJVkUqoM= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391304AbgEYRJY (ORCPT ); Mon, 25 May 2020 13:09:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:42846 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJX (ORCPT ); Mon, 25 May 2020 13:09:23 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 764ED2078B; Mon, 25 May 2020 17:09:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426563; bh=GIXYLtXq1Eg29sZPC/QkiQGfghod5tYMkm1NEimzBXk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1dljblTPtUW/QOZRiFoIV62X7qqBq/CoEHaCecWJB1Qukwp3hxcNBEZlS4Yx6CXRE F2m9TPqvUuhWqk7lzelU81JNHydsEn2bN1gsYB0xdUEG8vaIstcBFNg/ClcnW0z96a tcclGEfx+X4A+L6ZoI4lAsVy0O8C60pXtSino5QQ= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Andy Shevchenko Subject: [PATCH 19/25] iio:adc:ti-ads1015 Fix buffer element alignment Date: Mon, 25 May 2020 18:06:22 +0100 Message-Id: <20200525170628.503283-20-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Here we use an explicit structure and rely on that to enforce alignment on the stack. Note there was never a data leak here due to the explicit memset. Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Andy Shevchenko --- drivers/iio/adc/ti-ads1015.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/ti-ads1015.c b/drivers/iio/adc/ti-ads1015.c index 5ea4f45d6bad..05853723dbdb 100644 --- a/drivers/iio/adc/ti-ads1015.c +++ b/drivers/iio/adc/ti-ads1015.c @@ -385,10 +385,14 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ads1015_data *data = iio_priv(indio_dev); - s16 buf[8]; /* 1x s16 ADC val + 3x s16 padding + 4x s16 timestamp */ + /* Ensure natural alignment for buffer elements */ + struct { + s16 channel; + s64 ts; + } scan; int chan, ret, res; - memset(buf, 0, sizeof(buf)); + memset(&scan, 0, sizeof(scan)); mutex_lock(&data->lock); chan = find_first_bit(indio_dev->active_scan_mask, @@ -399,10 +403,10 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p) goto err; } - buf[0] = res; + scan.channel = res; mutex_unlock(&data->lock); - iio_push_to_buffers_with_timestamp(indio_dev, buf, + iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns(indio_dev)); err: From patchwork Mon May 25 17:06:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569115 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 12EF0739 for ; Mon, 25 May 2020 17:09:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id F017D20776 for ; Mon, 25 May 2020 17:09:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426566; bh=j5orTSX/27oQbVPk5oYRFnnZSh0KwF86SEvaraRl1TE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=IygVibJFH+OMBwhzCxEwAz8hgRXKvB/k85x/mdCn3qWYSAqRw6q4nBxLui4t9/NdW lBJ5r9Azi5HNgpFaTv2wQ8pCxYdhWVR+P7cHR4dLpHdvh+VnQHo6tq5nMfoH2EAkvZ D/KGYKM2EA/0KeLbztzqT6O1GfD8oHTTJ4KYMMhg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391305AbgEYRJZ (ORCPT ); Mon, 25 May 2020 13:09:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:42866 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJZ (ORCPT ); Mon, 25 May 2020 13:09:25 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B4B4120878; Mon, 25 May 2020 17:09:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426564; bh=j5orTSX/27oQbVPk5oYRFnnZSh0KwF86SEvaraRl1TE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1eWOV8hNQt1cVwkAn6S8nbpMZt4SnfhDYL01vLC3hhAfumXQIuNmBwdjFR+khLGyW WAUwbB6cJfhmf3vL3d9HbeFU/AnfhnsTpMumpwn7rvUxkPEtazzv40AYDUKlq1uXCn UK8vZnv6+HsKr3KwBkvsohEOupZdWK4rE5LBnmo4= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Dan Murphy Subject: [PATCH 20/25] iio:adc:ti-ads124s08 Fix alignment and data leak issues. Date: Mon, 25 May 2020 18:06:23 +0100 Message-Id: <20200525170628.503283-21-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: e717f8c6dfec ("iio: adc: Add the TI ads124s08 ADC code") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Dan Murphy --- drivers/iio/adc/ti-ads124s08.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ti-ads124s08.c b/drivers/iio/adc/ti-ads124s08.c index f1ee3b1e2827..fb0da62b09f5 100644 --- a/drivers/iio/adc/ti-ads124s08.c +++ b/drivers/iio/adc/ti-ads124s08.c @@ -99,6 +99,11 @@ struct ads124s_private { struct gpio_desc *reset_gpio; struct spi_device *spi; struct mutex lock; + /* + * Used to correctly align data. + * Ensure timestamp is naturally aligned. + */ + u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8); u8 data[5] ____cacheline_aligned; }; @@ -269,7 +274,6 @@ static irqreturn_t ads124s_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct ads124s_private *priv = iio_priv(indio_dev); - u32 buffer[ADS124S08_MAX_CHANNELS + sizeof(s64)/sizeof(u16)]; int scan_index, j = 0; int ret; @@ -284,7 +288,7 @@ static irqreturn_t ads124s_trigger_handler(int irq, void *p) if (ret) dev_err(&priv->spi->dev, "Start ADC conversions failed\n"); - buffer[j] = ads124s_read(indio_dev, scan_index); + priv->buffer[j] = ads124s_read(indio_dev, scan_index); ret = ads124s_write_cmd(indio_dev, ADS124S08_STOP_CONV); if (ret) dev_err(&priv->spi->dev, "Stop ADC conversions failed\n"); @@ -292,7 +296,7 @@ static irqreturn_t ads124s_trigger_handler(int irq, void *p) j++; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, priv->buffer, pf->timestamp); iio_trigger_notify_done(indio_dev->trig); From patchwork Mon May 25 17:06:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569117 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 91E231392 for ; Mon, 25 May 2020 17:09:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 719E52084C for ; Mon, 25 May 2020 17:09:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426567; bh=G68Usw2U6nRxeR+vJb7TeOGTTy2D2HEYNeEVvVD3bK4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=NZjtWrI4nlI+dazI+58uoEjDPW1yNcDxp4+BhnkxO+gtmPXAYC8rOzBSyK92Z8ZiL DDQTAakyT5gjQv9HrQ1REd9lN2bK+FDaiCRz4ylUjWX1h3AqvPSKse102PqpYDcGrI gmrouk4AmA+vYNQoEBZvYJB4dBRU3K+XUnBkl30M= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391306AbgEYRJ0 (ORCPT ); Mon, 25 May 2020 13:09:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:42878 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJ0 (ORCPT ); Mon, 25 May 2020 13:09:26 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id F3E4620723; Mon, 25 May 2020 17:09:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426565; bh=G68Usw2U6nRxeR+vJb7TeOGTTy2D2HEYNeEVvVD3bK4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cZ9AblseYwu4LnfJXGWBRpiB+0T8iJCpaq2V+f5Jaz/EXye/xn00OYYPc4GMhb2Su C19P7sGNC+P2ZX3Hiifpor/iFNpNkT8rDkgfbs3j2syZZOTd+01SQS/ybtLReqCul1 fpx18DPEbya/OoMKo8uJzmM+5vkjVPTMix/HTTpU= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Sean Nyekjaer Subject: [PATCH 21/25] iio:adc:ti-ads8688 Fix alignment and potential data leak issue Date: Mon, 25 May 2020 18:06:24 +0100 Message-Id: <20200525170628.503283-22-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 32 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 2a86487786b5 ("iio: adc: ti-ads8688: add trigger and buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Sean Nyekjaer --- drivers/iio/adc/ti-ads8688.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ti-ads8688.c b/drivers/iio/adc/ti-ads8688.c index 14fe7c320b52..8acc0f59de60 100644 --- a/drivers/iio/adc/ti-ads8688.c +++ b/drivers/iio/adc/ti-ads8688.c @@ -68,6 +68,12 @@ struct ads8688_state { struct regulator *reg; unsigned int vref_mv; enum ads8688_range range[8]; + /* + * Used to align data for pushing to IIO. + * Ensure natural alignment of timestamps + */ + u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)] __aligned(8); + union { __be32 d32; u8 d8[4]; @@ -383,17 +389,17 @@ static irqreturn_t ads8688_trigger_handler(int irq, void *p) { struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; - u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)]; + struct ads8688_state *st = iio_priv(indio_dev); int i, j = 0; for (i = 0; i < indio_dev->masklength; i++) { if (!test_bit(i, indio_dev->active_scan_mask)) continue; - buffer[j] = ads8688_read(indio_dev, i); + st->buffer[j] = ads8688_read(indio_dev, i); j++; } - iio_push_to_buffers_with_timestamp(indio_dev, buffer, + iio_push_to_buffers_with_timestamp(indio_dev, st->buffer, iio_get_time_ns(indio_dev)); iio_trigger_notify_done(indio_dev->trig); From patchwork Mon May 25 17:06:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569119 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B03551392 for ; Mon, 25 May 2020 17:09:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9043520870 for ; Mon, 25 May 2020 17:09:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426568; bh=AETRhCeY7BNet5jvDUX2jK+rvWgMOMebVUXzSDccbDk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=s8y+1L483P7+5Tb5LBfR7FPP8ms1jfS5dytV71WVpFPhoEAhgtvkUSBqxUh7JTZxt vtuGbfoKw39lWFNL8z8q0bBFFmVFq685jW0owTmk86tDh+AZqhDFZbNXXzeAvjhOvR ce16FXSddMvj7xLsaJ+VpCEQXHjS/vir0uhEBWNg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391307AbgEYRJ2 (ORCPT ); Mon, 25 May 2020 13:09:28 -0400 Received: from mail.kernel.org ([198.145.29.99]:42890 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJ1 (ORCPT ); Mon, 25 May 2020 13:09:27 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 406E320776; Mon, 25 May 2020 17:09:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426567; bh=AETRhCeY7BNet5jvDUX2jK+rvWgMOMebVUXzSDccbDk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fXtE8LjcCBZCfCaGIw955mkuI/XP5yKE5Qy5oZIqHr4hH6iTlelMYlXrVL1uqvYng c2Lptvx0tMGY93EGr6v13Onj3ri2xFSi2AJTt/nXrR/ntteNmYI+HtokX8ClqV8CQq 7D2r1ibkTO1YSKFUKdti0q3rl56zAmftobSpuDmI= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Akinobu Mita Subject: [PATCH 22/25] iio:adc:ti-adc0832 Fix alignment issue with timestamp Date: Mon, 25 May 2020 18:06:25 +0100 Message-Id: <20200525170628.503283-23-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. We fix this issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Note that previously no data could leak 'including' previous readings but I don't think it is an issue to potentially leak them like this now does. Fixes: 815bbc87462a ("iio: ti-adc0832: add triggered buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Akinobu Mita --- drivers/iio/adc/ti-adc0832.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/ti-adc0832.c b/drivers/iio/adc/ti-adc0832.c index 6ea39f4bbb37..f94c862b7821 100644 --- a/drivers/iio/adc/ti-adc0832.c +++ b/drivers/iio/adc/ti-adc0832.c @@ -28,6 +28,8 @@ struct adc0832 { struct regulator *reg; struct mutex lock; u8 mux_bits; + /* 16x 1 byte ADC data + 8 bytes timestamp */ + u8 data[24] __aligned(8); u8 tx_buf[2] ____cacheline_aligned; u8 rx_buf[2]; @@ -199,7 +201,6 @@ static irqreturn_t adc0832_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct adc0832 *adc = iio_priv(indio_dev); - u8 data[24] = { }; /* 16x 1 byte ADC data + 8 bytes timestamp */ int scan_index; int i = 0; @@ -217,10 +218,10 @@ static irqreturn_t adc0832_trigger_handler(int irq, void *p) goto out; } - data[i] = ret; + adc->data[i] = ret; i++; } - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, adc->data, iio_get_time_ns(indio_dev)); out: mutex_unlock(&adc->lock); From patchwork Mon May 25 17:06:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569121 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D4A66739 for ; Mon, 25 May 2020 17:09:29 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BE37020870 for ; Mon, 25 May 2020 17:09:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426569; bh=akRiI9CTbMvpt2jnNGW/thGQ9nPtuuI7mj741tEoFz4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=1bPuhxzCOHqYlCQ0nXiWsO+RctzjMCaydYLtQBFO/upBjRq8nStDYoXjZMT7KOLTt SnYz63pu1fvQhAuU5O5nmRXU5MnmOUYJLU//LK+MzCUmQbzBHyc8/4VYzQJIH7Zlo2 q2C5CFvkViJ1WKzzYa/ceWscvZsw7txjlyc+jifI= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391308AbgEYRJ3 (ORCPT ); Mon, 25 May 2020 13:09:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:42902 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJ2 (ORCPT ); Mon, 25 May 2020 13:09:28 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 825FA20899; Mon, 25 May 2020 17:09:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426568; bh=akRiI9CTbMvpt2jnNGW/thGQ9nPtuuI7mj741tEoFz4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YHaFuV7HjAjlqe0FNH7mBotrfgPbRm2lIbe3zQR1ec8gee8pR/KOZI5NwTjtk6kIA D0wCzcOcPbIzSpvYFO6NynjviO7vaJFHI/y0EJb8Uo78dIh4+OBwYtNGCCETVJbOBN /FaahbXimW9HodBDC1l9Y5upwZiDUg2TVW7IRpdA= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Akinobu Mita Subject: [PATCH 23/25] iio:adc:ti-adc12138 Fix alignment issue with timestamp Date: Mon, 25 May 2020 18:06:26 +0100 Message-Id: <20200525170628.503283-24-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. We move to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. Note that previously no leak at all could occur, but previous readings should never be a problem. Fixes: 50a6edb1b6e0 ("iio: adc: add ADC12130/ADC12132/ADC12138 ADC driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Akinobu Mita --- drivers/iio/adc/ti-adc12138.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/ti-adc12138.c b/drivers/iio/adc/ti-adc12138.c index 68a9dcb8faa2..f764c3694a96 100644 --- a/drivers/iio/adc/ti-adc12138.c +++ b/drivers/iio/adc/ti-adc12138.c @@ -47,6 +47,8 @@ struct adc12138 { struct completion complete; /* The number of cclk periods for the S/H's acquisition time */ unsigned int acquisition_time; + /* 16x 2 bytes ADC data + 8 bytes timestamp */ + __be16 data[20] __aligned(8); u8 tx_buf[2] ____cacheline_aligned; u8 rx_buf[2]; @@ -329,7 +331,6 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct adc12138 *adc = iio_priv(indio_dev); - __be16 data[20] = { }; /* 16x 2 bytes ADC data + 8 bytes timestamp */ __be16 trash; int ret; int scan_index; @@ -345,7 +346,7 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) reinit_completion(&adc->complete); ret = adc12138_start_and_read_conv(adc, scan_chan, - i ? &data[i - 1] : &trash); + i ? &adc->data[i - 1] : &trash); if (ret) { dev_warn(&adc->spi->dev, "failed to start conversion\n"); @@ -362,7 +363,7 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) } if (i) { - ret = adc12138_read_conv_data(adc, &data[i - 1]); + ret = adc12138_read_conv_data(adc, &adc->data[i - 1]); if (ret) { dev_warn(&adc->spi->dev, "failed to get conversion data\n"); @@ -370,7 +371,7 @@ static irqreturn_t adc12138_trigger_handler(int irq, void *p) } } - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, adc->data, iio_get_time_ns(indio_dev)); out: mutex_unlock(&adc->lock); From patchwork Mon May 25 17:06:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569123 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 598881392 for ; Mon, 25 May 2020 17:09:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4338920870 for ; Mon, 25 May 2020 17:09:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426571; bh=Wu6mvDbeHBOOgIe4UaMtENrclvA24EsKP2BStbE5TWg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=Y6Am+jXvX7MnrgVZax2zXqhyrB+Lx5KA5KfFSg/uuNvUQs3pPtWW0H2nXNVBEicfJ 0s6h+4rwMjH32GMuYD8jN++8YqoDybvJh3uL1oobC/VW6IA5StTom4DtgmEEtE/Vjj BK5JDHjyRulHh3EG7vTuuKukM+1J4RE38Tu3UmUY= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391309AbgEYRJa (ORCPT ); Mon, 25 May 2020 13:09:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:42918 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJa (ORCPT ); Mon, 25 May 2020 13:09:30 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C6F6D2084C; Mon, 25 May 2020 17:09:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426569; bh=Wu6mvDbeHBOOgIe4UaMtENrclvA24EsKP2BStbE5TWg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mcZjXG3GarrUmMruwaGFLISccDimDCzXgmB3K60G43wIfa+WPnFziq0VtYTgS/R6s 1EfJpKfTjm59UPdOLMpxyFeYrr134JuxYPXxQTEjfDlXPWL9lrh7bkK0ME5MFyZVF3 iNST4mBaY1g+YXMu0RrhzcMsKYxb2SAUGIXxPZYI= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , =?utf-8?q?Stefan_Br=C3=BCns?= , Marc Titinger Subject: [PATCH 24/25] iio:adc:ina2xx Fix timestamp alignment issue. Date: Mon, 25 May 2020 18:06:27 +0100 Message-Id: <20200525170628.503283-25-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 32 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak apart from previous readings. If we want this in older stables will need manual backport due to driver reworks. Fixes: c43a102e67db ("iio: ina2xx: add support for TI INA2xx Power Monitors") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Stefan Brüns Cc: Marc Titinger --- drivers/iio/adc/ina2xx-adc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/iio/adc/ina2xx-adc.c b/drivers/iio/adc/ina2xx-adc.c index bdd7cba6f6b0..ed2d069b791a 100644 --- a/drivers/iio/adc/ina2xx-adc.c +++ b/drivers/iio/adc/ina2xx-adc.c @@ -146,6 +146,8 @@ struct ina2xx_chip_info { int range_vbus; /* Bus voltage maximum in V */ int pga_gain_vshunt; /* Shunt voltage PGA gain */ bool allow_async_readout; + /* data buffer needs space for channel data and timestap */ + unsigned short data[4 + sizeof(s64)/sizeof(short)] __aligned(8); }; static const struct ina2xx_config ina2xx_config[] = { @@ -738,8 +740,6 @@ static int ina2xx_conversion_ready(struct iio_dev *indio_dev) static int ina2xx_work_buffer(struct iio_dev *indio_dev) { struct ina2xx_chip_info *chip = iio_priv(indio_dev); - /* data buffer needs space for channel data and timestap */ - unsigned short data[4 + sizeof(s64)/sizeof(short)]; int bit, ret, i = 0; s64 time; @@ -758,10 +758,10 @@ static int ina2xx_work_buffer(struct iio_dev *indio_dev) if (ret < 0) return ret; - data[i++] = val; + chip->data[i++] = val; } - iio_push_to_buffers_with_timestamp(indio_dev, data, time); + iio_push_to_buffers_with_timestamp(indio_dev, chip->data, time); return 0; }; From patchwork Mon May 25 17:06:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jonathan Cameron X-Patchwork-Id: 11569125 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6AFD8739 for ; Mon, 25 May 2020 17:09:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4A8DC20849 for ; Mon, 25 May 2020 17:09:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426573; bh=s3OTwiKGmtQFWWFLEttjDV3dHScyMzmuOmgsAQChbvY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=wxxeToeBNmdaj2PrWqp2YuZqo5q+AONjOodd5RjJ1/ieiNG4JNTV2ZygpPgL1zhWL 3BIlT76bgHHTs3zhEidT962uci6NTB2n8dakLPts0nkkcaqvHBidllG8XbYFk0icNg 27r/lYChCw6vJU1rxIr99dE3AN9nBxBnYgqHmy08= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391310AbgEYRJd (ORCPT ); Mon, 25 May 2020 13:09:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:42928 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391301AbgEYRJb (ORCPT ); Mon, 25 May 2020 13:09:31 -0400 Received: from localhost.localdomain (cpc149474-cmbg20-2-0-cust94.5-4.cable.virginm.net [82.4.196.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3AC3F207D8; Mon, 25 May 2020 17:09:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590426571; bh=s3OTwiKGmtQFWWFLEttjDV3dHScyMzmuOmgsAQChbvY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=x8AD/5yskj6IXoPdvfPZ4pgi647fiGgbshx6VI+ybASZ2r0H/xpu1VLbVGf42LH0L YRQ520H7kU5RsZMrzf5CzPhAgvF+4SV2E3txET5W+Awdcq1+pugPJFrM25lpm39Z6u hpC6sc/qXxpZ7V1lLITCkofiD95o9EGdgPlpMcjc= From: Jonathan Cameron To: linux-iio@vger.kernel.org Cc: Jonathan Cameron , Lars-Peter Clausen , Akinobu Mita Subject: [PATCH 25/25] iio:adc:max1118 Fix alignment of timestamp and data leak issues Date: Mon, 25 May 2020 18:06:28 +0100 Message-Id: <20200525170628.503283-26-jic23@kernel.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200525170628.503283-1-jic23@kernel.org> References: <20200525170628.503283-1-jic23@kernel.org> MIME-Version: 1.0 Sender: linux-iio-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-iio@vger.kernel.org From: Jonathan Cameron One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: a9e9c7153e96 ("iio: adc: add max1117/max1118/max1119 ADC driver") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Cc: Akinobu Mita --- drivers/iio/adc/max1118.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/adc/max1118.c b/drivers/iio/adc/max1118.c index 0c5d7aaf6826..32296cc6fa9b 100644 --- a/drivers/iio/adc/max1118.c +++ b/drivers/iio/adc/max1118.c @@ -35,6 +35,11 @@ struct max1118 { struct spi_device *spi; struct mutex lock; struct regulator *reg; + /* Ensure natural alignment of buffer elements */ + struct { + u8 channels[2]; + s64 ts; + } scan; u8 data ____cacheline_aligned; }; @@ -165,7 +170,6 @@ static irqreturn_t max1118_trigger_handler(int irq, void *p) struct iio_poll_func *pf = p; struct iio_dev *indio_dev = pf->indio_dev; struct max1118 *adc = iio_priv(indio_dev); - u8 data[16] = { }; /* 2x 8-bit ADC data + padding + 8 bytes timestamp */ int scan_index; int i = 0; @@ -183,10 +187,10 @@ static irqreturn_t max1118_trigger_handler(int irq, void *p) goto out; } - data[i] = ret; + adc->scan.channels[i] = ret; i++; } - iio_push_to_buffers_with_timestamp(indio_dev, data, + iio_push_to_buffers_with_timestamp(indio_dev, &adc->scan, iio_get_time_ns(indio_dev)); out: mutex_unlock(&adc->lock);