Re: [PATCH v3 13/27] iio:magnetometer:ak8975 Fix alignment and data leak issues.


 



On Wed, 22 Jul 2020 16:50:49 +0100
Jonathan Cameron <jic23@xxxxxxxxxx> wrote:

> From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
> 
> One of a class of bugs pointed out by Lars in a recent review.
> iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
> to the size of the timestamp (8 bytes).  This is not guaranteed in
> this driver which uses an array of smaller elements on the stack.
> As Lars also noted this anti pattern can involve a leak of data to
> userspace and that indeed can happen here.  We close both issues by
> moving to a suitable structure in the iio_priv() data.
> 
> This data is allocated with kzalloc so no data can leak apart from
> previous readings.
> 
> The explicit alignment of ts is not necessary in this case as by
> coincidence the padding will end up the same, however I consider
> it to make the code less fragile and have included it.
> 
> Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support")
> Reported-by: Lars-Peter Clausen <lars@xxxxxxxxxx>
> Cc: Gregor Boirie <gregor.boirie@xxxxxxxxxx>
> Cc: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
> Cc: Linus Walleij <linus.walleij@xxxxxxxxxx>
> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
Applied and marked for stable.

Thanks,

Jonathan

> ---
>  drivers/iio/magnetometer/ak8975.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
> index 03d71f796177..623766ff800b 100644
> --- a/drivers/iio/magnetometer/ak8975.c
> +++ b/drivers/iio/magnetometer/ak8975.c
> @@ -366,6 +366,12 @@ struct ak8975_data {
>  	struct iio_mount_matrix orientation;
>  	struct regulator	*vdd;
>  	struct regulator	*vid;
> +
> +	/* Ensure natural alignment of timestamp */
> +	struct {
> +		s16 channels[3];
> +		s64 ts __aligned(8);
> +	} scan;
>  };
>  
>  /* Enable attached power regulator if any. */
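Review bot: the comment above the new scan member documents only the timestamp alignment. s16 channels[3] occupies 6 bytes and ts sits at offset 8, so two padding bytes are part of what gets pushed with every scan, and they stay zero only because the structure lives in the kzalloc'd iio_priv() data, as the commit message says. Suggest extending the comment to state that, for example "Ensure natural alignment of timestamp; padding is zeroed by kzalloc of iio_priv()", so a later move of this buffer back to the stack or to a non-zeroing allocation does not quietly reintroduce the leak.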
> @@ -793,7 +799,6 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev)
>  	const struct i2c_client *client = data->client;
>  	const struct ak_def *def = data->def;
>  	int ret;
> -	s16 buff[8]; /* 3 x 16 bits axis values + 1 aligned 64 bits timestamp */
>  	__le16 fval[3];
>  
>  	mutex_lock(&data->lock);
> @@ -816,12 +821,13 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev)
>  	mutex_unlock(&data->lock);
>  
>  	/* Clamp to valid range. */
> -	buff[0] = clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range);
> -	buff[1] = clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range);
> -	buff[2] = clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range);
> +	data->scan.channels[0] = clamp_t(s16, le16_to_cpu(fval[0]), -def->range, def->range);
> +	data->scan.channels[1] = clamp_t(s16, le16_to_cpu(fval[1]), -def->range, def->range);
> +	data->scan.channels[2] = clamp_t(s16, le16_to_cpu(fval[2]), -def->range, def->range);
>  
> -	iio_push_to_buffers_with_timestamp(indio_dev, buff,
> +	iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
>  					   iio_get_time_ns(indio_dev));
> +
>  	return;
>  
>  unlock:
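Review bot: data->scan.channels[] is now written after mutex_unlock(&data->lock), so the scan buffer shared through ak8975_data is filled and handed to iio_push_to_buffers_with_timestamp() without the lock that covers the register read just above; the stack buff it replaces was private to each call. If ak8975_fill_buffer() can only ever run in one context at a time, a short comment saying so would help; otherwise move the unlock to after the push. The blank line added before "return;" is unrelated to the fix and can be dropped.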

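The layout and leak described in the commit message, as an added userspace example (not code from the patch or the driver). Assumptions: stdint types stand in for s16/s64, the 0xA5 marker simulates leftover stack contents, the readings and timestamp are constructed, and the memcpy of the timestamp stands in for what iio_push_to_buffers_with_timestamp() does with the last 8 bytes of the scan.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace mirror of the scan layout added by the patch. */
struct scan {
	int16_t channels[3];
	int64_t ts __attribute__((aligned(8)));
};

#define STALE 0xA5 /* constructed marker for old memory contents */

/* Fill 3 channels + timestamp, then count marker bytes still in the scan. */
static size_t stale_after_fill(unsigned char *buf)
{
	const int16_t ch[3] = { 100, -200, 300 };  /* constructed readings */
	const int64_t ts = 0x1122334455667788LL;   /* constructed timestamp */
	size_t i, n = 0;

	memcpy(buf + offsetof(struct scan, channels), ch, sizeof(ch));
	memcpy(buf + offsetof(struct scan, ts), &ts, sizeof(ts));
	for (i = 0; i < sizeof(struct scan); i++)
		n += (buf[i] == STALE);
	return n; /* bytes that would reach userspace unmodified */
}

/* Old pattern: scan buffer on the stack, never cleared before use. */
size_t stale_bytes_stack_style(void)
{
	unsigned char buf[sizeof(struct scan)];
	memset(buf, STALE, sizeof(buf)); /* simulate leftover stack data */
	return stale_after_fill(buf);
}

/* New pattern: scan buffer inside zero-initialised (kzalloc-like) data. */
size_t stale_bytes_zeroed_style(void)
{
	unsigned char buf[sizeof(struct scan)] = { 0 };
	return stale_after_fill(buf);
}

size_t ts_offset(void) { return offsetof(struct scan, ts); }

int main(void)
{
	printf("ts offset %zu, scan size %zu, stale: stack %zu, zeroed %zu\n",
	       ts_offset(), sizeof(struct scan),
	       stale_bytes_stack_style(), stale_bytes_zeroed_style());
	return 0;
}
```

The two stale bytes in the stack-style case are the padding between channels[2] and ts, which is the gap the old buff[3] element occupied.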


