From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
Jonathan Cameron <Jonathan.Cameron@huawei.com>,
Andy Shevchenko <andy.shevchenko@gmail.com>,
Stable@vger.kernel.org
Subject: [PATCH 4.4 12/46] iio:light:ltr501 Fix timestamp alignment issue.
Date: Mon, 21 Sep 2020 18:27:28 +0200 [thread overview]
Message-ID: <20200921162033.923131993@linuxfoundation.org> (raw)
In-Reply-To: <20200921162033.346434578@linuxfoundation.org>
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
commit 2684d5003490df5398aeafe2592ba9d4a4653998 upstream.
One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes). This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
Here we use a structure on the stack. The driver already did an
explicit memset so no data leak was possible.
Forced alignment of ts is not strictly necessary but probably makes
the code slightly less fragile.
Note there has been some rework in this driver of the years, so no
way this will apply cleanly all the way back.
Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/light/ltr501.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1218,13 +1218,16 @@ static irqreturn_t ltr501_trigger_handle
struct iio_poll_func *pf = p;
struct iio_dev *indio_dev = pf->indio_dev;
struct ltr501_data *data = iio_priv(indio_dev);
- u16 buf[8];
+ struct {
+ u16 channels[3];
+ s64 ts __aligned(8);
+ } scan;
__le16 als_buf[2];
u8 mask = 0;
int j = 0;
int ret, psdata;
- memset(buf, 0, sizeof(buf));
+ memset(&scan, 0, sizeof(scan));
/* figure out which data needs to be ready */
if (test_bit(0, indio_dev->active_scan_mask) ||
@@ -1243,9 +1246,9 @@ static irqreturn_t ltr501_trigger_handle
if (ret < 0)
return ret;
if (test_bit(0, indio_dev->active_scan_mask))
- buf[j++] = le16_to_cpu(als_buf[1]);
+ scan.channels[j++] = le16_to_cpu(als_buf[1]);
if (test_bit(1, indio_dev->active_scan_mask))
- buf[j++] = le16_to_cpu(als_buf[0]);
+ scan.channels[j++] = le16_to_cpu(als_buf[0]);
}
if (mask & LTR501_STATUS_PS_RDY) {
@@ -1253,10 +1256,10 @@ static irqreturn_t ltr501_trigger_handle
&psdata, 2);
if (ret < 0)
goto done;
- buf[j++] = psdata & LTR501_PS_DATA_MASK;
+ scan.channels[j++] = psdata & LTR501_PS_DATA_MASK;
}
- iio_push_to_buffers_with_timestamp(indio_dev, buf, iio_get_time_ns());
+ iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns());
done:
iio_trigger_notify_done(indio_dev->trig);
next prev parent reply other threads:[~2020-09-21 16:33 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-21 16:27 [PATCH 4.4 00/46] 4.4.237-rc1 review Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 01/46] ARM: dts: socfpga: fix register entry for timer3 on Arria10 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 02/46] scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 03/46] drivers/net/wan/lapbether: Added needed_tailroom Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 04/46] firestream: Fix memleak in fs_open Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 05/46] drivers/net/wan/lapbether: Set network_header before transmitting Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 06/46] xfs: initialize the shortform attr header padding entry Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 07/46] drivers/net/wan/hdlc_cisco: Add hard_header_len Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 08/46] ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 09/46] gcov: Disable gcov build with GCC 10 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 10/46] iio: adc: mcp3422: fix locking scope Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 11/46] iio: adc: mcp3422: fix locking on error path Greg Kroah-Hartman
2020-09-21 16:27 ` Greg Kroah-Hartman [this message]
2020-09-21 16:27 ` [PATCH 4.4 13/46] iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 14/46] iio:accel:mma8452: " Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 15/46] USB: core: add helpers to retrieve endpoints Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 16/46] staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 17/46] btrfs: fix wrong address when faulting in pages in the search ioctl Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 18/46] scsi: target: iscsi: Fix hang in iscsit_access_np() when getting tpg->np_login_sem Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 19/46] rbd: require global CAP_SYS_ADMIN for mapping and unmapping Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 20/46] fbcon: remove soft scrollback code Greg Kroah-Hartman
2020-09-28 6:06 ` Ajay Kaher
2020-09-28 12:17 ` Greg KH
2020-09-21 16:27 ` [PATCH 4.4 21/46] fbcon: remove now unusued softback_lines cursor() argument Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 22/46] vgacon: remove software scrollback support Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 23/46] KVM: VMX: Dont freeze guest when event delivery causes an APIC-access exit Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 24/46] video: fbdev: fix OOB read in vga_8planes_imageblit() Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 25/46] USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 26/46] USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 27/46] usb: Fix out of sync data toggle if a configured device is reconfigured Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 28/46] gcov: add support for GCC 10.1 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 29/46] NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation recall Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 30/46] scsi: pm8001: Fix memleak in pm8001_exec_internal_task_abort Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 31/46] scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 32/46] SUNRPC: stop printk reading past end of string Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 33/46] rapidio: Replace select DMAENGINES with depends on Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 34/46] i2c: algo: pca: Reapply i2c bus settings after reset Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 35/46] MIPS: SNI: Fix MIPS_L1_CACHE_SHIFT Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 36/46] perf test: Free formats for perf pmu parse test Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 37/46] fbcon: Fix user font detection test at fbcon_resize() Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 38/46] MIPS: SNI: Fix spurious interrupts Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 39/46] USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 40/46] USB: UAS: fix disconnect by unplugging a hub Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 41/46] usblp: fix race between disconnect() and read() Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 42/46] Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset lists Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.4 43/46] serial: 8250_pci: Add Realtek 816a and 816b Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.4 44/46] ehci-hcd: Move include to keep CRC stable Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.4 45/46] powerpc/dma: Fix dma_map_ops::get_required_mask Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.4 46/46] x86/defconfig: Enable CONFIG_USB_XHCI_HCD=y Greg Kroah-Hartman
2020-09-22 9:54 ` [PATCH 4.4 00/46] 4.4.237-rc1 review Nobuhiro Iwamatsu
2020-09-24 17:07 ` Greg Kroah-Hartman
2020-09-22 12:30 ` Naresh Kamboju
2020-09-22 20:17 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200921162033.923131993@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jonathan.Cameron@huawei.com \
--cc=andy.shevchenko@gmail.com \
--cc=lars@metafoo.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).