Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp25033pxk;
        Tue, 15 Sep 2020 16:43:45 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxYfyTZZ8RhowQMwiL0Zi7yRd7QhesFtdGYrwahegiDX+fEImh+LL2vWXHfv6haP/VB/goT
X-Received: by 2002:a50:ee14:: with SMTP id g20mr26012465eds.32.1600213425229;
        Tue, 15 Sep 2020 16:43:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600213425; cv=none;
        d=google.com; s=arc-20160816;
        b=DQRVGF5Gd+c/54aXvva5a3xWu1QUsqeoQ1kSpVKbGKfijpAo5MIu+TVQOHA51q3bQ0
         voVksUSW7P7xrg+d+AG3QTeA+zauXO0pxv9zm9phFuTTkogtTjYg4PL6beJAd2bi4DX8
         E24Fqp4Qd8HyppAPh+sAFCy6Vst8E+0WyK5IU+b5DAQp6uGL+8MRT2IaeZreUwVUMa3r
         as2bs9j9Wt74j1moQ5aVCW0yj/jneROLniIGQiwYxOuShB/Yv+47ztsTcSlfNxJBGltn
         e6cv3SimWePF4OEJfKxe0myRdmaDn0ni8nl4v3csPvCXpv41zV8iYpBJfVbKGtBzFVA+
         1X4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=AgQ8sT8YpwQdvoRMRWuxr7t65WuygmU+9EqoTjPhT2Y=;
        b=VCJ6P16E3y3yf7x398pxC7Qr2GT26Z3OKUeGgVIW4xXNEtDQctpYWPI55PJd4zqDsP
         dtvxGE4loRRcBCXcAQ/xAuyGkYbLORHA2Zv6e8+qw5Z6dEw0KFJUOgYES5aAsx+fieF1
         2h1K1YmKSltGniL9M9Iz/1mxRRS+zFx3uq4jeeKu86KWGMo/LX5UsX/SbuMlQDUd++ZC
         qHQxUvet95Dt+tzbZDGjxuCGbBxgdPV1X6qf19je3i2xdeAIk/MWNBVXutOgflpNg/nl
         P7Nz28AD9m0Nq3HEE1UdfCPF6lIaqVZVrq8z/Sr49HcXwZZ8rHqtKVXJeSqyHjNAadvf
         cCMA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=jtLuMvI+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g10si1097266edv.314.2020.09.15.16.43.23;
        Tue, 15 Sep 2020 16:43:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=jtLuMvI+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727381AbgIOXkj (ORCPT <rfc822;mcfarlandjb@gmail.com>
        + 99 others); Tue, 15 Sep 2020 19:40:39 -0400
Received: from mail.kernel.org ([198.145.29.99]:48030 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727115AbgIOOem (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 15 Sep 2020 10:34:42 -0400
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 563DC2222D;
        Tue, 15 Sep 2020 14:16:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1600179391;
        bh=hmWrwfrqHutEDO5G3ccIAni9EKGj79SQoDeFS3TxWxc=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=jtLuMvI+peJ0w57YBUkarYw9hJDORkmjthJ3gCqnGAty4Hjr1e5OI8E9QRAp6IWK5
         XzE1/uwUSrtY30GxmCPYPnZCVHx9y6MHl6WQSNt8qqkS5g+cL9gjPltHopdEp3Ip4I
         TYzwd7pEVIyUJ9ED6g4DVilEzXQjUfp7GZzWGQEg=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>,
        Andy Shevchenko <andy.shevchenko@gmail.com>,
        Stable@vger.kernel.org
Subject: [PATCH 4.19 42/78] iio:light:ltr501 Fix timestamp alignment issue.
Date:   Tue, 15 Sep 2020 16:13:07 +0200
Message-Id: <20200915140635.692471455@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200915140633.552502750@linuxfoundation.org>
References: <20200915140633.552502750@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

commit 2684d5003490df5398aeafe2592ba9d4a4653998 upstream.

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes).  This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
Here we use a structure on the stack.  The driver already did an
explicit memset so no data leak was possible.

Forced alignment of ts is not strictly necessary but probably makes
the code slightly less fragile.

Note there has been some rework in this driver of the years, so no
way this will apply cleanly all the way back.

Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1245,13 +1245,16 @@ static irqreturn_t ltr501_trigger_handle
 	struct iio_poll_func *pf = p;
 	struct iio_dev *indio_dev = pf->indio_dev;
 	struct ltr501_data *data = iio_priv(indio_dev);
-	u16 buf[8];
+	struct {
+		u16 channels[3];
+		s64 ts __aligned(8);
+	} scan;
 	__le16 als_buf[2];
 	u8 mask = 0;
 	int j = 0;
 	int ret, psdata;
 
-	memset(buf, 0, sizeof(buf));
+	memset(&scan, 0, sizeof(scan));
 
 	/* figure out which data needs to be ready */
 	if (test_bit(0, indio_dev->active_scan_mask) ||
@@ -1270,9 +1273,9 @@ static irqreturn_t ltr501_trigger_handle
 		if (ret < 0)
 			return ret;
 		if (test_bit(0, indio_dev->active_scan_mask))
-			buf[j++] = le16_to_cpu(als_buf[1]);
+			scan.channels[j++] = le16_to_cpu(als_buf[1]);
 		if (test_bit(1, indio_dev->active_scan_mask))
-			buf[j++] = le16_to_cpu(als_buf[0]);
+			scan.channels[j++] = le16_to_cpu(als_buf[0]);
 	}
 
 	if (mask & LTR501_STATUS_PS_RDY) {
@@ -1280,10 +1283,10 @@ static irqreturn_t ltr501_trigger_handle
 				       &psdata, 2);
 		if (ret < 0)
 			goto done;
-		buf[j++] = psdata & LTR501_PS_DATA_MASK;
+		scan.channels[j++] = psdata & LTR501_PS_DATA_MASK;
 	}
 
-	iio_push_to_buffers_with_timestamp(indio_dev, buf,
+	iio_push_to_buffers_with_timestamp(indio_dev, &scan,
 					   iio_get_time_ns(indio_dev));
 
 done: