Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3281600pxk;
        Mon, 21 Sep 2020 09:35:48 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwGpwCDTB+Cw9ky1pMWD8qBm5EsQOuOe3icQ2HS7cLDrXegcqRtdRJVoffOPUb7rAyaWV8f
X-Received: by 2002:a05:6402:1717:: with SMTP id y23mr560929edu.112.1600706148616;
        Mon, 21 Sep 2020 09:35:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1600706148; cv=none;
        d=google.com; s=arc-20160816;
        b=mY3pgW57lnj8tFgP6zJwZpBd/83nOzB0rYJNg1DRXlfzWIle0u/YmmMeq4+UxRmVd7
         kxfHWE0/jP2SuT/c+gj66DHQc75v7QUHFJX1nK1DD4JCCaQHu4AlAIM1F3x1jB4rvcWI
         gTi6/Vn/K4O8BMZCKrOmolbdG6AGHcCf+9EWj443EDfoOG9xdnxojQTsKsvSeYKLAnPa
         6znXmB2sKTTxiBYTTKD/n0TeSZ/1j2BIyTVxc/ArjFJVj4cYDCnwExCBDESME837/2pA
         IyuvfsWxR5jMmg/fncQSEgChkHD+hzDrnV59OWwYHA9406ISMS2tl87nfwsKIPBBigNv
         zvkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=h1D6OJ4P2tzJmsp1qWkAKYgnuvpDVk1G01iUDeGFvwM=;
        b=gCuEs2cWnl0bEYl8q1kDMZUoF4P9pCHTEYkHsxufKbBq+igVsao5Cg3h265xCQTdKJ
         aYr5TJAu+fQI3EQ+aoK8ngl8KKQEfXAwWw9Ut8hD/ZG5a/0Eg1oLaGUuiWMQOYEp2vdG
         5dWcCPa4EZal3tJW3KLG9AQZEh2IiWC0kq5pJ1/FmYo/BBdOwE2r3+Q8e0wktEkV29pB
         WVjavJinPAnjrpozWjDf5EqGovCnHLtJNa0Vhjo+UEQvFwO9AVfn9tkh5s9SLaqNhoUk
         itmRZiGxR+j9LqiZ1nedJn0FXmI+efQ2dgUF3d3WQ0iiNiHnToPZ7i6UwOI3hO23l8Fw
         y7+Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=XcNX6QFm;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id s10si8547163ejr.574.2020.09.21.09.35.24;
        Mon, 21 Sep 2020 09:35:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=XcNX6QFm;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726419AbgIUQd2 (ORCPT <rfc822;yxhlfx@gmail.com> + 99 others);
        Mon, 21 Sep 2020 12:33:28 -0400
Received: from mail.kernel.org ([198.145.29.99]:59010 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728571AbgIUQdH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Sep 2020 12:33:07 -0400
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id C218223998;
        Mon, 21 Sep 2020 16:33:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1600705986;
        bh=ZnMOBF5X9pk7vKlo2wALEivGY4W8rWnFNiX4BpkSnLs=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=XcNX6QFm4pxOjoXlOy9UkrMIGLkzmygPI8Ftt663W8Ss3Lhp1IzUvchwXj1gVLhp0
         uRR3Vfd4A8lL8a2j0dDLtLOwgZD18xsOLbs5WEX52ocXwnxnTtIb7RKpGGJzOrWvnx
         uOtITsHLGFjzlGNC4VlKYHdIfRRF9CKzOt3e6jVc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>,
        Andy Shevchenko <andy.shevchenko@gmail.com>,
        Stable@vger.kernel.org
Subject: [PATCH 4.4 12/46] iio:light:ltr501 Fix timestamp alignment issue.
Date:   Mon, 21 Sep 2020 18:27:28 +0200
Message-Id: <20200921162033.923131993@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200921162033.346434578@linuxfoundation.org>
References: <20200921162033.346434578@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

commit 2684d5003490df5398aeafe2592ba9d4a4653998 upstream.

One of a class of bugs pointed out by Lars in a recent review.
iio_push_to_buffers_with_timestamp assumes the buffer used is aligned
to the size of the timestamp (8 bytes).  This is not guaranteed in
this driver which uses an array of smaller elements on the stack.
Here we use a structure on the stack.  The driver already did an
explicit memset so no data leak was possible.

Forced alignment of ts is not strictly necessary but probably makes
the code slightly less fragile.

Note there has been some rework in this driver of the years, so no
way this will apply cleanly all the way back.

Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1218,13 +1218,16 @@ static irqreturn_t ltr501_trigger_handle
 	struct iio_poll_func *pf = p;
 	struct iio_dev *indio_dev = pf->indio_dev;
 	struct ltr501_data *data = iio_priv(indio_dev);
-	u16 buf[8];
+	struct {
+		u16 channels[3];
+		s64 ts __aligned(8);
+	} scan;
 	__le16 als_buf[2];
 	u8 mask = 0;
 	int j = 0;
 	int ret, psdata;
 
-	memset(buf, 0, sizeof(buf));
+	memset(&scan, 0, sizeof(scan));
 
 	/* figure out which data needs to be ready */
 	if (test_bit(0, indio_dev->active_scan_mask) ||
@@ -1243,9 +1246,9 @@ static irqreturn_t ltr501_trigger_handle
 		if (ret < 0)
 			return ret;
 		if (test_bit(0, indio_dev->active_scan_mask))
-			buf[j++] = le16_to_cpu(als_buf[1]);
+			scan.channels[j++] = le16_to_cpu(als_buf[1]);
 		if (test_bit(1, indio_dev->active_scan_mask))
-			buf[j++] = le16_to_cpu(als_buf[0]);
+			scan.channels[j++] = le16_to_cpu(als_buf[0]);
 	}
 
 	if (mask & LTR501_STATUS_PS_RDY) {
@@ -1253,10 +1256,10 @@ static irqreturn_t ltr501_trigger_handle
 				       &psdata, 2);
 		if (ret < 0)
 			goto done;
-		buf[j++] = psdata & LTR501_PS_DATA_MASK;
+		scan.channels[j++] = psdata & LTR501_PS_DATA_MASK;
 	}
 
-	iio_push_to_buffers_with_timestamp(indio_dev, buf, iio_get_time_ns());
+	iio_push_to_buffers_with_timestamp(indio_dev, &scan, iio_get_time_ns());
 
 done:
 	iio_trigger_notify_done(indio_dev->trig);