[patch] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw

linux-iio.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [patch] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
@ 2015-08-08 19:16 Dan Carpenter
  2015-08-15 20:05 ` Jonathan Cameron
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2015-08-08 19:16 UTC (permalink / raw)
  To: Jonathan Cameron
  Cc: Hartmut Knaack, Lars-Peter Clausen, Peter Meerwald,
	Greg Kroah-Hartman, Octavian Purdila, Aybuke Ozdemir,
	Josselin Costanzi, linux-iio, devel, kernel-janitors

"num_read" is in byte units but we are write u16s so we end up write
twice as much as intended.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/iio/accel/sca3000_ring.c b/drivers/staging/iio/accel/sca3000_ring.c
index 23685e7..bd2c69f 100644
--- a/drivers/staging/iio/accel/sca3000_ring.c
+++ b/drivers/staging/iio/accel/sca3000_ring.c
@@ -116,7 +116,7 @@ static int sca3000_read_first_n_hw_rb(struct iio_buffer *r,
 	if (ret)
 		goto error_ret;
 
-	for (i = 0; i < num_read; i++)
+	for (i = 0; i < num_read / sizeof(u16); i++)
 		*(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
 
 	if (copy_to_user(buf, rx, num_read))

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [patch] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
  2015-08-08 19:16 [patch] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() Dan Carpenter
@ 2015-08-15 20:05 ` Jonathan Cameron
  2015-10-03  9:28   ` Jonathan Cameron
  0 siblings, 1 reply; 3+ messages in thread
From: Jonathan Cameron @ 2015-08-15 20:05 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Hartmut Knaack, Lars-Peter Clausen, Peter Meerwald,
	Greg Kroah-Hartman, Octavian Purdila, Aybuke Ozdemir,
	Josselin Costanzi, linux-iio, devel, kernel-janitors

On 08/08/15 20:16, Dan Carpenter wrote:
> "num_read" is in byte units but we are write u16s so we end up write
> twice as much as intended.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Hi Dan,

This is fine. Given it's an old bug, Greg is not going to take this
sort of fix until after the merge window.   I won't be doing another
pull to him to go in during the merge window.  Hence fastest route
will be as a fix post 4.3-rc1.

Give me a poke if I haven't picked it up and sent it on by rc2 or so.

Thanks and good find.

Jonathan
> 
> diff --git a/drivers/staging/iio/accel/sca3000_ring.c b/drivers/staging/iio/accel/sca3000_ring.c
> index 23685e7..bd2c69f 100644
> --- a/drivers/staging/iio/accel/sca3000_ring.c
> +++ b/drivers/staging/iio/accel/sca3000_ring.c
> @@ -116,7 +116,7 @@ static int sca3000_read_first_n_hw_rb(struct iio_buffer *r,
>  	if (ret)
>  		goto error_ret;
>  
> -	for (i = 0; i < num_read; i++)
> +	for (i = 0; i < num_read / sizeof(u16); i++)
>  		*(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
>  
>  	if (copy_to_user(buf, rx, num_read))
> --
> To unsubscribe from this list: send the line "unsubscribe linux-iio" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [patch] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
  2015-08-15 20:05 ` Jonathan Cameron
@ 2015-10-03  9:28   ` Jonathan Cameron
  0 siblings, 0 replies; 3+ messages in thread
From: Jonathan Cameron @ 2015-10-03  9:28 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Hartmut Knaack, Lars-Peter Clausen, Peter Meerwald,
	Greg Kroah-Hartman, Octavian Purdila, Aybuke Ozdemir,
	Josselin Costanzi, linux-iio, devel, kernel-janitors

On 15/08/15 21:05, Jonathan Cameron wrote:
> On 08/08/15 20:16, Dan Carpenter wrote:
>> "num_read" is in byte units but we are write u16s so we end up write
>> twice as much as intended.
>>
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Hi Dan,
> 
> This is fine. Given it's an old bug, Greg is not going to take this
> sort of fix until after the merge window.   I won't be doing another
> pull to him to go in during the merge window.  Hence fastest route
> will be as a fix post 4.3-rc1.
> 
> Give me a poke if I haven't picked it up and sent it on by rc2 or so.
> 
> Thanks and good find.
> 
> Jonathan
Nearly forgot this one!

Anyhow, applied to the fixes-togreg branch of iio.git and marked for stable.

Jonathan
>>
>> diff --git a/drivers/staging/iio/accel/sca3000_ring.c b/drivers/staging/iio/accel/sca3000_ring.c
>> index 23685e7..bd2c69f 100644
>> --- a/drivers/staging/iio/accel/sca3000_ring.c
>> +++ b/drivers/staging/iio/accel/sca3000_ring.c
>> @@ -116,7 +116,7 @@ static int sca3000_read_first_n_hw_rb(struct iio_buffer *r,
>>  	if (ret)
>>  		goto error_ret;
>>  
>> -	for (i = 0; i < num_read; i++)
>> +	for (i = 0; i < num_read / sizeof(u16); i++)
>>  		*(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
>>  
>>  	if (copy_to_user(buf, rx, num_read))
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-iio" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-iio" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-10-03  9:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-08 19:16 [patch] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb() Dan Carpenter
2015-08-15 20:05 ` Jonathan Cameron
2015-10-03  9:28   ` Jonathan Cameron

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).