From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754648AbcGYVWQ (ORCPT ); Mon, 25 Jul 2016 17:22:16 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:46536 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754609AbcGYVRn (ORCPT ); Mon, 25 Jul 2016 17:17:43 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, george.mccollister@gmail.com, Matt Ranostay , Jonathan Cameron Subject: [PATCH 4.4 102/146] iio: proximity: as3935: fix buffer stack trashing Date: Mon, 25 Jul 2016 13:55:57 -0700 Message-Id: <20160725203525.595895287@linuxfoundation.org> X-Mailer: git-send-email 2.9.0 In-Reply-To: <20160725203521.340401316@linuxfoundation.org> References: <20160725203521.340401316@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Matt Ranostay commit 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 upstream. Buffer wasn't of a valid size to allow the timestamp, and correct padding. This patchset also moves the buffer off the stack, and onto the heap. Cc: george.mccollister@gmail.com Signed-off-by: Matt Ranostay Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- drivers/iio/proximity/as3935.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/iio/proximity/as3935.c +++ b/drivers/iio/proximity/as3935.c @@ -64,6 +64,7 @@ struct as3935_state { struct delayed_work work; u32 tune_cap; + u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */ u8 buf[2] ____cacheline_aligned; }; @@ -212,9 +213,10 @@ static irqreturn_t as3935_trigger_handle ret = as3935_read(st, AS3935_DATA, &val); if (ret) goto err_read; - val &= AS3935_DATA_MASK; - iio_push_to_buffers_with_timestamp(indio_dev, &val, pf->timestamp); + st->buffer[0] = val & AS3935_DATA_MASK; + iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer, + pf->timestamp); err_read: iio_trigger_notify_done(indio_dev->trig);