From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:52075 "EHLO
	mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752743AbcGYAbb (ORCPT
	<rfc822;stable@vger.kernel.org>); Sun, 24 Jul 2016 20:31:31 -0400
Subject: Patch "iio: proximity: as3935: fix buffer stack trashing" has been added to the 4.6-stable tree
To: mranostay@gmail.com, gregkh@linuxfoundation.org, jic23@kernel.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Sun, 24 Jul 2016 17:31:45 -0700
Message-ID: <1469406705181248@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    iio: proximity: as3935: fix buffer stack trashing

to the 4.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iio-proximity-as3935-fix-buffer-stack-trashing.patch
and it can be found in the queue-4.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 Mon Sep 17 00:00:00 2001
From: Matt Ranostay <mranostay@gmail.com>
Date: Sat, 21 May 2016 20:01:03 -0700
Subject: iio: proximity: as3935: fix buffer stack trashing

From: Matt Ranostay <mranostay@gmail.com>

commit 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 upstream.

Buffer wasn't of a valid size to allow the timestamp, and correct padding.
This patchset also moves the buffer off the stack, and onto the heap.

Cc: george.mccollister@gmail.com
Signed-off-by: Matt Ranostay <mranostay@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/proximity/as3935.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -64,6 +64,7 @@ struct as3935_state {
 	struct delayed_work work;
 
 	u32 tune_cap;
+	u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */
 	u8 buf[2] ____cacheline_aligned;
 };
 
@@ -212,9 +213,10 @@ static irqreturn_t as3935_trigger_handle
 	ret = as3935_read(st, AS3935_DATA, &val);
 	if (ret)
 		goto err_read;
-	val &= AS3935_DATA_MASK;
 
-	iio_push_to_buffers_with_timestamp(indio_dev, &val, pf->timestamp);
+	st->buffer[0] = val & AS3935_DATA_MASK;
+	iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer,
+					   pf->timestamp);
 err_read:
 	iio_trigger_notify_done(indio_dev->trig);
 


Patches currently in stable-queue which might be from mranostay@gmail.com are

queue-4.6/iio-hudmidity-hdc100x-fix-incorrect-shifting-and-scaling.patch
queue-4.6/iio-proximity-as3935-fix-buffer-stack-trashing.patch
queue-4.6/iio-light-apds9960-add-the-missing-dev.parent.patch
queue-4.6/iio-proximity-as3935-correct-iio_chan_info_raw-output.patch
queue-4.6/iio-proximity-as3935-remove-triggered-buffer-processing.patch
queue-4.6/iio-humidity-hdc100x-correct-humidity-integration-time-mask.patch
queue-4.6/iio-humidity-hdc100x-fix-iio_temp-channel-reporting.patch