From: Jonathan Cameron <jic23@kernel.org>
To: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: "Pengpeng Hou" <pengpeng@iscas.ac.cn>,
"Gyeyoung Baek" <gye976@gmail.com>,
"David Lechner" <dlechner@baylibre.com>,
"Nuno Sá" <nuno.sa@analog.com>,
"Andy Shevchenko" <andy@kernel.org>,
linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] iio: chemical: mhz19b: reject oversized serial replies
Date: Sun, 12 Apr 2026 16:16:51 +0100 [thread overview]
Message-ID: <20260412161651.3479e47e@jic23-huawei> (raw)
In-Reply-To: <ac4rKEMYAl-FJ5e8@ashevche-desk.local>
On Thu, 2 Apr 2026 11:39:04 +0300
Andy Shevchenko <andriy.shevchenko@intel.com> wrote:
> On Thu, Apr 02, 2026 at 01:40:15PM +0800, Pengpeng Hou wrote:
> > mhz19b_receive_buf() appends each serdev chunk into the fixed
> > MHZ19B_CMD_SIZE receive buffer and advances buf_idx by len without
> > checking that the chunk fits in the remaining space. A large callback
> > can therefore overflow st->buf before the command path validates the
> > reply.
> >
> > Reset the reply state before each command and reject oversized serial
> > replies before copying them into the fixed buffer. When an oversized
> > reply is detected, wake the waiter and report -EMSGSIZE instead of
> > overwriting st->buf.
>
> ...
>
> > struct completion buf_ready;
> >
> > u8 buf_idx;
> > + bool buf_overflow;
>
> + blank line here.
>
> (No need to resend just for this.)
>
This version addressed the comment I just made on v2 so all good.
I tweaked whilst applying.
Applied to the fixes-togreg branch of iio.git.
Note I'm unlikely to send another fixes pull request this cycle, so
I'll rebase that branch on rc1 once available and send out then.
Thanks,
Jonathan
next prev parent reply other threads:[~2026-04-12 15:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 5:40 [PATCH] iio: chemical: mhz19b: reject oversized serial replies Pengpeng Hou
2026-04-02 8:39 ` Andy Shevchenko
2026-04-12 15:16 ` Jonathan Cameron [this message]
2026-04-03 17:31 ` Gyeyoung Baek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260412161651.3479e47e@jic23-huawei \
--to=jic23@kernel.org \
--cc=andriy.shevchenko@intel.com \
--cc=andy@kernel.org \
--cc=dlechner@baylibre.com \
--cc=gye976@gmail.com \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nuno.sa@analog.com \
--cc=pengpeng@iscas.ac.cn \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox