| From 07f51365b6862f0ef73f65a17dbd00327d66c0bc Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Sat, 1 May 2021 18:01:07 +0100 |
| Subject: iio: accel: mxc4005: Fix overread of data and alignment issue. |
| |
| From: Jonathan Cameron <Jonathan.Cameron@huawei.com> |
| |
| [ Upstream commit f65802284a3a337510d7f8f916c97d66c74f2e71 ] |
| |
| The bulk read size is based on the size of an array that also has |
| space for the timestamp alongside the channels. |
| Fix that and also fix alignment of the buffer passed |
| to iio_push_to_buffers_with_timestamp. |
| |
| Found during an audit of all calls to this function. |
| |
| Fixes: 1ce0eda0f757 ("iio: mxc4005: add triggered buffer mode for mxc4005") |
| Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> |
| Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> |
| Link: https://lore.kernel.org/r/20210501170121.512209-6-jic23@kernel.org |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/iio/accel/mxc4005.c | 10 +++++++--- |
| 1 file changed, 7 insertions(+), 3 deletions(-) |
| |
| diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c |
| index f877263dc6ef..5a2b0ffbb145 100644 |
| --- a/drivers/iio/accel/mxc4005.c |
| +++ b/drivers/iio/accel/mxc4005.c |
| @@ -56,7 +56,11 @@ struct mxc4005_data { |
| struct mutex mutex; |
| struct regmap *regmap; |
| struct iio_trigger *dready_trig; |
| - __be16 buffer[8]; |
| + /* Ensure timestamp is naturally aligned */ |
| + struct { |
| + __be16 chans[3]; |
| + s64 timestamp __aligned(8); |
| + } scan; |
| bool trigger_enabled; |
| }; |
| |
| @@ -135,7 +139,7 @@ static int mxc4005_read_xyz(struct mxc4005_data *data) |
| int ret; |
| |
| ret = regmap_bulk_read(data->regmap, MXC4005_REG_XOUT_UPPER, |
| - data->buffer, sizeof(data->buffer)); |
| + data->scan.chans, sizeof(data->scan.chans)); |
| if (ret < 0) { |
| dev_err(data->dev, "failed to read axes\n"); |
| return ret; |
| @@ -301,7 +305,7 @@ static irqreturn_t mxc4005_trigger_handler(int irq, void *private) |
| if (ret < 0) |
| goto err; |
| |
| - iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, |
| + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, |
| pf->timestamp); |
| |
| err: |
| -- |
| 2.30.2 |
| |