releases/4.4.16/iio-proximity-as3935-fix-buffer-stack-trashing.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 Mon Sep 17 00:00:00 2001
 From: Matt Ranostay <mranostay@gmail.com>
 Date: Sat, 21 May 2016 20:01:03 -0700
 Subject: iio: proximity: as3935: fix buffer stack trashing

 From: Matt Ranostay <mranostay@gmail.com>

 commit 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 upstream.

 Buffer wasn't of a valid size to allow the timestamp, and correct padding.
 This patchset also moves the buffer off the stack, and onto the heap.

 Cc: george.mccollister@gmail.com
 Signed-off-by: Matt Ranostay <mranostay@gmail.com>
 Signed-off-by: Jonathan Cameron <jic23@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/iio/proximity/as3935.c |    6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

 --- a/drivers/iio/proximity/as3935.c
 +++ b/drivers/iio/proximity/as3935.c
 @@ -64,6 +64,7 @@ struct as3935_state {
  	struct delayed_work work;

  	u32 tune_cap;
 +	u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */
  	u8 buf[2] ____cacheline_aligned;
  };

 @@ -212,9 +213,10 @@ static irqreturn_t as3935_trigger_handle
  	ret = as3935_read(st, AS3935_DATA, &val);
  	if (ret)
  		goto err_read;
 -	val &= AS3935_DATA_MASK;

 -	iio_push_to_buffers_with_timestamp(indio_dev, &val, pf->timestamp);
 +	st->buffer[0] = val & AS3935_DATA_MASK;
 +	iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer,
 +					   pf->timestamp);
  err_read:
  	iio_trigger_notify_done(indio_dev->trig);
	From 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 Mon Sep 17 00:00:00 2001
	From: Matt Ranostay <mranostay@gmail.com>
	Date: Sat, 21 May 2016 20:01:03 -0700
	Subject: iio: proximity: as3935: fix buffer stack trashing

	From: Matt Ranostay <mranostay@gmail.com>

	commit 37b1ba2c68cfbe37f5f45bb91bcfaf2b016ae6a1 upstream.

	Buffer wasn't of a valid size to allow the timestamp, and correct padding.
	This patchset also moves the buffer off the stack, and onto the heap.

	Cc: george.mccollister@gmail.com
	Signed-off-by: Matt Ranostay <mranostay@gmail.com>
	Signed-off-by: Jonathan Cameron <jic23@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/iio/proximity/as3935.c \| 6 ++++--
	1 file changed, 4 insertions(+), 2 deletions(-)

	--- a/drivers/iio/proximity/as3935.c
	+++ b/drivers/iio/proximity/as3935.c
	@@ -64,6 +64,7 @@ struct as3935_state {
	struct delayed_work work;

	u32 tune_cap;
	+ u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */
	u8 buf[2] ____cacheline_aligned;
	};

	@@ -212,9 +213,10 @@ static irqreturn_t as3935_trigger_handle
	ret = as3935_read(st, AS3935_DATA, &val);
	if (ret)
	goto err_read;
	- val &= AS3935_DATA_MASK;

	- iio_push_to_buffers_with_timestamp(indio_dev, &val, pf->timestamp);
	+ st->buffer[0] = val & AS3935_DATA_MASK;
	+ iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer,
	+ pf->timestamp);
	err_read:
	iio_trigger_notify_done(indio_dev->trig);