Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

iio: accel: mxc4005: Fix overread of data and alignment issue.

The bulk read size is based on the size of an array that also has
space for the timestamp alongside the channels.
Fix that and also fix alignment of the buffer passed
to iio_push_to_buffers_with_timestamp.

Found during an audit of all calls to this function.

Fixes: 1ce0eda0f757 ("iio: mxc4005: add triggered buffer mode for mxc4005")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210501170121.512209-6-jic23@kernel.org

+7 -3
drivers/iio/accel/mxc4005.c
··· 56 56 struct mutex mutex; 57 57 struct regmap *regmap; 58 58 struct iio_trigger *dready_trig; 59 - __be16 buffer[8]; 59 + /* Ensure timestamp is naturally aligned */ 60 + struct { 61 + __be16 chans[3]; 62 + s64 timestamp __aligned(8); 63 + } scan; 60 64 bool trigger_enabled; 61 65 }; 62 66 ··· 139 135 int ret; 140 136 141 137 ret = regmap_bulk_read(data->regmap, MXC4005_REG_XOUT_UPPER, 142 - data->buffer, sizeof(data->buffer)); 138 + data->scan.chans, sizeof(data->scan.chans)); 143 139 if (ret < 0) { 144 140 dev_err(data->dev, "failed to read axes\n"); 145 141 return ret; ··· 305 301 if (ret < 0) 306 302 goto err; 307 303 308 - iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, 304 + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, 309 305 pf->timestamp); 310 306 311 307 err:
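Review bot: In the new scan struct in the first hunk, chans[3] occupies 6 bytes and timestamp is forced onto an 8-byte boundary, which leaves 2 bytes of padding that are passed to iio_push_to_buffers_with_timestamp together with the samples. Nothing in the visible lines clears those bytes, so please confirm that the enclosing structure is zero-allocated, or clear scan before it is filled, so that stale kernel memory cannot reach the buffer consumer. The existing comment explains the alignment; a few more words on why the array has 3 entries would help the next audit.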
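Review bot: In the regmap_bulk_read call in the second hunk, the last argument is a count of register values rather than a byte count, so sizeof(data->scan.chans) reads the intended 6 bytes only when the regmap is configured with 8-bit values. The regmap configuration is not in the visible lines; if that assumption holds, a one-line comment stating it next to the call would stop the sizeof from being copied into a driver where it over-reads again.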