[patch] iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()

Jonathan Cameron jic23 at kernel.org
Sat Aug 15 20:05:53 UTC 2015


On 08/08/15 20:16, Dan Carpenter wrote:
> "num_read" is in byte units but we are writing u16s so we end up writing
> twice as much as intended.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Hi Dan,

This is fine. Given it's an old bug, Greg is not going to take this
sort of fix until after the merge window. I won't be doing another
pull to him to go in during the merge window. Hence fastest route
will be as a fix post 4.3-rc1.

Give me a poke if I haven't picked it up and sent it on by rc2 or so.

Thanks and good find.

Jonathan
> 
> diff --git a/drivers/staging/iio/accel/sca3000_ring.c b/drivers/staging/iio/accel/sca3000_ring.c
> index 23685e7..bd2c69f 100644
> --- a/drivers/staging/iio/accel/sca3000_ring.c
> +++ b/drivers/staging/iio/accel/sca3000_ring.c
> @@ -116,7 +116,7 @@ static int sca3000_read_first_n_hw_rb(struct iio_buffer *r,
>  	if (ret)
>  		goto error_ret;
>  
> -	for (i = 0; i < num_read; i++)
> +	for (i = 0; i < num_read / sizeof(u16); i++)
>  		*(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
>  
>  	if (copy_to_user(buf, rx, num_read))
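
Review bot: the new loop bound `num_read / sizeof(u16)` rounds down, so when num_read is odd the final byte of rx is never passed through be16_to_cpup(), yet the copy_to_user(buf, rx, num_read) that follows still copies it to user space. Either round num_read down to a multiple of sizeof(u16) before the loop so the conversion and the copy cover the same bytes, or add a comment stating why num_read is always even at this point.
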