From f65802284a3a337510d7f8f916c97d66c74f2e71 Mon Sep 17 00:00:00 2001 From: Jonathan Cameron Date: Sat, 1 May 2021 18:01:07 +0100 Subject: [PATCH] iio: accel: mxc4005: Fix overread of data and alignment issue. The bulk read size is based on the size of an array that also has space for the timestamp alongside the channels. Fix that and also fix alignment of the buffer passed to iio_push_to_buffers_with_timestamp. Found during an audit of all calls to this function. Fixes: 1ce0eda0f757 ("iio: mxc4005: add triggered buffer mode for mxc4005") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501170121.512209-6-jic23@kernel.org --- drivers/iio/accel/mxc4005.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c index 98c7f5f..b3afbf0 100644 --- a/drivers/iio/accel/mxc4005.c +++ b/drivers/iio/accel/mxc4005.c @@ -56,7 +56,11 @@ struct mxc4005_data { struct mutex mutex; struct regmap *regmap; struct iio_trigger *dready_trig; - __be16 buffer[8]; + /* Ensure timestamp is naturally aligned */ + struct { + __be16 chans[3]; + s64 timestamp __aligned(8); + } scan; bool trigger_enabled; }; @@ -135,7 +139,7 @@ static int mxc4005_read_xyz(struct mxc4005_data *data) int ret; ret = regmap_bulk_read(data->regmap, MXC4005_REG_XOUT_UPPER, - data->buffer, sizeof(data->buffer)); + data->scan.chans, sizeof(data->scan.chans)); if (ret < 0) { dev_err(data->dev, "failed to read axes\n"); return ret; @@ -301,7 +305,7 @@ static irqreturn_t mxc4005_trigger_handler(int irq, void *private) if (ret < 0) goto err; - iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, + iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, pf->timestamp); err: -- 2.7.4