This is a note to let you know that I've just added the patch titled
iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
to the 4.2-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
iio-accel-sca3000-memory-corruption-in-sca3000_read_first_n_hw_rb.patch
and it can be found in the queue-4.2 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From eda7d0f38aaf50dbb2a2de15e8db386c4f6f65fc Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Sat, 8 Aug 2015 22:16:42 +0300
Subject: iio: accel: sca3000: memory corruption in sca3000_read_first_n_hw_rb()
From: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
commit eda7d0f38aaf50dbb2a2de15e8db386c4f6f65fc upstream.
"num_read" is in byte units but we are write u16s so we end up write
twice as much as intended.
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Jonathan Cameron <jic23@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/staging/iio/accel/sca3000_ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/accel/sca3000_ring.c
+++ b/drivers/staging/iio/accel/sca3000_ring.c
@@ -116,7 +116,7 @@ static int sca3000_read_first_n_hw_rb(st
if (ret)
goto error_ret;
- for (i = 0; i < num_read; i++)
+ for (i = 0; i < num_read / sizeof(u16); i++)
*(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i);
if (copy_to_user(buf, rx, num_read))
Patches currently in stable-queue which might be from dan.carpenter@xxxxxxxxxx are
queue-4.2/iio-accel-sca3000-memory-corruption-in-sca3000_read_first_n_hw_rb.patch
queue-4.2/drm-crtc-integer-overflow-in-drm_property_create_blob.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html