• Martin Kelly's avatar
    iio:kfifo_buf: check for uint overflow · 838f25e3
    Martin Kelly authored
    commit 3d13de4b upstream.
    
    Currently, the following causes a kernel OOPS in memcpy:
    
    echo 1073741825 > buffer/length
    echo 1 > buffer/enable
    
    Note that using 1073741824 instead of 1073741825 causes "write error:
    Cannot allocate memory" but no OOPS.
    
    This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo
    rounds up to the nearest power of 2, it will actually call kmalloc with
    roundup_pow_of_two(length) * bytes_per_datum.
    
    Using length == 1073741825 and bytes_per_datum == 2, we get:
    
    kmalloc(roundup_pow_of_two(1073741825) * 2
    or kmalloc(2147483648 * 2)
    or kmalloc(4294967296)
    or kmalloc(UINT_MAX + 1)
    
    so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and
    subsequent memcpy to fail once the device is enabled.
    
    Fix this by checking for overflow prior to allocating a kfifo. With this
    check added, the above code returns -EINVAL when enabling the buffer,
    rather than causing an OOPS.
    Signed-off-by: default avatarMartin Kelly <mkelly@xevo.com>
    cc: <Stable@vger.kernel.org>
    Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    838f25e3
Name
Last commit
Last update
..
accel Loading commit data...
adc Loading commit data...
amplifiers Loading commit data...
buffer Loading commit data...
chemical Loading commit data...
common Loading commit data...
counter Loading commit data...
dac Loading commit data...
dummy Loading commit data...
frequency Loading commit data...
gyro Loading commit data...
health Loading commit data...
humidity Loading commit data...
imu Loading commit data...
light Loading commit data...
magnetometer Loading commit data...
multiplexer Loading commit data...
orientation Loading commit data...
potentiometer Loading commit data...
potentiostat Loading commit data...
pressure Loading commit data...
proximity Loading commit data...
temperature Loading commit data...
trigger Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
iio_core.h Loading commit data...
iio_core_trigger.h Loading commit data...
industrialio-buffer.c Loading commit data...
industrialio-configfs.c Loading commit data...
industrialio-core.c Loading commit data...
industrialio-event.c Loading commit data...
industrialio-sw-device.c Loading commit data...
industrialio-sw-trigger.c Loading commit data...
industrialio-trigger.c Loading commit data...
industrialio-triggered-event.c Loading commit data...
inkern.c Loading commit data...