IIO: ti_adc: Print error and handle short FIFO events

In the case that the FIFO threshold handler gets called when the FIFO has not actually reached the threshold, the driver will pass uninitialized memory to the IIO subsystem. In the past, this would occur due to bugs in the driver, those bugs have been fixed. However, it is still a good idea to close this just in case additional bugs in hardware or software exist. Signed-off-by: Russ Dill <Russ.Dill@ti.com>

IIO: ti_adc: Print error and handle short FIFO events
In the case that the FIFO threshold handler gets called when the FIFO has not actually reached the threshold, the driver will pass uninitialized memory to the IIO subsystem. In the past, this would occur due to bugs in the driver, those bugs have been fixed. However, it is still a good idea to close this just in case additional bugs in hardware or software exist. Signed-off-by: Russ Dill <Russ.Dill@ti.com>
Russ Dill · Vaibhav Hiremath
1 parent de871da920
Showing 1 changed file with 7 additions and 0 deletions Side-by-side Diff
drivers/staging/iio/adc/ti_adc.c
@@ -192,6 +192,13 @@
 	u32 *iBuf;
  
 	fifo1count = adc_readl(adc_dev, TSCADC_REG_FIFO1CNT);
+	if (fifo1count * sizeof(u32) <
+				buffer->access->get_bytes_per_datum(buffer)) {
+		dev_err(adc_dev->mfd_tscadc->dev, "%s: Short FIFO event\n",
+								__func__);
+		goto out;
+	}
+
 	iBuf = kmalloc((fifo1count + 1) * sizeof(u32), GFP_KERNEL);
 	if (iBuf == NULL)
 		goto out;
...	...	@@ -192,6 +192,13 @@
192	192	u32 *iBuf;
193	193
194	194	fifo1count = adc_readl(adc_dev, TSCADC_REG_FIFO1CNT);
	195	+ if (fifo1count * sizeof(u32) <
	196	+ buffer->access->get_bytes_per_datum(buffer)) {
	197	+ dev_err(adc_dev->mfd_tscadc->dev, "%s: Short FIFO event\n",
	198	+ __func__);
	199	+ goto out;
	200	+ }
	201	+
195	202	iBuf = kmalloc((fifo1count + 1) * sizeof(u32), GFP_KERNEL);
196	203	if (iBuf == NULL)
197	204	goto out;