]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
ieee802154: ca8210: fix pointer truncation in kfifo on 64-bit
authorShitalkumar Gandhi <shital.gandhi45@gmail.com>
Wed, 20 May 2026 10:57:50 +0000 (16:27 +0530)
committerStefan Schmidt <stefan@datenfreihafen.org>
Fri, 19 Jun 2026 20:33:04 +0000 (22:33 +0200)
ca8210_test_int_driver_write() and ca8210_test_int_user_read() exchange
a kmalloc'd buffer pointer through a struct kfifo, but pass a literal
'4' as the byte count to kfifo_in()/kfifo_out().

This is correct on 32-bit (pointer = 4 bytes), but on 64-bit only the
low 4 bytes of the 8-byte pointer are written into the FIFO. The reader
then reads back 4 bytes into an 8-byte local pointer variable, leaving
the upper 4 bytes uninitialized stack data. The first dereference of
the reconstructed pointer (fifo_buffer[1]) accesses an arbitrary kernel
address and generally results in an oops.

Use sizeof(fifo_buffer) so the byte count matches pointer width on every
architecture.

The driver has no architecture restriction in Kconfig, so any 64-bit
build with CONFIG_IEEE802154_CA8210_DEBUGFS=y is exposed. Issue has
been latent since the driver was added in 2017 because it is most
commonly deployed on 32-bit MCUs.

Found via a custom Coccinelle semantic patch hunting for short-byte
kfifo I/O on byte-mode kfifos used to shuttle pointers.

Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
Cc: stable@vger.kernel.org
Signed-off-by: Shitalkumar Gandhi <shitalkumar.gandhi@cambiumnetworks.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/20260520105750.30144-1-shitalkumar.gandhi@cambiumnetworks.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
drivers/net/ieee802154/ca8210.c

index bf837adfebb2105aabf1a6fc7cf54c4d3860fc8c..01af4f9cf7f297303d14f156b7fb1b3590fce976 100644 (file)
@@ -595,7 +595,7 @@ static int ca8210_test_int_driver_write(
        fifo_buffer = kmemdup(buf, len, GFP_KERNEL);
        if (!fifo_buffer)
                return -ENOMEM;
-       kfifo_in(&test->up_fifo, &fifo_buffer, 4);
+       kfifo_in(&test->up_fifo, &fifo_buffer, sizeof(fifo_buffer));
        wake_up_interruptible(&priv->test.readq);
 
        return 0;
@@ -2526,6 +2526,7 @@ static ssize_t ca8210_test_int_user_read(
        struct ca8210_priv *priv = filp->private_data;
        unsigned char *fifo_buffer;
        unsigned long bytes_not_copied;
+       unsigned int copied;
 
        if (filp->f_flags & O_NONBLOCK) {
                /* Non-blocking mode */
@@ -2539,7 +2540,8 @@ static ssize_t ca8210_test_int_user_read(
                );
        }
 
-       if (kfifo_out(&priv->test.up_fifo, &fifo_buffer, 4) != 4) {
+       copied = kfifo_out(&priv->test.up_fifo, &fifo_buffer, sizeof(fifo_buffer));
+       if (copied != sizeof(fifo_buffer)) {
                dev_err(
                        &priv->spi->dev,
                        "test_interface: Wrong number of elements popped from upstream fifo\n"