Hello Shitalkumar Gandhi.

On Wed, 20 May 2026 16:27:50 +0530, Shitalkumar Gandhi wrote:
> ca8210_test_int_driver_write() and ca8210_test_int_user_read() exchange
> a kmalloc'd buffer pointer through a struct kfifo, but pass a literal
> '4' as the byte count to kfifo_in()/kfifo_out().
> 
> This is correct on 32-bit (pointer = 4 bytes), but on 64-bit only the
> low 4 bytes of the 8-byte pointer are written into the FIFO. The reader
> then reads back 4 bytes into an 8-byte local pointer variable, leaving
> the upper 4 bytes uninitialized stack data. The first dereference of
> the reconstructed pointer (fifo_buffer[1]) accesses an arbitrary kernel
> address and generally results in an oops.
> 
> [...]

Applied to wpan/wpan-next.git, thanks!

[1/1] ieee802154: ca8210: fix pointer truncation in kfifo on 64-bit
      https://git.kernel.org/wpan/wpan-next/c/6d7f7bcf225b

regards,
Stefan Schmidt
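As an added illustration that is not part of this thread or of the ca8210 driver, the following user-space C program models the kfifo exchange described in the quoted patch with a toy byte ring buffer (byte_fifo, fifo_in, fifo_out and exchange_pointer are hypothetical names, and the address is a constructed sample): passing a literal byte count of 4 round-trips a pointer on 32-bit but leaves the upper half of the reader's variable as stale bytes on 64-bit, while sizeof(pointer) is correct on both.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Minimal byte ring buffer standing in for the kernel's struct kfifo (hypothetical). */
struct byte_fifo { unsigned char buf[64]; size_t in, out; };

/* Copy up to len bytes from src into the fifo; returns the number stored. */
static size_t fifo_in(struct byte_fifo *f, const void *src, size_t len)
{
    const unsigned char *s = src;
    size_t space = sizeof f->buf - (f->in - f->out);
    if (len > space) len = space;
    for (size_t i = 0; i < len; i++)
        f->buf[(f->in + i) % sizeof f->buf] = s[i];
    f->in += len;
    return len;
}
/* Copy up to len bytes out of the fifo into dst; returns the number read. */
static size_t fifo_out(struct byte_fifo *f, void *dst, size_t len)
{
    unsigned char *d = dst;
    size_t avail = f->in - f->out;
    if (len > avail) len = avail;
    for (size_t i = 0; i < len; i++)
        d[i] = f->buf[(f->out + i) % sizeof f->buf];
    f->out += len;
    return len;
}
/* Models the driver/user exchange: the writer pushes a pointer, the reader pops
 * it into a local pre-filled with stale bytes (0xA5), as an uninitialized stack
 * slot would be. 'count' is the byte count handed to the fifo calls. */
static uintptr_t exchange_pointer(uintptr_t ptr, size_t count)
{
    struct byte_fifo f = { {0}, 0, 0 };
    uintptr_t received;
    memset(&received, 0xA5, sizeof received);
    fifo_in(&f, &ptr, count);
    fifo_out(&f, &received, count);
    return received; /* equals ptr only when count == sizeof ptr */
}
int main(void)
{
    uintptr_t p = (uintptr_t)0x1122334455667788ULL; /* constructed sample address */
    printf("literal 4: %#llx, sizeof ptr: %#llx\n",
           (unsigned long long)exchange_pointer(p, 4),
           (unsigned long long)exchange_pointer(p, sizeof p));
    return 0;
}
```

On a 64-bit little-endian host the first value comes back as 0xa5a5a5a555667788, which is the truncated, partly stale pointer the patch description refers to; the second round-trips unchanged.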
