From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC3D228505E; Thu, 16 Jul 2026 14:23:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784211814; cv=none; b=JuzwARrYFJDbs5S/MgQkNK88vOneCBRKrhGfGAueCzSeieo2CfjBztHil/fv/2sQGbY2tBM4bVx1fRz2h26wa0MoOkG2V/PQ5rOZJWQX6zwDUh1/16YmtBUuGBMvo3xdd2DGOJd1wM7xgGDM9TdZLwjQtiyqZb2jNkExcfBZX5M= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784211814; c=relaxed/simple; bh=GQzxxSLLUDL1EtGSrcHg9+CODrwIl7+SLAvpp/TTAQM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=s8uwBccBXbezqbMqc6IrBqAXyNEL6pt4l6WOqMo601cn/v1McxlYVxJtbCL/v3BMT/vxVXL+6mx95yIuo64KjoNZ4LiHQ0mtfG78xdhrQ0/D8N/M9MFt3QU3ClBGWfW4qU72ehioPCnyoIM+qzkbFWb3wHhm9JavcSUuJovzgVE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=uaiLaQOF; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="uaiLaQOF" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2E3DC1F000E9; Thu, 16 Jul 2026 14:23:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1784211813; bh=YPjYces7sl7JOB+OxI32eDepgf80CV9fLppuKVlKKSw=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=uaiLaQOFaCCDhqZNvt7Datvbqg2Xce+qUwneuJPLXVnxLh4EiMu+cyIbkAQd6rn+a 83R+kF2pvRQzdmqlIzIyhIowOwCWxctx83IfZc60j4AtG/Vg7mrbi6uKZsJ8IHJF42 SO5rpAMN4zr934X+Qk9g8GK+fSc4Kuyu76wzNQ0E= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Lars-Peter Clausen , =?UTF-8?q?Nuno=20S=C3=A1?= , Stable@vger.kernel.org, Jonathan Cameron Subject: [PATCH 6.12 053/349] iio: event: Fix event FIFO reset race Date: Thu, 16 Jul 2026 15:29:47 +0200 Message-ID: <20260716133034.510687537@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260716133033.287196923@linuxfoundation.org> References: <20260716133033.287196923@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 6.12-stable review patch. If anyone has any objections, please let me know. ------------------ From: Lars-Peter Clausen commit af791d295737ea6b6ff2c8d8488462a49c14af01 upstream. `iio_event_getfd()` creates the event file descriptor with `anon_inode_getfd()`, which allocates a new fd, creates the anonymous file and installs it in the process fd table before returning to the caller. The IIO code resets the event FIFO after `anon_inode_getfd()` has returned, but before `IIO_GET_EVENT_FD_IOCTL` has copied the fd number to userspace. But since fd tables are shared between threads, another thread can guess the newly allocated fd number and issue a `read()` on it as soon as the fd has been installed. This means the `kfifo_to_user()` in `iio_event_chrdev_read()` can run in parallel with the `kfifo_reset_out()` in `iio_event_getfd()`. The kfifo documentation says that `kfifo_reset_out()` is only safe when it is called from the reader thread and there is only one concurrent reader. Otherwise it is dangerous and must be handled in the same way as `kfifo_reset()`. If that happens, `kfifo_to_user()` can advance the FIFO `out` index based on state from before the reset, after the reset has already moved the `out` index to the current `in` index. That can leave the FIFO with an `out` index past the `in` index. A later `read()` can then see an underflowed FIFO length and copy more data than the event FIFO buffer contains. This can result in an out-of-bounds read and leak adjacent kernel memory to userspace. Move the FIFO reset before `anon_inode_getfd()`. At that point the event fd is marked busy, but the new fd has not been installed yet, so userspace cannot access it while the FIFO is reset. Fixes: b91accafbb10 ("iio:event: Fix and cleanup locking") Reported-by: Codex:gpt-5.5 Signed-off-by: Lars-Peter Clausen Reviewed-by: Nuno Sá Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- drivers/iio/industrialio-event.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/drivers/iio/industrialio-event.c +++ b/drivers/iio/industrialio-event.c @@ -207,6 +207,8 @@ static int iio_event_getfd(struct iio_de goto unlock; } + kfifo_reset_out(&ev_int->det_events); + iio_device_get(indio_dev); fd = anon_inode_getfd("iio:event", &iio_event_chrdev_fileops, @@ -214,10 +216,7 @@ static int iio_event_getfd(struct iio_de if (fd < 0) { clear_bit(IIO_BUSY_BIT_POS, &ev_int->flags); iio_device_put(indio_dev); - } else { - kfifo_reset_out(&ev_int->det_events); } - unlock: mutex_unlock(&iio_dev_opaque->mlock); return fd;