From: David Lechner <dlechner@baylibre.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-iio@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
"Lorenzo Bianconi" <lorenzo@kernel.org>,
"Jonathan Cameron" <jic23@kernel.org>,
"Nuno Sá" <nuno.sa@analog.com>,
"Andy Shevchenko" <andy@kernel.org>, stable <stable@kernel.org>
Subject: Re: [PATCH 2/3] iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
Date: Thu, 9 Apr 2026 10:25:15 -0500
Message-ID: <590ff995-00c6-44d5-bc24-d4cc2b7547cd@baylibre.com>
In-Reply-To: <2026040949-ferment-reload-abcd@gregkh>
On 4/9/26 8:40 AM, Greg Kroah-Hartman wrote:
> The tagged FIFO path declares iio_buff on the stack with __aligned(8)
> but no initializer, and there is a hole in the structure, which will
> then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
> copied, but the space between that and the timestamp is not
> initialized.
>
> Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
> issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
> but for the tagged path it only added the alignment qualifier and not
> the initializer :(
>
> Fix this by just zero-initializing the structure on the stack.
>
Reviewed-by: David Lechner <dlechner@baylibre.com>
>
> diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> index 5b28a3ffcc3d..48291203d1cd 100644
> --- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> +++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
> @@ -609,7 +609,7 @@ int st_lsm6dsx_read_tagged_fifo(struct st_lsm6dsx_hw *hw)
> * must be passed a buffer that is aligned to 8 bytes so
> * as to allow insertion of a naturally aligned timestamp.
> */
> - u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
> + u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
Looks like a case where we could follow this up with a patch to
use IIO_DECLARE_BUF_WITH_TS().
> u8 tag;
> bool reset_ts = false;
> int i, err, read_len;
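Review bot: the comment block directly above the declaration (`* must be passed a buffer that is aligned to 8 bytes so` ... `* as to allow insertion of a naturally aligned timestamp.`) explains only the alignment requirement and says nothing about why the buffer must now be zeroed, so a later cleanup could drop `= { }` as apparently redundant; consider adding a line stating that the bytes between ST_LSM6DSX_SAMPLE_SIZE and the timestamp are never written and must not carry stack contents to userspace. Separately, "hole in the structure" in the commit message reads as struct padding, whereas `iio_buff` is a plain u8 array; "unwritten bytes between the sample and the timestamp" would describe the leak more precisely.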
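An added example, not kernel code: it models the record layout the commit message describes, a 6-byte sample followed by padding up to an 8-byte-aligned s64 timestamp, and counts how many padding bytes reach the consumer with and without the zero initializer. SAMPLE_SIZE, TS_OFFSET, IIO_BUFF_SIZE and the 0xAA stale-stack fill are constructed stand-ins for the driver's constants and for indeterminate stack contents.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the driver's constants (assumptions). */
#define SAMPLE_SIZE   6                              /* ST_LSM6DSX_SAMPLE_SIZE */
#define TS_OFFSET     8                              /* next 8-byte boundary after the sample */
#define IIO_BUFF_SIZE (TS_OFFSET + sizeof(int64_t))  /* sample + pad + s64 timestamp = 16 */

/* Stand-in for the IIO push: the consumer sees the whole record, padding included. */
static void push_record(uint8_t *out, const uint8_t *buff)
{
	memcpy(out, buff, IIO_BUFF_SIZE);
}

/* Pre-fix shape: only the sample and the timestamp are written. Real stale
 * stack contents are indeterminate, so 'stale' simulates them explicitly. */
static void build_record_unfixed(uint8_t *out, const uint8_t *sample,
				 int64_t ts, uint8_t stale)
{
	uint8_t iio_buff[IIO_BUFF_SIZE] __attribute__((aligned(8)));

	memset(iio_buff, stale, IIO_BUFF_SIZE);    /* simulated leftover stack */
	memcpy(iio_buff, sample, SAMPLE_SIZE);
	memcpy(iio_buff + TS_OFFSET, &ts, sizeof(ts));
	push_record(out, iio_buff);
}

/* Post-fix shape: zero-initialized at declaration (the patch writes `= { }`). */
static void build_record_fixed(uint8_t *out, const uint8_t *sample, int64_t ts)
{
	uint8_t iio_buff[IIO_BUFF_SIZE] __attribute__((aligned(8))) = { 0 };

	memcpy(iio_buff, sample, SAMPLE_SIZE);
	memcpy(iio_buff + TS_OFFSET, &ts, sizeof(ts));
	push_record(out, iio_buff);
}

/* Counts bytes between the sample and the timestamp that are not zero, i.e.
 * bytes that would carry uncontrolled stack contents to the consumer.
 * Returns 2 for the unfixed shape and 0 for the fixed one. */
int demo_leaked_bytes(int fixed)
{
	const uint8_t sample[SAMPLE_SIZE] = { 1, 2, 3, 4, 5, 6 };  /* constructed */
	uint8_t record[IIO_BUFF_SIZE];
	int n = 0;

	if (fixed)
		build_record_fixed(record, sample, 1234567890LL);
	else
		build_record_unfixed(record, sample, 1234567890LL, 0xAA);
	for (int i = SAMPLE_SIZE; i < TS_OFFSET; i++)
		n += record[i] != 0;
	return n;
}
```

Calling demo_leaked_bytes(0) and demo_leaked_bytes(1) shows the two padding bytes that the unwritten gap exposes before the fix and that the initializer removes.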