From: sashiko-bot@kernel.org
To: "Jinseob Kim" <kimjinseob88@gmail.com>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH RFC v3 6/6] iio: osf: register IIO devices from capabilities
Date: Fri, 29 May 2026 14:36:32 +0000
Message-ID: <20260529143632.AA5671F00893@smtp.kernel.org>
In-Reply-To: <20260529121005.1470-7-kimjinseob88@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Uninitialized kernel heap memory is leaked to userspace through IIO buffer padding.
--

commit 9319c55b6b77ef9ce1f7e526e5ce9463c217bc27
Author: Jinseob Kim <kimjinseob88@gmail.com>

iio: osf: register IIO devices from capabilities

This commit updates the Open Sensor Fusion (OSF) driver to parse the first
capability report and create corresponding IIO devices. It also adds logic
to cache the latest samples and push enabled buffers directly to userspace.

> diff --git a/drivers/iio/opensensorfusion/osf_iio.c b/drivers/iio/opensensorfusion/osf_iio.c
> new file mode 100644
> index 0000000000000..5e509987876d7
> --- /dev/null
> +++ b/drivers/iio/opensensorfusion/osf_iio.c
[ ... ]
> +int osf_iio_push_sample(struct iio_dev *indio_dev, const s32 *values,
> + unsigned int channel_count)
> +{
> + struct osf_iio_state *state = iio_priv(indio_dev);
> + s32 scan[OSF_MAX_SAMPLE_CHANNELS] = { };
> + s64 timestamp;
> +
> + if (channel_count != state->spec->channel_count)
> + return -EPROTO;
> +
> + memcpy(scan, values, channel_count * sizeof(*values));
> +
> + /* Buffer state can change here; IIO rechecks it during the push path. */
> + if (!iio_buffer_enabled(indio_dev))
> + return 0;
> +
> + timestamp = iio_get_time_ns(indio_dev);
> +
> + return iio_push_to_buffers_with_ts_unaligned(indio_dev, scan,
> + channel_count * sizeof(*scan),
> + timestamp);

[Severity: High]
Does this leak uninitialized kernel heap memory to userspace?

The driver passes channel_count * sizeof(*scan) as the data_sz, which
is 12 bytes for a 3-axis sensor or 4 bytes for temperature.

However, the IIO core calculates the buffer's scan_bytes to include padding
to 8-byte align the 64-bit timestamp. This results in a scan size of 24
bytes for a 3-axis sensor, or 16 bytes for temperature.

Looking at iio_push_to_buffers_with_ts_unaligned(), the bounce buffer is
allocated without zeroing the memory:

drivers/iio/industrialio-buffer.c:iio_push_to_buffers_with_ts_unaligned() {
	...
	if (iio_dev_opaque->bounce_buffer_size != indio_dev->scan_bytes) {
		void *bb;

		bb = devm_krealloc(&indio_dev->dev,
				   iio_dev_opaque->bounce_buffer,
				   indio_dev->scan_bytes, GFP_KERNEL);
		...
	}
	memcpy(iio_dev_opaque->bounce_buffer, data, data_sz);
	return iio_push_to_buffers_with_timestamp(indio_dev, ...);
}

It only copies data_sz bytes into the bounce buffer and then appends the
8-byte timestamp, leaving the intermediate padding bytes uninitialized.
When this buffer is pushed to the kfifo, the uninitialized kernel memory is
exposed to userspace.

Could we pass a correctly padded and zero-initialized structure, or provide
the exact size including padding up to the timestamp, to avoid leaking
these bytes?

> +}
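
Review bot: The memcpy() into scan in osf_iio_push_sample() is bounded only by state->spec->channel_count; nothing visible in this hunk ties that value to OSF_MAX_SAMPLE_CHANNELS, so a spec with more channels than the array holds would overrun the on-stack buffer. Consider rejecting it before the copy, for example if (channel_count > ARRAY_SIZE(scan)) return -EPROTO;, or add a static_assert where the spec table is defined so the invariant is checked at build time and documented next to the data it constrains.
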
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260529121005.1470-1-kimjinseob88@gmail.com?part=6
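
The padding arithmetic from the review above, as a userspace C model. This is an added example, not code from the patch or the kernel; push_model(), the STALE marker and the sample values are constructed for illustration, and the timestamp placement in the last 8 bytes of the scan is an assumption about the IIO core.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old heap contents */
static const int32_t sample[3] = { 100, -200, 300 }; /* constructed values */
/* Scan size per the review: channel data padded to 8 bytes, then an s64 timestamp. */
static size_t scan_bytes(unsigned int channels)
{
	return (((size_t)channels * sizeof(int32_t) + 7) & ~(size_t)7) + sizeof(int64_t);
}

/* Model of the push path: un-zeroed bounce buffer, copy data_sz bytes, write the
 * timestamp into the last 8 bytes. Returns the stale bytes left in the scan. */
static size_t push_model(const void *data, size_t data_sz, unsigned int channels)
{
	size_t total = scan_bytes(channels), leaked = 0, i;
	int64_t ts = 0x0102030405060708LL; /* constructed; no byte equals STALE */
	unsigned char *bb = malloc(total);
	if (!bb)
		return (size_t)-1;
	memset(bb, STALE, total); /* stands in for memory krealloc did not clear */
	memcpy(bb, data, data_sz);
	memcpy(bb + total - sizeof(ts), &ts, sizeof(ts));
	for (i = 0; i < total; i++)
		leaked += (bb[i] == STALE);
	free(bb);
	return leaked;
}

/* As posted: data_sz covers only the channel values (channels <= 3 here). */
static size_t leak_as_posted(unsigned int channels)
{
	return push_model(sample, channels * sizeof(sample[0]), channels);
}

/* One suggested fix: zeroed scan, size includes padding up to the timestamp. */
static size_t leak_when_padded(unsigned int channels)
{
	int32_t scan[4] = { 0 };
	memcpy(scan, sample, channels * sizeof(sample[0]));
	return push_model(scan, scan_bytes(channels) - sizeof(int64_t), channels);
}

int main(void)
{
	printf("3-axis posted=%zu padded=%zu\n", leak_as_posted(3), leak_when_padded(3));
	return 0;
}
```
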