From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 23E833D7A0C; Thu, 16 Jul 2026 14:01:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784210483; cv=none; b=IRAaUEpiRt77XQ5bq1y/Y8/MQX7xRrexPNNj6eZc8cxCYyMomk0JPTzavi9IPIHXJ669T6ILrT8Rc7iwJxt/5blV2HmWor5l2AbyUOWf2SaDAgdNJ1yvq7IWFfRCmYK44pOCUbLYEO5FXNG+RQpQlz11nWJfPwi19v2hhHsmknk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784210483; c=relaxed/simple; bh=+5y6SOATZcCnHIQKKMZkkwIvIOqreS3gcyGxNlCFnNg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=OjDjNzAV/U0TDdvhxPHkkhnPbVM8ZYlLu+DZQLM6TM6JUW1Gk4mSwkiIC9yO+/RCqrvYWJ3fPDmxkP0qalfRx2kK/FT6m1H+DlkbZi8eXF3uqBcr7YWJbuKyIDzMpKYhXOl5S/wb2bCH/tyHCk5fMGWdq/xZpxfaENsAT05JQHI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=TRFplgPu; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="TRFplgPu" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7DDC21F00A3F; Thu, 16 Jul 2026 14:01:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1784210482; bh=BrWFQtBer5ZEFjOu0XWmciBVAMsP1NPZmCXzD1SvhnI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=TRFplgPufXWTXJHojA032FM6n8qXVLLtGjTTguSUtoat2SC/+I/B89NFDFnvRCNoP Q1FCY3lztV42xZ/6P6h8fDk4mx7m2MLmjGKrv2bMsTUstkoehJGZyCrgOowEb12drO 4Z53TG2ic9SqZjAwbwRAnWDvSFHiTkOztkPmueLM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Lars-Peter Clausen , =?UTF-8?q?Nuno=20S=C3=A1?= , Stable@vger.kernel.org, Jonathan Cameron Subject: [PATCH 6.18 064/480] iio: event: Fix event FIFO reset race Date: Thu, 16 Jul 2026 15:26:51 +0200 Message-ID: <20260716133046.094225068@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260716133044.672218725@linuxfoundation.org> References: <20260716133044.672218725@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Lars-Peter Clausen commit af791d295737ea6b6ff2c8d8488462a49c14af01 upstream. `iio_event_getfd()` creates the event file descriptor with `anon_inode_getfd()`, which allocates a new fd, creates the anonymous file and installs it in the process fd table before returning to the caller. The IIO code resets the event FIFO after `anon_inode_getfd()` has returned, but before `IIO_GET_EVENT_FD_IOCTL` has copied the fd number to userspace. But since fd tables are shared between threads, another thread can guess the newly allocated fd number and issue a `read()` on it as soon as the fd has been installed. This means the `kfifo_to_user()` in `iio_event_chrdev_read()` can run in parallel with the `kfifo_reset_out()` in `iio_event_getfd()`. The kfifo documentation says that `kfifo_reset_out()` is only safe when it is called from the reader thread and there is only one concurrent reader. Otherwise it is dangerous and must be handled in the same way as `kfifo_reset()`. If that happens, `kfifo_to_user()` can advance the FIFO `out` index based on state from before the reset, after the reset has already moved the `out` index to the current `in` index. That can leave the FIFO with an `out` index past the `in` index. A later `read()` can then see an underflowed FIFO length and copy more data than the event FIFO buffer contains. This can result in an out-of-bounds read and leak adjacent kernel memory to userspace. Move the FIFO reset before `anon_inode_getfd()`. At that point the event fd is marked busy, but the new fd has not been installed yet, so userspace cannot access it while the FIFO is reset. Fixes: b91accafbb10 ("iio:event: Fix and cleanup locking") Reported-by: Codex:gpt-5.5 Signed-off-by: Lars-Peter Clausen Reviewed-by: Nuno Sá Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman --- drivers/iio/industrialio-event.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/drivers/iio/industrialio-event.c +++ b/drivers/iio/industrialio-event.c @@ -207,6 +207,8 @@ static int iio_event_getfd(struct iio_de goto unlock; } + kfifo_reset_out(&ev_int->det_events); + iio_device_get(indio_dev); fd = anon_inode_getfd("iio:event", &iio_event_chrdev_fileops, @@ -214,10 +216,7 @@ static int iio_event_getfd(struct iio_de if (fd < 0) { clear_bit(IIO_BUSY_BIT_POS, &ev_int->flags); iio_device_put(indio_dev); - } else { - kfifo_reset_out(&ev_int->det_events); } - unlock: mutex_unlock(&iio_dev_opaque->mlock); return fd;