drivers/iio/magnetometer/ak8975.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
From: Joshua Crofts <joshua.crofts1@gmail.com>
Currently in the AK8975 driver there are two instances where potential
uninitialized kernel stack memory leaks can occur. If
i2c_smbus_read_i2c_block_data_or_emulated() returns a value less than
the size of the buffer, uninitialized bytes are retained in the buffer
and later the buffer is passed on to IIO buffers, potentially leaking
memory to userspace.
Fix this by adding checks whether the return value of the function is
equal to the size of the buffer and subsequently if the value is
lesser than zero to distinguish from a returned error code.
Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260513-ak8975-fix-v1-1-104ea605dd54%40gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
---
drivers/iio/magnetometer/ak8975.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
index b648b0afa5733fd7a54bdf2b8f92f00e924c074b..9d23c8136291a52ca9ab928d81332aa32933fec6 100644
--- a/drivers/iio/magnetometer/ak8975.c
+++ b/drivers/iio/magnetometer/ak8975.c
@@ -756,8 +756,11 @@ static int ak8975_read_axis(struct iio_dev *indio_dev, int index, int *val)
ret = i2c_smbus_read_i2c_block_data_or_emulated(
client, def->data_regs[index],
sizeof(rval), (u8*)&rval);
- if (ret < 0)
+ if (ret != sizeof(rval)) {
+ if (ret >= 0)
+ ret = -EIO;
goto exit;
+ }
/* Read out ST2 for release lock on measurement data. */
ret = i2c_smbus_read_byte_data(client, data->def->ctrl_regs[ST2]);
@@ -871,8 +874,11 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev)
def->data_regs[0],
3 * sizeof(fval[0]),
(u8 *)fval);
- if (ret < 0)
+ if (ret != sizeof(fval)) {
+ if (ret >= 0)
+ ret = -EIO;
goto unlock;
+ }
mutex_unlock(&data->lock);
---
base-commit: 86138b484d6367a57312f69af4ec958806c2673c
change-id: 20260514-magnetometer-kernel-mem-leak-d88a85d28a60
Best regards,
--
Joshua Crofts <joshua.crofts1@gmail.com>On Thu, May 14, 2026 at 01:38:17PM +0200, Joshua Crofts via B4 Relay wrote:
> Currently in the AK8975 driver there are two instances where potential
> uninitialized kernel stack memory leaks can occur. If
> i2c_smbus_read_i2c_block_data_or_emulated() returns a value less than
> the size of the buffer, uninitialized bytes are retained in the buffer
> and later the buffer is passed on to IIO buffers, potentially leaking
> memory to userspace.
>
> Fix this by adding checks whether the return value of the function is
> equal to the size of the buffer and subsequently if the value is
> lesser than zero to distinguish from a returned error code.
...
> - if (ret < 0)
> + if (ret != sizeof(rval)) {
> + if (ret >= 0)
> + ret = -EIO;
> goto exit;
> + }
Still better to not mix the two
if (ret < 0)
goto exit;
if (ret != sizeof(rval)) {
ret = -EIO;
goto exit;
}
...
Ditto for the second case.
--
With Best Regards,
Andy Shevchenko
On Thu, 14 May 2026 at 13:38, Joshua Crofts via B4 Relay
<devnull+joshua.crofts1.gmail.com@kernel.org> wrote:
>
> From: Joshua Crofts <joshua.crofts1@gmail.com>
>
> Currently in the AK8975 driver there are two instances where potential
> uninitialized kernel stack memory leaks can occur. If
> i2c_smbus_read_i2c_block_data_or_emulated() returns a value less than
> the size of the buffer, uninitialized bytes are retained in the buffer
> and later the buffer is passed on to IIO buffers, potentially leaking
> memory to userspace.
>
> Fix this by adding checks whether the return value of the function is
> equal to the size of the buffer and subsequently if the value is
> lesser than zero to distinguish from a returned error code.
>
> Fixes: bc11ca4a0b84 ("iio:magnetometer:ak8975: triggered buffer support")
> Reported-by: Sashiko <sashiko-bot@kernel.org>
> Closes: https://sashiko.dev/#/patchset/20260513-ak8975-fix-v1-1-104ea605dd54%40gmail.com
> Cc: stable@vger.kernel.org
> Signed-off-by: Joshua Crofts <joshua.crofts1@gmail.com>
> ---
> drivers/iio/magnetometer/ak8975.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
> index b648b0afa5733fd7a54bdf2b8f92f00e924c074b..9d23c8136291a52ca9ab928d81332aa32933fec6 100644
> --- a/drivers/iio/magnetometer/ak8975.c
> +++ b/drivers/iio/magnetometer/ak8975.c
> @@ -756,8 +756,11 @@ static int ak8975_read_axis(struct iio_dev *indio_dev, int index, int *val)
> ret = i2c_smbus_read_i2c_block_data_or_emulated(
> client, def->data_regs[index],
> sizeof(rval), (u8*)&rval);
> - if (ret < 0)
> + if (ret != sizeof(rval)) {
> + if (ret >= 0)
> + ret = -EIO;
> goto exit;
> + }
>
> /* Read out ST2 for release lock on measurement data. */
> ret = i2c_smbus_read_byte_data(client, data->def->ctrl_regs[ST2]);
> @@ -871,8 +874,11 @@ static void ak8975_fill_buffer(struct iio_dev *indio_dev)
> def->data_regs[0],
> 3 * sizeof(fval[0]),
> (u8 *)fval);
> - if (ret < 0)
> + if (ret != sizeof(fval)) {
Hmm, Sashiko pointed out that I am comparing a signed integer with
an unsigned integer, which would result in type promotion and subsequent
mangling of any potential negative values... will fix in v2.
https://sashiko.dev/#/patchset/20260514-magnetometer-kernel-mem-leak-v1-1-35b48d699faf%40gmail.com
--
Kind regards
CJD
On Fri, May 15, 2026 at 11:00:17AM +0200, Joshua Crofts wrote:
> On Thu, 14 May 2026 at 13:38, Joshua Crofts via B4 Relay
> <devnull+joshua.crofts1.gmail.com@kernel.org> wrote:
...
> > - if (ret < 0)
> > + if (ret != sizeof(fval)) {
>
> Hmm, Sashiko pointed out that I am comparing a signed integer with
> an unsigned integer, which would result in type promotion and subsequent
> mangling of any potential negative values... will fix in v2.
>
> https://sashiko.dev/#/patchset/20260514-magnetometer-kernel-mem-leak-v1-1-35b48d699faf%40gmail.com
See my response. That how it should be in your v2.
--
With Best Regards,
Andy Shevchenko
On Fri, 15 May 2026 at 11:51, Andy Shevchenko
<andriy.shevchenko@intel.com> wrote:
>
> On Fri, May 15, 2026 at 11:00:17AM +0200, Joshua Crofts wrote:
> > On Thu, 14 May 2026 at 13:38, Joshua Crofts via B4 Relay
> > <devnull+joshua.crofts1.gmail.com@kernel.org> wrote:
>
> ...
>
> > > - if (ret < 0)
> > > + if (ret != sizeof(fval)) {
> >
> > Hmm, Sashiko pointed out that I am comparing a signed integer with
> > an unsigned integer, which would result in type promotion and subsequent
> > mangling of any potential negative values... will fix in v2.
> >
> > https://sashiko.dev/#/patchset/20260514-magnetometer-kernel-mem-leak-v1-1-35b48d699faf%40gmail.com
>
> See my response. That how it should be in your v2.
Thanks. Checking the driver again I found 2 additional places where an
I2C read is going
into uninitialized memory that Sashiko missed.
--
Kind regards
CJD
© 2016 - 2026 Red Hat, Inc.