From: Jonathan Cameron Jonathan.Cameron@huawei.com
[ Upstream commit 886a446b76afddfad307488e95e87f23a08ffd51 ]
On x86_32 s64 fields are only 32-bit aligned. Hence force the alignment of the field and padding in the structure by using aligned_s64 instead.
Reviewed-by: David Lechner dlechner@baylibre.com Link: https://patch.msgid.link/20250413103443.2420727-19-jic23@kernel.org Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com Signed-off-by: Sasha Levin sashal@kernel.org ---
Based on my analysis, here is my determination:
**YES**
This commit should be backported to stable kernel trees for the following reasons:
1. **Critical Bug Fix**: The commit fixes a subtle but serious alignment bug that can cause **buffer overruns** on 32-bit architectures. The original code uses a plain `u64 timestamp` field in the sample structure, which is only guaranteed 4-byte alignment on x86_32 and other 32-bit architectures.
2. **Security Impact**: As shown in the `iio_push_to_buffers_with_timestamp()` function at line `((int64_t *)data)[ts_offset] = timestamp;`, the code performs a 64-bit write at a calculated offset. If the buffer is only 4-byte aligned but the offset calculation assumes 8-byte alignment, this can result in: - Buffer overflow beyond the allocated structure - Memory corruption of adjacent stack variables - Potential information leaks to userspace
3. **Pattern of Similar Fixes**: Looking at similar commits: - Commit #2 (mprls0025pa: use aligned_s64) was marked for stable with `Fixes:` tag - Commit #5 (ms5611 Fix buffer element alignment) was marked for stable - The analysis document shows this is part of a systematic campaign to fix these issues since 2020
4. **Small, Contained Change**: The fix is minimal - simply changing `u64 timestamp` to `aligned_s64 timestamp`. This ensures the timestamp field is properly 8-byte aligned through the `__aligned(8)` attribute, preventing any alignment issues.
5. **Architecture-Specific Vulnerability**: The bug specifically affects 32-bit architectures where s64 has only 4-byte natural alignment. This makes it a real issue for ARM32 and other 32-bit platforms still in use.
6. **Recent Related Security Fix**: The same file had a recent security fix (commit 6007d10c5262) for information leaks, showing this driver has active security concerns that need addressing in stable trees.
The commit follows the stable tree rules perfectly: it fixes an important bug with minimal changes and low regression risk. The alignment issue can cause actual crashes or data corruption on affected architectures, making it a clear candidate for stable backporting.
drivers/iio/pressure/zpa2326.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/pressure/zpa2326.c b/drivers/iio/pressure/zpa2326.c index df60b3d91dad4..85ca48f2fe665 100644 --- a/drivers/iio/pressure/zpa2326.c +++ b/drivers/iio/pressure/zpa2326.c @@ -581,7 +581,7 @@ static int zpa2326_fill_sample_buffer(struct iio_dev *indio_dev, struct { u32 pressure; u16 temperature; - u64 timestamp; + aligned_s64 timestamp; } sample; int err;