* panic in iio_trigger_notify_done
@ 2014-07-04 18:59 Srinivas Pandruvada
2014-07-04 21:09 ` Jonathan Cameron
0 siblings, 1 reply; 2+ messages in thread
From: Srinivas Pandruvada @ 2014-07-04 18:59 UTC (permalink / raw)
To: Jonathan Cameron, linux-iio
Hi Jonathan,
I got reports of some rare to reproduce random crash in inv_mpu6050 driver.
Always crash points to iio_trigger_notify_done.
Usually, when user space disconnects the trigger by writing a dummy name,
(following example generic_buffer.c)
this indio_dev->trig can be set to NULL. But there can be race between
kernel and user space, so still the iio_trigger_notify_done can be
called, which will try to dereference on NULL pointer.
Recently you commented on my patch that setting
"indio_dev->trig
This is dangerous. Doing it like this will, IIRC leave the wrong
reference counts for the trigger. If you really, really want to do
this then call iio_get_trigger on the trigger as well to increment
the use count. Preferred option is to leave the binding to userspace
after the driver is probed.
"
I have seen several drivers in upstream kernel is doing this assignment,
I have patches to correct all of them assuming they will used on
x86 platform.
Is it OK to submit patches for all even, if we don't have evidence of
problem?
Thanks,
Srinivas
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: panic in iio_trigger_notify_done
2014-07-04 18:59 panic in iio_trigger_notify_done Srinivas Pandruvada
@ 2014-07-04 21:09 ` Jonathan Cameron
0 siblings, 0 replies; 2+ messages in thread
From: Jonathan Cameron @ 2014-07-04 21:09 UTC (permalink / raw)
To: Srinivas Pandruvada, linux-iio
On July 4, 2014 7:59:48 PM GMT+01:00, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> wrote:
>Hi Jonathan,
>
>I got reports of some rare to reproduce random crash in inv_mpu6050
>driver.
>Always crash points to iio_trigger_notify_done.
>Usually, when user space disconnects the trigger by writing a dummy
>name,
>(following example generic_buffer.c)
>this indio_dev->trig can be set to NULL. But there can be race between
>kernel and user space, so still the iio_trigger_notify_done can be
>called, which will try to dereference on NULL pointer.
>
>Recently you commented on my patch that setting
>"indio_dev->trig
>This is dangerous. Doing it like this will, IIRC leave the wrong
>reference counts for the trigger. If you really, really want to do
>this then call iio_get_trigger on the trigger as well to increment
>the use count. Preferred option is to leave the binding to userspace
>after the driver is probed.
>"
>
>I have seen several drivers in upstream kernel is doing this
>assignment,
>I have patches to correct all of them assuming they will used on
>x86 platform.
>
>Is it OK to submit patches for all even, if we don't have evidence of
>problem?
Absolutely. I had a feeling I haven't kept a close eye on this one and I is definitely a real
issue as you can tract the reference counts easily enough and see it is zero when it
should not be!
>
>Thanks,
>Srinivas
>--
>To unsubscribe from this list: send the line "unsubscribe linux-iio" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-07-04 21:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-07-04 18:59 panic in iio_trigger_notify_done Srinivas Pandruvada
2014-07-04 21:09 ` Jonathan Cameron
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.