From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
To: Jonathan Cameron <jic23@kernel.org>
Cc: linux-iio@vger.kernel.org
Subject: Re: [PATCH 1/9] iio: Fix crash in trigger unregister
Date: Tue, 22 Oct 2013 07:41:45 -0700
Message-ID: <52668EA9.3070209@linux.intel.com>
In-Reply-To: <997f9af3-4265-483e-960e-9ee08051ba3c@email.android.com>
On 10/21/2013 02:35 PM, Jonathan Cameron wrote:
>
> Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> wrote:
>> User space can write a trigger name via trigger/current_trigger.
>> But it is possible that it can't find this name. In this case
>> iio_trigger_find_by_name will return NULL. Even if it is NULL,
>> it sets indio_dev->trig to this NULL value. But when iio drivers
>> call iio_trigger_unregister, it will crash because it will try
>> to dereference a NULL pointer. So either every driver checks for
>> NULL before calling iio_trigger_unregister or make sure that
>> NULL is not assigned because of invalid trigger name. The latter
>> is better and has less impact.
>>
>> Signed-off-by: Srinivas Pandruvada
>> <srinivas.pandruvada@linux.intel.com>
> Sorry to say I missed this in review.
> indio_dev->trig is a pointer to the trigger being used by the device NOT the trigger provided by the device. If the device provides a trigger, the pointer to that is stored somewhere in iio_priv.
>
> Hence the bug is not in the core but in the sensor hub trigger creation and freeing code.
>
> Sorry again that I did not pick up on this before as this is not the first driver to confuse this. In mitigation it is clearly documented as intern (i.e. not for driver assignment) in iio.h
>
> When I get a few mins I will check if we have any other equivalent cases that have slipped through the net...
<Thanks for pointing this out. I will fix in sensor hub driver and resubmit.>
Srinivas
> Jonathan
>> ---
>> drivers/iio/industrialio-trigger.c | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/iio/industrialio-trigger.c
>> b/drivers/iio/industrialio-trigger.c
>> index bf5e70a..4dc4247 100644
>> --- a/drivers/iio/industrialio-trigger.c
>> +++ b/drivers/iio/industrialio-trigger.c
>> @@ -342,13 +342,16 @@ static ssize_t iio_trigger_write_current(struct
>> device *dev,
>> if (oldtrig == trig)
>> return len;
>>
>> - if (trig && indio_dev->info->validate_trigger) {
>> + if (!trig)
>> + return -EINVAL;
>> +
>> + if (indio_dev->info->validate_trigger) {
>> ret = indio_dev->info->validate_trigger(indio_dev, trig);
>> if (ret)
>> return ret;
>> }
>>
>> - if (trig && trig->ops && trig->ops->validate_device) {
>> + if (trig->ops && trig->ops->validate_device) {
>> ret = trig->ops->validate_device(trig, indio_dev);
>> if (ret)
>> return ret;
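Review bot: In iio_trigger_write_current(), the new `if (!trig) return -EINVAL;` sits below the `if (oldtrig == trig) return len;` shortcut, so when oldtrig is also NULL a name that does not resolve still returns len and userspace sees success; if the intent is to reject unresolved names, the check belongs before that comparison. The removed `trig &&` guards also show that a NULL trig was a handled path before this change, so it is worth confirming that failing every unresolved write with -EINVAL does not take away a way for userspace to detach the device from its current trigger, and stating the new return value in the commit message.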