All of lore.kernel.org
 help / color / mirror / Atom feed
From: Lars-Peter Clausen <lars@metafoo.de>
To: Jonathan Cameron <jic23@kernel.org>
Cc: Martin Fuzzey <mfuzzey@parkeon.com>,
	Peter Meerwald-Stadler <pmeerw@pmeerw.net>,
	linux-iio@vger.kernel.org
Subject: Re: [PATCH 1/2] iio: mma8452: Fix trigger reference couting
Date: Thu, 28 Oct 2021 21:52:46 +0200	[thread overview]
Message-ID: <3bf78fdf-c6df-dd77-a1f1-61800c0ebe37@metafoo.de> (raw)
In-Reply-To: <20211028150731.753d4e40@jic23-huawei>

On 10/28/21 4:07 PM, Jonathan Cameron wrote:
> On Sun, 24 Oct 2021 11:26:59 +0200
> Lars-Peter Clausen <lars@metafoo.de> wrote:
>
>> The mma8452 driver directly assigns a trigger to the struct iio_dev. The
>> IIO core when done using this trigger will call `iio_trigger_put()` to drop
>> the reference count by 1.
>>
>> Without the matching `iio_trigger_get()` in the driver the reference count
>> can reach 0 too early, the trigger gets freed while still in use and a
>> use-after-free occurs.
>>
>> Fix this by getting a reference to the trigger before assigning it to the
>> IIO device.
>>
>> Fixes: ae6d9ce05691 ("iio: mma8452: Add support for interrupt driven triggers.")
>> Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
> Gah. I thought we'd gotten all these years ago. I guess this one slipped through
> the net.
Btw. we already have iio_trigger_set_immutable(), which handles the 
reference counting. I was think of adding a iio(_device)_trigger_set() 
that does the same except not setting the trig_readonly flag. And then 
eventually move the trigger to iio_dev_opaque. Any concerns with this?

  reply	other threads:[~2021-10-28 19:52 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-24  9:26 [PATCH 1/2] iio: mma8452: Fix trigger reference couting Lars-Peter Clausen
2021-10-24  9:27 ` [PATCH 2/2] iio: trigger: Fix reference counting Lars-Peter Clausen
2021-10-25 10:55   ` Sa, Nuno
2021-10-28 14:16   ` Jonathan Cameron
2021-10-28 16:04     ` Lars-Peter Clausen
2021-10-28 16:12       ` Jonathan Cameron
2021-10-28 14:07 ` [PATCH 1/2] iio: mma8452: Fix trigger reference couting Jonathan Cameron
2021-10-28 19:52   ` Lars-Peter Clausen [this message]
2021-10-30 15:03     ` Jonathan Cameron
2021-10-30 15:12       ` Lars-Peter Clausen
2021-10-30 17:08         ` Jonathan Cameron

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3bf78fdf-c6df-dd77-a1f1-61800c0ebe37@metafoo.de \
    --to=lars@metafoo.de \
    --cc=jic23@kernel.org \
    --cc=linux-iio@vger.kernel.org \
    --cc=mfuzzey@parkeon.com \
    --cc=pmeerw@pmeerw.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.