All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alexandru Ardelean <ardeleanalex@gmail.com>
To: Lars-Peter Clausen <lars@metafoo.de>
Cc: "Alexandru Ardelean" <alexandru.ardelean@analog.com>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-iio <linux-iio@vger.kernel.org>,
	"Hennerich, Michael" <Michael.Hennerich@analog.com>,
	"Jonathan Cameron" <jic23@kernel.org>,
	"Nuno Sá" <nuno.sa@analog.com>,
	"Bogdan, Dragos" <dragos.bogdan@analog.com>
Subject: Re: [PATCH v6 19/24] iio: buffer: introduce support for attaching more IIO buffers
Date: Sun, 28 Feb 2021 19:46:51 +0200	[thread overview]
Message-ID: <CA+U=DsrhojhamxY6da7CSu79pkAnF=nHPk3H=xAbkZmtLozx2g@mail.gmail.com> (raw)
In-Reply-To: <d616ffac-9747-55f8-0478-dd747dba381a@metafoo.de>

On Sun, Feb 28, 2021 at 10:31 AM Lars-Peter Clausen <lars@metafoo.de> wrote:
>
> On 2/15/21 11:40 AM, Alexandru Ardelean wrote:
> >   static ssize_t iio_show_scan_index(struct device *dev,
> >                                  struct device_attribute *attr,
> >                                  char *buf)
> > @@ -1451,11 +1465,13 @@ static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer)
> >       iio_free_chan_devattr_list(&buffer->buffer_attr_list);
> >   }
> >
> > -int iio_buffer_alloc_sysfs_and_mask(struct iio_dev *indio_dev)
> > +int iio_buffers_alloc_sysfs_and_mask(struct iio_dev *indio_dev)
> >   {
> > [...]
> > +error_unwind_sysfs_and_mask:
> > +     for (; unwind_idx >= 0; unwind_idx--) {
> > +             buffer = iio_dev_opaque->attached_buffers[unwind_idx];
> > +             __iio_buffer_free_sysfs_and_mask(buffer);
> > +     }
> > +     kfree(iio_dev_opaque->attached_buffers);
> > +     return ret;
> >   }
> >
> > -void iio_buffer_free_sysfs_and_mask(struct iio_dev *indio_dev)
> > +void iio_buffers_free_sysfs_and_mask(struct iio_dev *indio_dev)
> >   {
> > [...]
> > +     for (i = iio_dev_opaque->attached_buffers_cnt - 1; i >= 0; i--) {
> > +             buffer = iio_dev_opaque->attached_buffers[i];
> > +             __iio_buffer_free_sysfs_and_mask(buffer);
> > +     }
> > +
> > +     kfree(iio_dev_opaque->attached_buffers);
> >   }
> > [...]
> > diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> > index 1d500ea246af..f7f785431106 100644
> > --- a/drivers/iio/industrialio-core.c
> > +++ b/drivers/iio/industrialio-core.c
> > @@ -1583,7 +1583,7 @@ static void iio_dev_release(struct device *device)
> >       iio_device_unregister_eventset(indio_dev);
> >       iio_device_unregister_sysfs(indio_dev);
> >
> > -     iio_buffer_put(indio_dev->buffer);
> > +     iio_buffers_put(indio_dev);
> We do call kfree(iio_dev_opaque->attached_buffers) before we get here. I
> think we need to keep the array around, otherwise we end of up with a
> use after free.
>

Good catch.
Will send an update here.

  reply	other threads:[~2021-02-28 17:48 UTC|newest]

Thread overview: 67+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-15 10:40 [PATCH v6 00/24] iio: core,buffer: add support for multiple IIO buffers per IIO device Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 01/24] iio: adc: ti_am335x_adc: remove omitted iio_kfifo_free() Alexandru Ardelean
2021-02-15 11:18   ` Jonathan Cameron
2021-02-15 10:40 ` [PATCH v6 02/24] iio: kfifo: add devm_iio_kfifo_buffer_setup() helper Alexandru Ardelean
2021-02-28  8:06   ` Lars-Peter Clausen
2021-02-28 17:45     ` Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 03/24] iio: make use of " Alexandru Ardelean
2021-02-15 12:11   ` Jonathan Cameron
2021-02-16 23:46     ` Gwendal Grignou
2021-02-18  8:22       ` Matt Ranostay
2021-02-18 13:25         ` Jonathan Cameron
2021-02-15 10:40 ` [PATCH v6 04/24] iio: accel: sca3000: use " Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 05/24] iio: kfifo: un-export devm_iio_kfifo_allocate() function Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 06/24] iio: buffer-dma,adi-axi-adc: introduce devm_iio_dmaengine_buffer_setup() Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 07/24] docs: ioctl-number.rst: reserve IIO subsystem ioctl() space Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 08/24] iio: core: register chardev only if needed Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 09/24] iio: core-trigger: make iio_device_register_trigger_consumer() an int return Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 10/24] iio: core: rework iio device group creation Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 11/24] iio: buffer: group attr count and attr alloc Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 12/24] iio: core: merge buffer/ & scan_elements/ attributes Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 13/24] iio: add reference to iio buffer on iio_dev_attr Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 14/24] iio: buffer: wrap all buffer attributes into iio_dev_attr Alexandru Ardelean
     [not found]   ` <CGME20210401073947eucas1p2c7f672475bce79dea00e9398cc562073@eucas1p2.samsung.com>
2021-04-01  7:39     ` Marek Szyprowski
2021-04-01  8:26       ` Jonathan Cameron
2021-04-01 11:10         ` Alexandru Ardelean
2022-09-09  8:12   ` Vaittinen, Matti
2022-09-19  8:52     ` [RFT] potential bug with IIO_CONST_ATTR usage with triggered buffers Vaittinen, Matti
2022-09-19 15:32       ` Jonathan Cameron
2022-09-19 17:18         ` Jonathan Cameron
2022-09-19 18:06           ` Vaittinen, Matti
2022-09-24 13:49             ` Jonathan Cameron
2022-09-25 13:28               ` Alexandru Ardelean
2022-10-06  8:33       ` Claudiu.Beznea
2021-02-15 10:40 ` [PATCH v6 15/24] iio: buffer: dmaengine: obtain buffer object from attribute Alexandru Ardelean
2021-02-15 12:44   ` Jonathan Cameron
2021-02-15 10:40 ` [PATCH v6 16/24] iio: core: wrap iio device & buffer into struct for character devices Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 17/24] iio: buffer: move __iio_buffer_free_sysfs_and_mask() before alloc Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 18/24] iio: dummy: iio_simple_dummy_buffer: use triggered buffer core calls Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 19/24] iio: buffer: introduce support for attaching more IIO buffers Alexandru Ardelean
2021-02-28  8:29   ` Lars-Peter Clausen
2021-02-28 17:46     ` Alexandru Ardelean [this message]
2021-02-15 10:40 ` [PATCH v6 20/24] iio: buffer: add ioctl() to support opening extra buffers for IIO device Alexandru Ardelean
2021-02-28  7:57   ` Lars-Peter Clausen
2021-02-28 18:04     ` Alexandru Ardelean
2021-02-28  8:51   ` Lars-Peter Clausen
2021-02-28 14:34     ` Jonathan Cameron
2021-02-28 15:51       ` Lars-Peter Clausen
2021-02-28 17:27         ` Jonathan Cameron
2021-03-06 17:00           ` Alexandru Ardelean
2021-03-07 12:13             ` Jonathan Cameron
2021-03-13 18:46               ` Jonathan Cameron
2021-03-15  9:58             ` Sa, Nuno
2021-03-20 17:41               ` Jonathan Cameron
2021-03-21 17:37                 ` Jonathan Cameron
2021-03-23  9:51                   ` Alexandru Ardelean
2021-03-23 11:34                     ` Jonathan Cameron
2021-03-24  9:10                       ` Alexandru Ardelean
2021-03-27 12:00                         ` Lars-Peter Clausen
2021-02-28 18:09         ` Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 21/24] iio: core: rename 'dev' -> 'indio_dev' in iio_device_alloc() Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 22/24] tools: iio: make iioutils_get_type() private in iio_utils Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 23/24] tools: iio: privatize globals and functions in iio_generic_buffer.c file Alexandru Ardelean
2021-02-15 10:40 ` [PATCH v6 24/24] tools: iio: convert iio_generic_buffer to use new IIO buffer API Alexandru Ardelean
2021-02-15 13:52   ` Jonathan Cameron
2021-02-15 13:57 ` [PATCH v6 00/24] iio: core,buffer: add support for multiple IIO buffers per IIO device Jonathan Cameron
2021-02-15 14:10   ` Alexandru Ardelean
2021-02-16 11:19     ` Jonathan Cameron

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+U=DsrhojhamxY6da7CSu79pkAnF=nHPk3H=xAbkZmtLozx2g@mail.gmail.com' \
    --to=ardeleanalex@gmail.com \
    --cc=Michael.Hennerich@analog.com \
    --cc=alexandru.ardelean@analog.com \
    --cc=dragos.bogdan@analog.com \
    --cc=jic23@kernel.org \
    --cc=lars@metafoo.de \
    --cc=linux-iio@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nuno.sa@analog.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.