linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] iio: core: fix ioctl handlers removal
@ 2021-04-23  8:02 Tomasz Duszynski
  2021-04-24 10:52 ` Jonathan Cameron
  0 siblings, 1 reply; 3+ messages in thread
From: Tomasz Duszynski @ 2021-04-23  8:02 UTC (permalink / raw)
  To: linux-iio; +Cc: linux-kernel, jic23, lars, ardeleanalex, Tomasz Duszynski

Currently ioctl handlers are removed twice. For the first time during
iio_device_unregister() then later on inside
iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
Double free leads to kernel panic.

Fix this by not touching ioctl handlers list directly but rather
letting code responsible for registration call the matching cleanup
routine itself.

Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
Acked-by: Alexandru Ardelean <ardeleanalex@gmail.com>
---
v2:
* add fixes tag and ack

 drivers/iio/industrialio-core.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index d92c58a94fe4..98944cfc7331 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)

 	indio_dev->info = NULL;

-	list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
-		list_del(&h->entry);
-
 	iio_device_wakeup_eventset(indio_dev);
 	iio_buffer_wakeup_poll(indio_dev);

--
2.31.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH v2] iio: core: fix ioctl handlers removal
  2021-04-23  8:02 [PATCH v2] iio: core: fix ioctl handlers removal Tomasz Duszynski
@ 2021-04-24 10:52 ` Jonathan Cameron
  2021-04-24 12:09   ` Tomasz Duszynski
  0 siblings, 1 reply; 3+ messages in thread
From: Jonathan Cameron @ 2021-04-24 10:52 UTC (permalink / raw)
  To: Tomasz Duszynski; +Cc: linux-iio, linux-kernel, lars, ardeleanalex

On Fri, 23 Apr 2021 10:02:44 +0200
Tomasz Duszynski <tomasz.duszynski@octakon.com> wrote:

> Currently ioctl handlers are removed twice. For the first time during
> iio_device_unregister() then later on inside
> iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
> Double free leads to kernel panic.
> 
> Fix this by not touching ioctl handlers list directly but rather
> letting code responsible for registration call the matching cleanup
> routine itself.
> 
> Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
> Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
> Acked-by: Alexandru Ardelean <ardeleanalex@gmail.com>

There are a bunch of unused local variables as a result of this change
(build warnings on my standard W=1 C=1 test).  I've dropped those as well and
applied this to the fixes-togreg branch of iio.git.

We are a bit unfortunate on timing for this as I won't send a pull request
for fixes until towards the end of the merge window.  I've marked it for stable
though so it should filter back fairly quickly so kernels people actually
use.

Thanks,

Jonathan

> ---
> v2:
> * add fixes tag and ack
> 
>  drivers/iio/industrialio-core.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index d92c58a94fe4..98944cfc7331 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)
> 
>  	indio_dev->info = NULL;
> 
> -	list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
> -		list_del(&h->entry);
> -
>  	iio_device_wakeup_eventset(indio_dev);
>  	iio_buffer_wakeup_poll(indio_dev);
> 
> --
> 2.31.1
> 


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH v2] iio: core: fix ioctl handlers removal
  2021-04-24 10:52 ` Jonathan Cameron
@ 2021-04-24 12:09   ` Tomasz Duszynski
  0 siblings, 0 replies; 3+ messages in thread
From: Tomasz Duszynski @ 2021-04-24 12:09 UTC (permalink / raw)
  To: Jonathan Cameron
  Cc: Tomasz Duszynski, linux-iio, linux-kernel, lars, ardeleanalex

On Sat, Apr 24, 2021 at 11:52:50AM +0100, Jonathan Cameron wrote:
> On Fri, 23 Apr 2021 10:02:44 +0200
> Tomasz Duszynski <tomasz.duszynski@octakon.com> wrote:
>
> > Currently ioctl handlers are removed twice. For the first time during
> > iio_device_unregister() then later on inside
> > iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
> > Double free leads to kernel panic.
> >
> > Fix this by not touching ioctl handlers list directly but rather
> > letting code responsible for registration call the matching cleanup
> > routine itself.
> >
> > Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
> > Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
> > Acked-by: Alexandru Ardelean <ardeleanalex@gmail.com>
>
> There are a bunch of unused local variables as a result of this change
> (build warnings on my standard W=1 C=1 test).  I've dropped those as well and
> applied this to the fixes-togreg branch of iio.git.
>

Right, thanks for catching this.

> We are a bit unfortunate on timing for this as I won't send a pull request
> for fixes until towards the end of the merge window.  I've marked it for stable
> though so it should filter back fairly quickly so kernels people actually
> use.
>
> Thanks,
>
> Jonathan
>
> > ---
> > v2:
> > * add fixes tag and ack
> >
> >  drivers/iio/industrialio-core.c | 3 ---
> >  1 file changed, 3 deletions(-)
> >
> > diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> > index d92c58a94fe4..98944cfc7331 100644
> > --- a/drivers/iio/industrialio-core.c
> > +++ b/drivers/iio/industrialio-core.c
> > @@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)
> >
> >  	indio_dev->info = NULL;
> >
> > -	list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
> > -		list_del(&h->entry);
> > -
> >  	iio_device_wakeup_eventset(indio_dev);
> >  	iio_buffer_wakeup_poll(indio_dev);
> >
> > --
> > 2.31.1
> >
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-24 12:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-23  8:02 [PATCH v2] iio: core: fix ioctl handlers removal Tomasz Duszynski
2021-04-24 10:52 ` Jonathan Cameron
2021-04-24 12:09   ` Tomasz Duszynski

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).