2021-04-23 08:13:54

by Tomasz Duszynski

Subject: [PATCH v2] iio: core: fix ioctl handlers removal

Currently ioctl handlers are removed twice. For the first time during
iio_device_unregister() then later on inside
iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
Double free leads to kernel panic.

Fix this by not touching ioctl handlers list directly but rather
letting code responsible for registration call the matching cleanup
routine itself.

Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
Signed-off-by: Tomasz Duszynski <[email protected]>
Acked-by: Alexandru Ardelean <[email protected]>
---
v2:
* add fixes tag and ack

drivers/iio/industrialio-core.c | 3 ---
1 file changed, 3 deletions(-)

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index d92c58a94fe4..98944cfc7331 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)

indio_dev->info = NULL;

- list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
- list_del(&h->entry);
-
iio_device_wakeup_eventset(indio_dev);
iio_buffer_wakeup_poll(indio_dev);

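Review bot: deleting this loop removes the only visible users of the iteration variables `h` and `t` (and, if this was its sole use in the function, `iio_dev_opaque`) without touching their declarations, so the hunk leaves unused locals behind and warns under W=1; drop those declarations in the same hunk so the fix builds cleanly on its own. Since the list walk is gone, a one-line comment next to `indio_dev->info = NULL;` saying that `ioctl_handlers` is now emptied by the owning eventset and buffer cleanup routines (called later in this teardown path, outside the shown context) would also spare the next reader from re-adding the loop.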
--
2.31.1
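The commit message describes a double removal: the core unlinked every ioctl handler itself, and then the eventset and buffer code, which had added those handlers, unlinked them again. The following userland model, added here as an illustration and not code from the patch or the IIO subsystem, reproduces that sequence with a small kernel-style intrusive list. Names such as `device_unregister_before`, `device_unregister_after`, `eventset_unregister` and `buffer_unregister` are assumptions chosen to mirror the teardown order in the commit message; the poison values and `list_del_checked` stand in for the kernel's list_del() and CONFIG_DEBUG_LIST, counting a second unlink instead of oopsing so the two orderings can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly-linked list modelled after the kernel's list.h (simplified). */
struct list_head { struct list_head *next, *prev; };

/* Poison pointers, like the kernel's LIST_POISON1/2: a deleted entry can be told apart. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Unlink and poison. Returns false instead of dereferencing poison when the
 * entry was already removed; a real kernel would WARN or oops at this point. */
static bool list_del_checked(struct list_head *e)
{
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return false;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = LIST_POISON1;
    e->prev = LIST_POISON2;
    return true;
}

struct ioctl_handler { struct list_head entry; const char *owner; };

/* Hypothetical device: one handler list, two owning subsystems (constructed). */
struct device {
    struct list_head ioctl_handlers;
    struct ioctl_handler ev_handler;   /* registered by the "eventset" code */
    struct ioctl_handler buf_handler;  /* registered by the "buffer" code */
    int double_unlinks;                /* counted here instead of panicking */
};

static void device_register(struct device *d)
{
    INIT_LIST_HEAD(&d->ioctl_handlers);
    d->double_unlinks = 0;
    d->ev_handler.owner = "eventset";
    d->buf_handler.owner = "buffer";
    list_add_tail(&d->ev_handler.entry, &d->ioctl_handlers);
    list_add_tail(&d->buf_handler.entry, &d->ioctl_handlers);
}

/* Each registering subsystem unlinks only the handler it added. */
static void eventset_unregister(struct device *d)
{
    if (!list_del_checked(&d->ev_handler.entry))
        d->double_unlinks++;
}

static void buffer_unregister(struct device *d)
{
    if (!list_del_checked(&d->buf_handler.entry))
        d->double_unlinks++;
}

/* Before the fix: the core walks and empties the list itself (the removed
 * list_for_each_entry_safe loop), then the owners unlink the same entries again. */
static int device_unregister_before(struct device *d)
{
    struct list_head *p, *n;

    for (p = d->ioctl_handlers.next; p != &d->ioctl_handlers; p = n) {
        n = p->next;              /* save next before the entry is poisoned */
        list_del_checked(p);
    }
    eventset_unregister(d);
    buffer_unregister(d);
    return d->double_unlinks;
}

/* After the fix: the core leaves the list to the code that populated it. */
static int device_unregister_after(struct device *d)
{
    eventset_unregister(d);
    buffer_unregister(d);
    return d->double_unlinks;
}

/* Scenario helpers: return the number of double unlinks, or -1 if the list was
 * not left empty (both orderings must still fully tear the list down). */
static int unlinks_before_fix(void)
{
    struct device d;
    int n;

    device_register(&d);
    n = device_unregister_before(&d);
    return list_empty(&d.ioctl_handlers) ? n : -1;
}

static int unlinks_after_fix(void)
{
    struct device d;
    int n;

    device_register(&d);
    n = device_unregister_after(&d);
    return list_empty(&d.ioctl_handlers) ? n : -1;
}

int main(void)
{
    printf("double unlinks before fix: %d\n", unlinks_before_fix());
    printf("double unlinks after fix:  %d\n", unlinks_after_fix());
    return 0;
}
```

The count is the whole point: with the core-side loop present, both owners hit an already-poisoned entry (two double unlinks, which without the check would mean writing through poison pointers), while with the loop removed every entry is unlinked exactly once and the list still ends up empty.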


2021-04-24 10:52:58

by Jonathan Cameron

Subject: Re: [PATCH v2] iio: core: fix ioctl handlers removal

On Fri, 23 Apr 2021 10:02:44 +0200
Tomasz Duszynski <[email protected]> wrote:

> Currently ioctl handlers are removed twice. For the first time during
> iio_device_unregister() then later on inside
> iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
> Double free leads to kernel panic.
>
> Fix this by not touching ioctl handlers list directly but rather
> letting code responsible for registration call the matching cleanup
> routine itself.
>
> Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
> Signed-off-by: Tomasz Duszynski <[email protected]>
> Acked-by: Alexandru Ardelean <[email protected]>

There are a bunch of unused local variables as a result of this change
(build warnings on my standard W=1 C=1 test). I've dropped those as well and
applied this to the fixes-togreg branch of iio.git.

We are a bit unfortunate on timing for this as I won't send a pull request
for fixes until towards the end of the merge window. I've marked it for stable
though so it should filter back fairly quickly to kernels people actually
use.

Thanks,

Jonathan

> ---
> v2:
> * add fixes tag and ack
>
> drivers/iio/industrialio-core.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index d92c58a94fe4..98944cfc7331 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)
>
> indio_dev->info = NULL;
>
> - list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
> - list_del(&h->entry);
> -
> iio_device_wakeup_eventset(indio_dev);
> iio_buffer_wakeup_poll(indio_dev);
>
> --
> 2.31.1
>

2021-04-24 12:14:44

by Tomasz Duszynski

Subject: Re: [PATCH v2] iio: core: fix ioctl handlers removal

On Sat, Apr 24, 2021 at 11:52:50AM +0100, Jonathan Cameron wrote:
> On Fri, 23 Apr 2021 10:02:44 +0200
> Tomasz Duszynski <[email protected]> wrote:
>
> > Currently ioctl handlers are removed twice. For the first time during
> > iio_device_unregister() then later on inside
> > iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
> > Double free leads to kernel panic.
> >
> > Fix this by not touching ioctl handlers list directly but rather
> > letting code responsible for registration call the matching cleanup
> > routine itself.
> >
> > Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
> > Signed-off-by: Tomasz Duszynski <[email protected]>
> > Acked-by: Alexandru Ardelean <[email protected]>
>
> There are a bunch of unused local variables as a result of this change
> (build warnings on my standard W=1 C=1 test). I've dropped those as well and
> applied this to the fixes-togreg branch of iio.git.
>

Right, thanks for catching this.

> We are a bit unfortunate on timing for this as I won't send a pull request
> for fixes until towards the end of the merge window. I've marked it for stable
> though so it should filter back fairly quickly to kernels people actually
> use.
>
> Thanks,
>
> Jonathan
>
> > ---
> > v2:
> > * add fixes tag and ack
> >
> > drivers/iio/industrialio-core.c | 3 ---
> > 1 file changed, 3 deletions(-)
> >
> > diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> > index d92c58a94fe4..98944cfc7331 100644
> > --- a/drivers/iio/industrialio-core.c
> > +++ b/drivers/iio/industrialio-core.c
> > @@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)
> >
> > indio_dev->info = NULL;
> >
> > - list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
> > - list_del(&h->entry);
> > -
> > iio_device_wakeup_eventset(indio_dev);
> > iio_buffer_wakeup_poll(indio_dev);
> >
> > --
> > 2.31.1
> >
>