| Message ID | 2e2d9ec34fb1df8ab8e2749199822db8cc91d302.1664782676.git.mazziesaccount@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | iio: Fix unsafe buffer attributes | expand |
On Mon, 3 Oct 2022 11:10:29 +0300 Matti Vaittinen <mazziesaccount@gmail.com> wrote: > The devm_iio_kfifo_buffer_setup_ext() was changed by > commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") > to silently expect that all attributes given in buffer_attrs array are > device-attributes. This expectation was not forced by the API - and some > drivers did register attributes created by IIO_CONST_ATTR(). > > The added attribute "wrapping" does not copy the pointer to stored > string constant and when the sysfs file is read the kernel will access > to invalid location. > > Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order > to prevent the invalid memory access. > > Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> > Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") Seems like a safe enough change to take without additional review. Hence applied to the fixes-togreg branch of iio.git and marked for stable. Thanks, Jonathan > > --- > > v2 => v3: > Split change to own patch for simpler fix backporting. > --- > drivers/iio/accel/adxl367.c | 23 ++++++++++++++++++----- > 1 file changed, 18 insertions(+), 5 deletions(-) > > diff --git a/drivers/iio/accel/adxl367.c b/drivers/iio/accel/adxl367.c > index 47feb375b70b..7c7d78040793 100644 > --- a/drivers/iio/accel/adxl367.c > +++ b/drivers/iio/accel/adxl367.c > @@ -1185,17 +1185,30 @@ static ssize_t adxl367_get_fifo_watermark(struct device *dev, > return sysfs_emit(buf, "%d\n", fifo_watermark); > } > > -static IIO_CONST_ATTR(hwfifo_watermark_min, "1"); > -static IIO_CONST_ATTR(hwfifo_watermark_max, > - __stringify(ADXL367_FIFO_MAX_WATERMARK)); > +static ssize_t hwfifo_watermark_min_show(struct device *dev, > + struct device_attribute *attr, > + char *buf) > +{ > + return sysfs_emit(buf, "%s\n", "1"); > +} > + > +static ssize_t hwfifo_watermark_max_show(struct device *dev, > + struct device_attribute *attr, > + char *buf) > +{ > + return sysfs_emit(buf, "%s\n", __stringify(ADXL367_FIFO_MAX_WATERMARK)); > +} > + > +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_min, 0); > +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0); > static IIO_DEVICE_ATTR(hwfifo_watermark, 0444, > adxl367_get_fifo_watermark, NULL, 0); > static IIO_DEVICE_ATTR(hwfifo_enabled, 0444, > adxl367_get_fifo_enabled, NULL, 0); > > static const struct attribute *adxl367_fifo_attributes[] = { > - &iio_const_attr_hwfifo_watermark_min.dev_attr.attr, > - &iio_const_attr_hwfifo_watermark_max.dev_attr.attr, > + &iio_dev_attr_hwfifo_watermark_min.dev_attr.attr, > + &iio_dev_attr_hwfifo_watermark_max.dev_attr.attr, > &iio_dev_attr_hwfifo_watermark.dev_attr.attr, > &iio_dev_attr_hwfifo_enabled.dev_attr.attr, > NULL,
diff --git a/drivers/iio/accel/adxl367.c b/drivers/iio/accel/adxl367.c index 47feb375b70b..7c7d78040793 100644 --- a/drivers/iio/accel/adxl367.c +++ b/drivers/iio/accel/adxl367.c @@ -1185,17 +1185,30 @@ static ssize_t adxl367_get_fifo_watermark(struct device *dev, return sysfs_emit(buf, "%d\n", fifo_watermark); } -static IIO_CONST_ATTR(hwfifo_watermark_min, "1"); -static IIO_CONST_ATTR(hwfifo_watermark_max, - __stringify(ADXL367_FIFO_MAX_WATERMARK)); +static ssize_t hwfifo_watermark_min_show(struct device *dev, + struct device_attribute *attr, + char *buf) +{ + return sysfs_emit(buf, "%s\n", "1"); +} + +static ssize_t hwfifo_watermark_max_show(struct device *dev, + struct device_attribute *attr, + char *buf) +{ + return sysfs_emit(buf, "%s\n", __stringify(ADXL367_FIFO_MAX_WATERMARK)); +} + +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_min, 0); +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0); static IIO_DEVICE_ATTR(hwfifo_watermark, 0444, adxl367_get_fifo_watermark, NULL, 0); static IIO_DEVICE_ATTR(hwfifo_enabled, 0444, adxl367_get_fifo_enabled, NULL, 0); static const struct attribute *adxl367_fifo_attributes[] = { - &iio_const_attr_hwfifo_watermark_min.dev_attr.attr, - &iio_const_attr_hwfifo_watermark_max.dev_attr.attr, + &iio_dev_attr_hwfifo_watermark_min.dev_attr.attr, + &iio_dev_attr_hwfifo_watermark_max.dev_attr.attr, &iio_dev_attr_hwfifo_watermark.dev_attr.attr, &iio_dev_attr_hwfifo_enabled.dev_attr.attr, NULL,
The devm_iio_kfifo_buffer_setup_ext() was changed by commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") to silently expect that all attributes given in buffer_attrs array are device-attributes. This expectation was not forced by the API - and some drivers did register attributes created by IIO_CONST_ATTR(). The added attribute "wrapping" does not copy the pointer to stored string constant and when the sysfs file is read the kernel will access to invalid location. Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order to prevent the invalid memory access. Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") --- v2 => v3: Split change to own patch for simpler fix backporting. --- drivers/iio/accel/adxl367.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-)