[v2] iio: core: fix ioctl handlers removal

Message ID 20210423080244.2790-1-tomasz.duszynski@octakon.com (mailing list archive)
State New, archived

Commit Message

Tomasz Duszynski April 23, 2021, 8:02 a.m. UTC
Currently ioctl handlers are removed twice. For the first time during
iio_device_unregister() then later on inside
iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
Double free leads to kernel panic.

Fix this by not touching ioctl handlers list directly but rather
letting code responsible for registration call the matching cleanup
routine itself.

Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
Acked-by: Alexandru Ardelean <ardeleanalex@gmail.com>
---
v2:
* add fixes tag and ack

 drivers/iio/industrialio-core.c | 3 ---
 1 file changed, 3 deletions(-)

--
2.31.1

Comments

Jonathan Cameron April 24, 2021, 10:52 a.m. UTC | #1
On Fri, 23 Apr 2021 10:02:44 +0200
Tomasz Duszynski <tomasz.duszynski@octakon.com> wrote:

> Currently ioctl handlers are removed twice. For the first time during
> iio_device_unregister() then later on inside
> iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
> Double free leads to kernel panic.
> 
> Fix this by not touching ioctl handlers list directly but rather
> letting code responsible for registration call the matching cleanup
> routine itself.
> 
> Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
> Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
> Acked-by: Alexandru Ardelean <ardeleanalex@gmail.com>

There are a bunch of unused local variables as a result of this change
(build warnings on my standard W=1 C=1 test).  I've dropped those as well and
applied this to the fixes-togreg branch of iio.git.

We are a bit unfortunate on timing for this as I won't send a pull request
for fixes until towards the end of the merge window.  I've marked it for stable
though so it should filter back fairly quickly to kernels people actually
use.

Thanks,

Jonathan

> ---
> v2:
> * add fixes tag and ack
> 
>  drivers/iio/industrialio-core.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index d92c58a94fe4..98944cfc7331 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)
> 
>  	indio_dev->info = NULL;
> 
> -	list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
> -		list_del(&h->entry);
> -
>  	iio_device_wakeup_eventset(indio_dev);
>  	iio_buffer_wakeup_poll(indio_dev);
> 
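Review bot: the commit message calls this a double free, but the two lines removed from iio_device_unregister() only call list_del() on each entry of ioctl_handlers and free nothing. The failure described is a second list_del() on an entry that is already unlinked, once the eventset and buffer cleanup paths named in the commit message run. Consider rewording to "double list_del()" or "double removal" so the stable backport describes the defect accurately.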
> --
> 2.31.1
>
Tomasz Duszynski April 24, 2021, 12:09 p.m. UTC | #2
On Sat, Apr 24, 2021 at 11:52:50AM +0100, Jonathan Cameron wrote:
> On Fri, 23 Apr 2021 10:02:44 +0200
> Tomasz Duszynski <tomasz.duszynski@octakon.com> wrote:
>
> > Currently ioctl handlers are removed twice. For the first time during
> > iio_device_unregister() then later on inside
> > iio_device_unregister_eventset() and iio_buffers_free_sysfs_and_mask().
> > Double free leads to kernel panic.
> >
> > Fix this by not touching ioctl handlers list directly but rather
> > letting code responsible for registration call the matching cleanup
> > routine itself.
> >
> > Fixes: 8dedcc3eee3ac ("iio: core: centralize ioctl() calls to the main chardev")
> > Signed-off-by: Tomasz Duszynski <tomasz.duszynski@octakon.com>
> > Acked-by: Alexandru Ardelean <ardeleanalex@gmail.com>
>
> There are a bunch of unused local variables as a result of this change
> (build warnings on my standard W=1 C=1 test).  I've dropped those as well and
> applied this to the fixes-togreg branch of iio.git.
>

Right, thanks for catching this.

> We are a bit unfortunate on timing for this as I won't send a pull request
> for fixes until towards the end of the merge window.  I've marked it for stable
> though so it should filter back fairly quickly to kernels people actually
> use.
>
> Thanks,
>
> Jonathan
>
> > ---
> > v2:
> > * add fixes tag and ack
> >
> >  drivers/iio/industrialio-core.c | 3 ---
> >  1 file changed, 3 deletions(-)
> >
> > diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> > index d92c58a94fe4..98944cfc7331 100644
> > --- a/drivers/iio/industrialio-core.c
> > +++ b/drivers/iio/industrialio-core.c
> > @@ -1939,9 +1939,6 @@ void iio_device_unregister(struct iio_dev *indio_dev)
> >
> >  	indio_dev->info = NULL;
> >
> > -	list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
> > -		list_del(&h->entry);
> > -
> >  	iio_device_wakeup_eventset(indio_dev);
> >  	iio_buffer_wakeup_poll(indio_dev);
> >
> > --
> > 2.31.1
> >
>
Patch

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index d92c58a94fe4..98944cfc7331 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1939,9 +1939,6 @@  void iio_device_unregister(struct iio_dev *indio_dev)

 	indio_dev->info = NULL;

-	list_for_each_entry_safe(h, t, &iio_dev_opaque->ioctl_handlers, entry)
-		list_del(&h->entry);
-
 	iio_device_wakeup_eventset(indio_dev);
 	iio_buffer_wakeup_poll(indio_dev);
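Review bot: the locals `h` and `t` used by the removed list_for_each_entry_safe() loop are left declared in iio_device_unregister(), since the diffstat shows only these 3 deletions. Drop their declarations in the same patch, and `iio_dev_opaque` too if nothing else in the function still uses it, so the fix builds clean under W=1 and backports to stable without a follow-up.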