Message ID | 20241018-iio-read-avail-release-v4-5-53c8ac618585@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Headers | show |
Series | iio: fix possible race condition during access of available info lists | expand |
On Friday, 18 October 2024, 12:16:44 CEST, Matteo Martelli wrote: > While available integration times are being printed to sysfs by iio core > (iio_read_channel_info_avail), the sampling frequency might be changed. > This could cause the buffer shared with iio core to be corrupted. To > prevent it, make a copy of the integration times buffer and free it in > the read_avail_release_resource callback. > > Signed-off-by: Matteo Martelli <matteomartelli3@gmail.com> > --- > drivers/iio/light/as73211.c | 25 +++++++++++++++++++++---- > 1 file changed, 21 insertions(+), 4 deletions(-) > > diff --git a/drivers/iio/light/as73211.c b/drivers/iio/light/as73211.c > index be0068081ebbbb37fdfb252b67a77b302ff725f6..c4c94873e6a1cc926cfb724d906b07222773c43f 100644 > --- a/drivers/iio/light/as73211.c > +++ b/drivers/iio/light/as73211.c > @@ -108,7 +108,8 @@ struct as73211_spec_dev_data { > * @creg1: Cached Configuration Register 1. > * @creg2: Cached Configuration Register 2. > * @creg3: Cached Configuration Register 3. > - * @mutex: Keeps cached registers in sync with the device. > + * @mutex: Keeps cached registers in sync with the device and protects > + * int_time_avail concurrent access for updating and reading. > * @completion: Completion to wait for interrupt. > * @int_time_avail: Available integration times (depend on sampling frequency). > * @spec_dev: device-specific configuration. > @@ -493,17 +494,32 @@ static int as73211_read_avail(struct iio_dev *indio_dev, struct iio_chan_spec co > *type = IIO_VAL_INT; > return IIO_AVAIL_LIST; > > - case IIO_CHAN_INFO_INT_TIME: > + case IIO_CHAN_INFO_INT_TIME: { > *length = ARRAY_SIZE(data->int_time_avail); > - *vals = data->int_time_avail; > *type = IIO_VAL_INT_PLUS_MICRO; > - return IIO_AVAIL_LIST; > > + guard(mutex)(&data->mutex); > + > + *vals = kmemdup_array(data->int_time_avail, *length, > + sizeof(int), GFP_KERNEL); > + if (!*vals) > + return -ENOMEM; > + > + return IIO_AVAIL_LIST; > + } > default: > return -EINVAL; > } > } > > +static void as73211_read_avail_release_res(struct iio_dev *indio_dev, > + struct iio_chan_spec const *chan, > + const int *vals, long mask) > +{ > + if (mask == IIO_CHAN_INFO_INT_TIME) > + kfree(vals); > +} > + > static int _as73211_write_raw(struct iio_dev *indio_dev, > struct iio_chan_spec const *chan __always_unused, > int val, int val2, long mask) > @@ -699,6 +715,7 @@ static irqreturn_t as73211_trigger_handler(int irq __always_unused, void *p) > static const struct iio_info as73211_info = { > .read_raw = as73211_read_raw, > .read_avail = as73211_read_avail, > + .read_avail_release_resource = as73211_read_avail_release_res, > .write_raw = as73211_write_raw, > }; > > > Thanks for fixing this. Tested-by: Christian Eggers <ceggers@arri.de>
diff --git a/drivers/iio/light/as73211.c b/drivers/iio/light/as73211.c index be0068081ebbbb37fdfb252b67a77b302ff725f6..c4c94873e6a1cc926cfb724d906b07222773c43f 100644 --- a/drivers/iio/light/as73211.c +++ b/drivers/iio/light/as73211.c @@ -108,7 +108,8 @@ struct as73211_spec_dev_data { * @creg1: Cached Configuration Register 1. * @creg2: Cached Configuration Register 2. * @creg3: Cached Configuration Register 3. - * @mutex: Keeps cached registers in sync with the device. + * @mutex: Keeps cached registers in sync with the device and protects + * int_time_avail concurrent access for updating and reading. * @completion: Completion to wait for interrupt. * @int_time_avail: Available integration times (depend on sampling frequency). * @spec_dev: device-specific configuration. @@ -493,17 +494,32 @@ static int as73211_read_avail(struct iio_dev *indio_dev, struct iio_chan_spec co *type = IIO_VAL_INT; return IIO_AVAIL_LIST; - case IIO_CHAN_INFO_INT_TIME: + case IIO_CHAN_INFO_INT_TIME: { *length = ARRAY_SIZE(data->int_time_avail); - *vals = data->int_time_avail; *type = IIO_VAL_INT_PLUS_MICRO; - return IIO_AVAIL_LIST; + guard(mutex)(&data->mutex); + + *vals = kmemdup_array(data->int_time_avail, *length, + sizeof(int), GFP_KERNEL); + if (!*vals) + return -ENOMEM; + + return IIO_AVAIL_LIST; + } default: return -EINVAL; } } +static void as73211_read_avail_release_res(struct iio_dev *indio_dev, + struct iio_chan_spec const *chan, + const int *vals, long mask) +{ + if (mask == IIO_CHAN_INFO_INT_TIME) + kfree(vals); +} + static int _as73211_write_raw(struct iio_dev *indio_dev, struct iio_chan_spec const *chan __always_unused, int val, int val2, long mask) @@ -699,6 +715,7 @@ static irqreturn_t as73211_trigger_handler(int irq __always_unused, void *p) static const struct iio_info as73211_info = { .read_raw = as73211_read_raw, .read_avail = as73211_read_avail, + .read_avail_release_resource = as73211_read_avail_release_res, .write_raw = as73211_write_raw, };
While available integration times are being printed to sysfs by iio core (iio_read_channel_info_avail), the sampling frequency might be changed. This could cause the buffer shared with iio core to be corrupted. To prevent it, make a copy of the integration times buffer and free it in the read_avail_release_resource callback. Signed-off-by: Matteo Martelli <matteomartelli3@gmail.com> --- drivers/iio/light/as73211.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-)