From patchwork Sun Oct 24 09:26:59 2021
X-Patchwork-Submitter: Lars-Peter Clausen
X-Patchwork-Id: 12580119
From: Lars-Peter Clausen
To: Jonathan Cameron
Cc: Martin Fuzzey, Peter Meerwald-Stadler, linux-iio@vger.kernel.org, Lars-Peter Clausen
Subject: [PATCH 1/2] iio: mma8452: Fix trigger reference counting
Date: Sun, 24 Oct 2021 11:26:59 +0200
Message-Id: <20211024092700.6844-1-lars@metafoo.de>
X-Mailer: git-send-email 2.20.1
X-Mailing-List: linux-iio@vger.kernel.org

The mma8452 driver directly assigns a trigger to the struct iio_dev. The IIO core, when done using this trigger, will call `iio_trigger_put()` to drop the reference count by 1. Without the matching `iio_trigger_get()` in the driver the reference count can reach 0 too early, the trigger gets freed while still in use and a use-after-free occurs.

Fix this by getting a reference to the trigger before assigning it to the IIO device.

Fixes: ae6d9ce05691 ("iio: mma8452: Add support for interrupt driven triggers.")
Signed-off-by: Lars-Peter Clausen
---
 drivers/iio/accel/mma8452.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c
index 715b8138fb71..09c7f10fefb6 100644
--- a/drivers/iio/accel/mma8452.c
+++ b/drivers/iio/accel/mma8452.c
@@ -1470,7 +1470,7 @@ static int mma8452_trigger_setup(struct iio_dev *indio_dev) if (ret) return ret; - indio_dev->trig = trig; + indio_dev->trig = iio_trigger_get(trig); return 0; }

From patchwork Sun Oct 24 09:27:00 2021
X-Patchwork-Submitter: Lars-Peter Clausen
X-Patchwork-Id: 12580121
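Review bot: the commit message says the IIO core drops this reference with iio_trigger_put() "when done using this trigger" but not where; naming the teardown path would let a reader verify the balance from the patch alone, which matters because iio_trigger_get() also pins the driver module (as the note in 2/2 says), so an unbalanced get here would keep the module loaded rather than crash. The hunk itself is fine: `indio_dev->trig = iio_trigger_get(trig);` is followed directly by `return 0;`, so there is no error path inside mma8452_trigger_setup() that would need a matching put.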
From: Lars-Peter Clausen
To: Jonathan Cameron
Cc: Martin Fuzzey, Peter Meerwald-Stadler, linux-iio@vger.kernel.org, Lars-Peter Clausen
Subject: [PATCH 2/2] iio: trigger: Fix reference counting
Date: Sun, 24 Oct 2021 11:27:00 +0200
Message-Id: <20211024092700.6844-2-lars@metafoo.de>
In-Reply-To: <20211024092700.6844-1-lars@metafoo.de>
References: <20211024092700.6844-1-lars@metafoo.de>
X-Mailer: git-send-email 2.20.1
X-Mailing-List: linux-iio@vger.kernel.org

In viio_trigger_alloc() device_initialize() is used to set the initial reference count of the trigger to 1. Then another get_device() is called on the trigger. This sets the reference count to 2 before the trigger is returned.

iio_trigger_free(), which is the matching API to viio_trigger_alloc(), calls put_device() which decreases the reference count by 1. But the second reference count acquired in viio_trigger_alloc() is never dropped. As a result the iio_trigger_release() function is never called and the memory associated with the trigger is never freed.

Since there is no reason for the trigger to start its lifetime with two reference counts, just remove the extra get_device() in viio_trigger_alloc().

Fixes: 5f9c035cae18 ("staging:iio:triggers. Add a reference get to the core for triggers.")
Signed-off-by: Lars-Peter Clausen
Acked-by: Nuno Sá
---
I'm a bit unsure about the fixes tag. I've looked at the IIO tree at the point when this was introduced and I believe it was incorrect even back then. But we also had a few drivers that directly assigned the indio_dev->trig without getting an extra reference. So these two bugs, one in the core, one in the drivers, sort of even out.

Except that iio_trigger_get() also gets a reference to the driver's module and iio_trigger_put() releases it again. So with the missing iio_trigger_get() there is still the problem that, even though the device references balance out, there is a module reference count imbalance.
---
 drivers/iio/industrialio-trigger.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
index b23caa2f2aa1..93990ff1dfe3 100644
--- a/drivers/iio/industrialio-trigger.c
+++ b/drivers/iio/industrialio-trigger.c
@@ -556,7 +556,6 @@ struct iio_trigger *viio_trigger_alloc(struct device *parent, irq_modify_status(trig->subirq_base + i, IRQ_NOREQUEST | IRQ_NOAUTOEN, IRQ_NOPROBE); } - get_device(&trig->dev); return trig;
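Review bot: ordering hazard: with this get_device() gone, any driver that still assigns indio_dev->trig without iio_trigger_get() (the pattern the note above the diffstat says used to "even out" with this bug) moves from leaking the trigger to freeing it while the core still uses it. Since the Fixes: 5f9c035cae18 tag invites stable to pick this patch up on its own, the commit message should state that it depends on 1/2 and on equivalent fixes in every driver with that pattern, and that it must not be backported without them.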
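The interaction described in the note above (the core's extra get_device() and a driver's missing iio_trigger_get() evening out on the device refcount but not on the module refcount), as an added C model that runs offline; it is not code from either patch or from the kernel, and the model_* names and structs are stand-ins defined here for the example, not the IIO API.

```c
#include <stdbool.h>

/* Stand-in for struct iio_trigger: the device refcount plus the module
 * refcount that iio_trigger_get()/iio_trigger_put() also touch. */
struct model_trig { int dev_refs; int mod_refs; bool released; };

/* End state of one lifecycle; neither released nor use_after_free means
 * the trigger was leaked. */
struct model_outcome { bool released; bool use_after_free; int mod_refs; };

static void model_put_device(struct model_trig *t, struct model_outcome *o)
{
    if (t->released) {                 /* put on an already freed trigger */
        o->use_after_free = true;
        return;
    }
    if (--t->dev_refs == 0) {          /* last ref: iio_trigger_release() */
        t->released = true;
        o->released = true;
    }
}

static void model_trigger_get(struct model_trig *t)
{
    t->dev_refs++;                     /* get_device() */
    t->mod_refs++;                     /* __module_get(trig->owner) */
}

static void model_trigger_put(struct model_trig *t, struct model_outcome *o)
{
    t->mod_refs--;                     /* module_put(trig->owner) */
    model_put_device(t, o);
}

/* core_extra_get: the get_device() that 2/2 removes from viio_trigger_alloc().
 * driver_gets_ref: the iio_trigger_get() that 1/2 adds to mma8452. */
struct model_outcome model_run(bool core_extra_get, bool driver_gets_ref)
{
    struct model_outcome o = { false, false, 0 };
    struct model_trig t = { 1, 0, false };  /* device_initialize(): refcount 1 */
    if (core_extra_get)
        t.dev_refs++;                      /* the extra get_device() */
    if (driver_gets_ref)                   /* indio_dev->trig = iio_trigger_get(trig) */
        model_trigger_get(&t);
    model_trigger_put(&t, &o);             /* core is done with indio_dev->trig */
    model_put_device(&t, &o);              /* driver teardown: iio_trigger_free() */
    o.mod_refs = t.mod_refs;
    return o;
}
```

Only the fixed core plus the fixed driver releases the trigger with the module count back at zero; the old core with the old driver releases it too, but leaves the module count at -1, which is the imbalance the note points out.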