linux-stable.git/drivers/iio/trigger, branch linux-4.9.y Linux kernel stable tree iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() 2022-11-25T16:35:41+00:00 Yang Yingliang yangyingliang@huawei.com 2022-10-22T07:42:12+00:00 f68c96821b61d2c71a35dbb8bf90c347fad624d9 commit efa17e90e1711bdb084e3954fa44afb6647331c0 upstream. dev_set_name() allocates memory for name, it need be freed when device_add() fails, call put_device() to give up the reference that hold in device_initialize(), so that it can be freed in kobject_cleanup() when the refcount hit to 0. Fault injection test can trigger this: unreferenced object 0xffff8e8340a7b4c0 (size 32): comm "modprobe", pid 243, jiffies 4294678145 (age 48.845s) hex dump (first 32 bytes): 69 69 6f 5f 73 79 73 66 73 5f 74 72 69 67 67 65 iio_sysfs_trigge 72 00 a7 40 83 8e ff ff 00 86 13 c4 f6 ee ff ff r..@............ backtrace: [<0000000074999de8>] __kmem_cache_alloc_node+0x1e9/0x360 [<00000000497fd30b>] __kmalloc_node_track_caller+0x44/0x1a0 [<000000003636c520>] kstrdup+0x2d/0x60 [<0000000032f84da2>] kobject_set_name_vargs+0x1e/0x90 [<0000000092efe493>] dev_set_name+0x4e/0x70 Fixes: 1f785681a870 ("staging:iio:trigger sysfs userspace trigger rework.") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Cc: <Stable@vger.kernel.org> Link: https://lore.kernel.org/r/20221022074212.1386424-1-yangyingliang@huawei.com Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit efa17e90e1711bdb084e3954fa44afb6647331c0 upstream.

dev_set_name() allocates memory for name, it need be freed
when device_add() fails, call put_device() to give up the
reference that hold in device_initialize(), so that it can
be freed in kobject_cleanup() when the refcount hit to 0.

Fault injection test can trigger this:

unreferenced object 0xffff8e8340a7b4c0 (size 32):
  comm "modprobe", pid 243, jiffies 4294678145 (age 48.845s)
  hex dump (first 32 bytes):
    69 69 6f 5f 73 79 73 66 73 5f 74 72 69 67 67 65  iio_sysfs_trigge
    72 00 a7 40 83 8e ff ff 00 86 13 c4 f6 ee ff ff  r..@............
  backtrace:
    [<0000000074999de8>] __kmem_cache_alloc_node+0x1e9/0x360
    [<00000000497fd30b>] __kmalloc_node_track_caller+0x44/0x1a0
    [<000000003636c520>] kstrdup+0x2d/0x60
    [<0000000032f84da2>] kobject_set_name_vargs+0x1e/0x90
    [<0000000092efe493>] dev_set_name+0x4e/0x70

Fixes: 1f785681a870 ("staging:iio:trigger sysfs userspace trigger rework.")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: <Stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221022074212.1386424-1-yangyingliang@huawei.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
iio: trigger: sysfs: fix use-after-free on remove 2022-07-02T14:17:15+00:00 Vincent Whitchurch vincent.whitchurch@axis.com 2022-05-19T09:19:25+00:00 d6111e7bdb8ec27eb43d01c4cd4ff1620a75f7f2 commit 78601726d4a59a291acc5a52da1d3a0a6831e4e8 upstream. Ensure that the irq_work has completed before the trigger is freed. ================================================================== BUG: KASAN: use-after-free in irq_work_run_list Read of size 8 at addr 0000000064702248 by task python3/25 Call Trace: irq_work_run_list irq_work_tick update_process_times tick_sched_handle tick_sched_timer __hrtimer_run_queues hrtimer_interrupt Allocated by task 25: kmem_cache_alloc_trace iio_sysfs_trig_add dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write Freed by task 25: kfree iio_sysfs_trig_remove dev_attr_store sysfs_kf_write kernfs_fop_write_iter new_sync_write vfs_write ksys_write sys_write ================================================================== Fixes: f38bc926d022 ("staging:iio:sysfs-trigger: Use irq_work to properly active trigger") Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> Reviewed-by: Lars-Peter Clausen <lars@metafoo.de> Link: https://lore.kernel.org/r/20220519091925.1053897-1-vincent.whitchurch@axis.com Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 78601726d4a59a291acc5a52da1d3a0a6831e4e8 upstream.

Ensure that the irq_work has completed before the trigger is freed.

 ==================================================================
 BUG: KASAN: use-after-free in irq_work_run_list
 Read of size 8 at addr 0000000064702248 by task python3/25

 Call Trace:
  irq_work_run_list
  irq_work_tick
  update_process_times
  tick_sched_handle
  tick_sched_timer
  __hrtimer_run_queues
  hrtimer_interrupt

 Allocated by task 25:
  kmem_cache_alloc_trace
  iio_sysfs_trig_add
  dev_attr_store
  sysfs_kf_write
  kernfs_fop_write_iter
  new_sync_write
  vfs_write
  ksys_write
  sys_write

 Freed by task 25:
  kfree
  iio_sysfs_trig_remove
  dev_attr_store
  sysfs_kf_write
  kernfs_fop_write_iter
  new_sync_write
  vfs_write
  ksys_write
  sys_write

 ==================================================================

Fixes: f38bc926d022 ("staging:iio:sysfs-trigger: Use irq_work to properly active trigger")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20220519091925.1053897-1-vincent.whitchurch@axis.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
iio: trigger: free trigger resource correctly 2017-11-15T14:53:14+00:00 Alison Schofield amsfield22@gmail.com 2017-01-20T03:47:38+00:00 19d0541bd2c22a1413017465069f4aa4cae00b43 [ Upstream commit 10e840dfb0b7fc345082dd9e5fff3c1c02e7690e ] These stand-alone trigger drivers were using iio_trigger_put() where they should have been using iio_trigger_free(). The iio_trigger_put() adds a module_put which is bad since they never did a module_get. In the sysfs driver, module_get/put's are used as triggers are added & removed. This extra module_put() occurs on an error path in the probe routine (probably rare). In the bfin-timer & interrupt trigger drivers, the module resources are not explicitly managed, so it's doing a put on something that was never get'd. It occurs on the probe error path and on the remove path (not so rare). Tested with the sysfs trigger driver. The bfin & interrupt drivers were build tested & inspected only. Signed-off-by: Alison Schofield <amsfield22@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
[ Upstream commit 10e840dfb0b7fc345082dd9e5fff3c1c02e7690e ]

These stand-alone trigger drivers were using iio_trigger_put()
where they should have been using iio_trigger_free().  The
iio_trigger_put() adds a module_put which is bad since they
never did a module_get.

In the sysfs driver, module_get/put's are used as triggers are
added & removed. This extra module_put() occurs on an error path
in the probe routine (probably rare).

In the bfin-timer & interrupt trigger drivers, the module resources
are not explicitly managed, so it's doing a put on something that
was never get'd.  It occurs on the probe error path and on the
remove path (not so rare).

Tested with the sysfs trigger driver.
The bfin & interrupt drivers were build tested & inspected only.

Signed-off-by: Alison Schofield <amsfield22@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
iio:trigger: Experimental kthread tight loop trigger (thread only) 2016-06-03T12:18:44+00:00 Jonathan Cameron jic23@kernel.org 2016-03-06T20:02:56+00:00 bc2e1126eccb47517b9d1c685020c38600f99a3d This patch is in response to that of Gregor Boirie <gregor.boirie@parrot.com> who proposed using a tight kthread within a device driver (be it with the support factored out into a helper library) in order to basically spin as fast as possible. It is meant as a talking point rather than a formal proposal of the code (though we are heading towards that I think). Also gives people some working code to mess around with. I proposed that this could be done with a trigger with a few constraints and this is the proof (be it ugly) of that. There are some constraints though, some of which we would want to relax if this were to move forward. * Will only run the thread part of the registered pollfunc. This is to avoid the overhead of jumping in and out of interrupt context. Is the overhead significant? Not certain but feels like it should be! * This limitation precludes any device that 'must' do some work in interrupt context. However, that is true of few if any drivers and I suspect that any that do will be restricted to using triggers they provide themselves. Usually we have a top half mainly to grab a timestamp as soon after the dataready type signal as possible. Signed-off-by: Jonathan Cameron <jic23@kernel.org> Acked-by: Daniel Baluta <daniel.baluta@intel.com> 
This patch is in response to that of
Gregor Boirie <gregor.boirie@parrot.com>
who proposed using a tight kthread within a device driver (be it with the
support factored out into a helper library) in order to basically spin as
fast as possible.

It is meant as a talking point rather than a formal proposal of the code
(though we are heading towards that I think).
Also gives people some working code to mess around with.

I proposed that this could be done with a trigger with a few constraints
and this is the proof (be it ugly) of that.

There are some constraints though, some of which we would want to relax
if this were to move forward.

* Will only run the thread part of the registered pollfunc.  This is to
  avoid the overhead of jumping in and out of interrupt context.  Is the
  overhead significant?  Not certain but feels like it should be!

* This limitation precludes any device that 'must' do some work in
  interrupt context.  However, that is true of few if any drivers and
  I suspect that any that do will be restricted to using triggers they
  provide themselves.  Usually we have a top half mainly to grab a
  timestamp as soon after the dataready type signal as possible.

Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Acked-by: Daniel Baluta <daniel.baluta@intel.com>
iio: trigger: Introduce IIO hrtimer based trigger 2015-12-03T18:19:27+00:00 Daniel Baluta daniel.baluta@intel.com 2015-11-09T07:14:01+00:00 ac5006a2a558a2441a840c7be1e0e717839d5e07 This patch registers a new IIO software trigger interrupt source based on high resolution timers. Notice that if configfs is enabled we create sampling_frequency attribute allowing users to change hrtimer period (1/sampling_frequency). The IIO hrtimer trigger has a long history, this patch is based on an older version from Marten and Lars-Peter. Signed-off-by: Marten Svanfeldt <marten@intuitiveaerial.com> Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Daniel Baluta <daniel.baluta@intel.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org> 
This patch registers a new IIO software trigger interrupt source
based on high resolution timers.

Notice that if configfs is enabled we create sampling_frequency
attribute allowing users to change hrtimer period (1/sampling_frequency).

The IIO hrtimer trigger has a long history, this patch is based on
an older version from Marten and Lars-Peter.

Signed-off-by: Marten Svanfeldt <marten@intuitiveaerial.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Daniel Baluta <daniel.baluta@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
iio: trigger: Add a blank line after declarations 2014-12-26T12:15:36+00:00 Roberta Dobrescu roberta.dobrescu@gmail.com 2014-12-16T09:16:06+00:00 450a5ff768b008817d7914e3d2db16400e571dff This patch fixes the following checkpatch.pl warning: WARNING: Missing a blank line after declarations Signed-off-by: Roberta Dobrescu <roberta.dobrescu@gmail.com> Reviewed-by: Daniel Baluta <daniel.baluta@intel.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org> 
This patch fixes the following checkpatch.pl warning:
WARNING: Missing a blank line after declarations

Signed-off-by: Roberta Dobrescu <roberta.dobrescu@gmail.com>
Reviewed-by: Daniel Baluta <daniel.baluta@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
iio: remove .owner field for driver using module_platform_driver 2014-08-26T20:08:38+00:00 Sanjeev Sharma sanjeev_sharma@mentor.com 2014-08-20T09:32:00+00:00 81816affeacfa360bfefabba774774e95f3dcc12 This patch removes the .owner field for drivers which use the platform_driver_register api because this is overriden in _platform_driver_register. Signed-off-by: Sanjeev Sharma <Sanjeev_Sharma@mentor.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org> 
This patch removes the .owner field for drivers which use the
platform_driver_register api because this is overriden in
_platform_driver_register.

Signed-off-by: Sanjeev Sharma <Sanjeev_Sharma@mentor.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
iio: Remove timestamp argument from iio_trigger_poll() and iio_trigger_poll_chained() 2014-06-14T15:25:59+00:00 Peter Meerwald pmeerw@pmeerw.net 2014-12-06T06:46:00+00:00 398fd22b6b94cb15c1c299bceecd63644a1b17b4 argument has been ignored; adjust drivers accordingly Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net> Signed-off-by: Jonathan Cameron <jic23@kernel.org> 
argument has been ignored; adjust drivers accordingly

Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
iio:trigger: fix sysfs name on list mutex 2013-09-28T10:51:16+00:00 Denis CIOCCA denis.ciocca@st.com 2013-09-23T10:49:00+00:00 10a485c55ae8d313194afc7a8c65df3ac7c048a1 Signed-off-by: Denis Ciocca <denis.ciocca@st.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org> 
Signed-off-by: Denis Ciocca <denis.ciocca@st.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
iio: Add a comment to about alphabetical order to Kconfigs and Makefiles 2013-08-03T17:40:36+00:00 Lars-Peter Clausen lars@metafoo.de 2013-07-15T07:45:00+00:00 3edc84e6054616b87a3d155fe65fa51f2eae82aa Keeping Makefile and Kconfig entries in alphabetical order usually works better than just appending new entries at the end, since it reduces the amount of conflicts. This patch adds a comment to the IIO Kconfig and Makefile files to document that the entries should be kept in alphabetical order. Also reorder those entries which weren't in alphabetical order yet. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org> 
Keeping Makefile and Kconfig entries in alphabetical order usually works better
than just appending new entries at the end, since it reduces the amount of
conflicts. This patch adds a comment to the IIO Kconfig and Makefile files to
document that the entries should be kept in alphabetical order.

Also reorder those  entries which weren't in alphabetical order yet.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>