Message ID | 20220519091925.1053897-1-vincent.whitchurch@axis.com (mailing list archive) |
---|---|
State | Accepted |
Series | iio: trigger: sysfs: fix use-after-free on remove |
On 5/19/22 11:19, Vincent Whitchurch wrote: > [...] > > > Fixes: e64e7d5c8c86e ("iio:trigger:sysfs Move out of staging.") > Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> Thanks for the patch! Strictly speaking the Fixes: should be f38bc926d022 ("staging:iio:sysfs-trigger: Use irq_work to properly active trigger") Reviewed-by: Lars-Peter Clausen <lars@metafoo.de> > --- > drivers/iio/trigger/iio-trig-sysfs.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/iio/trigger/iio-trig-sysfs.c b/drivers/iio/trigger/iio-trig-sysfs.c > index 2a4b75897910..3d911c24b265 100644 > --- a/drivers/iio/trigger/iio-trig-sysfs.c > +++ b/drivers/iio/trigger/iio-trig-sysfs.c > @@ -191,6 +191,7 @@ static int iio_sysfs_trigger_remove(int id) > } > > iio_trigger_unregister(t->trig); > + irq_work_sync(&t->work); > iio_trigger_free(t->trig); > > list_del(&t->l);
On Thu, 19 May 2022 11:58:03 +0200 Lars-Peter Clausen <lars@metafoo.de> wrote: > On 5/19/22 11:19, Vincent Whitchurch wrote: > > [...] > > > > > > Fixes: e64e7d5c8c86e ("iio:trigger:sysfs Move out of staging.") > > Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> > > Thanks for the patch! > > Strictly speaking the Fixes: should be > > f38bc926d022 ("staging:iio:sysfs-trigger: Use irq_work to properly > active trigger") > > > Reviewed-by: Lars-Peter Clausen <lars@metafoo.de> I've changed the fixes tag and applied to the fixes-togreg branch of iio.git. Thanks, Jonathan > > > --- > > drivers/iio/trigger/iio-trig-sysfs.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/drivers/iio/trigger/iio-trig-sysfs.c b/drivers/iio/trigger/iio-trig-sysfs.c > > index 2a4b75897910..3d911c24b265 100644 > > --- a/drivers/iio/trigger/iio-trig-sysfs.c > > +++ b/drivers/iio/trigger/iio-trig-sysfs.c > > @@ -191,6 +191,7 @@ static int iio_sysfs_trigger_remove(int id) > > } > > > > iio_trigger_unregister(t->trig); > > + irq_work_sync(&t->work); > > iio_trigger_free(t->trig); > > > > list_del(&t->l); > >
diff --git a/drivers/iio/trigger/iio-trig-sysfs.c b/drivers/iio/trigger/iio-trig-sysfs.c index 2a4b75897910..3d911c24b265 100644 --- a/drivers/iio/trigger/iio-trig-sysfs.c +++ b/drivers/iio/trigger/iio-trig-sysfs.c @@ -191,6 +191,7 @@ static int iio_sysfs_trigger_remove(int id) } iio_trigger_unregister(t->trig); + irq_work_sync(&t->work); iio_trigger_free(t->trig); list_del(&t->l);
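Review bot: the new irq_work_sync(&t->work) call in iio_sysfs_trigger_remove() is only correct because of where it sits, after iio_trigger_unregister(t->trig) and before iio_trigger_free(t->trig), and nothing in the code records that. A one-line comment above the call saying that any queued work must have finished before the trigger is freed would keep a later cleanup from reordering these three calls. It would also help if the commit message stated what prevents the work from being queued again once the sync has returned, since that cannot be confirmed from the lines shown in this hunk.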
Ensure that the irq_work has completed before the trigger is freed.

 ==================================================================
 BUG: KASAN: use-after-free in irq_work_run_list
 Read of size 8 at addr 0000000064702248 by task python3/25

 Call Trace:
  irq_work_run_list
  irq_work_tick
  update_process_times
  tick_sched_handle
  tick_sched_timer
  __hrtimer_run_queues
  hrtimer_interrupt

 Allocated by task 25:
  kmem_cache_alloc_trace
  iio_sysfs_trig_add
  dev_attr_store
  sysfs_kf_write
  kernfs_fop_write_iter
  new_sync_write
  vfs_write
  ksys_write
  sys_write

 Freed by task 25:
  kfree
  iio_sysfs_trig_remove
  dev_attr_store
  sysfs_kf_write
  kernfs_fop_write_iter
  new_sync_write
  vfs_write
  ksys_write
  sys_write

 ==================================================================

Fixes: e64e7d5c8c86e ("iio:trigger:sysfs Move out of staging.")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
---
 drivers/iio/trigger/iio-trig-sysfs.c | 1 +
 1 file changed, 1 insertion(+)