| Message ID | be69775aa302159f088b8b91894e6ec449bca65b.1664782676.git.mazziesaccount@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | iio: Fix unsafe buffer attributes | expand |
On 03.10.2022 11:11, Matti Vaittinen wrote: > The iio_triggered_buffer_setup_ext() was changed by > commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") > to silently expect that all attributes given in buffer_attrs array are > device-attributes. This expectation was not forced by the API - and some > drivers did register attributes created by IIO_CONST_ATTR(). > > The added attribute "wrapping" does not copy the pointer to stored > string constant and when the sysfs file is read the kernel will access > to invalid location. > > Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order > to prevent the invalid memory access. > > Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> > Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com> on SAMA5D2
On Thu, 6 Oct 2022 08:34:17 +0000 <Claudiu.Beznea@microchip.com> wrote: > On 03.10.2022 11:11, Matti Vaittinen wrote: > > The iio_triggered_buffer_setup_ext() was changed by > > commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") > > to silently expect that all attributes given in buffer_attrs array are > > device-attributes. This expectation was not forced by the API - and some > > drivers did register attributes created by IIO_CONST_ATTR(). > > > > The added attribute "wrapping" does not copy the pointer to stored > > string constant and when the sysfs file is read the kernel will access > > to invalid location. > > > > Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order > > to prevent the invalid memory access. > > > > Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> > > Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") > > Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com> > > on SAMA5D2 > Applied to the fixes-togreg branch of iio.git and marked for stable. For the reset of the series I'll need to wait for these first 4 patches to make their way to upstream of the togreg branch then queue the rest up on top of that. Jonathan >
diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c index 279430c1d88c..6e3f9fa93cee 100644 --- a/drivers/iio/adc/at91-sama5d2_adc.c +++ b/drivers/iio/adc/at91-sama5d2_adc.c @@ -1841,13 +1841,26 @@ static ssize_t at91_adc_get_watermark(struct device *dev, return scnprintf(buf, PAGE_SIZE, "%d\n", st->dma_st.watermark); } +static ssize_t hwfifo_watermark_min_show(struct device *dev, + struct device_attribute *attr, + char *buf) +{ + return sysfs_emit(buf, "%s\n", "2"); +} + +static ssize_t hwfifo_watermark_max_show(struct device *dev, + struct device_attribute *attr, + char *buf) +{ + return sysfs_emit(buf, "%s\n", AT91_HWFIFO_MAX_SIZE_STR); +} + static IIO_DEVICE_ATTR(hwfifo_enabled, 0444, at91_adc_get_fifo_state, NULL, 0); static IIO_DEVICE_ATTR(hwfifo_watermark, 0444, at91_adc_get_watermark, NULL, 0); - -static IIO_CONST_ATTR(hwfifo_watermark_min, "2"); -static IIO_CONST_ATTR(hwfifo_watermark_max, AT91_HWFIFO_MAX_SIZE_STR); +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_min, 0); +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0); static IIO_CONST_ATTR(oversampling_ratio_available, __stringify(AT91_OSR_1SAMPLES) " " @@ -1864,8 +1877,8 @@ static const struct attribute_group at91_adc_attribute_group = { }; static const struct attribute *at91_adc_fifo_attributes[] = { - &iio_const_attr_hwfifo_watermark_min.dev_attr.attr, - &iio_const_attr_hwfifo_watermark_max.dev_attr.attr, + &iio_dev_attr_hwfifo_watermark_min.dev_attr.attr, + &iio_dev_attr_hwfifo_watermark_max.dev_attr.attr, &iio_dev_attr_hwfifo_watermark.dev_attr.attr, &iio_dev_attr_hwfifo_enabled.dev_attr.attr, NULL,
The iio_triggered_buffer_setup_ext() was changed by commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") to silently expect that all attributes given in buffer_attrs array are device-attributes. This expectation was not forced by the API - and some drivers did register attributes created by IIO_CONST_ATTR(). The added attribute "wrapping" does not copy the pointer to stored string constant and when the sysfs file is read the kernel will access to invalid location. Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order to prevent the invalid memory access. Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") --- v2 => v3: Split change to own patch for simpler fix backporting. --- drivers/iio/adc/at91-sama5d2_adc.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-)