lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMknhBEDp1baTDPrAfAv_gZ5o6LxNSt8bgS8wcGUmXdaCHq_Jw@mail.gmail.com>
Date:   Thu, 2 Nov 2023 09:53:13 -0500
From:   David Lechner <dlechner@...libre.com>
To:     Nuno Sá <noname.nuno@...il.com>
Cc:     Jonathan Cameron <jic23@...nel.org>, linux-iio@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] iio: triggered-buffer: prevent possible freeing of wrong buffer

On Thu, Nov 2, 2023 at 3:59 AM Nuno Sá <noname.nuno@...il.com> wrote:
>
> On Tue, 2023-10-31 at 16:05 -0500, David Lechner wrote:
> > Commit ee708e6baacd ("iio: buffer: introduce support for attaching more
> > IIO buffers") introduced support for multiple buffers per indio_dev but
> > left indio_dev->buffer for a few legacy use cases.
> >
> > In the case of the triggered buffer, iio_triggered_buffer_cleanup()
> > still assumes that indio_dev->buffer points to the buffer allocated by
> > iio_triggered_buffer_setup_ext(). However, since
> > iio_triggered_buffer_setup_ext() now calls iio_device_attach_buffer()
> > to attach the buffer, indio_dev->buffer will only point to the buffer
> > allocated by iio_device_attach_buffer() if it the first buffer attached.
> >
> > This adds a check to make sure that no other buffer has been attached
> > yet to ensure that indio_dev->buffer will be assigned when
> > iio_device_attach_buffer() is called.
> >
> > Fixes: ee708e6baacd ("iio: buffer: introduce support for attaching more IIO
> > buffers")
> > Signed-off-by: David Lechner <dlechner@...libre.com>
> > ---
> >  drivers/iio/buffer/industrialio-triggered-buffer.c | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> >
> > diff --git a/drivers/iio/buffer/industrialio-triggered-buffer.c
> > b/drivers/iio/buffer/industrialio-triggered-buffer.c
> > index c7671b1f5ead..c06515987e7a 100644
> > --- a/drivers/iio/buffer/industrialio-triggered-buffer.c
> > +++ b/drivers/iio/buffer/industrialio-triggered-buffer.c
> > @@ -46,6 +46,16 @@ int iio_triggered_buffer_setup_ext(struct iio_dev
> > *indio_dev,
> >       struct iio_buffer *buffer;
> >       int ret;
> >
> > +     /*
> > +      * iio_triggered_buffer_cleanup() assumes that the buffer allocated
> > here
> > +      * is assigned to indio_dev->buffer but this is only the case if this
> > +      * function is the first caller to iio_device_attach_buffer(). If
> > +      * indio_dev->buffer is already set then we can't proceed otherwise
> > the
> > +      * cleanup function will try to free a buffer that was not allocated
> > here.
> > +      */
> > +     if (indio_dev->buffer)
> > +             return -EADDRINUSE;
> > +
>
> Hmmm, good catch! But I think this is just workarounding the real problem

Yes, I could have done a better job explaining my reason for this fix.
It seemed like the simplest fix that could be easily backported to
stable kernels. And then we can look at removing the legacy field
completely in the future.

> because like this, you can only have a triggered buffer by device. This should
> be fine as we don't really have any multi buffer user so far but ideally it
> should be possible.
>
> Long term we might want to think about moving 'pollfunc' to be a per buffer
> thing. Not sure how much trouble that would be given that a trigger is also per
> device and I don't know if it would make sense to have a trigger per buffer?!
> Ideally, given the multi buffer concept, I would say it makes sense but it might
> be difficult to accomplish. So better to think about it only if there's a real
> usecase for it.
>
> On thing that I guess it could be done is to change the triggered API so it
> returns a buffer and so iio_triggered_buffer_cleanup() would also get a pointer
> to the buffer it allocated (similar to what DMA buffer's are doing). But that's
> indeed also bigger change... Bahh, I'm likely over complicating things for now.

This sounds very much like the work I am doing on SPI Engine offload
support - having a trigger associated with a buffer. So maybe
something will come out of that. ¯\_(ツ)_/¯

> Fell free to:
>
> Acked-by: Nuno Sa <nuno.sa@...log.com>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ