linux/drivers/iio
Tzung-Bi Shih 7771c8c80d iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()
cros_ec_sensors_push_data() reads `indio_dev->active_scan_mask` and
calls iio_push_to_buffers_with_timestamp() without making sure the
`indio_dev` stays in buffer mode.  There is a race if `indio_dev` exits
buffer mode right before cros_ec_sensors_push_data() accesses them.

A use-after-free on `indio_dev->active_scan_mask` was observed.  The
call trace:
[...]
 _find_next_bit
 cros_ec_sensors_push_data
 cros_ec_sensorhub_event
 blocking_notifier_call_chain
 cros_ec_irq_thread

It was caused by a race condition: one thread just freed
`active_scan_mask` at [1]; while another thread tried to access the
memory at [2].

Fix it by calling iio_device_claim_buffer_mode() to ensure the
`indio_dev` can't exit buffer mode during cros_ec_sensors_push_data().

[1]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/industrialio-buffer.c#L1189
[2]: https://elixir.bootlin.com/linux/v6.5/source/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c#L198

Cc: stable@vger.kernel.org
Fixes: aa984f1ba4 ("iio: cros_ec: Register to cros_ec_sensorhub when EC supports FIFO")
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Link: https://lore.kernel.org/r/20230829030622.1571852-1-tzungbi@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
2023-10-05 18:06:45 +01:00
accel iio: accel: adxl313: Use i2c_get_match_data 2023-07-29 12:30:39 +01:00
adc Merge 6.5-rc6 into char-misc-next 2023-08-13 22:14:51 +02:00
addac iio: addac: ad74413: don't set DIN_SINK for functions other than digital input 2023-06-04 12:25:01 +01:00
afe iio: afe: rescale: export symbols used during testing 2022-07-16 19:01:14 +01:00
amplifiers iio: amplifiers: ad8366: add support for HMC792A Attenuator 2023-07-23 12:22:56 +01:00
buffer iio: Don't silently expect attribute types 2022-11-23 19:44:04 +00:00
cdc iio: cdc: ad7150: relax return value check for IRQ get 2023-08-01 18:55:55 +01:00
chemical iio: chemical: scd4x: Add pressure compensation 2023-07-20 19:21:30 +01:00
common iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data() 2023-10-05 18:06:45 +01:00
dac iio: dac: ad3552r: Correct device IDs 2023-09-11 20:12:59 +01:00
dummy Bitmap patches for 5.19-rc1 2022-06-04 14:04:27 -07:00
filter drivers: iio: filter: admv8818: add bypass mode 2023-08-08 09:51:06 +01:00
frequency iio: admv1013: add mixer_vgate corner cases 2023-09-11 20:12:59 +01:00
gyro iio: Switch i2c drivers back to use .probe() 2023-05-21 18:54:53 +01:00
health iio: Switch i2c drivers back to use .probe() 2023-05-21 18:54:53 +01:00
humidity iio: Switch i2c drivers back to use .probe() 2023-05-21 18:54:53 +01:00
imu Merge 6.5-rc6 into char-misc-next 2023-08-13 22:14:51 +02:00
light Merge 6.5-rc6 into char-misc-next 2023-08-13 22:14:51 +02:00
magnetometer 1st set of IIO new device support, features and cleanup for the 6.5 cycle. 2023-06-15 13:01:55 +02:00
multiplexer iio: multiplexer: Switch to use dev_err_probe() helper 2022-11-23 19:43:57 +00:00
orientation
position
potentiometer iio: potentiometer: mcp4531: Use i2c_get_match_data() 2023-07-29 15:55:48 +01:00
potentiostat iio: Switch i2c drivers back to use .probe() 2023-05-21 18:54:53 +01:00
pressure iio: pressure: bmp280: Fix NULL pointer exception 2023-09-11 20:12:59 +01:00
proximity iio: irsd200: fix -Warray-bounds bug in irsd200_trigger_handler 2023-10-05 18:06:45 +01:00
resolver iio: resolver: ad2s90: Fix alignment for DMA safety 2022-06-14 11:53:19 +01:00
temperature iio: adc: Explicitly include correct DT includes 2023-07-23 13:38:13 +01:00
test iio: test: Mark file local structure arrays static. 2022-08-15 22:30:01 +01:00
trigger iio: trigger: stm32-lptimer-trigger: remove unneeded platform_set_drvdata() 2023-08-05 19:29:39 +01:00
iio_core_trigger.h
iio_core.h
industrialio-buffer.c iio: buffer: fix coding style warnings 2023-05-13 17:56:06 +01:00
industrialio-configfs.c
industrialio-core.c Merge 6.5-rc6 into char-misc-next 2023-08-13 22:14:51 +02:00
industrialio-event.c iio: Add event enums for running period and count 2023-07-23 13:16:18 +01:00
industrialio-gts-helper.c iio: gts-helpers: fix integration time units 2023-05-13 17:54:57 +01:00
industrialio-sw-device.c iio: Don't use bare "unsigned" 2022-07-01 11:19:08 +01:00
industrialio-sw-trigger.c iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails 2022-11-12 17:53:35 +00:00
industrialio-trigger.c iio: Make return value check for set_trigger_state() consistent 2023-07-20 19:21:30 +01:00
industrialio-triggered-event.c
inkern.c iio: inkern: Add a helper to query an available minimum raw value 2023-07-09 22:48:17 +01:00
Kconfig iio: light: Add gain-time-scale helpers 2023-04-10 12:26:34 +01:00
Makefile iio: light: Add gain-time-scale helpers 2023-04-10 12:26:34 +01:00
TODO iio: core: move 'mlock' to 'struct iio_dev_opaque' 2022-11-23 19:44:00 +00:00