linux/drivers/iio/common/hid-sensors/hid-sensor-trigger.c
Srinivas Pandruvada f07b60b7c3 iio: hid-sensors: Prevent crash during hot-unplug
When hid sensor hub is unplugged, there is a crash in
iio_device_unregister_trigger_consumer.
In a typical IIO driver when remove is called, it will unregister and free
trigger and then it will call iio_device_free.
The function iio_trigger_free() will free the allocated memory for trigger.
If this trigger was assigned to iio_dev->trig, then it should be set to NULL.
Othewise when iio_device_free() is called later, it finally calls
iio_device_unregsister_trigger(), which checks for
       if (indio_dev->trig)
                iio_trigger_put(indio_dev->trig);
If indio_dev->trig is not set to NULL, it calls iio_trigger_put on a bad
pointer causing crash.
This scenerio can happen in any driver, which is storing trigger pointer in
iio_dev structure and following current procedure during remove.

Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2012-09-22 10:07:34 +01:00

103 lines
2.8 KiB
C

/*
* HID Sensors Driver
* Copyright (c) 2012, Intel Corporation.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
* version 2, as published by the Free Software Foundation.
*
* This program is distributed in the hope it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
*
*/
#include <linux/device.h>
#include <linux/platform_device.h>
#include <linux/module.h>
#include <linux/interrupt.h>
#include <linux/irq.h>
#include <linux/slab.h>
#include <linux/hid-sensor-hub.h>
#include <linux/iio/iio.h>
#include <linux/iio/trigger.h>
#include <linux/iio/sysfs.h>
#include "hid-sensor-attributes.h"
#include "hid-sensor-trigger.h"
static int hid_sensor_data_rdy_trigger_set_state(struct iio_trigger *trig,
bool state)
{
struct hid_sensor_iio_common *st = trig->private_data;
int state_val;
state_val = state ? 1 : 0;
#if (defined CONFIG_HID_SENSOR_ENUM_BASE_QUIRKS) || \
(defined CONFIG_HID_SENSOR_ENUM_BASE_QUIRKS_MODULE)
++state_val;
#endif
st->data_ready = state;
sensor_hub_set_feature(st->hsdev, st->power_state.report_id,
st->power_state.index,
(s32)state_val);
sensor_hub_set_feature(st->hsdev, st->report_state.report_id,
st->report_state.index,
(s32)state_val);
return 0;
}
void hid_sensor_remove_trigger(struct iio_dev *indio_dev)
{
iio_trigger_unregister(indio_dev->trig);
iio_trigger_free(indio_dev->trig);
indio_dev->trig = NULL;
}
EXPORT_SYMBOL(hid_sensor_remove_trigger);
static const struct iio_trigger_ops hid_sensor_trigger_ops = {
.owner = THIS_MODULE,
.set_trigger_state = &hid_sensor_data_rdy_trigger_set_state,
};
int hid_sensor_setup_trigger(struct iio_dev *indio_dev, const char *name,
struct hid_sensor_iio_common *attrb)
{
int ret;
struct iio_trigger *trig;
trig = iio_trigger_alloc("%s-dev%d", name, indio_dev->id);
if (trig == NULL) {
dev_err(&indio_dev->dev, "Trigger Allocate Failed\n");
ret = -ENOMEM;
goto error_ret;
}
trig->dev.parent = indio_dev->dev.parent;
trig->private_data = attrb;
trig->ops = &hid_sensor_trigger_ops;
ret = iio_trigger_register(trig);
if (ret) {
dev_err(&indio_dev->dev, "Trigger Register Failed\n");
goto error_free_trig;
}
indio_dev->trig = trig;
return ret;
error_free_trig:
iio_trigger_free(trig);
error_ret:
return ret;
}
EXPORT_SYMBOL(hid_sensor_setup_trigger);
MODULE_AUTHOR("Srinivas Pandruvada <srinivas.pandruvada@intel.com>");
MODULE_DESCRIPTION("HID Sensor trigger processing");
MODULE_LICENSE("GPL");