
Commit 3cbaa6ff authored by Puneet Yatnal's avatar Puneet Yatnal Committed by Gerrit - the friendly Code Review server

drivers: iio: imu: Fix NULL pointer dereference in IMU drivers



The early buffer feature for all three sensors (SMI130, ASM330 and
IAM20680) has no synchronisation between early buffer reads and
writes. As a result, when a user application deletes the memory allocated
for early buffer data, the driver still tries to write data to it, which
in turn leads to a NULL pointer dereference. The issue is solved by
properly synchronising reads and writes to the early buffer memory
using a mutex lock.

Change-Id: Iea3421da43ad4586bcdde439d0d9dda6522d9474
Signed-off-by: default avatarPuneet Yatnal <puneet@codeaurora.org>
parent ef8d7656
+6 −2
@@ -809,8 +809,8 @@ static int inv_gyro_read_bootsampl(struct inv_mpu_state *st,
{
	int i = 0;

	if (enable_read) {
	st->gyro_buffer_inv_samples = false;
	if (enable_read) {
		for (i = 0; i < st->gyro_bufsample_cnt; i++) {
			dev_dbg(st->dev, "gyro_cnt=%d,x=%d,y=%d,z=%d,tsec=%d,nsec=%lld\n",
					i, st->inv_gyro_samplist[i]->xyz[0],
@@ -853,8 +853,8 @@ static int inv_acc_read_bootsampl(struct inv_mpu_state *st,
{
	int i = 0;

	if (enable_read) {
	st->acc_buffer_inv_samples = false;
	if (enable_read) {
		for (i = 0; i < st->acc_bufsample_cnt; i++) {
			dev_dbg(st->dev, "acc_cnt=%d,x=%d,y=%d,z=%d,tsec=%d,nsec=%lld\n",
					i, st->inv_acc_samplist[i]->xyz[0],
@@ -922,7 +922,9 @@ static ssize_t read_gyro_boot_sample_store(struct device *dev,
				"Invalid value of input, input=%ld\n", enable);
		return -EINVAL;
	}
	mutex_lock(&st->gyro_sensor_buff);
	err = inv_gyro_read_bootsampl(st, enable);
	mutex_unlock(&st->gyro_sensor_buff);
	if (err)
		return err;
	st->read_gyro_boot_sample = enable;
@@ -958,7 +960,9 @@ static ssize_t read_acc_boot_sample_store(struct device *dev,
				"Invalid value of input, input=%ld\n", enable);
		return -EINVAL;
	}
	mutex_lock(&st->acc_sensor_buff);
	err = inv_acc_read_bootsampl(st, enable);
	mutex_unlock(&st->acc_sensor_buff);
	if (err)
		return err;
	st->read_acc_boot_sample = enable;
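Review bot: In read_gyro_boot_sample_store() and read_acc_boot_sample_store() the new mutex covers only the call into inv_gyro_read_bootsampl() / inv_acc_read_bootsampl(), so the fix depends on what those helpers do to the sample lists, and their bodies continue outside the hunks shown. It is worth confirming that the code which releases `inv_gyro_samplist[]` / `inv_acc_samplist[]` also resets `gyro_bufsample_cnt` / `acc_bufsample_cnt` and clears the pointers while the lock is held; otherwise a repeated write to the attribute would run the `dev_dbg` loop over entries that are already gone. Each helper should also state its locking contract, e.g. `/* Caller must hold st->gyro_sensor_buff. */` above inv_gyro_read_bootsampl() and the acc equivalent.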
+3 −0
@@ -439,6 +439,9 @@ static int inv_acc_gyro_early_buff_init(struct iio_dev *indio_dev)
	st->acc_buffer_inv_samples = true;
	st->gyro_buffer_inv_samples = true;

	mutex_init(&st->acc_sensor_buff);
	mutex_init(&st->gyro_sensor_buff);

	inv_enable_acc_gyro(st);

	return 1;
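Review bot: `mutex_init()` for `acc_sensor_buff` and `gyro_sensor_buff` sits near the end of inv_acc_gyro_early_buff_init(), after the `*_buffer_inv_samples` flags are already set, while the sysfs store handlers and the push functions changed by this commit take these locks with no visible check that early-buffer init completed. The start of the function is outside the hunk, so if it has an earlier error return, or is not called in some configuration, those paths would lock an uninitialised mutex. Initialising both mutexes in probe, before the sysfs attributes and the data path are set up, removes that ordering dependency; at minimum move the two `mutex_init()` calls to the top of this function.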
+2 −0
@@ -871,6 +871,8 @@ struct inv_mpu_state {
	struct input_dev *accbuf_dev;
	struct input_dev *gyrobuf_dev;
	int report_evt_cnt;
	struct mutex acc_sensor_buff;
	struct mutex gyro_sensor_buff;
#endif

};
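Review bot: The two new members of struct inv_mpu_state carry no comment saying what they protect, and the names read like buffers rather than locks. From the call sites in this commit they serialise the boot-sample store and read paths, so I would document them, e.g. `struct mutex acc_sensor_buff; /* protects inv_acc_samplist[], acc_bufsample_cnt, acc_buffer_inv_samples */` and the gyro equivalent. The same applies to `sensor_buff` added to struct st_asm330lhh_sensor, whose users are not shown on this page.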
+4 −0
@@ -383,7 +383,9 @@ int inv_push_special_8bytes_buffer(struct inv_mpu_state *st,
	memcpy(&buf[2], &d[0], sizeof(d[0]));
	for (j = 0; j < 2; j++)
		memcpy(&buf[4 + j * 2], &d[j + 1], sizeof(d[j]));
	mutex_lock(&st->gyro_sensor_buff);
	store_gyro_boot_sample(st, t, d[0], d[1], d[2]);
	mutex_unlock(&st->gyro_sensor_buff);
	iio_push_to_buffers(indio_dev, buf);
	inv_push_timestamp(indio_dev, t);

@@ -474,7 +476,9 @@ int inv_push_8bytes_buffer(struct inv_mpu_state *st, u16 sensor, u64 t, s16 *d)
				for (j = 0; j < 2; j++)
					memcpy(&buf[4 + j * 2], &d[j + 1],
					       sizeof(d[j]));
				mutex_lock(&st->acc_sensor_buff);
				store_acc_boot_sample(st, t, d[0], d[1], d[2]);
				mutex_unlock(&st->acc_sensor_buff);
				iio_push_to_buffers(indio_dev, buf);
				inv_push_timestamp(indio_dev, t);
				st->sensor_l[ii].counter = 0;
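Review bot: Wrapping each call site of store_gyro_boot_sample() and store_acc_boot_sample() leaves the locking rule with the callers, so any other caller outside these hunks stays unsynchronised. Taking `st->gyro_sensor_buff` / `st->acc_sensor_buff` inside the two helpers would cover every caller and keep the critical section next to the data it guards. It would also keep the mutex references beside the helper definitions: the fields are declared just before an `#endif` in struct inv_mpu_state, and the lock calls added here in inv_push_special_8bytes_buffer() and inv_push_8bytes_buffer() (both of which extend beyond the hunks) show no matching guard, which may break a build with that option disabled.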
+1 −0
@@ -191,6 +191,7 @@ struct st_asm330lhh_sensor {
	int max_buffer_time;
	struct input_dev *buf_dev;
	int report_evt_cnt;
	struct mutex sensor_buff;
#endif
};
