Re: [RFT PATCH v3 10/10] iio: Don't silently expect attribute types

From: Matti Vaittinen
Date: Mon Oct 03 2022 - 05:05:25 EST

Hi Andy,

Thanks for taking the time to review :) Much appreciated.

On 10/3/22 11:43, Andy Shevchenko wrote:
On Mon, Oct 03, 2022 at 11:13:53AM +0300, Matti Vaittinen wrote:
The iio_triggered_buffer_setup_ext() and the
devm_iio_kfifo_buffer_setup_ext() were changed by
commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
to silently expect that all attributes given in buffer_attrs array are
device-attributes. This expectation was not forced by the API - and some
drivers did register attributes created by IIO_CONST_ATTR().

When using IIO_CONST_ATTRs the added attribute "wrapping" does not copy
the pointer to stored string constant and when the sysfs file is read the
kernel will access to invalid location.

Change the function signatures to expect an array of iio_dev_attrs to
avoid similar errors in the future.


Wouldn't be better to split this on per driver basis or is it impossible?

We need to change the callers and function signatures in one patch so we don't break bisecting.

struct iio_dev_opaque *iio_dev_opaque = to_iio_dev_opaque(indio_dev);
struct iio_dev_attr *p;

+ const struct iio_dev_attr *id_attr;

I'm wondering if we may keep this upper, so "longer line goes first" rule would
be satisfied.


struct attribute **attr;
int ret, i, attrn, scan_el_attrcount, buffer_attrcount;
const struct iio_chan_spec *channels;


+ for (i = 0, id_attr = buffer->attrs[i];
+ (id_attr = buffer->attrs[i]); i++)

Not sure why we have additional parentheses...

Because gcc warns about the assignment and suggests adding parenthesis if we don't.

+ attr[ARRAY_SIZE(iio_buffer_attrs) + i] =
+ (struct attribute *)&id_attr->dev_attr.attr;

...and explicit casting here. Isn't attr is already of a struct attribute?

I am glad you asked :)
This is one of the "things" I was not really happy about. Here we hide the fact that our array is full of pointers to _const_ data. If we don't cast the compiler points this out. Old code did the same thing but it did this by just doing a memcpy for the pointers - which I personally consider even worse as it gets really easy to miss this. The cast at least hints there is something slightly "fishy" going on.

My "gut feeling" about the correct fix is we should check if some attributes in the array (stored to the struct here) actually need to be modified later (which I doubt). If I was keen on betting I'd bet we could switch the struct definition to also contain pointers to const attributes. I am afraid this would mean quite a few more changes to the function signatures (changing struct attribute * to const struct attribute *) here and there - and possibly also require some changes to drivers. Thus I didn't even look at that option in the scope of this fix. It should probably be a separate refactoring series. But yes - this cast should catch attention as it did.

-- Matti Vaittinen

Matti Vaittinen
Linux kernel developer at ROHM Semiconductors
Oulu Finland

~~ When things go utterly wrong vim users can always type :help! ~~