User space can write a triger name via trigger/current_trigger.
But it is possible that it can't find this name. In this case
iio_trigger_find_by_name will return NULL. Even if it is NULL,
it sets indio_dev->trig to this NULL value. But when iio drivers
calls iio_trigger_unregister, it will crash because it will try
to dereference NULL pointer. So either every driver checks for
NULL before calling iio_trigger_unregister or make sure that
NULL is not assigned because of invalid trigger name. The later
is better and has less impact.
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@xxxxxxxxxxxxxxx>
---
drivers/iio/industrialio-trigger.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
index bf5e70a..4dc4247 100644
--- a/drivers/iio/industrialio-trigger.c
+++ b/drivers/iio/industrialio-trigger.c
@@ -342,13 +342,16 @@ static ssize_t iio_trigger_write_current(struct device *dev,
if (oldtrig == trig)
return len;
- if (trig && indio_dev->info->validate_trigger) {
+ if (!trig)
+ return -EINVAL;
+
+ if (indio_dev->info->validate_trigger) {
ret = indio_dev->info->validate_trigger(indio_dev, trig);
if (ret)
return ret;
}
- if (trig && trig->ops && trig->ops->validate_device) {
+ if (trig->ops && trig->ops->validate_device) {
ret = trig->ops->validate_device(trig, indio_dev);
if (ret)
return ret;
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
