drivers/staging/iio/adc/ad7816.c | 59 +++++++++++++++++++++++--------- 1 file changed, 42 insertions(+), 17 deletions(-)
The ad7816 driver lacks proper synchronization around SPI operations
and device state access. Concurrent access from multiple threads can
lead to data corruption and inconsistent device state.
The driver performs sequences of GPIO pin manipulations followed by
SPI transactions without any locking. Device state variables (mode,
channel_id, oti_data) are also accessed without synchronization.
This bug was found through manual code review using static analysis
techniques. The review focused on identifying unsynchronized access
patterns to shared resources. Key indicators were:
- GPIO pin state changes followed by SPI operations without atomicity
- Shared state variables accessed from multiple sysfs entry points
- No mutex or spinlock protection around sections
- Potential for interleaved execution in multi-threaded environments
The review methodology involved tracing data flow paths and identifying
points where concurrent access could corrupt device state or SPI
communication sequences.
Add io_lock mutex to protect:
- SPI transactions and GPIO sequences in read/write functions
- Device state variables in sysfs show/store functions
- Concurrent access to chip configuration
This prevents race conditions when multiple processes access the device
simultaneously through sysfs attributes or device file operations.
Fixes: 7924425db04a ("staging: iio: adc: new driver for AD7816 devices")
Signed-off-by: Mohammad Amin Hosseini <moahmmad.hosseinii@gmail.com>
---
Changes in v5:
- Rebased on top of latest staging tree
- Dropped unrelated cleanups (sysfs_emit, sysfs_streq, type casts, etc.)
- Keep only the mutex locking for SPI and GPIO access
---
drivers/staging/iio/adc/ad7816.c | 59 +++++++++++++++++++++++---------
1 file changed, 42 insertions(+), 17 deletions(-)
diff --git a/drivers/staging/iio/adc/ad7816.c b/drivers/staging/iio/adc/ad7816.c
index 4774df778de9..669572c04181 100644
--- a/drivers/staging/iio/adc/ad7816.c
+++ b/drivers/staging/iio/adc/ad7816.c
@@ -50,6 +50,7 @@ struct ad7816_chip_info {
u8 oti_data[AD7816_CS_MAX + 1];
u8 channel_id; /* 0 always be temperature */
u8 mode;
+ struct mutex io_lock; /* Protects SPI transactions and GPIO toggling */
};
enum ad7816_type {
@@ -67,13 +68,13 @@ static int ad7816_spi_read(struct ad7816_chip_info *chip, u16 *data)
int ret;
__be16 buf;
+ mutex_lock(&chip->io_lock);
+
gpiod_set_value(chip->rdwr_pin, 1);
gpiod_set_value(chip->rdwr_pin, 0);
ret = spi_write(spi_dev, &chip->channel_id, sizeof(chip->channel_id));
- if (ret < 0) {
- dev_err(&spi_dev->dev, "SPI channel setting error\n");
- return ret;
- }
+ if (ret < 0)
+ goto unlock;
gpiod_set_value(chip->rdwr_pin, 1);
if (chip->mode == AD7816_PD) { /* operating mode 2 */
@@ -92,13 +93,13 @@ static int ad7816_spi_read(struct ad7816_chip_info *chip, u16 *data)
gpiod_set_value(chip->rdwr_pin, 0);
gpiod_set_value(chip->rdwr_pin, 1);
ret = spi_read(spi_dev, &buf, sizeof(*data));
- if (ret < 0) {
- dev_err(&spi_dev->dev, "SPI data read error\n");
- return ret;
- }
+ if (ret < 0)
+ goto unlock;
*data = be16_to_cpu(buf);
+unlock:
+ mutex_unlock(&chip->io_lock);
return ret;
}
@@ -107,12 +108,13 @@ static int ad7816_spi_write(struct ad7816_chip_info *chip, u8 data)
struct spi_device *spi_dev = chip->spi_dev;
int ret;
+ mutex_lock(&chip->io_lock);
+
gpiod_set_value(chip->rdwr_pin, 1);
gpiod_set_value(chip->rdwr_pin, 0);
ret = spi_write(spi_dev, &data, sizeof(data));
- if (ret < 0)
- dev_err(&spi_dev->dev, "SPI oti data write error\n");
+ mutex_unlock(&chip->io_lock);
return ret;
}
@@ -122,10 +124,16 @@ static ssize_t ad7816_show_mode(struct device *dev,
{
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ad7816_chip_info *chip = iio_priv(indio_dev);
+ int ret;
+ mutex_lock(&chip->io_lock);
if (chip->mode)
- return sprintf(buf, "power-save\n");
- return sprintf(buf, "full\n");
+ ret = sprintf(buf, "power-save\n");
+ else
+ ret = sprintf(buf, "full\n");
+ mutex_unlock(&chip->io_lock);
+
+ return ret;
}
static ssize_t ad7816_store_mode(struct device *dev,
@@ -136,6 +144,7 @@ static ssize_t ad7816_store_mode(struct device *dev,
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ad7816_chip_info *chip = iio_priv(indio_dev);
+ mutex_lock(&chip->io_lock);
if (strcmp(buf, "full") == 0) {
gpiod_set_value(chip->rdwr_pin, 1);
chip->mode = AD7816_FULL;
@@ -143,6 +152,7 @@ static ssize_t ad7816_store_mode(struct device *dev,
gpiod_set_value(chip->rdwr_pin, 0);
chip->mode = AD7816_PD;
}
+ mutex_unlock(&chip->io_lock);
return len;
}
@@ -168,8 +178,13 @@ static ssize_t ad7816_show_channel(struct device *dev,
{
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ad7816_chip_info *chip = iio_priv(indio_dev);
+ int ret;
- return sprintf(buf, "%d\n", chip->channel_id);
+ mutex_lock(&chip->io_lock);
+ ret = sprintf(buf, "%d\n", chip->channel_id);
+ mutex_unlock(&chip->io_lock);
+
+ return ret;
}
static ssize_t ad7816_store_channel(struct device *dev,
@@ -200,7 +215,9 @@ static ssize_t ad7816_store_channel(struct device *dev,
return -EINVAL;
}
+ mutex_lock(&chip->io_lock);
chip->channel_id = data;
+ mutex_unlock(&chip->io_lock);
return len;
}
@@ -272,18 +289,23 @@ static ssize_t ad7816_show_oti(struct device *dev,
{
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct ad7816_chip_info *chip = iio_priv(indio_dev);
- int value;
+ int value, ret;
+ mutex_lock(&chip->io_lock);
if (chip->channel_id > AD7816_CS_MAX) {
dev_err(dev, "Invalid oti channel id %d.\n", chip->channel_id);
- return -EINVAL;
+ ret = -EINVAL;
} else if (chip->channel_id == 0) {
value = AD7816_BOUND_VALUE_MIN +
(chip->oti_data[chip->channel_id] -
AD7816_BOUND_VALUE_BASE);
- return sprintf(buf, "%d\n", value);
+ ret = sprintf(buf, "%d\n", value);
+ } else {
+ ret = sprintf(buf, "%u\n", chip->oti_data[chip->channel_id]);
}
- return sprintf(buf, "%u\n", chip->oti_data[chip->channel_id]);
+ mutex_unlock(&chip->io_lock);
+
+ return ret;
}
static inline ssize_t ad7816_set_oti(struct device *dev,
@@ -322,7 +344,9 @@ static inline ssize_t ad7816_set_oti(struct device *dev,
if (ret)
return -EIO;
+ mutex_lock(&chip->io_lock);
chip->oti_data[chip->channel_id] = data;
+ mutex_unlock(&chip->io_lock);
return len;
}
@@ -363,6 +387,7 @@ static int ad7816_probe(struct spi_device *spi_dev)
dev_set_drvdata(&spi_dev->dev, indio_dev);
chip->spi_dev = spi_dev;
+ mutex_init(&chip->io_lock);
for (i = 0; i <= AD7816_CS_MAX; i++)
chip->oti_data[i] = 203;
--
2.43.0On 9/1/25 2:40 PM, Mohammad Amin Hosseini wrote:
> The ad7816 driver lacks proper synchronization around SPI operations
> and device state access. Concurrent access from multiple threads can
> lead to data corruption and inconsistent device state.
>
> The driver performs sequences of GPIO pin manipulations followed by
> SPI transactions without any locking. Device state variables (mode,
> channel_id, oti_data) are also accessed without synchronization.
>
> This bug was found through manual code review using static analysis
> techniques. The review focused on identifying unsynchronized access
> patterns to shared resources. Key indicators were:
> - GPIO pin state changes followed by SPI operations without atomicity
> - Shared state variables accessed from multiple sysfs entry points
> - No mutex or spinlock protection around sections
> - Potential for interleaved execution in multi-threaded environments
>
> The review methodology involved tracing data flow paths and identifying
> points where concurrent access could corrupt device state or SPI
> communication sequences.
>
> Add io_lock mutex to protect:
> - SPI transactions and GPIO sequences in read/write functions
> - Device state variables in sysfs show/store functions
> - Concurrent access to chip configuration
>
> This prevents race conditions when multiple processes access the device
> simultaneously through sysfs attributes or device file operations.
>
> Fixes: 7924425db04a ("staging: iio: adc: new driver for AD7816 devices")
>
> Signed-off-by: Mohammad Amin Hosseini <moahmmad.hosseinii@gmail.com>
>
> ---
> Changes in v5:
> - Rebased on top of latest staging tree
> - Dropped unrelated cleanups (sysfs_emit, sysfs_streq, type casts, etc.)
> - Keep only the mutex locking for SPI and GPIO access
> ---
My comments from v1 [1] are still applicable (have not been addressed).
[1]: https://lore.kernel.org/linux-iio/b6c2ac13-2781-49ba-964f-ca821b32e2a2@baylibre.com/
On Mon, Sep 01, 2025 at 11:10:43PM +0330, Mohammad Amin Hosseini wrote:
> The ad7816 driver lacks proper synchronization around SPI operations
> and device state access. Concurrent access from multiple threads can
> lead to data corruption and inconsistent device state.
>
> The driver performs sequences of GPIO pin manipulations followed by
> SPI transactions without any locking. Device state variables (mode,
> channel_id, oti_data) are also accessed without synchronization.
>
> This bug was found through manual code review using static analysis
> techniques. The review focused on identifying unsynchronized access
> patterns to shared resources. Key indicators were:
> - GPIO pin state changes followed by SPI operations without atomicity
> - Shared state variables accessed from multiple sysfs entry points
> - No mutex or spinlock protection around sections
> - Potential for interleaved execution in multi-threaded environments
>
> The review methodology involved tracing data flow paths and identifying
> points where concurrent access could corrupt device state or SPI
> communication sequences.
>
> Add io_lock mutex to protect:
> - SPI transactions and GPIO sequences in read/write functions
> - Device state variables in sysfs show/store functions
> - Concurrent access to chip configuration
>
> This prevents race conditions when multiple processes access the device
> simultaneously through sysfs attributes or device file operations.
>
> Fixes: 7924425db04a ("staging: iio: adc: new driver for AD7816 devices")
>
> Signed-off-by: Mohammad Amin Hosseini <moahmmad.hosseinii@gmail.com>
>
I've asked you to wait a day between resends and Jonathan asked you to
wait for "a few days"... It really is a headache to review the same
patch over and over in the same day.
regards,
dan carpenter
© 2016 - 2025 Red Hat, Inc.