From: sashiko-bot@kernel.org
To: "Sanjay Chitroda" <sanjayembeddedse@gmail.com>
Cc: linux-input@vger.kernel.org, dmitry.torokhov@gmail.com
Subject: Re: [PATCH v3 7/9] iio: humidity: hid-sensor-humidity: use common device for devres
Date: Sat, 09 May 2026 13:06:21 +0000 [thread overview]
Message-ID: <20260509130621.D7770C4AF0D@smtp.kernel.org> (raw)
In-Reply-To: <20260509101040.791404-8-sanjayembedded@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free due to lifetime mismatch between IIO device and platform device devres
--
commit 2edcf899b7cb430d80f56a0ef1506dd20ea46d9d
Author: Sanjay Chitroda <sanjayembeddedse@gmail.com>
iio: humidity: hid-sensor-humidity: use common device for devres
This commit changes the devres allocation of humidity channels to use the
platform device instead of the IIO device. The goal is to have a single,
well-defined parent device for devres ownership.
> diff --git a/drivers/iio/humidity/hid-sensor-humidity.c b/drivers/iio/humidity/hid-sensor-humidity.c
> --- a/drivers/iio/humidity/hid-sensor-humidity.c
> +++ b/drivers/iio/humidity/hid-sensor-humidity.c
> @@ -215,7 +215,7 @@ static int hid_humidity_probe(struct platform_device *pdev)
> if (ret)
> return ret;
>
> - humid_chans = devm_kmemdup(&indio_dev->dev, humidity_channels,
> + humid_chans = devm_kmemdup(&pdev->dev, humidity_channels,
> sizeof(humidity_channels), GFP_KERNEL);
Could this change introduce a use-after-free if the IIO device outlives the
driver binding?
The indio_dev object is allocated using devm_iio_device_alloc(), meaning it is
reference-counted and its lifetime can exceed the platform device binding if
consumers hold a reference.
If the driver unbinds, the pdev devres callbacks will execute and free the
humid_chans memory. However, indio_dev->channels still points to this freed
array.
If a consumer later calls IIO APIs like iio_read_channel_ext_info(), they
will dereference the freed humid_chans memory.
> if (!humid_chans)
> return -ENOMEM;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260509101040.791404-1-sanjayembedded@gmail.com?part=7
next prev parent reply other threads:[~2026-05-09 13:06 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-09 10:10 [PATCH v3 0/9] iio: introduce devm_ API for hid sensro setup and cleanup Sanjay Chitroda
2026-05-09 10:10 ` [PATCH v3 1/9] iio: hid-sensors: drop redundant iio_dev argument Sanjay Chitroda
2026-05-09 10:42 ` sashiko-bot
2026-05-09 21:32 ` David Lechner
2026-05-12 12:37 ` srinivas pandruvada
2026-05-09 10:10 ` [PATCH v3 2/9] iio: hid-sensors: cleanup codestyle warning Sanjay Chitroda
2026-05-09 21:35 ` David Lechner
2026-05-12 12:39 ` srinivas pandruvada
2026-05-09 10:10 ` [PATCH v3 3/9] iio: hid-sensors: introduce device managed API Sanjay Chitroda
2026-05-10 6:36 ` Andy Shevchenko
2026-05-11 16:33 ` Jonathan Cameron
2026-05-12 12:47 ` srinivas pandruvada
2026-05-09 10:10 ` [PATCH v3 4/9] iio: gyro: hid-sensor-gyro-3d: cleanup codestyle warning Sanjay Chitroda
2026-05-09 21:38 ` David Lechner
2026-05-10 6:38 ` Andy Shevchenko
2026-05-09 10:10 ` [PATCH v3 5/9] iio: gyro: hid-sensor-gyro-3d: drop hid_sensor_remove_trigger() using devm API Sanjay Chitroda
2026-05-09 10:10 ` [PATCH v3 6/9] iio: humidity: hid-sensor-humidity: cleanup codestyle check Sanjay Chitroda
2026-05-09 10:10 ` [PATCH v3 7/9] iio: humidity: hid-sensor-humidity: use common device for devres Sanjay Chitroda
2026-05-09 13:06 ` sashiko-bot [this message]
2026-05-10 6:42 ` Andy Shevchenko
2026-05-11 16:41 ` Jonathan Cameron
2026-05-09 10:10 ` [PATCH v3 8/9] iio: humidity: hid-sensor-humidity: use local struct device Sanjay Chitroda
2026-05-09 10:10 ` [PATCH v3 9/9] iio: humidity: hid-sensor-humidity: drop hid_sensor_remove_trigger() using devm API Sanjay Chitroda
2026-05-09 21:44 ` [PATCH v3 0/9] iio: introduce devm_ API for hid sensro setup and cleanup David Lechner
2026-05-14 2:47 ` Zhang, Lixu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260509130621.D7770C4AF0D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dmitry.torokhov@gmail.com \
--cc=linux-input@vger.kernel.org \
--cc=sanjayembeddedse@gmail.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.