From: Salah Triki <salah.triki@gmail.com>
To: Jonathan Cameron <jic23@kernel.org>
Cc: "David Lechner" <dlechner@baylibre.com>,
	"Nuno Sá" <nuno.sa@analog.com>,
	"Andy Shevchenko" <andy@kernel.org>,
	linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] iio: trigger: fix use-after-free in viio_trigger_alloc()
Date: Wed, 4 Feb 2026 21:03:49 +0100
Message-ID: <aYOmJeR3x0Mg4GLf@pc>
In-Reply-To: <20260131124416.19576731@jic23-huawei>

On Sat, Jan 31, 2026 at 12:44:16PM +0000, Jonathan Cameron wrote:
> On Sat, 31 Jan 2026 10:23:33 +0100
> Salah Triki <salah.triki@gmail.com> wrote:
> 
> Hi Salah,
> 
> This is definitely a case of the fix not being anywhere near as simple
> as it might look at first glance.
> 
> > Once `device_initialize()` is called, the reference count of the device
> > is set to 1. The memory associated with the device must then be
> > managed by the kobject reference counting.
> > 
> > In `viio_trigger_alloc()`, if `irq_alloc_descs()` or `kvasprintf()` fails,
> > the code currently calls `kfree()`. Using `kfree()` in this case bypasses
> > the device's release callback and can lead to a use-after-free or memory
> > corruption.
> 
> In some cases yes it can cause problems, but please show me an actual
> path to this in the description. It should indeed be tidied up.
> 
> > 
> > Fix this by calling `put_device()` instead of `kfree()`. This ensures that
> > the memory is freed properly via `iio_trig_release()` when the reference
> > count drops to zero.
> 
> This change is not sufficient and causes some cleanup to happen twice
> thus introducing some bugs that weren't there before.
> So take another look.
> 
> > 
> > Fixes: 2c99f1a09da3d ("iio: trigger: clean up viio_trigger_alloc()")
> > 
> No blank line here.  Scripts that commonly run on the kernel tree rely
> on the tags block having no blank lines in it to avoid false positives.
> 
Hi Jonathan,

Thanks for the review!

You're right – my patch was incomplete and can lead to double cleanup
between the error path and iio_trig_release(). I'll rework the error
handling so that once device_initialize() has been called, all cleanup
goes through put_device(), and resource freeing is centralized in the
release callback.

I’ll send a v2 fixing the double-free issue, showing the error path
and correcting the Fixes tag format.

Thanks!
Salah
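
To make the double-cleanup point concrete, here is an added user-space C model. It is not code from the kernel, from the patch, or from either poster. It mirrors the flow the thread describes (device_initialize() hands the caller the initial reference, irq descriptors and a name are then allocated, and the release callback frees what the object owns) using simplified stand-ins that carry the kernel function names; trig_alloc_double_cleanup(), trig_alloc_centralized(), trig_release(), kfree_name() and run_case() are hypothetical names, and the resource counters and fault switches are constructed for the demonstration. The first variant keeps the old goto chain and only swaps kfree() for put_device(), so on a name-allocation failure the irq descriptors are freed by the error path and again by the release callback. The second routes every failure after device_initialize() through put_device() alone and lets the release callback do all the freeing, which is the reworked error handling described above.

```c
/* Added user-space model of the refcount/error-path interplay; the kernel
 * function names below are simplified stand-ins, not the real code. */
#include <stdlib.h>
#include <string.h>

struct device { int refcount; void (*release)(struct device *); };

struct trig {
    struct device dev;   /* first member, so a device pointer casts back */
    int subirq_base;     /* -1 when no irq descriptors are held */
    char *name;
};

static int irq_descs_live, names_live;      /* negative => freed twice */
static int fail_irq_alloc, fail_name_alloc; /* fault switches (constructed) */

static void device_initialize(struct device *dev, void (*release)(struct device *))
{ dev->refcount = 1; dev->release = release; }   /* caller owns one reference */

static void put_device(struct device *dev)
{ if (--dev->refcount == 0) dev->release(dev); }

static int irq_alloc_descs(void)
{ if (fail_irq_alloc) return -1; irq_descs_live++; return 64; }
static void irq_free_descs(int base) { (void)base; irq_descs_live--; }

static char *kvasprintf(const char *s)
{
    char *p = fail_name_alloc ? NULL : malloc(strlen(s) + 1);
    if (p) { strcpy(p, s); names_live++; }
    return p;
}

static void kfree_name(char *name)   /* kfree(NULL) is a no-op */
{ if (name) { names_live--; free(name); } }

/* Release callback: the one place that frees what the trigger owns. */
static void trig_release(struct device *dev)
{
    struct trig *trig = (struct trig *)dev;
    if (trig->subirq_base >= 0) irq_free_descs(trig->subirq_base);
    kfree_name(trig->name);
    free(trig);
}

/* Variant 1: old goto chain with kfree() merely replaced by put_device().
 * On a name failure the descriptors are freed here and again in release. */
static struct trig *trig_alloc_double_cleanup(const char *name)
{
    struct trig *trig = calloc(1, sizeof(*trig));
    if (!trig) return NULL;
    device_initialize(&trig->dev, trig_release);
    trig->subirq_base = irq_alloc_descs();
    if (trig->subirq_base < 0)
        goto put;
    trig->name = kvasprintf(name);
    if (!trig->name)
        goto free_descs;
    return trig;
free_descs:
    irq_free_descs(trig->subirq_base);   /* first free ... */
put:
    put_device(&trig->dev);              /* ... trig_release() frees again */
    return NULL;
}

/* Variant 2: after device_initialize() every failure only drops the
 * reference; trig_release() frees exactly what was acquired. */
static struct trig *trig_alloc_centralized(const char *name)
{
    struct trig *trig = calloc(1, sizeof(*trig));
    if (!trig) return NULL;
    trig->subirq_base = -1;  /* lets release tell "never allocated" */
    device_initialize(&trig->dev, trig_release);
    trig->subirq_base = irq_alloc_descs();
    if (trig->subirq_base < 0)
        goto put;
    trig->name = kvasprintf(name);
    if (!trig->name)
        goto put;
    return trig;
put:
    put_device(&trig->dev);
    return NULL;
}

/* Allocate under a fault, tear down, and report: -1 if something was
 * freed twice, 0 if balanced, >0 for that many leaked resources. */
static int run_case(struct trig *(*alloc)(const char *), int fail_irq, int fail_name)
{
    irq_descs_live = names_live = 0;
    fail_irq_alloc = fail_irq; fail_name_alloc = fail_name;
    struct trig *t = alloc("trig0");
    if (t)
        put_device(&t->dev);   /* normal teardown: drop the last reference */
    fail_irq_alloc = fail_name_alloc = 0;
    if (irq_descs_live < 0 || names_live < 0)
        return -1;
    return irq_descs_live + names_live;
}
```

run_case(trig_alloc_double_cleanup, 0, 1) returns -1 (descriptors freed twice), while every other combination, including the same fault under trig_alloc_centralized, returns 0. The model also shows why the release callback must cope with partially initialised state: it checks subirq_base and tolerates a NULL name, because it can now run from any point after device_initialize().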

Thread overview: 8+ messages
2026-01-31  9:23 [PATCH] iio: trigger: fix use-after-free in viio_trigger_alloc() Salah Triki
2026-01-31 12:44 ` Jonathan Cameron
2026-02-02 10:12   ` Nuno Sá
2026-02-02 20:52     ` Jonathan Cameron
2026-02-03 11:18       ` Andy Shevchenko
2026-02-03 11:20         ` Andy Shevchenko
2026-02-03 11:26           ` Andy Shevchenko
2026-02-04 20:03   ` Salah Triki [this message]
