From: Felix Gu
Date: Tue, 28 Apr 2026 22:53:25 +0800
Subject: [PATCH] iio: buffer: hw-consumer: fix use-after-free in error path
Message-Id: <20260428-iio-buf-v1-1-dcc63ff7b800@gmail.com>
To: Jonathan Cameron, David Lechner, Nuno Sá, Andy Shevchenko, Lars-Peter Clausen, Arnaud Pouliquen, Mark Brown
Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Jonathan Cameron, Felix Gu

In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the
code was using list_for_each_entry() to iterate through buffers while
calling iio_buffer_put() which can free the current buffer if refcount
drops to 0.

The list_for_each_entry() loop macro then evaluates buf->head.next to
continue iteration, accessing the freed buffer.

Fix this by using list_for_each_entry_safe().

Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
Signed-off-by: Felix Gu
---
 drivers/iio/buffer/industrialio-hw-consumer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/buffer/industrialio-hw-consumer.c b/drivers/iio/buffer/industrialio-hw-consumer.c index 24d7df603760..7406efefc123 100644 --- a/drivers/iio/buffer/industrialio-hw-consumer.c +++ b/drivers/iio/buffer/industrialio-hw-consumer.c @@ -85,7 +85,7 @@ static struct hw_consumer_buffer *iio_hw_consumer_get_buffer( */ struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev) { - struct hw_consumer_buffer *buf; + struct hw_consumer_buffer *buf, *n; struct iio_hw_consumer *hwc; struct iio_channel *chan; int ret; @@ -116,7 +116,7 @@ struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev) return hwc; err_put_buffers: - list_for_each_entry(buf, &hwc->buffers, head) + list_for_each_entry_safe(buf, n, &hwc->buffers, head) iio_buffer_put(&buf->buffer); iio_channel_release_all(hwc->channels); err_free_hwc: --- base-commit: 7080e32d3f09d8688c4a87d81bdcc71f7f606b16 change-id: 20260428-iio-buf-4c8559020a54 Best regards, -- Felix Gu
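
Review bot: In the err_put_buffers loop of the second hunk, list_for_each_entry_safe() only makes the walk itself safe; each buf is still linked on hwc->buffers after iio_buffer_put() may have freed it. That is harmless only if nothing reads hwc->buffers again before hwc goes away, which the fall-through to err_free_hwc suggests but the visible lines do not show. Consider saying so in the commit message, or calling list_del(&buf->head) before iio_buffer_put(&buf->buffer) so the list never holds a dangling entry. Minor style point on the first hunk: the cursor declared as `n` would read more clearly as `tmp` or `next`.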
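
The failure mode the commit message describes, as an added userspace model that is not kernel code and not part of the patch. It assumes hypothetical names (`struct buf`, `buf_put`, `read_next`, `walk_plain`, `walk_safe`, `demo`) and sets a `freed` flag instead of releasing memory, so reads from a released node can be counted without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
struct list_head { struct list_head *next, *prev; };
struct buf { struct list_head head; int refcount, freed; };  /* freed replaces free() */
#define to_buf(p) ((struct buf *)((char *)(p) - offsetof(struct buf, head)))
static int stale_reads;   /* ->next reads taken from an already released node */

static struct list_head *read_next(struct list_head *pos, struct list_head *list)
{
    stale_reads += (pos != list && to_buf(pos)->freed);
    return pos->next;
}

static void buf_put(struct buf *b)   /* models iio_buffer_put(): release at zero */
{
    b->freed = (--b->refcount == 0);
}

static void walk_plain(struct list_head *list)   /* list_for_each_entry() shape */
{
    struct list_head *pos;
    for (pos = read_next(list, list); pos != list; pos = read_next(pos, list))
        buf_put(to_buf(pos));   /* the step then reads pos->next after the put */
}

static void walk_safe(struct list_head *list)   /* list_for_each_entry_safe() shape */
{
    struct list_head *pos = read_next(list, list), *n;
    for (n = read_next(pos, list); pos != list; pos = n, n = read_next(pos, list))
        buf_put(to_buf(pos));   /* n was read before the put */
}

static int demo(int use_safe, int refs)   /* returns stale reads over 3 buffers */
{
    struct list_head list = { &list, &list };
    struct buf bufs[3];
    stale_reads = 0;
    for (int i = 0; i < 3; i++) {   /* constructed input: list_add_tail() by hand */
        bufs[i] = (struct buf){ { &list, list.prev }, refs, 0 };
        list.prev->next = &bufs[i].head;
        list.prev = &bufs[i].head;
    }
    if (use_safe) walk_safe(&list); else walk_plain(&list);
    return stale_reads;
}

int main(void)
{
    return printf("plain=%d safe=%d shared=%d\n", demo(0, 1), demo(1, 1), demo(0, 2)) < 0;
}
```

The third case, `demo(0, 2)`, has a second reference held on every buffer, so the put releases nothing and the plain walk reads no released node; this is why such a loop can go unnoticed until the put drops the last reference.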