Subject: patch "iio: core: fix double free in iio_device_unregister_sysfs()" added to char-misc-testing
To: yangyingliang@huawei.com, Jonathan.Cameron@huawei.com, Stable@vger.kernel.org, ardeleanalex@gmail.com, hulkci@huawei.com
From:
Date: Sun, 24 Oct 2021 13:09:13 +0200
Message-ID: <1635073753153237@kroah.com>
X-Mailing-List: stable@vger.kernel.org

This is a note to let you know that I've just added the patch titled

    iio: core: fix double free in iio_device_unregister_sysfs()

to my char-misc git tree which can be found at
    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-testing branch.

The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)

The patch will be merged to the char-misc-next branch sometime soon,
after it passes testing, and the merge window is open.

If you have any questions about this process, please let me know.

From 19833c40d0415d6fe4340b5b9c46239abbf718f6 Mon Sep 17 00:00:00 2001
From: Yang Yingliang
Date: Wed, 13 Oct 2021 11:05:32 +0800
Subject: iio: core: fix double free in iio_device_unregister_sysfs()

I got the double free report:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390

 iio_device_unregister_sysfs+0x108/0x13b [industrialio]
 iio_dev_release+0x9e/0x10e [industrialio]
 device_release+0xa5/0x240

If __iio_device_register() fails, iio_dev_opaque->groups will be freed
in error path in iio_device_unregister_sysfs(), then iio_dev_release()
will call iio_device_unregister_sysfs() again, it causes double free.
Set iio_dev_opaque->groups to NULL when it's freed to fix this double free.

Note this is a local workaround for a more general mess around lifetime
management that will get cleaned up and should make this handling
unnecessary.

Fixes: 32f171724e5c ("iio: core: rework iio device group creation")
Reported-by: Hulk Robot
Reviewed-by: Alexandru Ardelean
Signed-off-by: Yang Yingliang
Link: https://lore.kernel.org/r/20211013030532.956133-1-yangyingliang@huawei.com
Cc:
Signed-off-by: Jonathan Cameron --- drivers/iio/industrialio-core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c index 48fda6a79076..3e1e86d987cc 100644 --- a/drivers/iio/industrialio-core.c +++ b/drivers/iio/industrialio-core.c @@ -1600,6 +1600,7 @@ static void iio_device_unregister_sysfs(struct iio_dev *indio_dev) kfree(iio_dev_opaque->chan_attr_group.attrs); iio_dev_opaque->chan_attr_group.attrs = NULL; kfree(iio_dev_opaque->groups); + iio_dev_opaque->groups = NULL; } static void iio_dev_release(struct device *device) -- 2.33.1
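
Review bot: The new `iio_dev_opaque->groups = NULL;` after `kfree(iio_dev_opaque->groups);` needs a one-line comment saying that iio_device_unregister_sysfs() can run twice (once from the __iio_device_register() error path and again from iio_dev_release(), as the commit message describes). Without that comment the assignment looks redundant at the end of a teardown function and is easy to drop in a later cleanup. The existing `iio_dev_opaque->chan_attr_group.attrs = NULL;` two lines up follows the same pattern, so one comment covering both frees would do. It is also worth confirming that anything else released earlier in this function, above the visible context, is either cleared or safe to release a second time, because the second call walks the whole function again and only these two pointers are visibly protected by relying on kfree(NULL) being a no-op.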