Re: [PATCH] iio: buffer: hw-consumer: fix use-after-free in error path

Next message: Steven Rostedt: "Re: [PATCH] fprobe: Add unregister_fprobe_sync() for synchronous unregistration"
Previous message: Hugo Villeneuve: "[PATCH v2 07/15] serial: core: use uart_iotype_*() to simplify uart_report_port()"
In reply to: Andy Shevchenko: "Re: [PATCH] iio: buffer: hw-consumer: fix use-after-free in error path"
Next in thread: Roman Gushchin: "Re: [PATCH] iio: buffer: hw-consumer: fix use-after-free in error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jonathan Cameron

Date: Tue Apr 28 2026 - 14:27:19 EST

On Tue, 28 Apr 2026 18:59:28 +0300
Andy Shevchenko <andriy.shevchenko@xxxxxxxxx> wrote:

> On Tue, Apr 28, 2026 at 10:53:25PM +0800, Felix Gu wrote:
> > In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
> > was using list_for_each_entry() to iterate through buffers while calling
> > iio_buffer_put() which can free the current buffer if refcount drops to 0.
> > The list_for_each_entry() loop macro then evaluates buf->head.next to
> > continue iteration, accessing the freed buffer.
> >
> > Fix this by using list_for_each_entry_safe().
> >
> > Closes:https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
>
> Format is wrong, missing space.
>
> >
>
> Tag block should have no blank lines.
>
> > Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
> > Signed-off-by: Felix Gu <ustc.gu@xxxxxxxxx>
>
> I am also wondering should we put Reported-by with the reference to AI somehow?
> Jonathan, others, what are your opinions?

Would be nice to do so for these - things noticed whilst reviewing a patch
type reports.

Roman (+CC), any suggestions on how to do this?

>
> ...
>
> > - struct hw_consumer_buffer *buf;
> > + struct hw_consumer_buffer *buf, *n;
>
> Please, name it rather *tmp.
>
> > {
>