Re: [PATCH] iio: buffer: fix use-after-free for attached_buffers array

From: Lars-Peter Clausen
Date: Sun Mar 07 2021 - 08:00:36 EST

Next message: John Wood: "[PATCH v6 4/8] security/brute: Fine tuning the attack detection"
Previous message: Tejun Heo: "Re: [Patch v3 0/2] cgroup: New misc cgroup controller"
In reply to: Jonathan Cameron: "Re: [PATCH] iio: buffer: fix use-after-free for attached_buffers array"
Next in thread: Alexandru Ardelean: "Re: [PATCH] iio: buffer: fix use-after-free for attached_buffers array"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/7/21 1:36 PM, Jonathan Cameron wrote:

On Sat, 6 Mar 2021 18:47:10 +0200
Alexandru Ardelean <ardeleanalex@xxxxxxxxx> wrote:

Thanks to Lars for finding this.
The free of the 'attached_buffers' array should be done as late as
possible. This change moves it to iio_buffers_put(), which looks like
the best place for it, since it takes place right before the IIO device
data is free'd.

It feels a bit wrong to do direct freeing of stuff in a _put() call
given that kind of implies nothing will happen without some reference
count dropping to 0. We could think about renaming the function to
something like

iio_buffers_put_and_free_array() but is a bit long winded.

Otherwise, I'm fine with this but want to let it sit on list a tiny bit
longer before I take it as it's not totally trivial unlike the previous
one.

Maybe to go with naming schema of iio_device_attach_buffer() call this function iio_device_detach_buffers(). We grab the reference in attach, and drop it in detach.

- Lars

Next message: John Wood: "[PATCH v6 4/8] security/brute: Fine tuning the attack detection"
Previous message: Tejun Heo: "Re: [Patch v3 0/2] cgroup: New misc cgroup controller"
In reply to: Jonathan Cameron: "Re: [PATCH] iio: buffer: fix use-after-free for attached_buffers array"
Next in thread: Alexandru Ardelean: "Re: [PATCH] iio: buffer: fix use-after-free for attached_buffers array"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]