Re: [PATCH v2] iio: trigger: Fix refcount leak in viio_trigger_alloc() error path

Next message: Greg KH: "Re: [PATCH 0/1] rust: module_param: support bool parameters"
Previous message: Krzysztof Kozlowski: "Re: [PATCH 2/2] dt-bindings: arm: cpus: Add compatible qcom,oryon-1-5"
In reply to: Guangshuo Li: "[PATCH v2] iio: trigger: Fix refcount leak in viio_trigger_alloc() error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Mon Apr 13 2026 - 08:42:07 EST

On Mon, Apr 13, 2026 at 07:56:56PM +0800, Guangshuo Li wrote:
> After device_initialize(), the lifetime of the embedded struct device
> is expected to be managed through the device core reference counting.
>
> In viio_trigger_alloc(), if irq_alloc_descs() or kvasprintf() fails,
> the error path frees trig directly with kfree() rather than releasing
> the device reference with put_device(). This bypasses the normal device
> lifetime rules and may leave the reference count of the embedded struct
> device unbalanced, resulting in a refcount leak and potentially leading
> to a use-after-free.
>
> The issue was identified by a static analysis tool I developed and
> confirmed by manual review.
>
> Fix this by using put_device(&trig->dev) in the failure path and let
> iio_trig_release() handle the final cleanup. Also update the subirq_base
> check in iio_trig_release() to test for >= 0, so that a negative error
> code from irq_alloc_descs() is not treated as a valid IRQ descriptor
> base during cleanup.
>
> Fixes: 2c99f1a09da3 ("iio: trigger: clean up viio_trigger_alloc()")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
> ---
> v2:
> - note that the issue was identified by my static analysis tool
> - and confirmed by manual review

No, the issue is that you are working against old code. This bug
was already fixed a different way upstream.

regards,
dan carpenter