Re: [PATCH] iio: buffer: hw-consumer: fix use-after-free in error path
From: Andy Shevchenko
Date: Tue Apr 28 2026 - 12:14:30 EST
On Tue, Apr 28, 2026 at 10:53:25PM +0800, Felix Gu wrote:
> In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
> was using list_for_each_entry() to iterate through buffers while calling
> iio_buffer_put() which can free the current buffer if refcount drops to 0.
> The list_for_each_entry() loop macro then evaluates buf->head.next to
> continue iteration, accessing the freed buffer.
>
> Fix this by using list_for_each_entry_safe().
>
> Closes:https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com
Format is wrong, missing space.
>
Tag block should have no blank lines.
> Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
> Signed-off-by: Felix Gu <ustc.gu@xxxxxxxxx>
I am also wondering whether we should put Reported-by with the reference to AI somehow.
Jonathan, others, what are your opinions?
...
> - struct hw_consumer_buffer *buf;
> + struct hw_consumer_buffer *buf, *n;
Please name it *tmp instead.
> {
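Review bot: the second cursor added in `struct hw_consumer_buffer *buf, *n;` only holds the saved next entry for list_for_each_entry_safe(), and that protects the advance step alone. The loop is trimmed from this quote, so confirm that its body does not touch `buf` again after iio_buffer_put(), which per the commit message can free it. A one-line comment at the loop saying the put may drop the last reference would record why the _safe variant is required.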
--
With Best Regards,
Andy Shevchenko
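
The failure mode described in the commit message, as a userspace model (an added example, not code from the patch or the IIO tree). `struct hw_buf`, `buf_put()`, `next_of()` and `put_all()` are hypothetical stand-ins, and a released buffer is only marked dead rather than freed, so that the late read of `head.next` can be counted.

```c
#include <stddef.h>

/* Userspace stand-ins for the kernel list and buffer types (constructed). */
struct list_head { struct list_head *next; };
struct hw_buf { int refcount; int alive; struct list_head head; };
#define entry_of(p) ((struct hw_buf *)((char *)(p) - offsetof(struct hw_buf, head)))

static int stale_reads; /* reads of ->head.next from a released buffer */
/* Every cursor advance goes through here so stale reads can be counted. */
static struct list_head *next_of(struct hw_buf *b)
{
	stale_reads += !b->alive;
	return b->head.next;
}

/* Like iio_buffer_put(): dropping the last reference releases the buffer.
 * The slot is marked dead instead of being passed to free(), so the stale
 * read can be observed without undefined behaviour. */
static void buf_put(struct hw_buf *b)
{
	if (--b->refcount == 0)
		b->alive = 0;
}

/* Put every buffer on an n-entry list (n <= 8); return the stale-read count.
 * save_next = 0: next is read after the put, as list_for_each_entry() does.
 * save_next = 1: next is saved before the put, as the _safe variant does. */
int put_all(int n, int save_next)
{
	struct hw_buf pool[8];
	struct list_head h, *tail = &h, *p, *tmp;

	for (int i = 0; i < n; i++, tail = tail->next) {
		pool[i] = (struct hw_buf){ .refcount = 1, .alive = 1 };
		tail->next = &pool[i].head;
	}
	tail->next = &h; /* circular, like the kernel list */
	stale_reads = 0;
	for (p = h.next; p != &h; p = tmp) {
		if (save_next)
			tmp = next_of(entry_of(p));
		buf_put(entry_of(p));
		if (!save_next)
			tmp = next_of(entry_of(p));
	}
	return stale_reads;
}

int main(void) { return put_all(3, 1); } /* exit status 0: no stale reads */
```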