Re: [PATCH v2] iio: buffer: hw-consumer: fix use-after-free in error path

Next message: Hans Zhang: "Re: [RESEND PATCH 00/16] PCI: Use FIELD_MODIFY() to simplify bitfield operations"
Previous message: Shyam Sunder Reddy Padira: "[PATCH] staging: greybus:add missing newline in sysfs show() output"
In reply to: Nuno S&#xE1;: "Re: [PATCH v2] iio: buffer: hw-consumer: fix use-after-free in error path"
Next in thread: Maxwell Doose: "Re: [PATCH v2] iio: buffer: hw-consumer: fix use-after-free in error path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joshua Crofts

Date: Fri May 01 2026 - 10:20:21 EST

On Thu, 30 Apr 2026 at 15:29, Felix Gu <ustc.gu@xxxxxxxxx> wrote:
>
> In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
> was using list_for_each_entry() to iterate through buffers while calling
> iio_buffer_put() which can free the current buffer if refcount drops to 0.
> The list_for_each_entry() loop macro then evaluates buf->head.next to
> continue iteration, accessing the freed buffer.
>
> Fix this by using list_for_each_entry_safe().
>
> Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
> Reported-by: sashiko <sashiko-bot@xxxxxxxxxx>
> Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com

FYI, Sashiko reported 2 additional regressions (neither introduced by
your patches), one of them critical. Maybe another patch would be good?

https://sashiko.dev/#/patchset/20260430-iio-buf-v2-1-84c2231dea5e%40gmail.com?part=1

--
Kind regards

CJD