Re: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()
From: Joshua Crofts
Date: Fri May 22 2026 - 06:38:08 EST
On Fri, 22 May 2026 at 11:44, Ashwin Gundarapu <linuxuser509@xxxxxxxxxxx> wrote:
>
> From: Ashwin Gundarapu <linuxuser509@xxxxxxxxxxx>
> Date: Fri, 22 May 2026 14:34:46 +0530
> Subject: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()
>
> Replace direct kfree() with put_device() in the error path after
> device_initialize() has been called.
>
> The direct kfree() bypasses the reference counting mechanism,
> causing a memory leak and a potential use-after-free.
>
> Signed-off-by: Ashwin Gundarapu <linuxuser509@xxxxxxxxxxx>
> ---
> drivers/iio/industrialio-trigger.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
> index 17781c12bc85..9c72e7ae996c 100644
> --- a/drivers/iio/industrialio-trigger.c
> +++ b/drivers/iio/industrialio-trigger.c
> @@ -598,7 +598,7 @@ struct iio_trigger *viio_trigger_alloc(struct device *parent,
> free_descs:
> irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER);
> free_trig:
> - kfree(trig);
> + put_device(&trig->dev);
> return NULL;
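Review bot: replacing `kfree(trig)` with `put_device(&trig->dev)` at `free_trig:` is only correct if `device_initialize(&trig->dev)` has already run on every path that reaches that label; the hunk context shows only the two labels, not the earlier `goto free_trig` sites, so the change needs to show (or the commit message needs to state) that each of them comes after device_initialize(), otherwise put_device() on a never-initialized struct device is a new bug, not a leak fix. The label order matters too: `free_descs:` falls straight through into `free_trig:`, so after `irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER)` has run, put_device() drops the last reference and invokes the device's release callback; if that release callback is what frees the subirq descriptors, this path frees them twice. The safer shape is to split the labels rather than swap the call: keep kfree() for unwinding before device_initialize(), and for the paths after it use put_device() alone and let release() do the whole cleanup, including irq_free_descs().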
IMO calling put_device() on an uninitialized struct device would cause a
panic, as there are multiple goto statements that jump to this section
before the struct is initialized. Additionally (as Sashiko points out), this
patch introduces a double free issue - the IRQs are freed after jumping
to the free_descs label, and then they would be freed again due to
put_device() being called and a subsequently triggered cleanup.
https://sashiko.dev/#/patchset/19e4f066d51.4e6bc94b96251.5845269359367162045%40zohomail.in
--
Kind regards
CJD