Re: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()

From: Jonathan Cameron

Date: Fri May 22 2026 - 08:06:14 EST


On Fri, 22 May 2026 12:23:52 +0200
Joshua Crofts <joshua.crofts1@xxxxxxxxx> wrote:

> On Fri, 22 May 2026 at 11:44, Ashwin Gundarapu <linuxuser509@xxxxxxxxxxx> wrote:
> >
> > From: Ashwin Gundarapu <linuxuser509@xxxxxxxxxxx>
> > Date: Fri, 22 May 2026 14:34:46 +0530
> > Subject: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()
> >
> > Replace direct kfree() with put_device() in the error path after
> > device_initialize() has been called.
> >
> > The direct kfree() bypasses the reference counting mechanism,
> > causing memory leak and potential use-after-free.

That statement needs a specific path to be called out. It's correct
but explaining why the reference count that is deleted is a problem
is needed as often that wouldn't matter.

Anyhow see below...


> >
> > Signed-off-by: Ashwin Gundarapu <linuxuser509@xxxxxxxxxxx>
> > ---
> > drivers/iio/industrialio-trigger.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
> > index 17781c12bc85..9c72e7ae996c 100644
> > --- a/drivers/iio/industrialio-trigger.c
> > +++ b/drivers/iio/industrialio-trigger.c
> > @@ -598,7 +598,7 @@ struct iio_trigger *viio_trigger_alloc(struct device *parent,
> > free_descs:
> > irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER);
> > free_trig:
> > - kfree(trig);
> > + put_device(&trig->dev);
> > return NULL;
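Review bot: The `+ put_device(&trig->dev);` line at `free_trig:` is the fall-through target of `free_descs:`, reached right after `irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER)`, and nothing in the hunk shows that device_initialize() has run on every jump to `free_trig:`; so put_device() can be called on a struct device that is not yet initialized, and, if the device release callback frees the same irq descriptors, the `free_descs:` path frees them twice. Suggest either a separate label for the post-device_initialize() failure so the earlier paths keep `kfree(trig)`, or moving device_initialize() later in the function so the early error paths never hold a device reference; the commit message should also name the specific error path on which the lost reference actually matters.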
>
> IMO calling put_device() on an uninitialized struct device would cause a
> panic, as there are multiple goto statements that jump to this section
> before the struct is initialized. Additionally (as Sashiko points out), this
> patch introduces a double free issue - the IRQs are freed after jumping
> to the free_descs label, and then they would be freed again due to
> put_device() being called and a subsequently triggered cleanup.
>
> https://sashiko.dev/#/patchset/19e4f066d51.4e6bc94b96251.5845269359367162045%40zohomail.in
>

I'm also curious which kernel tree the author is looking at to find this bug.

This was fixed (correctly I believe) in
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12b393486c70

Key is it resolved the issues Joshua / Sashiko pointed out by moving the device_initialize()
much later in the function.

J