Re: [PATCH] iio: trigger: fix use-after-free in viio_trigger_alloc()

Next message: Jethro Beekman: "[PATCH RESEND] KVM: SEV: Track SNP launch state and disallow invalid userspace interactions"
Previous message: Peter Zijlstra: "Re: [patch V2 0/4] sched/mmcid: Cure mode transition woes"
Next in thread: Jonathan Cameron: "Re: [PATCH] iio: trigger: fix use-after-free in viio_trigger_alloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nuno Sá

Date: Mon Feb 02 2026 - 05:18:32 EST

Hi all,

On Sat, 2026-01-31 at 12:44 +0000, Jonathan Cameron wrote:
> On Sat, 31 Jan 2026 10:23:33 +0100
> Salah Triki <salah.triki@xxxxxxxxx> wrote:
>
> Hi Salah,
>
> This is a definitely case of the fix not being anywhere as simple
> as it might look at first glance.
>
> > Once `device_initialize()` is called, the reference count of the device
> > is set to 1. The memory associated with the device must then be
> > managed by the kobject reference counting.
> >
> > In `viio_trigger_alloc()`, if `irq_alloc_descs()` or `kvasprintf()` fails,
> > the code currently calls `kfree()`. Using `kfree()` in this case bypasses
> > the device's release callback and can lead to a use-after-free or memory
> > corruption.
>
> In some cases yes it can cause problems, but please show me an actual
> path to this in the description. It should indeed be tidied up.

>
> >
> > Fix this by calling `put_device()` instead of `kfree()`. This ensures that
> > the memory is freed properly via `iio_trig_release()` when the reference
> > count drops to zero.

Not the first time this pops up and I actually thought it was already fixed. But it seems we
never got v5:

https://lore.kernel.org/linux-iio/20251110035838.37029-1-make24@xxxxxxxxxxx/

Andy already fixed it for the main iio_dev allocation:

https://lore.kernel.org/linux-iio/20251112145735.2075527-3-andriy.shevchenko@xxxxxxxxxxxxxxx/

- Nuno Sá
>