Re: [PATCH] iio: buffer: hw-consumer: fix use-after-free in error path

[Roman Gushchin]

> On Apr 28, 2026, at 11:26 AM, Jonathan Cameron <jic23@xxxxxxxxxx> wrote:
> 
> On Tue, 28 Apr 2026 18:59:28 +0300
> Andy Shevchenko <andriy.shevchenko@xxxxxxxxx> wrote:
> 
>>> On Tue, Apr 28, 2026 at 10:53:25PM +0800, Felix Gu wrote:
>>> In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code
>>> was using list_for_each_entry() to iterate through buffers while calling
>>> iio_buffer_put() which can free the current buffer if refcount drops to 0.
>>> The list_for_each_entry() loop macro then evaluates buf->head.next to
>>> continue iteration, accessing the freed buffer.
>>> 
>>> Fix this by using list_for_each_entry_safe().
>>> 
>>> Closes:https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com  
>> 
>> Format is wrong, missing space.
>> 
>>> 
>> 
>> Tag block should have no blank lines.
>> 
>>> Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support")
>>> Signed-off-by: Felix Gu <ustc.gu@xxxxxxxxx>  
>> 
>> I am also wondering should we put Reported-by with the reference to AI somehow?
>> Jonathan, others, what are your opinions?
> 
> Would be nice to do so for these - things noticed whilst reviewing a patch
> type reports.
> 
> Roman (+CC), any suggestions on how to do this?

I appreciate when people are recognizing Sashiko, but I don’t have any strong preference.
Many engineers are using it locally before sending patches upstream, so we’ll never know
it anyway. But Reported-by/Assisted-by tags are appreciated when appropriate.