Re: [PATCH v1] iio: temperature: hid-sensor-temperature: switch to non-devm iio_device_register()

Next message: Frank Li: "Re: [PATCH v3 01/13] dmaengine: dw-edma: Add per-channel interrupt routing control"
Previous message: Loktionov, Aleksandr: "RE: [Intel-wired-lan] [PATCH net v2] igb: only strip Rx timestamp header on the first buffer of a frame"
In reply to: srinivas pandruvada: "Re: [PATCH v1] iio: temperature: hid-sensor-temperature: switch to non-devm iio_device_register()"
Next in thread: srinivas pandruvada: "Re: [PATCH v1] iio: temperature: hid-sensor-temperature: switch to non-devm iio_device_register()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Maxwell Doose

Date: Mon Jun 22 2026 - 11:34:25 EST

On Mon, Jun 22, 2026 at 10:26 AM srinivas pandruvada
<srinivas.pandruvada@xxxxxxxxxxxxxxx> wrote:
>
> On Mon, 2026-06-22 at 10:51 +0530, Sanjay Chitroda wrote:
> > From: Sanjay Chitroda <sanjayembeddedse@xxxxxxxxx>
> >
> > Avoid using devm_iio_device_register(), as this driver requires
> > explicit
> > error handling and teardown ordering.
> >
> > Mixing devm_* APIs with goto-based error unwinding breaks the
> > expected
> > LIFO resource release model and can introduce race windows during
> > device
> > removal. In particular, the IIO device may remain visible to
> > userspace
> > while dependent resources are already being freed, potentially
> > leading
> > to use-after-free issues.
>
> Please explain this use after free case here.
>
> Thanks,
> Srinivas

My guess is that because the device would still be registered but
would actually be removed, sysfs still has "wild" pointers to
read_raw() and write_raw() (which don't exist anymore), causing the
UAF. If I'm wrong feel free to correct me though.