git.baikalelectronics.ru Git - kernel.git/commit

iio: buffer: fix use-after-free for attached_buffers array

Thanks to Lars for finding this.
The free of the 'attached_buffers' array should be done as late as
possible. This change moves it to iio_buffers_put(), which looks like
the best place for it, since it takes place right before the IIO device
data is free'd.
The free of this array will be handled by calling iio_device_free().
The iio_buffers_put() function is renamed to iio_device_detach_buffers()
since the role of this function changes a bit.

It looks like this issue was ocurring on the error path of
iio_buffers_alloc_sysfs_and_mask() and in
iio_buffers_free_sysfs_and_mask()

Added a comment in the doc-header of iio_device_attach_buffer() to
mention how this will be free'd in case anyone is reading the code
and becoming confused about it.

Fixes: d306061b5ac0 ("iio: buffer: introduce support for attaching more IIO buffers")
Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Link: https://lore.kernel.org/r/20210307185444.32924-1-ardeleanalex@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

author	Alexandru Ardelean <ardeleanalex@gmail.com>
	Sun, 7 Mar 2021 18:54:44 +0000 (20:54 +0200)
committer	Jonathan Cameron <Jonathan.Cameron@huawei.com>
	Thu, 25 Mar 2021 19:13:51 +0000 (19:13 +0000)
commit	0ab809cc94198f50cfeefb06497f1f77ff88b20b
tree	9cf1f0b855ba0b93c65800240f9dcbe48fb11163	tree \| snapshot
parent	56e955a41c91af08dd144571f95d4e19e1e65b2d	commit \| diff

drivers/iio/iio_core.h		diff \| blob \| history
drivers/iio/industrialio-buffer.c		diff \| blob \| history
drivers/iio/industrialio-core.c		diff \| blob \| history