[PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()

Ashwin Gundarapu posted 1 patch 2 days, 8 hours ago
There is a newer version of this series
Posted by Ashwin Gundarapu 2 days, 8 hours ago
From: Ashwin Gundarapu <linuxuser509@zohomail.in>
Date: Fri, 22 May 2026 14:34:46 +0530
Subject: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()

Replace direct kfree() with put_device() in the error path after
device_initialize() has been called.

The direct kfree() bypasses the reference counting mechanism,
causing a memory leak and potential use-after-free.

Signed-off-by: Ashwin Gundarapu <linuxuser509@zohomail.in>
---
 drivers/iio/industrialio-trigger.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
index 17781c12bc85..9c72e7ae996c 100644
--- a/drivers/iio/industrialio-trigger.c
+++ b/drivers/iio/industrialio-trigger.c
@@ -598,7 +598,7 @@ struct iio_trigger *viio_trigger_alloc(struct device *parent,
 free_descs:
 	irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER);
 free_trig:
-	kfree(trig);
+	put_device(&trig->dev);
 	return NULL;
 }
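Review bot: The single free_trig label is reached from two different states, and put_device(&trig->dev) is only correct for one of them. Any goto free_trig taken before device_initialize() has run drops a reference on an uninitialized struct device, and on the free_descs path irq_free_descs() runs first and then put_device() triggers the release callback, which frees the same descriptors a second time. Suggest keeping kfree(trig) for the pre-initialization paths and using put_device() only for failures after device_initialize(), or moving device_initialize() after the last step that can fail so that the release callback is the only teardown path.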

--
2.43.0
Re: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()
Posted by Joshua Crofts 2 days, 7 hours ago
On Fri, 22 May 2026 at 11:44, Ashwin Gundarapu <linuxuser509@zohomail.in> wrote:
>
> From: Ashwin Gundarapu <linuxuser509@zohomail.in>
> Date: Fri, 22 May 2026 14:34:46 +0530
> Subject: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()
>
> Replace direct kfree() with put_device() in the error path after
> device_initialize() has been called.
>
> The direct kfree() bypasses the reference counting mechanism,
> causing memory leak and potential use-after-free.
>
> Signed-off-by: Ashwin Gundarapu <linuxuser509@zohomail.in>
> ---
>  drivers/iio/industrialio-trigger.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
> index 17781c12bc85..9c72e7ae996c 100644
> --- a/drivers/iio/industrialio-trigger.c
> +++ b/drivers/iio/industrialio-trigger.c
> @@ -598,7 +598,7 @@ struct iio_trigger *viio_trigger_alloc(struct device *parent,
>  free_descs:
>         irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER);
>  free_trig:
> -       kfree(trig);
> +       put_device(&trig->dev);
>         return NULL;

IMO calling put_device() on an uninitialized struct device would cause a
panic, as there are multiple goto statements that jump to this section
before the struct is initialized. Additionally (as Sashiko points out), this
patch introduces a double free issue - the IRQs are freed after jumping
to the free_descs label, and then they would be freed again due to
put_device() being called and a subsequently triggered cleanup.

https://sashiko.dev/#/patchset/19e4f066d51.4e6bc94b96251.5845269359367162045%40zohomail.in

-- 
Kind regards

CJD
Re: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()
Posted by Jonathan Cameron 2 days, 5 hours ago
On Fri, 22 May 2026 12:23:52 +0200
Joshua Crofts <joshua.crofts1@gmail.com> wrote:

> On Fri, 22 May 2026 at 11:44, Ashwin Gundarapu <linuxuser509@zohomail.in> wrote:
> >
> > From: Ashwin Gundarapu <linuxuser509@zohomail.in>
> > Date: Fri, 22 May 2026 14:34:46 +0530
> > Subject: [PATCH] iio: trigger: fix memory leak in viio_trigger_alloc()
> >
> > Replace direct kfree() with put_device() in the error path after
> > device_initialize() has been called.
> >
> > The direct kfree() bypasses the reference counting mechanism,
> > causing memory leak and potential use-after-free.

That statement needs a specific path to be called out. It's correct,
but explaining why the reference count that is deleted is a problem
is needed, as often that wouldn't matter.

Anyhow see below...


> >
> > Signed-off-by: Ashwin Gundarapu <linuxuser509@zohomail.in>
> > ---
> >  drivers/iio/industrialio-trigger.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-trigger.c
> > index 17781c12bc85..9c72e7ae996c 100644
> > --- a/drivers/iio/industrialio-trigger.c
> > +++ b/drivers/iio/industrialio-trigger.c
> > @@ -598,7 +598,7 @@ struct iio_trigger *viio_trigger_alloc(struct device *parent,
> >  free_descs:
> >         irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER);
> >  free_trig:
> > -       kfree(trig);
> > +       put_device(&trig->dev);
> >         return NULL;  
> 
> IMO calling put_device() on an uninitialized struct device would cause a
> panic, as there are multiple goto statements that jump to this section
> before the struct is initialized. Additionally (as Sashiko points out), this
> patch introduces a double free issue - the IRQs are freed after jumping
> to the free_descs label, and then they would be freed again due to
> put_device() being called and a subsequently triggered cleanup.
> 
> https://sashiko.dev/#/patchset/19e4f066d51.4e6bc94b96251.5845269359367162045%40zohomail.in
> 

I'm also curious which kernel tree the author is looking at to find this bug.

This was fixed (correctly I believe) in 
https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12b393486c70

Key is it resolved the issues Joshua / Sashiko pointed out by moving the device_initialize()
much later in the function.

J
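The ordering rule Jonathan points to (device_initialize() only after the last step that can fail, so every earlier error path uses plain kfree() and every later one uses put_device()) and the two failure modes Joshua raises can be checked with a small user-space model. This is an added example, not kernel code and not from the thread: toy_device, toy_trigger, trigger_release and the counters are constructed stand-ins for the kernel objects, the fail_pre/fail_post parameters are hypothetical failure points, and the real viio_trigger_alloc() has a different set of steps.

```c
#include <stdio.h>
#include <stdlib.h>

/* Counters record what a real run would turn into a leak, a bad free or a crash. */
static int trig_live;        /* trigger structs currently allocated */
static int irq_desc_live;    /* irq descriptor blocks currently allocated */
static int bad_desc_free;    /* irq_free_descs() on descs not currently held */
static int uninit_put_seen;  /* put_device() on a never-initialized device */

struct toy_device {          /* stand-in for struct device (assumption) */
	int initialized;
	int refcount;
	void (*release)(struct toy_device *dev);
};

struct toy_trigger {         /* stand-in for struct iio_trigger (assumption) */
	struct toy_device dev;   /* must stay first: release casts back to it */
	int descs_held;
};

static int irq_alloc_descs(struct toy_trigger *trig, int fail)
{
	if (fail)
		return -1;
	trig->descs_held = 1;
	irq_desc_live++;
	return 0;
}

static void irq_free_descs(struct toy_trigger *trig)
{
	if (!trig->descs_held) {
		bad_desc_free++;     /* double free, or free of descs never taken */
		return;
	}
	trig->descs_held = 0;
	irq_desc_live--;
}

/* As the thread describes: the release callback frees the descs and the struct. */
static void trigger_release(struct toy_device *dev)
{
	struct toy_trigger *trig = (struct toy_trigger *)dev;

	irq_free_descs(trig);
	trig_live--;
	free(trig);
}

static void device_initialize(struct toy_device *dev)
{
	dev->initialized = 1;
	dev->refcount = 1;
	dev->release = trigger_release;
}

static void put_device(struct toy_device *dev)
{
	if (!dev->initialized) {
		uninit_put_seen++;   /* the real kernel would crash here */
		return;
	}
	if (--dev->refcount == 0)
		dev->release(dev);
}

/* Ordering as in the posted patch: device_initialize() early, one free label. */
static struct toy_trigger *alloc_init_early(int fail_pre, int fail_descs, int fail_post)
{
	struct toy_trigger *trig = calloc(1, sizeof(*trig));

	if (!trig)
		return NULL;
	trig_live++;
	if (fail_pre)
		goto free_trig;              /* device not initialized yet */
	device_initialize(&trig->dev);
	if (irq_alloc_descs(trig, fail_descs))
		goto free_trig;
	if (fail_post)
		goto free_descs;
	return trig;
free_descs:
	irq_free_descs(trig);
free_trig:
	put_device(&trig->dev);          /* release frees the descs again */
	return NULL;
}

/* Ordering as in the fix Jonathan cites: nothing can fail after device_initialize(). */
static struct toy_trigger *alloc_init_late(int fail_pre, int fail_descs, int fail_post)
{
	struct toy_trigger *trig = calloc(1, sizeof(*trig));

	if (!trig)
		return NULL;
	trig_live++;
	if (fail_pre)
		goto free_trig;
	if (irq_alloc_descs(trig, fail_descs))
		goto free_trig;
	if (fail_post)
		goto free_descs;
	device_initialize(&trig->dev);   /* from here on only put_device() frees trig */
	return trig;
free_descs:
	irq_free_descs(trig);
free_trig:
	trig_live--;
	free(trig);                      /* plain kfree(): no refcount exists yet */
	return NULL;
}

/* Bit 0: leak, bit 1: bad descriptor free, bit 2: put_device() on uninitialized device. */
static int run_scenario(int init_early, int fail_pre, int fail_descs, int fail_post)
{
	struct toy_trigger *trig;
	int flags = 0;

	trig_live = irq_desc_live = bad_desc_free = uninit_put_seen = 0;
	trig = init_early ? alloc_init_early(fail_pre, fail_descs, fail_post)
			  : alloc_init_late(fail_pre, fail_descs, fail_post);
	if (trig)
		put_device(&trig->dev);      /* normal teardown of a successful allocation */
	if (trig_live || irq_desc_live)
		flags |= 1;
	if (bad_desc_free)
		flags |= 2;
	if (uninit_put_seen)
		flags |= 4;
	return flags;
}

int main(void)
{
	printf("early init, fail before init : flags=%d\n", run_scenario(1, 1, 0, 0));
	printf("early init, fail after descs : flags=%d\n", run_scenario(1, 0, 0, 1));
	printf("late init,  fail before init : flags=%d\n", run_scenario(0, 1, 0, 0));
	printf("late init,  fail after descs : flags=%d\n", run_scenario(0, 0, 0, 1));
	return 0;
}
```

With the early ordering, a failure before device_initialize() registers both a put on an uninitialized device and a leaked struct, and a failure after the descriptors are taken registers a second free of them; with the late ordering every path balances, because the release callback is the only code that ever tears down an initialized device.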