From nobody Sun Feb 8 05:29:00 2026 Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 624E92C3244 for ; Sat, 31 Jan 2026 09:23:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769851423; cv=none; b=UmPeexaiPzfCaVAmHvISVvYTF4iLC5R9xZU/J/grgXScvA7HLv+Amt3Mzszs7mjf3wii/hao1Ea0k/W6e13h2dOAQvt8FhojnkFS0z4wn+oZzGVHbqOMqEME31ZNPhKrkjmnVQKznFeKz1RbwGxAWNBD+0VvOf31KMMJBN1WjzI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769851423; c=relaxed/simple; bh=Zq9dL4a9lFvNQvrNiEvrmOyinYJAbpriZ3tT47d7HZU=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=dvTYKfZITPKZcQkv2dnicn+pQQrPbPtxIMClSZcFoSH9VJJLJQtCb6fli169ThhoDeYO/1xTyXM5YkFPDNMMpulsHspGENCA9dS25rOZiqaeDrjR7ZYZwOkP3G5JJl2JP044AM2XkzGJiRenkibMqMUlOZTE/ta09bO/pmke6Zo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=fRjc7ru/; arc=none smtp.client-ip=209.85.128.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="fRjc7ru/" Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-48068127f00so24272355e9.3 for ; Sat, 31 Jan 2026 01:23:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769851421; x=1770456221; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=wHBcuwFJY03RKqIj/cElv3PBJyuiaW/qIgYAVlCyaxU=; b=fRjc7ru/prlRTZQ+HOpRVl0Qmd22OGJOigEejLuoKLnCgw8Fy/pZKW5vz4E1zYzauv 9YtqmhyMM6V3FD26YMJnyxxR2T1SHqbw9cft2H3SHe+TZn/XfPaZxov6tdnBxyEBX0/K 3n4kYYNWcwRC3/YvuDfI8UHKreCmaC98n/xkaVIQq5BiOHMQ1GT2+W2l1dgDejXEAXP7 fBhA0CTajks9y1/XAT04cCboU5TjKbtFxsGfL1P44lgkSF8MOm8mBOG51VRX1OS084s/ zMdxK3Va99oJXnUc+uLY46tXukhSB+Ohjopa/XaG/i0gQEAjRP7fhdzT593D+XNTcikJ aq0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769851421; x=1770456221; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=wHBcuwFJY03RKqIj/cElv3PBJyuiaW/qIgYAVlCyaxU=; b=VQvXt53GcxjfNi9/47bKRGnDlPVIX87Zdo+VGU7dIoMxG6ua1PxkLch/Zu2tmNfha4 d9zU96j1Cmde8xGiowEa3jb+yXAnXKkyuV49TgVwsbQTVv6L7shPGZuJ5Oi4MIxaKe1s 8Exzf/JwUMKeEuQDeFziD3YzVVyK7VNXEpFyWBtxQ/h85yBehpe9iEOvNBc1nUYIRUP1 zvYU7wucD/CjIbsuyYJevyvtRrIkggTPYRsQDnA1pBtFyDHIihl9AOU6NKLF1193ox3N fHsck2VYxKuqlEsWGXLMo2LgjXdFbqIItYOC05HEaWrY7BnA2shduAyd/q0muMaB/7GM HbTQ== X-Forwarded-Encrypted: i=1; AJvYcCVodkG+pA5J4pr35hYmgk2FOdveZNx6KNr0YoYINwOzYeod/kXq/UI9pLqINKfIC54fOdoHtLe7RIXhmCY=@vger.kernel.org X-Gm-Message-State: AOJu0YxA3aYPRlzAwm5JEqLrYBCbKq5spKHpS7BJzPGm/EpF44JE4hil QxkJv0/5qE5kT1iHyFp+ZxApcKT1U4RFpNnYiuliDkBVrwj3ru1011Vl X-Gm-Gg: AZuq6aKt/CCLlpAe3RKYq6dOlZmAyoFbe3SgC3TateC+HPgy4Kl53arTO2PnV9/Aj+u QZUTY7eIpGtwhADT1PIunjgS5KNd8QPFOhIDWJn62s9dY6k7jqM5KR8RKwI4ojXPV8vZSqxGZKJ WfC35AEO0Le+dgX69C4XaUX/fz8prFIzZiF1yUTV488Ti0RAaUPzqKLfGr16fnGmAZ3lUeRb+JF jrQlM/YT0BhRV6fRPcShUll+LvSEYXYZ/OfqumsTJMR4+9l+M1fOIind2jxlX0UfPs06yDDQx43 mwg9Vjl49W2P3lSuUEt/ME9W8Ezth6xgSZeQqzgKDisutIwyCtx1qKxLSqB4CwGH9T5+A3h3++D Ys6xZ3cbcvYmLU38WQHoj0anuAAk/kZxoW/vnX7M81yitYgCNF1CFXWrun07NrfIB37f30h4V9i cY75eZ9gXcPJPN+HmqTg3SguhBHVRuTeyWOJ/9 X-Received: by 2002:a05:600c:34c1:b0:47e:e87b:af8 with SMTP id 5b1f17b1804b1-482db491f49mr60468535e9.21.1769851420572; Sat, 31 Jan 2026 01:23:40 -0800 (PST) Received: from localhost.localdomain ([196.235.54.191]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48066bee7d0sm341661745e9.4.2026.01.31.01.23.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 31 Jan 2026 01:23:39 -0800 (PST) From: Salah Triki To: Jonathan Cameron , David Lechner , =?UTF-8?q?Nuno=20S=C3=A1?= , Andy Shevchenko Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Salah Triki Subject: [PATCH] iio: trigger: fix use-after-free in viio_trigger_alloc() Date: Sat, 31 Jan 2026 10:23:33 +0100 Message-ID: <20260131092333.247931-1-salah.triki@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Once `device_initialize()` is called, the reference count of the device is set to 1. The memory associated with the device must then be managed by the kobject reference counting. In `viio_trigger_alloc()`, if `irq_alloc_descs()` or `kvasprintf()` fails, the code currently calls `kfree()`. Using `kfree()` in this case bypasses the device's release callback and can lead to a use-after-free or memory corruption. Fix this by calling `put_device()` instead of `kfree()`. This ensures that the memory is freed properly via `iio_trig_release()` when the reference count drops to zero. Fixes: 2c99f1a09da3d ("iio: trigger: clean up viio_trigger_alloc()") Signed-off-by: Salah Triki --- drivers/iio/industrialio-trigger.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/iio/industrialio-trigger.c b/drivers/iio/industrialio-= trigger.c index 54416a384232..981e19757870 100644 --- a/drivers/iio/industrialio-trigger.c +++ b/drivers/iio/industrialio-trigger.c @@ -597,7 +597,7 @@ struct iio_trigger *viio_trigger_alloc(struct device *p= arent, free_descs: irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER); free_trig: - kfree(trig); + put_device(&trig->dev); return NULL; } =20 --=20 2.43.0