On Tue, Oct 12, 2021 at 2:37 PM Alexandru Ardelean <ardeleanalex@xxxxxxxxx> wrote:
>
> On Tue, Oct 12, 2021 at 12:18 PM Yang Yingliang
> <yangyingliang@xxxxxxxxxx> wrote:
> >
> > When __iio_buffer_alloc_sysfs_and_mask() failed, 'unwind_idx' should be
> > set to 'i - 1' to prevent double-free when cleanup resources.
> >
> > BUG: KASAN: double-free or invalid-free in __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio]
> > Call Trace:
> > kfree+0x117/0x4c0
> > __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio]
> > iio_buffers_alloc_sysfs_and_mask+0x60d/0x1570 [industrialio]
> > __iio_device_register+0x483/0x1a30 [industrialio]
> > ina2xx_probe+0x625/0x980 [ina2xx_adc]
> >
>
> Makes sense.
> Thanks for the catch.
>
> Reviewed-by: Alexandru Ardelean <ardeleanalex@xxxxxxxxx>

...

> > ret = __iio_buffer_alloc_sysfs_and_mask(buffer, indio_dev, i);
> > if (ret) {
> > - unwind_idx = i;
> > + unwind_idx = i - 1;
> > goto error_unwind_sysfs_and_mask;

I prefer to see

- for (; unwind_idx >= 0; unwind_idx--) {
+ while (unwind_idx--)

instead.

> > }
> > }

--
With Best Regards,
Andy Shevchenko
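
Review bot: at '+ unwind_idx = i - 1;', a failure on the first buffer (i == 0) leaves unwind_idx at -1, so the fix is only correct while unwind_idx is a signed type and the cleanup loop keeps the 'unwind_idx >= 0' test shown in the reply. The two proposals should not be combined: if the loop becomes 'while (unwind_idx--)', the assignment has to stay 'unwind_idx = i', because the post-decrement already skips index i. With 'i - 1' that loop would skip the free of buffer i - 1, and for i == 0 it would start from -1, which is non-zero, and index below the array. A short comment at the goto stating that the failing call has already released its own allocations would document why index i is excluded from the unwind.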