Patch "iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()" has been added to the 5.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 14 Nov 2021 22:25:35 -0500

This is a note to let you know that I've just added the patch titled

    iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iio-buffer-fix-double-free-in-iio_buffers_alloc_sysf.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 911cb797b7ceee272d6568dd8dbb897bfdd98dee
Author: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Date:   Wed Oct 13 12:49:22 2021 +0300

    iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()
    
    [ Upstream commit 09776d9374e635b1580b3736c19b95b788fbaa85 ]
    
    When __iio_buffer_alloc_sysfs_and_mask() failed, 'unwind_idx' should be
    set to 'i - 1' to prevent double-free when cleanup resources.
    
    BUG: KASAN: double-free or invalid-free in __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio]
    Call Trace:
     kfree+0x117/0x4c0
     __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio]
     iio_buffers_alloc_sysfs_and_mask+0x60d/0x1570 [industrialio]
     __iio_device_register+0x483/0x1a30 [industrialio]
     ina2xx_probe+0x625/0x980 [ina2xx_adc]
    
    Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
    Fixes: ee708e6baacd ("iio: buffer: introduce support for attaching more IIO buffers")
    Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
    Reviewed-by: Alexandru Ardelean <ardeleanalex@xxxxxxxxx>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20211013094923.2473-2-andriy.shevchenko@xxxxxxxxxxxxxxx
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
index 2801f3a650760..1dfd10831f379 100644
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1623,7 +1623,7 @@ int iio_buffers_alloc_sysfs_and_mask(struct iio_dev *indio_dev)
 		buffer = iio_dev_opaque->attached_buffers[i];
 		ret = __iio_buffer_alloc_sysfs_and_mask(buffer, indio_dev, i);
 		if (ret) {
-			unwind_idx = i;
+			unwind_idx = i - 1;
 			goto error_unwind_sysfs_and_mask;
 		}
 	}






